Malware Analysis Report

2024-10-16 03:04

Sample ID: 240913-wy4ppasala
Target: dea68bfdc6efd19c1dc933d61f115a33_JaffaCakes118
SHA256: 197390ed197b649aba275ca233a210c21ec03323df2aa5a445db47bee13b619c
Tags: netwalker, execution, ransomware
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 197390ed197b649aba275ca233a210c21ec03323df2aa5a445db47bee13b619c

Threat Level: Known bad

The file dea68bfdc6efd19c1dc933d61f115a33_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: netwalker, execution, ransomware

Netwalker Ransomware

Renames multiple (7437) files with added filename extension

Renames multiple (6802) files with added filename extension
(one count from each of the two behavioral detonations; the 6802 figure is the one reported under behavioral2 below)

Drops file in Program Files directory

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-09-13 18:20

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-09-13 18:20

Reported: 2024-09-13 18:23

Platform: win10v2004-20240802-en

Max time kernel: 104s

Max time network: 143s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\dea68bfdc6efd19c1dc933d61f115a33_JaffaCakes118.ps1

Signatures

Netwalker Ransomware
Tags: ransomware, netwalker

Renames multiple (6802) files with added filename extension
Tags: ransomware

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ml.pak | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ppd.xrm-ms | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\719095-Readme.txt | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\719095-Readme.txt | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSplashScreen.scale-200_contrast-white.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\719095-Readme.txt | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-ms | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppxSignature.p7x | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\SwipeTeachingCalloutArchiveImage.layoutdir-LTR.gif | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\fonts\symbol.ttf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\CAPSULES.ELM | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\root\ui-strings.js | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ui-strings.js | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Dark\MilitaryRight.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase.Component.winmd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-256_altform-unplated.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\lib\jvm.lib | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72_altform-unplated.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxMediumTile.scale-125.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\pt-BR.pak | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40_altform-lightunplated.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\AppxManifest.xml | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\es-es\719095-Readme.txt | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\text_2x.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_altform-unplated_contrast-white.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ppd.xrm-ms | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\719095-Readme.txt | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\SETUP.CHM | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\ui-strings.js | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Configuration\configuration.sqlite | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailSmallTile.scale-200.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ms_get.svg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\resources.pri | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-24_altform-unplated_contrast-white.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-black_scale-200.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\de_get.svg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sk-sk\719095-Readme.txt | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ui-strings.js | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageWideTile.scale-125.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-125_contrast-black.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-si\ui-strings.js | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\progress.gif | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\adobe_sign_tag_retina.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\719095-Readme.txt | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\AppStore_icon.svg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-96_altform-unplated_contrast-white.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\719095-Readme.txt | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-256_contrast-white.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteLargeTile.scale-100.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-125.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Snooze.scale-64.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-200_contrast-white.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\29.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-48_altform-unplated_contrast-white.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\nl-nl\ui-strings.js | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ui-strings.js | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

The "File created" rows are copies of the ransom note 719095-Readme.txt dropped into each directory the script walks; the "File opened for modification" rows are the files it opens for writing, i.e. its encryption targets. The walk covers Program Files wholesale, including packaged-app directories under WindowsApps (AppxSignature.p7x, AppxManifest.xml, AppxBlockMap.xml), so those packages will fail their integrity checks afterwards. In the two rows under ...\Office16\sdxs\FA000000027\assets\Icons\ the file name was replaced by "[email protected]" during export and is not recoverable from this page.
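As an added triage example (not part of the sandbox report), the Python below takes a file listing from an affected host, infers which extension was appended without being told it in advance, locates the ransom notes, and checks that the note name matches the extension. The listing is constructed from paths in the table above; the ".719095" suffix on the encrypted entries is an assumption, since the report records the renames only as a count and the note name 719095-Readme.txt is what suggests it. The function and threshold names are this example's own.

```python
"""Infer a ransomware run's appended extension and find its notes in a listing.

Added example, not from the report. Paths are those of the report's
"Drops file in Program Files directory" table; the .719095 suffix is an
assumption (the report only counts the renames), and the untouched entries
at the end are hypothetical.
"""
import ntpath
import re
from collections import Counter

NOTE_RE = re.compile(r"^(?P<id>[0-9A-Za-z]+)-Readme\.txt$", re.IGNORECASE)

LISTING = [
    r"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ml.pak.719095",
    r"C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ppd.xrm-ms.719095",
    r"C:\Program Files\Java\jdk-1.8\lib\jvm.lib.719095",
    r"C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo.719095",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\pt-BR.pak.719095",
    r"C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\AppxManifest.xml.719095",
    r"C:\Program Files\7-Zip\719095-Readme.txt",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\719095-Readme.txt",
    r"C:\Users\Admin\Desktop\719095-Readme.txt",
    # Hypothetical untouched files: binaries and a benign double extension.
    r"C:\Program Files\7-Zip\7z.exe",
    r"C:\Program Files\7-Zip\7z.dll",
    r"C:\Users\Admin\Downloads\backup.tar.gz",
]


def final_and_inner_ext(path):
    """'ml.pak.719095' -> ('.719095', '.pak'); inner is '' for a single extension."""
    stem, final = ntpath.splitext(ntpath.basename(path))
    _, inner = ntpath.splitext(stem)
    return final.lower(), inner.lower()


def find_ransom_notes(paths):
    """(path, id) for every file named <id>-Readme.txt."""
    notes = []
    for p in paths:
        m = NOTE_RE.match(ntpath.basename(p))
        if m:
            notes.append((p, m.group("id").lower()))
    return notes


def infer_appended_extension(paths, min_count=5, min_share=0.5):
    """Most common final extension among files that still carry an inner
    extension (a renamed file keeps its original one underneath). Returns
    (ext, count), or (None, 0) if the winner is rare or not dominant; the
    thresholds keep benign double extensions such as .tar.gz from winning."""
    counts = Counter()
    for p in paths:
        final, inner = final_and_inner_ext(p)
        if final and inner:
            counts[final] += 1
    if not counts:
        return None, 0
    ext, n = counts.most_common(1)[0]
    if n < min_count or n / sum(counts.values()) < min_share:
        return None, 0
    return ext, n


def triage_listing(paths):
    """Summarise extension, note count, and the pre-rename names for recovery."""
    notes = find_ransom_notes(paths)
    ext, _ = infer_appended_extension(paths)
    note_ids = {nid for _, nid in notes}
    encrypted = [p for p in paths if ext and p.lower().endswith(ext)]
    return {
        "appended_extension": ext,
        "encrypted_count": len(encrypted),
        "note_count": len(notes),
        "note_ids": sorted(note_ids),
        # Netwalker-style naming: the note id equals the appended extension.
        "note_matches_extension": bool(ext) and note_ids == {ext.lstrip(".")},
        "original_names": [p[: -len(ext)] for p in encrypted] if ext else [],
    }


if __name__ == "__main__":
    for key, val in triage_listing(LISTING).items():
        print(f"{key}: {val}")
```

On a real host, feed it the output of a recursive directory listing; the "original_names" field is what a restore-from-backup job needs, and a mismatch between note id and extension is worth noting as a family-attribution clue.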

Command and Scripting Interpreter: PowerShell
Tags: execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
(this row appears 64 times in the original listing)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

The SeDebugPrivilege and SeImpersonatePrivilege entries are in the script's own powershell.exe process. The SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege entries are in vssvc.exe, the Volume Shadow Copy service, which enables those privileges whenever it runs; they appear here because the script invoked the VSS COM API (see the signature below), not because the script adjusted that process's token.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3556 wrote to memory of 4560 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3556 wrote to memory of 4560 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4560 wrote to memory of 5076 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4560 wrote to memory of 5076 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3556 wrote to memory of 4044 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3556 wrote to memory of 4044 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4044 wrote to memory of 232 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4044 wrote to memory of 232 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3556 wrote to memory of 6188 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\notepad.exe
PID 3556 wrote to memory of 6188 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\notepad.exe

Every writer/target pair here is a parent and a child it spawned (powershell.exe 3556 -> csc.exe 4560 and 4044; csc.exe -> cvtres.exe 5076 and 232; powershell.exe -> notepad.exe 6188), each logged twice. No write into a pre-existing, unrelated process is recorded, so in this report the signature restates the process tree rather than evidencing code injection.

Uses Volume Shadow Copy service COM API
Tags: ransomware

Ransomware calls this API to enumerate and delete shadow copies so that encrypted files cannot be rolled back. The report records the API use and the resulting start of vssvc.exe, not the deletion itself; on a live host, check the remaining shadow copies (for example with vssadmin list shadows) before assuming any are left.

Processes

Process tree, with parent/child relations and PIDs taken from the WriteProcessMemory table above (vssvc.exe is a demand-started service and has no parent in that table):

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3556)
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\dea68bfdc6efd19c1dc933d61f115a33_JaffaCakes118.ps1

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 4560)
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\awnpczmu\awnpczmu.cmdline"

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 5076)
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F25.tmp" "c:\Users\Admin\AppData\Local\Temp\awnpczmu\CSCB01A3A4B2E2740BFAD641B4F2A7F8CFD.TMP"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 4044)
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wwyng2aw\wwyng2aw.cmdline"

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 232)
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F73.tmp" "c:\Users\Admin\AppData\Local\Temp\wwyng2aw\CSCA2C1A4CFACD64042BC75E1157598562E.TMP"

  C:\Windows\system32\notepad.exe (PID 6188)
    C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\719095-Readme.txt"

C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe

The two csc.exe/cvtres.exe pairs are the C# compiler and resource converter that PowerShell's Add-Type runs to compile C# source embedded in the script; the generated source (awnpczmu.0.cs, wwyng2aw.0.cs), response files (*.cmdline) and output assemblies (*.dll) are listed under Files below. notepad.exe displays the ransom note the script placed on the desktop. vssvc.exe is the Volume Shadow Copy service, started on demand when the script used the VSS COM API.
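The tree above is the generic footprint of a PowerShell script that compiles embedded C# with Add-Type and then opens its ransom note. The Python below, added here and not part of the report, reconstructs that footprint from process-creation events and separates the weak signal (a compile chain, which many legitimate admin scripts also produce) from the strong one (Notepad opening a *-Readme.txt). The event records and parent PIDs are constructed from the report's process list and WriteProcessMemory table; the field names (pid, ppid, image, cmdline), the parent PID 812, and the two MSBuild rows are assumptions.

```python
"""Flag the PowerShell -> csc.exe -> cvtres.exe chain and ransom-note display.

Added example, not part of the report. EVENTS mirrors the report's process
list; field names and the benign MSBuild rows are assumptions. Map the
fields from your EDR or Sysmon Event ID 1 export.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CSC_EXE = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
CVTRES_EXE = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"

EVENTS = [
    ProcEvent(3556, 812, PS_EXE,
              r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\dea68bfdc6efd19c1dc933d61f115a33_JaffaCakes118.ps1"),
    ProcEvent(4560, 3556, CSC_EXE,
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\awnpczmu\awnpczmu.cmdline"'),
    ProcEvent(5076, 4560, CVTRES_EXE,
              r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F25.tmp" "c:\Users\Admin\AppData\Local\Temp\awnpczmu\CSCB01A3A4B2E2740BFAD641B4F2A7F8CFD.TMP"'),
    ProcEvent(4044, 3556, CSC_EXE,
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wwyng2aw\wwyng2aw.cmdline"'),
    ProcEvent(232, 4044, CVTRES_EXE,
              r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F73.tmp" "c:\Users\Admin\AppData\Local\Temp\wwyng2aw\CSCA2C1A4CFACD64042BC75E1157598562E.TMP"'),
    ProcEvent(6188, 3556, r"C:\Windows\system32\notepad.exe",
              r'C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\719095-Readme.txt"'),
    # Benign contrast (hypothetical): a build invoking csc.exe outside PowerShell.
    ProcEvent(7000, 812, r"C:\Program Files\dotnet\MSBuild.exe", "MSBuild.exe app.csproj"),
    ProcEvent(7001, 7000, CSC_EXE, r'csc.exe /noconfig @"C:\build\app\obj\app.cmdline"'),
]

# csc.exe response file under the user's Temp: what Add-Type writes.
TEMP_CMDLINE_RE = re.compile(r'@"[^"]*\\AppData\\Local\\Temp\\[^"]*\.cmdline"', re.IGNORECASE)
# A quoted or bare drive path ending in -Readme.txt on the command line.
NOTE_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?-Readme\.txt)"?', re.IGNORECASE)


def image_name(event):
    return event.image.rsplit("\\", 1)[-1].lower()


def children_of(events, ppid):
    return [e for e in events if e.ppid == ppid]


def find_addtype_chains(events):
    """(powershell_pid, csc_pid, cvtres_pid) for each PowerShell process that
    spawned csc.exe with a Temp response file, where csc.exe then spawned
    cvtres.exe: the footprint of Add-Type compiling C# at runtime."""
    chains = []
    for ps in (e for e in events if image_name(e) == "powershell.exe"):
        for csc in children_of(events, ps.pid):
            if image_name(csc) != "csc.exe" or not TEMP_CMDLINE_RE.search(csc.cmdline):
                continue
            for cvt in children_of(events, csc.pid):
                if image_name(cvt) == "cvtres.exe":
                    chains.append((ps.pid, csc.pid, cvt.pid))
    return chains


def find_ransom_note_display(events):
    """(powershell_pid, notepad_pid, note_path) where PowerShell opened a
    *-Readme.txt in Notepad, as the sample does with 719095-Readme.txt."""
    hits = []
    for ps in (e for e in events if image_name(e) == "powershell.exe"):
        for child in children_of(events, ps.pid):
            m = NOTE_RE.search(child.cmdline)
            if image_name(child) == "notepad.exe" and m:
                hits.append((ps.pid, child.pid, m.group(1)))
    return hits


def triage(events):
    """Launch flags plus the two structural signals, for a combined verdict."""
    bypass = [e.pid for e in events if image_name(e) == "powershell.exe"
              and "-executionpolicy bypass" in e.cmdline.lower()
              and "\\appdata\\local\\temp\\" in e.cmdline.lower()]
    return {"bypass_from_temp": bypass,
            "addtype_chains": find_addtype_chains(events),
            "ransom_note_display": find_ransom_note_display(events)}


if __name__ == "__main__":
    for key, val in triage(EVENTS).items():
        print(f"{key}: {val}")
```

Alert on the note display alone; treat the compile chain as context that raises confidence when it co-occurs with a script launched from Temp with -ExecutionPolicy bypass, since the chain by itself is routine in signed administrative tooling.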

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 42.56.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 233.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp

Only reverse (PTR) lookups to the 8.8.8.8 resolver were captured; no forward name resolution and no outbound connection to a command-and-control host appears. Encrypting local files needs no network access, so the absence of C2 traffic is not evidence that the sample was inert.
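Added example, not from the report: decoding the in-addr.arpa names above back to the addresses that were looked up, so they can be matched against your own DNS and proxy telemetry, and separating any forward lookups from the reverse ones. The rows are copied from the table; the parsing functions and their names are this example's own.

```python
"""Decode the reverse-DNS queries in a sandbox Network table.

Added example, not from the report. NETWORK_ROWS is copied from the table
above; a PTR name stores the IPv4 octets least-significant first, so
241.150.49.20.in-addr.arpa is the lookup for 20.49.150.241.
"""
import ipaddress
import re

NETWORK_ROWS = [
    "US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp",
    "US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp",
    "US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp",
    "US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp",
    "US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp",
    "US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp",
    "US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp",
    "US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp",
    "US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp",
    "US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp",
    "US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp",
]

ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<dst>\S+)\s+(?P<query>\S+)\s+(?P<proto>udp|tcp)$")
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.IGNORECASE)


def ptr_to_ip(name):
    """IPv4Address for an in-addr.arpa name, or None if it is not one."""
    m = PTR_RE.match(name)
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(m.groups())))
    except ipaddress.AddressValueError:  # an octet above 255
        return None


def parse_rows(rows):
    """Dicts with cc, dst, query, proto for every well-formed row."""
    parsed = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            parsed.append(m.groupdict())
    return parsed


def summarize(rows):
    """Resolvers used, decoded PTR targets, non-global targets, forward lookups."""
    resolvers, targets, forward = set(), set(), []
    for r in parse_rows(rows):
        resolvers.add(r["dst"])
        ip = ptr_to_ip(r["query"])
        if ip is None:
            forward.append(r["query"])  # a real domain lookup, worth a closer look
        else:
            targets.add(ip)
    return {
        "resolvers": sorted(resolvers),
        "ptr_targets": [str(ip) for ip in sorted(targets)],
        "non_global": [str(ip) for ip in sorted(targets) if not ip.is_global],
        "forward_lookups": forward,
    }


if __name__ == "__main__":
    for key, val in summarize(NETWORK_ROWS).items():
        print(f"{key}: {val}")
```

The decoded addresses are what to search for in flow logs; a non-empty "forward_lookups" list in another report would be the first place to look for a C2 domain.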

Files

memory/3556-0-0x00007FFD1AAC3000-0x00007FFD1AAC5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rbconqed.pjf.ps1
(written by powershell.exe itself at startup to probe AppLocker/WDAC script enforcement; a PowerShell host artifact, not a file dropped by the sample)

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3556-1-0x000001A86AC70000-0x000001A86AC92000-memory.dmp

memory/3556-11-0x00007FFD1AAC0000-0x00007FFD1B581000-memory.dmp

memory/3556-12-0x00007FFD1AAC0000-0x00007FFD1B581000-memory.dmp

memory/3556-13-0x00007FFD1AAC0000-0x00007FFD1B581000-memory.dmp

memory/3556-14-0x00007FFD1AAC0000-0x00007FFD1B581000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\awnpczmu\awnpczmu.cmdline

MD5 1a6fb1f990242d9f4de9fe91022b251c
SHA1 09761a225891a18ef70a89ee2f01f37cc567e682
SHA256 efd204b3a9047f7b841bbd2e2509069fd65f37df82ca5b109c3e1f0c3c80f009
SHA512 cf0b780b23ff890aa31c3e3e20ca2e4b524cf6816fcda1ea730439f0d785fbb5359bb97f38dac5f1a5f102ec5746152963fc26df17f8b1a8a11e65dc585e6f09

\??\c:\Users\Admin\AppData\Local\Temp\awnpczmu\awnpczmu.0.cs

MD5 d5c00611ebcab33ffe4fc0f571f14b46
SHA1 cea0b42714d5e88cc7441b1cca1c6c4dc3626e83
SHA256 b04adeb7a2519d2ede2849c84bb6516e4471154caa1eaace60cf57f58cbab47e
SHA512 77782080e1ee91ffed3088a52ab236dfd06d9a9269f9df9a1575594862bbea5e9dab3f797b4ed862bb52026f253574a6483da82281f5e1fd9c25b84773b54926

memory/3556-27-0x000001A86AC60000-0x000001A86AC68000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\awnpczmu\awnpczmu.dll

MD5 27aeb815cdded7c366f9164af6caeaf7
SHA1 0032df40f6f41c61689c696a4c9f7496ee64cd5c
SHA256 f7694b9231e9c6de56d1a80bb00ae937be5c7d8df2dad5d342b627c6475abf03
SHA512 6d119db48a9fddc16dbf25743b1041ada34dc2abb3e01de6650db3d31b3b5579a7d229189a1268e9e7b6fa191ea063d3dcc75a58ff28d6c0d5c2cc39de9da71c

\??\c:\Users\Admin\AppData\Local\Temp\wwyng2aw\wwyng2aw.cmdline

MD5 d86c500378518f648241b031a2c30737
SHA1 6d07d48190b87f108f9805f38c2b4f2242492276
SHA256 c9f167c8d99a6c695167b1b43824ab6b90f3e1d26dc4c37a2f81fb82db04cbb7
SHA512 8dbeddd09e4129fc2a17d04bdb978fd59725e5d7f007bf246cc431cae90ea48c3c8626b2e8fbede1e95e8828f697707f6e9d24c758e4e00ea02928129edec6cd

C:\Users\Admin\AppData\Local\Temp\RES6F25.tmp

MD5 a6ce0e0ff3f855edaa0a18987c3e44c0
SHA1 871d15c70c3b3d6edcc3e12b1b105bd194bdbbfc
SHA256 a286d2775958be4567f6662e04c7ab5659a3be6561d0ca3fcc5e2d1d2d97f936
SHA512 ac1e934d06e8ffd392444d9ba3280f2e5b0c277dc26e086c4a87831bc786f8d38909e242de837d156791d6aa7db1a9daf7e35fc182a07ee35ba66c604da45f1c

\??\c:\Users\Admin\AppData\Local\Temp\awnpczmu\CSCB01A3A4B2E2740BFAD641B4F2A7F8CFD.TMP

MD5 590ece9ab8e641cd5a73388ca5f4f558
SHA1 42d74138bed9de079d605cf9a5e8bddd16039846
SHA256 b44726e196791fb12ad6847c3e1c29c76d5e954bf22c86c0b88415579e988b4c
SHA512 a1b34199edd5cfe486f95aa52152ad1e3e383ae1f0243f875b602b8349f3ceabad3e4b376ecd85427c8f67359a047fa9a316cbcc6ae79b21f1037f7888feae77

\??\c:\Users\Admin\AppData\Local\Temp\wwyng2aw\wwyng2aw.0.cs

MD5 c6165496f076b4dc9c829317274a7e09
SHA1 0b2e56f84dc5d57a189d8079eeb761b8b91c96c0
SHA256 661a347736b792bfe0810528af624db0968e0ba6f31d2daa2a6645fbe6749ce4
SHA512 57499e49c60aa17e9eb0bbd0828973881c1b405ef7459c2618785e1fc28495544f9e9e7dcbbf75982f30e2a8af1f8e66b14ec85d87a88ae8fec6f0024553f9f9

\??\c:\Users\Admin\AppData\Local\Temp\wwyng2aw\CSCA2C1A4CFACD64042BC75E1157598562E.TMP

MD5 2b322e16352728d73b6aab410a4849a3
SHA1 e485fe7372998a8a22caf30030201fe3b9a9ad01
SHA256 09a66912deca78a63539f3f3c3b701ba34662bfb77d926b3e068ccbd626b10cf
SHA512 d76829a27339bf4021520d4f7d3d14761ffb3e41c64ed593b26edcc60790ffc73645a56db5c6905cebe5e4962181cd04a81c2993ab9ce4dfff1658f21d66bfef

C:\Users\Admin\AppData\Local\Temp\RES6F73.tmp

MD5 09727b17d92abc320c1800225a96726a
SHA1 7c5c21e61ded34173dc4255932cfee48f7ae5b78
SHA256 afaa02c2277ead3b33041a94de525f259a444fe16e4c7946894eb984f9516611
SHA512 41f7f89aff2c62cf7444eed2b2e81016207401267a61c47bc07855e450e95e9d6afec44f20e7fdd6c23e9e92b0209c0b688985b36ed58575360f572aca3b73d4

memory/3556-41-0x000001A86BA70000-0x000001A86BA78000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wwyng2aw\wwyng2aw.dll

MD5 82a5a394f178ab9094128134394e806b
SHA1 64492a4a8974040c60ede81ba0fd317babe91c4f
SHA256 d0ccc9f634163aca9aff0773df0a7f7e8be32a87d605e7d73ce3cd3f75d2d0f3
SHA512 8583925c418122f9ff4fa6ed56ebc4cddf1a15762779e90df503ab15db150bdafac0922f19aeab81b2e224b6336aef49808f69247c681e3610f05db998ac1d07

memory/3556-43-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

memory/3556-44-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

memory/3556-48-0x00007FFD1AAC0000-0x00007FFD1B581000-memory.dmp

memory/3556-49-0x00007FFD1AAC3000-0x00007FFD1AAC5000-memory.dmp

memory/3556-51-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

memory/3556-50-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

memory/3556-53-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

memory/3556-55-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

memory/3556-56-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

memory/3556-79-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

memory/3556-78-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

memory/3556-77-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

memory/3556-76-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

memory/3556-75-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

memory/3556-74-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

memory/3556-73-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

memory/3556-72-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

C:\Program Files\7-Zip\719095-Readme.txt

MD5 55694d38b5bb27dc4e06c1de9c8a8c8d
SHA1 b97c0d82f5de4dc3d6f5b44fa60dd3653889f058
SHA256 effa111e82e6c42be23e83559ddbe01c319482ec7f21066b8747e358898d283c
SHA512 8b3ab074288d21329ad5e64678a2ec9d216cc30f2b9ae698bd4b4d77f6d62f6a5a447f96be7a86a4b7377784bfa94e756672035b47ee33e55abef340cab29602

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

MD5 9d872a2aec68de5bf13c1ab232bb0316
SHA1 c756c1b63bc283abc8c2ceee8fffc28e3384cb30
SHA256 f8b5a3cf2309f1ff5fd7542d883a2f1e7193bef8e403b56dbf95992c80bb2f2b
SHA512 4962e38db369dc6ebe5efead402a929c4f923dbdcac53cb3f7c9da988aa904a3a51e573c612cfd161d84a12fec6de831db135f3d877fc4ad9838d9ebb4aa22d9

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-13 18:20

Reported

2024-09-13 18:23

Platform

win7-20240903-en

Max time kernel

150s

Max time network

128s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\dea68bfdc6efd19c1dc933d61f115a33_JaffaCakes118.ps1

Signatures

Netwalker Ransomware

ransomware netwalker

Renames multiple (7437) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Tabs.accdt C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Kuching C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04323_.WMF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ja.properties C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285796.WMF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\MST7MDT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0324704.WMF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.properties C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALSO98.POC C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00916_.WMF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\FindConvert.wpl C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\11B918-Readme.txt C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\11B918-Readme.txt C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\Hierarchy.xsl C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105336.WMF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0281904.WMF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01216_.WMF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImagesMask16x16.bmp C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_COL.HXC C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\11B918-Readme.txt C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.core_2.3.5.v201308161310.jar C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\11B918-Readme.txt C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Indiana\Marengo C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Santo_Domingo C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387337.JPG C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0172067.WMF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02053J.JPG C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Sts2.css C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Status Report.fdt C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB01741L.GIF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL102.XML C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\11B918-Readme.txt C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Pago_Pago C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow.css C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\tab_off.gif C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\LoanAmortization.xltx C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplateRTL.html C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\ONENOTE.HXS C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9YDT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui_5.5.0.165303.jar C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01629_.WMF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\PopRead.vssx C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Sitka C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guatemala C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107490.WMF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\SendUse.pdf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\APA.XSL C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_zh_CN.jar C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-core.jar C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-core_visualvm.jar C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00155_.WMF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099157.JPG C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01563_.WMF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPT.CFG C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 2392 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2392 wrote to memory of 2864 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2068 wrote to memory of 472 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 472 wrote to memory of 2800 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\dea68bfdc6efd19c1dc933d61f115a33_JaffaCakes118.ps1

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\is71-ydo.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0E7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD0E6.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rvz3pc3u.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD28C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD28B.tmp"

Network

N/A

Files

\??\c:\Users\Admin\AppData\Local\Temp\is71-ydo.cmdline

MD5 77041577697f0cac82f8f621d52b0059
SHA1 d0af4b625dd254629169b8b72e10e34b264879c1
SHA256 f2cdb22b6d2253fb015e213045ebbd354c524a2269c5c65563ca245a58f2e5f4
SHA512 89a97d07597c6a55454518fbe9acc7cb8e60cd1f82ff356d83f522dc04522a9e3403cc796d26a754d7f3369fa70dc9f6f688c19e7ba3a5d0eafd2c8b53a1463e

\??\c:\Users\Admin\AppData\Local\Temp\is71-ydo.0.cs

MD5 d5c00611ebcab33ffe4fc0f571f14b46
SHA1 cea0b42714d5e88cc7441b1cca1c6c4dc3626e83
SHA256 b04adeb7a2519d2ede2849c84bb6516e4471154caa1eaace60cf57f58cbab47e
SHA512 77782080e1ee91ffed3088a52ab236dfd06d9a9269f9df9a1575594862bbea5e9dab3f797b4ed862bb52026f253574a6483da82281f5e1fd9c25b84773b54926

\??\c:\Users\Admin\AppData\Local\Temp\CSCD0E6.tmp

MD5 9b10a67cb5872c2dc7b3d447d8bf4f19
SHA1 a5fbedb799583bb28bf630f2f580e4f9343cf6c5
SHA256 edb820c4ad64e5f1018e84454a122823aedbfc97f26087c5a50cb31f21158367
SHA512 82e621ea6d88b66fd50241eebdf708861bcc6912605331671d9db284579b1acc73fc37d7f2d84422a6696a7e4ac851240c129a9a2f72667494402eb099f1507a

C:\Users\Admin\AppData\Local\Temp\RESD0E7.tmp

MD5 3735966aa90c3c081e61539f3369cf5e
SHA1 86030df8450a82bae735f209ab6869971665619b
SHA256 cba424acaa253e0e247ee23d940c97c02d71283e33dc2207414be9843cb33a46
SHA512 334398e691bbba9d342750936dffcbe94a3a7bbc38f23c6c05d62fc555b5f17c89a9f96bedb170a82a3a15d35499784c38fb7c9fa09ad8d76b8df8ff6a9441b9

\??\c:\Users\Admin\AppData\Local\Temp\rvz3pc3u.cmdline

MD5 dae7a3e5ec960b8da0ba632818276fca
SHA1 9278a6396bf2df6d163492717c1ce1a891f164bf
SHA256 9e357127345cf89279e938537d6dd9e09916f92154b4a23fb0757683a4c97606
SHA512 388d7e22d2b726a4c121d470f51c73028ca1a3e044e6411ad90040d60aa2ca48c795f7063e45c80dadd4a136875161508878c8a83e9bf02aa4c3466ceae1123f

C:\Users\Admin\AppData\Local\Temp\is71-ydo.pdb

MD5 3066df66e1d2c149ceccfbca4917e193
SHA1 1cbeeb464b9a31b4e3a382f8cb8b7d65a15015e3
SHA256 905315a7ac77e9b424cad1ebc19940e7ad89bf5c9dab24ec3a7424398d55324b
SHA512 3bb86d8786c848e0468ae167018d118d526eecf7b16cc2e0b7e5a446cd343d765700bd4bcfd6fe8139c193bf30613e2a916fbf6d5fa63bdaa5e7a49c9eaedfca

C:\Users\Admin\AppData\Local\Temp\is71-ydo.dll

MD5 8cbee83ce6e11ed4f37c52b07f1291c3
SHA1 466c3f3d54859b607f4f9b0445b9b8535ed94775
SHA256 c6c2c17055bfa9b63b67348c5920e34b47f80a0c608712f26516f3e6eec7ee48
SHA512 26c406ec484c6d53c826ba991e7db6fd7388143baf47a8f784a17a44c9b9b10a84ba0921a41b212042a6cca0056f23007f2100a51401ffc99e05113ecb6b9cbb

\??\c:\Users\Admin\AppData\Local\Temp\rvz3pc3u.0.cs

MD5 c6165496f076b4dc9c829317274a7e09
SHA1 0b2e56f84dc5d57a189d8079eeb761b8b91c96c0
SHA256 661a347736b792bfe0810528af624db0968e0ba6f31d2daa2a6645fbe6749ce4
SHA512 57499e49c60aa17e9eb0bbd0828973881c1b405ef7459c2618785e1fc28495544f9e9e7dcbbf75982f30e2a8af1f8e66b14ec85d87a88ae8fec6f0024553f9f9

C:\Users\Admin\AppData\Local\Temp\rvz3pc3u.pdb

MD5 e5d78acd71bddd7d28da8bccbd107f4b
SHA1 e1071cf619d41923f8f8848225a42ea885baa85a
SHA256 5bcd851d8e0669bbe4976c45c19029801046b8bc3e7324c439c381390cfed349
SHA512 4af198dd7ca162b0952282d594a98ac701743827d6003d3f34e692358e56d4db8284003ada459152d89792571b085e060c21a8c819cc77db3159380baee9f48f

C:\Users\Admin\AppData\Local\Temp\rvz3pc3u.dll

MD5 916da7f11c250fe5b390aac4cc3a330a
SHA1 4171cac2a9d1421f8caa787700f7fb55d05c237c
SHA256 ff325b7cb905eed1d51f42300c3a66e820a68be8872025145f43b2956c8589b5
SHA512 73b8af2008e5aa0d5c9828724fa0904684e9e3035bdfd7dfb54fdd9d65f791b5a4a6bf92de89cbd72f9b63d34c4d108be271b38e90dc310022ddb2c274fc2c26

C:\Users\Admin\AppData\Local\Temp\RESD28C.tmp

MD5 f0ddd16b7cf65597bf8f287d33acf4c9
SHA1 e9fc3d7285250315b85d7829ffb82be5ea7edea8
SHA256 da88835f6ed2c1b49f215047a1a32287c795964551d5a63877800f01a6c33fd5
SHA512 13d5b0c154764f11994af7da7ee2d98a9d6d7ee486e74504e1b3dd4c1566d3d22591482185bd2a957796c578482bd5826a65d4cd55b163373d464f9308d1674d

\??\c:\Users\Admin\AppData\Local\Temp\CSCD28B.tmp

MD5 abee0f4341fcc34b84901625a0f9726c
SHA1 50845c15fa0e2c9ba139ab02ceb47b258c59a604
SHA256 6b66db0f430c629fa88cb42e36d716b486608b8484b8d7aa5adf6abb16a8ca64
SHA512 62e4ccc173f9471d2d70a7bb1a147e4c97de400d313392e3a025e8540ff4583f410214bc99c9b6dddc8e34ea113e2943c3d3f3b99218d4c4c873e96945169f5f

C:\Users\Admin\Favorites\Links for United States\11B918-Readme.txt

MD5 28e0261e9470a73a9b151bca73a25f91
SHA1 04c6230f3405ad4c72369ab7467a94699d2930c4
SHA256 422fa7bef11fc3ca92e5f8404fd7c9bbf6cf45594b26a43ed6c3f7e891aa85f3
SHA512 89a5ac10a9158fdf0327d8b1cc6f5f0a561758154046bc9a18e9d2e53f68b59882e5f9c63e9d6c605e5ee59af30f90396fbe26493e6e6307a1fce66759d8adef