Malware Analysis Report

2024-10-16 03:03

Sample ID 240830-w9ejyazcmn
Target cb6cde58d5a246fcef6a2b1f9ad96dbb_JaffaCakes118
SHA256 b3dcd6e523ce44cf15638ca1f0de17554758f38ed8b7e7965b868fd28cb797dc
Tags: netwalker, execution, ransomware

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

b3dcd6e523ce44cf15638ca1f0de17554758f38ed8b7e7965b868fd28cb797dc

Threat Level: Known bad

The file cb6cde58d5a246fcef6a2b1f9ad96dbb_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: netwalker, execution, ransomware

Netwalker Ransomware

Renames multiple (7466) files with added filename extension

Renames multiple (6821) files with added filename extension

Drops file in Program Files directory

Command and Scripting Interpreter: PowerShell

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-30 18:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-30 18:36

Reported

2024-08-30 18:39

Platform

win7-20240704-en

Max time kernel

150s

Max time network

121s

Command Line

C:\Windows\Explorer.EXE

Signatures

Netwalker Ransomware

ransomware netwalker

Renames multiple (7466) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR20F.GIF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01607U.BMP C:\Windows\Explorer.EXE N/A
File created C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\33BD29-Readme.txt C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18201_.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR48F.GIF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00559_.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02450_.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-3 C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0186002.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153307.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Blanc-Sablon C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301252.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialLetter.dotx C:\Windows\Explorer.EXE N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\33BD29-Readme.txt C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0157167.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Regina C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10265_.GIF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Chicago C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rightnav.gif C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN108.XML C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02829J.JPG C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\7-Zip\Lang\sq.txt C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Tags.accft C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIconsMask.bmp C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00223_.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-progress.jar C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21342_.GIF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232395.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15019_.GIF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-8 C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\AST4 C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115844.GIF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.SF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bogota C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGAD.DPV C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate.css C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14829_.GIF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe Root Certificate.cer C:\Windows\Explorer.EXE N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1036\33BD29-Readme.txt C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152608.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0172193.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00126_.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00442_.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\VIBE.WAV C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.ja_5.5.0.165303.jar C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME43.CSS C:\Windows\Explorer.EXE N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\33BD29-Readme.txt C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Trek.thmx C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00941_.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\mscss7wre_es.dub C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Honolulu C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_ja.jar C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00853_.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\MANIFEST.MF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.common_2.10.1.v20140901-1043.jar C:\Windows\Explorer.EXE N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2280 wrote to memory of 2708 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2280 wrote to memory of 2708 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2280 wrote to memory of 2708 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2708 wrote to memory of 2852 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2708 wrote to memory of 2852 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2708 wrote to memory of 2852 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2280 wrote to memory of 2436 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2280 wrote to memory of 2436 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2280 wrote to memory of 2436 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2436 wrote to memory of 2860 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2436 wrote to memory of 2860 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2436 wrote to memory of 2860 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2280 wrote to memory of 1184 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 1184 wrote to memory of 11664 N/A C:\Windows\Explorer.EXE C:\Windows\system32\notepad.exe
PID 1184 wrote to memory of 11664 N/A C:\Windows\Explorer.EXE C:\Windows\system32\notepad.exe
PID 1184 wrote to memory of 11664 N/A C:\Windows\Explorer.EXE C:\Windows\system32\notepad.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\cb6cde58d5a246fcef6a2b1f9ad96dbb_JaffaCakes118.ps1

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xnrpqp-0.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA7F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEA7E.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8hrvcbtv.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC91.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEC90.tmp"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\notepad.exe

C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\33BD29-Readme.txt"

Network

N/A

Files

memory/2280-4-0x000007FEF643E000-0x000007FEF643F000-memory.dmp

memory/2280-7-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

memory/2280-8-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

memory/2280-6-0x0000000001F00000-0x0000000001F08000-memory.dmp

memory/2280-9-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

memory/2280-5-0x000000001B7A0000-0x000000001BA82000-memory.dmp

memory/2280-10-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

memory/2280-11-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\xnrpqp-0.cmdline

MD5 06f215c4cefab053e741e0d4de7dd4a2
SHA1 25e2eb5099495ab6e5f36c6d4bc38b19f6a00344
SHA256 609ddd75cdec3dde13cb7a6e48a383e48e1086ce72117095a267daa8c98f72ee
SHA512 06bd999bc2efb0fb26a48ff7f4b13c36e7dd18430d2c8517140d661ded9997db28172e6bbc2bf168f741776c8c258ec775f2681eaf2d2974534453063f853938

\??\c:\Users\Admin\AppData\Local\Temp\xnrpqp-0.0.cs

MD5 77db487c078b0fa51e7fcace9b258cf1
SHA1 f73dc69329586dd07c5f4e273c03ee9164dc4936
SHA256 20a335545d41bad6dd654205fe7e8e38c807634307edc4463661f172d8b575de
SHA512 471f92bfb9a32090fa925e4cea14b218a290560e27ec5726ae65b8999293eaf3bb0f7b1b45595076a93d1406d00a5b61a1aa0c2b79294f355ef6df0f25f36cac

memory/2708-20-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSCEA7E.tmp

MD5 4c962e17ca382bfdf78da8c3577fa88e
SHA1 a848fb944739db2713bc8f2843a40f067947d4a6
SHA256 d7109018158798966f4988eb5255a2221ee68d89153e1ae94bd1f20ddc64c850
SHA512 9d1d29df95a25bb5feecb18bfeb3bea053c04ffde0aca0391bd5d13b53754b3715e5e7270889c39aedd0180eda5ebd36fa543561b6dcc00171ad1925e528413a

C:\Users\Admin\AppData\Local\Temp\RESEA7F.tmp

MD5 dbebfa14478f1ddbb62fd507fbda1ec2
SHA1 a1d71e28f7f4b6f7a6a13f169dd0fb459e3079e3
SHA256 97622596d3b42a05259a709d75e57c0b14ed677aa9e621941e10af2f8135e227
SHA512 c4391f81a73679fda21a6154ee51df6d200fbe66daa25d648318c8895a301bbd5346eec49b083122ddc197fccba5267f5edf9d55830adc863329ff50d5c8ab75

memory/2708-25-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xnrpqp-0.pdb

MD5 1b4bb70e7063266b8c8d142884b4965c
SHA1 fe5ee9bea54718f56fed8049482ffba9c3b31e10
SHA256 584efc5f96b972b545b7f73042ed0210bcbe8829c9fad3970363616b18254c73
SHA512 fa03316f5b6323ffb56f585e4b5be7eef81c7abd2e4e08fa3179f66dbc4dd993b0bbc3065286ac2df270a8445706ae37cc9bab40d593d6ed8a33d642eaf6da90

memory/2280-27-0x00000000029F0000-0x00000000029F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xnrpqp-0.dll

MD5 103e1cbc8e87dff7ed6dbcede282d6a1
SHA1 77d3498d06d4cbc614a3bbd34428b64faadbd8e7
SHA256 5a8f3ec19b6417faa9117f8614d8cc0f8770571112bfce103e3af93d58a67156
SHA512 3054c268a2ae6dd35e5a3549c7cddd70cf8b5db8bb1970d5a182663edf50806b412b15755476e859ac1801e0d0ed85bff015ec0c473b476c8eefbe09b8f35952

\??\c:\Users\Admin\AppData\Local\Temp\8hrvcbtv.cmdline

MD5 b1b6941e436b3a05f42220e97741c179
SHA1 c55a0d7e34d15ceca217b485130b3c58ed3921df
SHA256 59aa78f62971551e83ad981ffc1579486a46537f570d4bee403915763fc4600e
SHA512 38840aab4bcf59d0df56e42787c036bab17bc76ec11d4d61e203ecbe9befc92159e08fb6bedf4d9cd7e84455387b47ca7ffcf5ddeb1acaa71592c622c0ef5dcc

\??\c:\Users\Admin\AppData\Local\Temp\8hrvcbtv.0.cs

MD5 d491bc3537450532785880e98f087e97
SHA1 bf5a817e3776cff4554c03206159c54717ca09f2
SHA256 7e7bd87416a61d72128f5c5bdeb3b3054631393d22acfd84bc0a351e4cc6b491
SHA512 ebbd7f91049304640f30697cadea49eb8f69a26dc1581dc2e58fbf16421769ed5df67b4fe4bfc1dd6c58367adea0449c52aa26c0286e7ab153c6571b7fd59856

C:\Users\Admin\AppData\Local\Temp\RESEC91.tmp

MD5 6ea6c37dddab54d1f95bb58ad03088e6
SHA1 15f0b5ecd0dfa2f59be776837e4c72a99a4738e8
SHA256 2ea5a2f5e568ec81eba73338309c9d6a855e09b9292eb55cb7718f8f6502c3ac
SHA512 f93503a696294b7dbb5a6a84d7178fdf4b5d0c965b99592bb307721c9857d800f558c34b4789a4318a3f4dda01ee97433a0327e3a542fcf9f99c29f6171957af

\??\c:\Users\Admin\AppData\Local\Temp\CSCEC90.tmp

MD5 15ec2605db9e25e1a2b743cd0c0907f5
SHA1 f7718d892162a593082ab626e9ae96ee4c0596fc
SHA256 ff271ee2749c3480337069264ce6d8f229eb88dcc0d859521cf65ebb33cd9e9a
SHA512 c1d388a448d55fa664e2785d2298079ba224a8aa22123e9f7fa73b75695a4bdbba7eeff3bff8b2d3ca98ecc36bf5969db4f4f7758c19faec4cb5bc4f52553c4e

C:\Users\Admin\AppData\Local\Temp\8hrvcbtv.dll

MD5 7b68d84dbafe7b06b6a81e06a11683f5
SHA1 20a01f03dd83be6a628125b344dee52fe46fe0de
SHA256 478af54bce431bd2f3d55f4cba10f6456412f26cba3e79ed1b1a2fcdabbc378d
SHA512 54d244f9d2f35a39c9f7cdfa9ab9a74e742dd7696978a4916fa77f2c720ddc1fb62632254b2015524cf0d0e26c15ecfe7d699c618111830056876815d161d669

memory/2280-43-0x0000000002A00000-0x0000000002A08000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8hrvcbtv.pdb

MD5 ec10c1748dcf1c8623a6a6978109df5f
SHA1 404f9aa3687a6db39ffd0fb8c315e2c813997c0c
SHA256 4108f474668d8feae075a6b76ab3467d323368b29cf59bde8706c2a5336be4be
SHA512 e33b36ed3b0561fa9bd529dde7631aa724448cb560702851166bd3eb9fa30d317791aef20ecc161fef7683140b8686e261073ab17562f8a51eeeb186fbfbfa9d

memory/2280-46-0x000000001B690000-0x000000001B6B2000-memory.dmp

memory/2280-47-0x000000001B690000-0x000000001B6B2000-memory.dmp

memory/2280-48-0x000000001B690000-0x000000001B6B2000-memory.dmp

memory/2280-49-0x000000001B690000-0x000000001B6B2000-memory.dmp

memory/2280-50-0x000000001B690000-0x000000001B6B2000-memory.dmp

memory/2280-51-0x000000001B690000-0x000000001B6B2000-memory.dmp

memory/2280-52-0x000000001B690000-0x000000001B6B2000-memory.dmp

memory/1184-56-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-57-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/2280-61-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

memory/1184-64-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-70-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-63-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-73-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-66-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-65-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-68-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-67-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-72-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-85-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-88-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-69-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-93-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-94-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-98-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-74-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-71-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-83-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-84-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-82-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-81-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-79-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-78-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-77-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-76-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-75-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-87-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-86-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-89-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-90-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-91-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-92-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-95-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-97-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-99-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-100-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-96-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-103-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-111-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-110-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-109-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-108-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-107-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-106-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-105-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-104-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-102-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

memory/1184-101-0x0000000002DD0000-0x0000000002DF2000-memory.dmp

C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\33BD29-Readme.txt

MD5 dd3fd96542f33fe3156758f7aa77c407
SHA1 7b1d6f0acbe63d3260e72aa779252ce8c1fe5c64
SHA256 a5c35fb9f3e9eb720c26e893c8ea69a69784fcd0914e58ab7521d13191c76651
SHA512 230745a0e317ffdd4d0051700a935c622d9632be6999447a5c5ac667418db70ad0c6ad6484a68059717c15af0245c03a4fb70187c89ef40707c5903abdca92a9

C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\SGRES.DLL.trx_dll.33bd29

MD5 36c9476f4e4345dc1703044bc4758f09
SHA1 80afb790146bfe597514fcb2e2eb2ffcbbdca1f1
SHA256 ecc483b0a690dc4c0ea05d2e0db2133e1bcb420667f6bec552a02c1270b0382d
SHA512 bae128f462da3f9aa16d24a1a4669b29ec02f2cd56c0339ce0b2d9237f2aefe600429300bad838f149961772e5c59526e09909ae3726e0bc426ed9cdf86a2756

C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\PUB6INTL.REST.trx_dll.33bd29

MD5 026dfde440f96216cd7ba5c3cdb18d7d
SHA1 9711c6c913dd8b6607386263a8dd3e6fcb95bcc9
SHA256 27bc496770ad2a9c40e7da4a9f75d7fbee39ae77642baee056ffa8fa179dccce
SHA512 76118cf15e08fe75d1d4b3e5561284f780f6cb944da635cedaafb6d71c34aeb4407f0544ee008a8aa116cb548ec6a71c44ec9c286e5a57704a00c65c84d206e7

C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MValidator.Lck.33bd29

MD5 97bae8b50fd99dc00d4fb68a4afcf902
SHA1 a046105cedbd48314e38520cf94c56f73062f122
SHA256 ef45761f9a41e7b48554fce09588e39727d4e4e1133d5e5e94d6b08fba2438bb
SHA512 094f1e61a6cd39a9c416eb67257153bddff85db3bcf2f1aa10e47f998c3c1c3db609e09446565f363b990cc2a0c302490af5b25e0efe8ece441dab4b2fe987e5

C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MKWD_AssetId.H1W.33bd29

MD5 9718409f37cdee2ac30b5efe9d1aaf40
SHA1 dfa5acb35ffdf90068508327458e1bf612e5ae01
SHA256 0647d00ebb8f891995c4553895623d4173b1ea17c97f674f946eb720e9f2bc13
SHA512 c39acca71cd941df20088f79d4d600514ebeea8675bba660e3ee8747b914e9e90ac71356149154b28995a5d9d3e82b6929234679450c519004cab8f15f76776d

C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MKWD_BestBet.H1W.33bd29

MD5 f2188455c8f45ae62db051e8af5bf7c1
SHA1 06f5fee48c62cba195bfd31b73b3600c154bbad8
SHA256 1db7918c45ca74f2a15eb35aa63f6d6e11e5fcbe33a34c168c1b9800179f43c3
SHA512 b7e59296cbe6f9d9c7ecccf6f015bac26dcdfdb82428b6020841b6d82e44d4a7ab65de3f2d59658a9ba74d51d38ad963a0d65182d526e755801d14c00a4375af

C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MValidator.Lck.33bd29

MD5 addcbe9e0a21628bcbe73e65bfb53e7b
SHA1 fa2b508c8472fe90ca47be474d6003a2a0071df7
SHA256 ac23976b9d7848d3b64cfb1ced8bfc47a23fec7b059eafd0313119222a9ba31f
SHA512 5801b86277c41e770cb8b0f2d783189909d64f26f80746408a7d6f4856c4461dfa9ff3145966f35b499adf8e4a14af7dbf259460fd65d3dd46127f1d48aa4da9

C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\VISBRRES.DLL.trx_dll.33bd29

MD5 b187a83865a9cbf7bd642f72d6107ceb
SHA1 91c654effb15497dd75af28923843b3107d102d2
SHA256 63db56a7cd0056d837d4d8b9e45e848067b1e04c41f1d9016c899c37507d3436
SHA512 ef0bd58d75dc3fdd46d0d65f84212f64ef5ec907e3ae3160a4ddb49917414e506665008afbc86ffeacdb6836785a9b2acfaf93496771dc4a5da88f39c1900007

C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\XLSLICER.DLL.trx_dll.33bd29

MD5 695d5c2ccf397c17737806e36a202d6a
SHA1 0be4613b37ddea3c1e54d627a1aa104904d90bce
SHA256 ff85bbe0a2987922511335245962cf9598ca448c27b6d8c21e2c9227f71daaf8
SHA512 f60479b2fe09a3bf27509929822eae2bc8162044c2675dec2f742e49683310873d4c0ebdd721237c56a592644eee164feda54d50693049c41aaa621a76a4141d

C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_CValidator.H1D.33bd29

MD5 687e282e19b4df11ad9f79ba75a893e3
SHA1 4d1f31d6e9f10743081d33184597b3452c39248e
SHA256 9d33e041a8d5cd7daddb3419afe72138d3c4cf8547ef33fa1fd1e2fee9372505
SHA512 9d16777c27dffe15d202ae4cb77833469c3bc3a9f568409f907228cc3cc952c4635903a7ca394dcb8b2f4decbf762c90f16f73ff80236ab83ab109c90093d543

C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_CValidator.H1D.33bd29

MD5 b1b18060befcf3108704533e77ed047a
SHA1 2999720f12d054197cb9c5d6487697694fd3991a
SHA256 f75677eba4e025e1b9020c5275fcb4da79a3ba884ad6319135f0ae364f9e4257
SHA512 f1170812613a20d860cdb1071ef4f289ebd5b07ac69f318d00749cad37eee1b5971b5215b7fd51a49d95ac9c38bc3bbb89355635d66d1a808d2876db80a3ce2b

C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MValidator.H1D.33bd29

MD5 76650117bec87d0264989917b6ab1b75
SHA1 8c0475c498d6e6127ca345ac6a9b25cd40a7afa6
SHA256 bfa19ba8b4fe33373dbf8eba841aef0f910a47aed49a51c7b2b179937a51cce0
SHA512 4dee8ec607ba06f9dfdc39486c84e4b9f7c6b96a8558f0c446eab3ce668fef24eb0b36e94ded1113fe044c16bece098a6f2415156e5fc1ed829160925a3c09f7

C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MTOC_help.H1H.33bd29

MD5 dcfc920a3812d14ae92de6d9d06df32f
SHA1 f915e2966318d4beb15dbf5de65bab739bea608c
SHA256 5ee34cacb138a29c109d45803f31cd84be9d487710f020673a77258f973ba174
SHA512 e87cb2afd4925f0cba6885d9f0a27091acefa30e24a375fee71c2408fa39ba5fa130c3b9aaebf870bc907870360134aa458013da490ded5019087df1f8d9dd5b

C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MKWD_AssetId.H1W.33bd29

MD5 2818b3ca931341a1a182cb12470ee03e
SHA1 6bdd8f3bcda4392054e5e5f525ebf5648bcb68da
SHA256 82833f7e45ba6e3f01feb0f2de4d57b02bd78ed848668b2f4a2b523f05325224
SHA512 ce366550f331c6e591436ac8e9bc492c29f76bb40fa9f6ffb7f8ba879c43babe26a065f0f07e6c6ba574b010127cf18fd1578e0ad428b81b17dc84189cc2b595

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_7e7688eac2ab845272f4daac96479e93e0f0a5_cab_07543c63\DMI3C63.tmp.log.xml.33bd29

MD5 8c65f6416de35f11c74dfb9ad8227b59
SHA1 01fa08f0c937fd9443afe6f1718989f9d15b6f95
SHA256 24488bcb051b718700a3a4416ec941270b2028e3603a22e85a8d9f47bfe35c16
SHA512 fc8ad6eed156f92df0a1105c897d5a7899ab393fcd9df88cefbb6a7b677de5e221ea244d0e3703dfc5f8a4362b8600f7114d49750db82665d8ef60ce0df08f74

C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\WWINTL.REST.trx_dll.33bd29

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-30 18:36

Reported

2024-08-30 18:39

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

99s

Command Line

C:\Windows\Explorer.EXE

Signatures

Netwalker Ransomware

ransomware netwalker

Renames multiple (6821) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-125.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OrientationControlInnerCircleHover.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nl-nl\ui-strings.js C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\vlc.mo C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fi-fi\ui-strings.js C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Eye.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-400_contrast-white.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\people\rachelVaughan.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookLargeTile.scale-200.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-100.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\WideTile.scale-200.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_rename_18.svg C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-125_contrast-white.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_altform-unplated_contrast-white.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerLargeTile.contrast-black_scale-125.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsBadgeLogo.scale-100.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\css\main.css C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL027.XML C:\Windows\Explorer.EXE N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ru-ru\4F7D92-Readme.txt C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\ui-strings.js C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Star.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_retina.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_AppList.targetsize-48_altform-unplated.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_settings.targetsize-48.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\sat_logo_2x.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_altform-unplated_contrast-white.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-60_altform-unplated.png C:\Windows\Explorer.EXE N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\eu-es\4F7D92-Readme.txt C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pt-br_get.svg C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-20_altform-lightunplated.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\hive.xsl C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\Content.DATA C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Microsoft.Xaml.Interactions.winmd C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\nub.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-100_contrast-black.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Fonts\SkypeAssets-Light.ttf C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons_retina.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_checkbox_selected_18.svg C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_ja_135x40.svg C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\nslist.hxl C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\LargeTile.scale-100.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\ui-strings.js C:\Windows\Explorer.EXE N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\4F7D92-Readme.txt C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-125.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\complete.contrast-black.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\word.x-none.msi.16.x-none.vreg.dat C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\DATES.XML C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\psfontj2d.properties C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\SmallTile.scale-200.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\ui-strings.js C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL097.XML C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner.gif C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48_altform-unplated_contrast-white.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql2000.xsl C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_listview.svg C:\Windows\Explorer.EXE N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Windows\Explorer.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4104 wrote to memory of 688 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 688 wrote to memory of 2164 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4104 wrote to memory of 3252 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3252 wrote to memory of 4136 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4104 wrote to memory of 3516 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 3516 wrote to memory of 21936 N/A C:\Windows\Explorer.EXE C:\Windows\system32\notepad.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\cb6cde58d5a246fcef6a2b1f9ad96dbb_JaffaCakes118.ps1

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mjlz45fl\mjlz45fl.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C4D.tmp" "c:\Users\Admin\AppData\Local\Temp\mjlz45fl\CSC9780523AB30E499EB1DBB7A5D13A313.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0lc3qphp\0lc3qphp.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D18.tmp" "c:\Users\Admin\AppData\Local\Temp\0lc3qphp\CSCD8537F8769B74967A7C1E9A180B41142.TMP"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\notepad.exe

C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\4F7D92-Readme.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_obugjy5z.l3q.ps1

\??\c:\Users\Admin\AppData\Local\Temp\mjlz45fl\mjlz45fl.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\mjlz45fl\mjlz45fl.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\mjlz45fl\CSC9780523AB30E499EB1DBB7A5D13A313.TMP

C:\Users\Admin\AppData\Local\Temp\RES1C4D.tmp

C:\Users\Admin\AppData\Local\Temp\mjlz45fl\mjlz45fl.dll

\??\c:\Users\Admin\AppData\Local\Temp\0lc3qphp\0lc3qphp.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\0lc3qphp\0lc3qphp.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\0lc3qphp\CSCD8537F8769B74967A7C1E9A180B41142.TMP

C:\Users\Admin\AppData\Local\Temp\RES1D18.tmp

C:\Users\Admin\AppData\Local\Temp\0lc3qphp\0lc3qphp.dll

C:\Users\Admin\Searches\4F7D92-Readme.txt

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\ecbc2601-0a67-4963-e594-43c65d6ec9a5.xml.4f7d92

C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\f8dd0907-0dc8-3c5d-8345-cc7a1da52eb7.xml.4f7d92

C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\8cfc804a-d777-2361-1670-4569e516397e.xml.4f7d92
