Malware Analysis Report

2024-10-16 03:03

Sample ID 240921-gd2l9sxepn
Target ef2a52b9b2457045fefc4d5374b73261_JaffaCakes118
SHA256 d0bcef569548210cf0d2f1ade88c6f92d48fb4b1ce7d3bfb21987ca796c6465d
Tags
netwalker execution ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d0bcef569548210cf0d2f1ade88c6f92d48fb4b1ce7d3bfb21987ca796c6465d

Threat Level: Known bad

The file ef2a52b9b2457045fefc4d5374b73261_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

netwalker execution ransomware

Netwalker Ransomware

Renames multiple (6786) files with added filename extension

Renames multiple (7383) files with added filename extension

Drops file in Program Files directory

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-21 05:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-21 05:42

Reported

2024-09-21 05:44

Platform

win7-20240903-en

Max time kernel

145s

Max time network

142s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ef2a52b9b2457045fefc4d5374b73261_JaffaCakes118.ps1

Signatures

Netwalker Ransomware

ransomware netwalker

Renames multiple (7383) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_zh_CN.jar C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\RADAR.WAV C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.JPG C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\art\02_frenchtv.luac C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03014_.GIF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\excel.exe.manifest C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\bbc_co_uk.luac C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Detroit C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\release C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01243_.GIF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\ResourceInternal.zip C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_zh_CN.jar C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01545_.WMF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\accessibility.properties C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterRegular.ttf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\2179CB-Readme.txt C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01066_.WMF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\PST8PDT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00524_.WMF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101857.BMP C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387895.JPG C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00057_.WMF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0296288.WMF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_ja.jar C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.ja_5.5.0.165303.jar C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpclient_4.2.6.v201311072007.jar C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Los_Angeles C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14579_.GIF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Vancouver C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02091_.WMF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\2179CB-Readme.txt C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\config.ini C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendtoOneNoteFilter.gpd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Monterrey C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR5F.GIF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0295069.WMF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14845_.GIF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\2179CB-Readme.txt C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02423_.WMF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCAL.DPV C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152628.WMF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Majuro C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ext_5.5.0.165303.jar C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00438_.WMF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21343_.GIF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\St_Johns C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02756U.BMP C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02094_.WMF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\HST C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Bucharest C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di_1.0.0.v20140328-2112.jar C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115842.GIF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107452.WMF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187851.WMF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227419.JPG C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Sao_Paulo C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10308_.GIF C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
(this row is repeated 64 times in the report, one per process-enumeration event, all attributed to the same powershell.exe process)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 2724 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2068 wrote to memory of 2724 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2068 wrote to memory of 2724 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2724 wrote to memory of 2808 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2724 wrote to memory of 2808 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2724 wrote to memory of 2808 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2068 wrote to memory of 2812 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2068 wrote to memory of 2812 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2068 wrote to memory of 2812 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2812 wrote to memory of 2972 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2812 wrote to memory of 2972 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2812 wrote to memory of 2972 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2068 wrote to memory of 10232 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\notepad.exe
PID 2068 wrote to memory of 10232 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\notepad.exe
PID 2068 wrote to memory of 10232 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\notepad.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ef2a52b9b2457045fefc4d5374b73261_JaffaCakes118.ps1

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vz2iu_tp.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B95.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9B94.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9_zdx8iv.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E24.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9E23.tmp"

C:\Windows\system32\notepad.exe

C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\2179CB-Readme.txt"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
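The process list above shows the footprint of a PowerShell script that compiles C# at run time: csc.exe invoked with /noconfig /fullpaths @"...cmdline" (the exact invocation the CodeDOM provider behind Add-Type emits, with the matching .0.cs, .dll and .pdb in Temp), each csc.exe spawning cvtres.exe, and finally notepad.exe opening 2179CB-Readme.txt while encrypted files carry the matching .2179cb extension. The script below is an added triage example, not part of the sandbox report: it turns those indicators into checks over constructed event records. The process entries are copied from the Processes section, the parent PIDs are inferred from the "PID X wrote to memory of Y" rows (an assumption, since the report does not export a parent column), the file sample is a handful of paths from the Files section, and the 4-8 hex-character length used to recognise the appended extension is an assumption chosen to fit this detonation.

```python
"""Triage of the behavioral1 artifacts: Add-Type compile chain,
execution-policy bypass, and Netwalker extension/ransom-note correlation."""
import re
from collections import Counter

# Constructed from the Processes section; parent pids inferred from the
# WriteProcessMemory rows (assumption, not a field the report exports).
PROCS = [
    {"pid": 2068, "ppid": None,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ef2a52b9b2457045fefc4d5374b73261_JaffaCakes118.ps1"},
    {"pid": 2724, "ppid": 2068,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe",
     "cmd": r'"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vz2iu_tp.cmdline"'},
    {"pid": 2808, "ppid": 2724,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe",
     "cmd": r'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B95.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9B94.tmp"'},
    {"pid": 2812, "ppid": 2068,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe",
     "cmd": r'"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9_zdx8iv.cmdline"'},
    {"pid": 2972, "ppid": 2812,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe",
     "cmd": r'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E24.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9E23.tmp"'},
    {"pid": 10232, "ppid": 2068,
     "image": r"C:\Windows\system32\notepad.exe",
     "cmd": r'C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\2179CB-Readme.txt"'},
]

# A few paths constructed from the Files section (encrypted files, ransom
# notes and the Add-Type build products that must not be counted).
FILES = [
    r"C:\Users\Admin\Desktop\2179CB-Readme.txt",
    r"C:\Program Files\Java\jdk1.7.0_80\bin\2179CB-Readme.txt",
    r"C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 01.wma.2179cb",
    r"C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 03.wma.2179cb",
    r"C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\SGRES.DLL.trx_dll.2179cb",
    r"C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MTOC_help.H1H.2179cb",
    r"C:\Users\Admin\AppData\Local\Temp\vz2iu_tp.dll",
    r"C:\Users\Admin\AppData\Local\Temp\RES9B95.tmp",
]

HEX_ID = r"[0-9a-f]{4,8}"              # assumed length of the appended id
NOTE_RE = re.compile(rf"^({HEX_ID})-Readme\.txt$", re.I)
# csc.exe as driven by the CodeDOM provider behind Add-Type
ADD_TYPE_RE = re.compile(r'csc\.exe"?\s+/noconfig\s+/fullpaths\s+@"[^"]*\.cmdline"', re.I)


def basename(path):
    """Last path component, tolerating a quoted argument at the end."""
    return path.rstrip('"').rsplit("\\", 1)[-1].strip('"')


def image_name(proc):
    return basename(proc["image"]).lower()


def children(procs, pid):
    return [p for p in procs if p["ppid"] == pid]


def bypasses_execution_policy(cmd):
    """-ExecutionPolicy (or its -ex*/-ep prefixes) set to bypass/unrestricted."""
    return re.search(r"-(?:ex[a-z]*|ep)\s+(?:bypass|unrestricted)", cmd, re.I) is not None


def find_add_type_compiles(procs):
    """powershell.exe -> csc.exe (/noconfig /fullpaths @*.cmdline) -> cvtres.exe.
    One (powershell pid, csc pid) tuple per run-time compile."""
    hits = []
    for ps in procs:
        if image_name(ps) != "powershell.exe":
            continue
        for csc in children(procs, ps["pid"]):
            if image_name(csc) != "csc.exe" or not ADD_TYPE_RE.search(csc["cmd"]):
                continue
            if any(image_name(c) == "cvtres.exe" for c in children(procs, csc["pid"])):
                hits.append((ps["pid"], csc["pid"]))
    return hits


def netwalker_artifacts(paths):
    """Correlate the appended extension with the '<ID>-Readme.txt' note name.
    Returns (id, encrypted-file count, note count), or None when no id is
    shared by both, which guards against counting unrelated hex suffixes."""
    notes, exts = Counter(), Counter()
    for path in paths:
        name = basename(path)
        m = NOTE_RE.match(name)
        if m:
            notes[m.group(1).lower()] += 1
            continue
        stem, _, ext = name.rpartition(".")
        if stem and re.fullmatch(HEX_ID, ext.lower()):
            exts[ext.lower()] += 1
    shared = notes.keys() & exts.keys()
    if not shared:
        return None
    vid = max(shared, key=exts.__getitem__)
    return vid, exts[vid], notes[vid]


def triage(procs=PROCS, files=FILES):
    """Collect the indicators into one dict a detection rule could key on."""
    ps_cmds = [p["cmd"] for p in procs if image_name(p) == "powershell.exe"]
    nw = netwalker_artifacts(files)
    return {
        "execution_policy_bypass": any(bypasses_execution_policy(c) for c in ps_cmds),
        "add_type_compiles": find_add_type_compiles(procs),
        "note_displayed": any(image_name(p) == "notepad.exe"
                              and NOTE_RE.match(basename(p["cmd"])) is not None
                              for p in procs),
        "victim_id": nw[0] if nw else None,
        "encrypted_files": nw[1] if nw else 0,
        "ransom_notes": nw[2] if nw else 0,
    }


if __name__ == "__main__":
    print(triage())
```

The compile-chain check keys on the parent relationship plus the /noconfig /fullpaths @*.cmdline argument shape rather than on the random file names, so it fires on any Add-Type style loader; the extension check deliberately requires the same id to appear both as an appended extension and in a ransom-note name before reporting a victim id.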

Network

N/A

Files

memory/2068-4-0x000007FEF625E000-0x000007FEF625F000-memory.dmp

memory/2068-5-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

memory/2068-6-0x000000001B330000-0x000000001B612000-memory.dmp

memory/2068-8-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

memory/2068-7-0x0000000001F30000-0x0000000001F38000-memory.dmp

memory/2068-9-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

memory/2068-10-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

memory/2068-11-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\vz2iu_tp.cmdline

MD5 230590279586339a07521c73b3fa545c
SHA1 5f672c56206589c86757e31549a710d98c5f086d
SHA256 7a112365bd8e95d1c30620455a8abf3566941b6ec2d5a220c83fee4b49454e8f
SHA512 d5cb50445631424ab9e173cbaaafd9520e79812d924463055cd61971c0722d3fec9368bf50e7fa7a7872c50b9a2731fc0f2238be5f1fa7eb0c19c55e6be5f2c8

\??\c:\Users\Admin\AppData\Local\Temp\vz2iu_tp.0.cs

MD5 02a0899f755d28aa8ca5b6dbf9d79db8
SHA1 5cbb31d741541eb9a6ffff3b5ea404fd462d4d12
SHA256 c789d50f8fd9714067788f5f35199ac13157da910695570b7662beca2750d00b
SHA512 2d1dfaac2440f630bb391e3b3fe4bfccd4c91dfb6d6382201b8a14c419d89ac97ef52ad0a40490ee50879dd08e14cfd7a760978bd4921e1ac849877d84b5bcdb

memory/2724-17-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RES9B95.tmp

MD5 635e97f300d3b0f1ec14fd57ad1e65a4
SHA1 7486b975180039dd3d8acaa09c677c09d04a0d4e
SHA256 66595be358d2e30bfe8cb724bbf48e433209bf47bb523b2ce1cb59de6a43f5ba
SHA512 1f566d39577877a0f8249f789685b4b652e39c8475c3dfd90871e61b711945e961b0325b8b89be4d94d4e52e44e832736ca3f23da769b0f009dc8e99780a3e4f

\??\c:\Users\Admin\AppData\Local\Temp\CSC9B94.tmp

MD5 754b1dfc13c38cbec0eeffce8e1d3f5c
SHA1 16224f041b38906628679ec72d4742cef32c5f59
SHA256 be221aee260c6bda3f3312fd001ac3c3b6165dc289f46dec539da38aa755f684
SHA512 ca019f86a8e90c5978b82e6d74d88ab828ed35ce0c88d9fcdca510273ae51508bffa3afc7a6b405f1b3faf89607371ae152818f6ca0253c51309d624dd052ff8

memory/2068-27-0x0000000002610000-0x0000000002618000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vz2iu_tp.dll

MD5 3074c9a63dea10d3c6ac425e876559a5
SHA1 c4902b516f3786ec81ef713d6ebb90fff63b8987
SHA256 b592d6a32919236afe93191baecd7c1277b6ec0b90d063179db8967ea58303d6
SHA512 4c37ccae5546a4b5667e7857ded0a41ce85d81237fe2510d061e288af957bb6688dbe5a11d8406c0d5d984e5df201d60939aa9a43407bb6e3ed4e894cb09eb17

C:\Users\Admin\AppData\Local\Temp\vz2iu_tp.pdb

MD5 2bd31b9e19b6a7aa40d5a05fb308455c
SHA1 a66cf55ba6b9cfa96fe1a2d1b2ce7e67c2e09cf8
SHA256 39f6bc049b4e8c0260bdf8c27dfcc9988812e4e4edac1181404a56b637fa1351
SHA512 c408fd389c88f02ee4b4dcd9d7e3a9125c751a4bc67918da52f558e6e4ec0ef39a5cf8ec677ee62e2ff9f1c1391ad87572fac25abcdc1f5cdeb4feda1a2e5c4f

memory/2724-25-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\9_zdx8iv.cmdline

MD5 30b913b8bd3a711a79aaab734652bd12
SHA1 491641593b63879b7c327bf4cfde6e79b826adb5
SHA256 10c78f9e33cb128b310119bd48beb8f2c03a27919c6770e3ef4d06138c23ae93
SHA512 ca26c799e93aa2dd75fd32a6f5c529dc95e041b1b9dde8a504d6852f4295ff9cabafb9a37bb8de25c93576251fa927ec46c55bbae10baae4501f43fe53f9238f

\??\c:\Users\Admin\AppData\Local\Temp\9_zdx8iv.0.cs

MD5 c893ff54420a206c4206af5107a02bbb
SHA1 8a90c410a55d545e71425c061973d566a52e1465
SHA256 efd3d07c27b013c8b5924d1ec0e58ed4315c38f8261169931f464de78ccf9b21
SHA512 8f9c695560994c9db400661ef183328559379c6d722527f9d01ae181dbc6a01984ac007d485cf029ed1be1990a36966d8c6b840623e851fd3a0a32ba7c447c27

\??\c:\Users\Admin\AppData\Local\Temp\CSC9E23.tmp

MD5 bf4eeaf35a2a8efd0175c85a2c748912
SHA1 ed22dd811a8f55a1f4d69a2f9f9b7dba04d0a9b9
SHA256 24ae40762d39ac4f748c75cd4f20943e2482cf9af4d3dafda43fba849a5d4b39
SHA512 5ddf8b30a159a0e3698652212911a0e09b3cd84054d3f0d9aa5e57db4f7769e857eaa299d75fefe1b71d269424d6edf7fb0a510ae108f83c03f95132a567faea

C:\Users\Admin\AppData\Local\Temp\9_zdx8iv.pdb

MD5 c040e0a648108dff6366839d5ae545ae
SHA1 9f3cabf580e56fc32a66dd1d3d1abb2d9ed44aae
SHA256 f94b06826fea1f48f2560574972646bc7a08710593c0d3b2e6b60c8e2d73aaa0
SHA512 6758ea0007d18bfa7bd23707cf2252141b5c9c7f76c99dece34dad45023870bb0872385e370a2a3eb0a7ad42cc2ceefdc50e7ac5ebecc24cc7e86636dd56aa4a

memory/2068-43-0x0000000002620000-0x0000000002628000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9_zdx8iv.dll

MD5 96d92f424efd64316b501b51b267f80c
SHA1 788a17bc98f5047d4e575c6865803ad7db4bdc35
SHA256 c68f5728da15747bf97a65cbfed3a84e9baf8f29f658d30ff007309f8aa83e05
SHA512 252060d5b4c78a7c7728284fbe83f2b4f741d8b897996c7c04f9ccf3c4039e1ed1b0cef243acae2134af41f40e0178b41be46acbfa847be43fee0d446654e2e5

C:\Users\Admin\AppData\Local\Temp\RES9E24.tmp

MD5 be50bdaac88014c3f8e565fe70e79bf9
SHA1 c2ccd3ce73172739dcc81545762333ec91486ee9
SHA256 c0a3473f125b0b02e96872d68a836e7927aeeb1afc5728acda27303b2fe8175b
SHA512 46a9acf32481b3bf13e364bb6acaaef958a01c7a311de93bd39537e0edb4423c4e4e9707ff5d27e92ef8994201c8cb52251eeef483d0f05e869f85b758b44eb0

memory/2068-47-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-48-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-46-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-53-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-52-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-51-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-50-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-49-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-54-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-58-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

memory/2068-59-0x000007FEF625E000-0x000007FEF625F000-memory.dmp

memory/2068-60-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

memory/2068-63-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-62-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-64-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-68-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-69-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-73-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-66-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-65-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-83-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-87-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-92-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-67-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-95-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-96-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-98-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-102-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-100-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-77-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-76-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-75-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-74-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-72-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-101-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-71-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-70-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-99-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-82-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-81-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-80-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-79-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-78-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-85-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-86-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-89-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-90-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-88-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-91-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-94-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-93-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-97-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-103-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-111-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-113-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-112-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-110-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-109-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-108-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-107-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-106-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-105-0x0000000002930000-0x0000000002952000-memory.dmp

memory/2068-104-0x0000000002930000-0x0000000002952000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\bin\2179CB-Readme.txt

MD5 0b386d64c6d733d4a5a1aa9faa76e11f
SHA1 4a8112197ef1bab84f4eab5cc117e400ee0ab9cb
SHA256 c5773b03764d463de67b6933a71d9c7176dc4738e42999994c90b1817abfac7a
SHA512 422625d9acf873e2f48d5b47acbfefcfb691c04bb6508fed5fe6a37e4783c796368f800b121f88d9d61f8c070e6890498d75e6a924e04c6230a5e73ed79c32e5

C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 01.wma.2179cb

MD5 1414aa643ded2e272b28a5979e35b99a
SHA1 2d38866724770f80e976ac9e3a3589b103757096
SHA256 ae4b4dd6371bf81d2526b3192fb1ca6079cb3028714989deeb49ecd0f09bfd51
SHA512 a26d779ab9d6cd0cd1a0a2ddf583cb7271913726acff1285d3bd7cb68135733da525ac06f36b15f1bcf67e8d3eb5dd3c6a3acd25249f7c3e676c2bbf4e7ade7e

C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\SGRES.DLL.trx_dll.2179cb

MD5 8ebfff7bf07b4673847d6f6a0f0d3494
SHA1 3b9871100980d942c1f261af6faa0115f2d3b99e
SHA256 44c6b1c7498b98fc09a95cbde0e24aae56930b1bbe3ca4ab5b9b969d69c36f89
SHA512 4a4d8940e4dcc6ec9e15ec90e5d2f39c0e191396d3c464a5e31d5da17a5d4a59b68219ce6904c6fa5a3241bebccfab0c1e1c06f24c2753a98f6220b3ed2afd82

C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MTOC_help.H1H.2179cb

MD5 28e92916f97aa8ae490e5bb55be8662c
SHA1 723615e10e18f814730bc194cb5f750c5316cdf3
SHA256 7146b3017d1d217c04e22f5453f2188185783cd5900d6ff1a117c1dd20021786
SHA512 acc4042b0aa13967784ecc6ad11074b74b4eef548e895f5d3dbd948e3179b5b89604c9b55eb4d2e9a3b6bc1e13feef894a2938215e32e9b42b382defa55f3897

C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\XLINTL32.REST.trx_dll.2179cb

MD5 8cd9939bc522f87cdb9031435e820f15
SHA1 aa3f4d8b8a9ca9f1c15a4c174a1fb28405b18c98
SHA256 3c8983f4f230178f694892157bbf3a93357839df528cc58ce05ac0a6e28f9fc4
SHA512 169c6de8b7d75a9e0e1a2657729b6a139e730db2eee94e842a5e0f7d6b5ce4bcf89f07cb870f498b73387cf19082eb2f05f5cae3e42fbd00acd178458e724923

C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\VISINTL.DLL.trx_dll.2179cb

MD5 2eb3b0c3ee20bcea2daf06d213626b06
SHA1 034da82dbc9911e45643a1fb6d5234df54d4bb33
SHA256 46729aaff5f9756cbd5753d6803e218d7794b01b69a0a699dcffc6be675bb35c
SHA512 c65f180c8cd65203b32e7b57cba31aa7e350ffa7e01dd9ba2316a5dca0508b4e4f31beef86ad28a9712ce78e0176888975fd82310fcbe7e57a066c1bd79841b2

C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\XLSLICER.DLL.trx_dll.2179cb

MD5 55498eb5e9438446b237fcfbb8b349ae
SHA1 6619601b84e681aef1038d28c47a18da049645d6
SHA256 efa6b35d0a56cfb5024e07196c87c6545d47fa3900518ea5258878c69e177954
SHA512 a26a98ce68732111d6574ac4b651cb33d02fd96954f511cde9b991bed066ee91b5655cc3053a6d70fe947dd3dcf916f0b962502ebb2afb8c29bb45f16f50922a

C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\PUBWZINT.REST.trx_dll.2179cb

MD5 48a16ea7c5b81241f3cf02b79651e90e
SHA1 e4294a7821d47e92ee27c2fb9308942b8edc02ad
SHA256 ab0e802e06d4ab77676991bfa3b51d7ca0ee3698a78628085b9e38211904b442
SHA512 014f2ab0ede6ff51bd4379b65aa55b85fba73333d5c058419f1a6b61d34937742a3294f79aed218e675339676fed87ba03017c338295b69606b6ef2c6f6f1450

C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\STINTL.DLL.trx_dll.2179cb

MD5 dd625716b37cf0eefc25f2aa978292ac
SHA1 4e6de75249a172686640d148cbe2f96b1ef27203
SHA256 78c9e1cc995ea6c3b2e8afe017805f1145804601ee8d7c7df754cba9c6611259
SHA512 ef3cc198096ff061692bba00de7377a4a5da4b570738804dfa51e5e4b1dbdd7273b5bfd27fb4bce6211375dcb66282c25debe10ff82bb0a297b55bc159b40669

C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 03.wma.2179cb

MD5 73dfc2451aa47f4a149961ecc70fa62b
SHA1 1b60d71626b867807da4dc30d9bd13c81e4ab452
SHA256 6479057bbd38222c6763ff9984b2310daf8dfd7694aefda460613a8fb12cfe0b
SHA512 e363519b821095f98ad59a78e2b57a5cf1f26364f4bd602a575cb73752256017e80db6db98e1679537e475484ec7bf393449c0a2a0ec350e77c893035ffee4bb

C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\WWINTL.REST.trx_dll.2179cb

MD5 a877cb3d7574de064ebae65e401a2f60
SHA1 b6231f2f2c4f494294c2bade03ee343293deaabe
SHA256 885d71f78f988fd76786ffb7411f2ceda86c1d2d1428f3b5f12311fece1e82c0
SHA512 6d086ad1a444f264e9a5ab940e667a55aa1d677005dfd72a03d5a63bd6e453b17242af1db554c99633ba48ddbaa95f888d9e843c666619329bb63526d899ccd2

C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MKWD_BestBet.H1W.2179cb

MD5 91023df680f0a36f3a0d53e53e3ec068
SHA1 8f54c783c4eaf5efcae331f6541e9a7c004c1c6c
SHA256 3b95dd07e0e5e69962c9d40d058819538a0b489dd9852c6291dede4804686325
SHA512 b96e1dbe140714a803877d8fd6288087f6f1eb598bb472ce83fabdb9a751c808db0a8b0c3ef63dd849d0e773cb44ae7f00826491d5cf86a592529da4039e1298

C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help{92F2118A-E813-4A4D-9DE2-F96A9DC02C53}.H1Q.2179cb

MD5 d9a6a19959a91541df1bc8bad89635de
SHA1 18286ce7df74a243354973f1e8da4f8a8e5565af
SHA256 e602f9eb44aef08d889554b0080fc31128f4cb4df4c6fb0a23401212d6ee9e8d
SHA512 936b64e300c5d95f927028fe1a221e81345e37fefe0c13fad6a3530690574e32e9237f7b1832e2565fc92fc12aa1d3a9389541d3b1182e8feb26add3c0b43969

memory/2068-25637-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-21 05:42

Reported

2024-09-21 05:44

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

149s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ef2a52b9b2457045fefc4d5374b73261_JaffaCakes118.ps1

Signatures

Netwalker Ransomware

ransomware netwalker

Renames multiple (6786) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hu-hu\ui-strings.js C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleSmallTile.scale-125.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-white_scale-125.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\LICENSE C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\77D69D-Readme.txt C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner-2x.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40_altform-unplated.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\es-419.pak C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN011.XML C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\77D69D-Readme.txt C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_contrast-white.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\ExploreButtonGradientLight.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSplash.scale-200_contrast-white.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-tw\ui-strings.js C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-down_32.svg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyView-Dark.scale-400.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mk.txt C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Microsoft.People.Relevance.winmd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\[email protected] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreWideTile.scale-200.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\Doughboy.scale-400.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\Other.DATA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.123.manifest C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_es.properties C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL095.XML C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-gb\ui-strings.js C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ul-oob.xrm-ms C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\WPFT532.CNV C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_tr_135x40.svg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-256.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\BLENDS.ELM C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\example_icons2x.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-72.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\WideTile.scale-125.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageLargeTile.scale-125.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pl-pl\ui-strings.js C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-48.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.scale-100.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\40.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-150.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-pl.xrm-ms C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ru-ru\77D69D-Readme.txt C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ru-ru\77D69D-Readme.txt C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\offlineUtilities.js C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\RICEPAPR.ELM C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\77D69D-Readme.txt C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-30_altform-unplated.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\assets\back-icon.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb_new.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorWideTile.contrast-black_scale-125.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-96_altform-unplated_contrast-white_devicefamily-colorfulunplated.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\77D69D-Readme.txt C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\cs-cz\AppStore_icon.svg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\AppStore_icon.svg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-96_altform-unplated_contrast-high.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WideTile.scale-125_contrast-black.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\PIXEL.ELM C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1068 wrote to memory of 2964 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1068 wrote to memory of 2964 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2964 wrote to memory of 1872 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2964 wrote to memory of 1872 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1068 wrote to memory of 1592 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1068 wrote to memory of 1592 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1592 wrote to memory of 1464 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1592 wrote to memory of 1464 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1068 wrote to memory of 5864 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\notepad.exe
PID 1068 wrote to memory of 5864 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\notepad.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ef2a52b9b2457045fefc4d5374b73261_JaffaCakes118.ps1

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oipcnkss\oipcnkss.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB853.tmp" "c:\Users\Admin\AppData\Local\Temp\oipcnkss\CSCD1F5FCFBA3CA4CC19D4D244A94848FA.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fqldaft4\fqldaft4.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8A1.tmp" "c:\Users\Admin\AppData\Local\Temp\fqldaft4\CSCC4A36703DC9D4E34B08877A729C9E766.TMP"

C:\Windows\system32\notepad.exe

C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\77D69D-Readme.txt"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/1068-0-0x00007FF8A7AD3000-0x00007FF8A7AD5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iunzei4m.kgf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1068-1-0x00000275D6C00000-0x00000275D6C22000-memory.dmp

memory/1068-7-0x00007FF8A7AD0000-0x00007FF8A8591000-memory.dmp

memory/1068-12-0x00007FF8A7AD0000-0x00007FF8A8591000-memory.dmp

memory/1068-13-0x00007FF8A7AD0000-0x00007FF8A8591000-memory.dmp

memory/1068-14-0x00007FF8A7AD0000-0x00007FF8A8591000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\oipcnkss\oipcnkss.cmdline

MD5 b5ee11702b7cafa4ed7d55f8a5824130
SHA1 e935e382f1f5386ac62094c701cde784e178c41d
SHA256 30a266577da4627d62732ebc256a90201a4e011ab6f46c69fb2809d80161af05
SHA512 3797c428a5534859edf7b76f72559fe6b18ef789a68c053ba422fc5f32c58fdde8e75799666b6129c3026db59383b075a8372aa7845ce86d0b32d6fc34d39bec

\??\c:\Users\Admin\AppData\Local\Temp\oipcnkss\oipcnkss.0.cs

MD5 02a0899f755d28aa8ca5b6dbf9d79db8
SHA1 5cbb31d741541eb9a6ffff3b5ea404fd462d4d12
SHA256 c789d50f8fd9714067788f5f35199ac13157da910695570b7662beca2750d00b
SHA512 2d1dfaac2440f630bb391e3b3fe4bfccd4c91dfb6d6382201b8a14c419d89ac97ef52ad0a40490ee50879dd08e14cfd7a760978bd4921e1ac849877d84b5bcdb

\??\c:\Users\Admin\AppData\Local\Temp\oipcnkss\CSCD1F5FCFBA3CA4CC19D4D244A94848FA.TMP

MD5 97d26e8bead4d5b7a18301416c09e01c
SHA1 650b38bc074f628d248b0d687fe3663a72532840
SHA256 ed3b1504b764001fd3a4c7b275f0fee2c3eaea958f1c424b402803b21ca1c4f7
SHA512 c38696aa2455c553414a468ff27819e45e1e25ac22727311dcd7e14a8e3d5b45fb355714e5976269b4f8a4f9d67997cfbd05272d588b1b55a6db7d3ecbd104bb

C:\Users\Admin\AppData\Local\Temp\RESB853.tmp

MD5 0ccbef311fa1c7f19db83d8ca36e7ae1
SHA1 54af95d5052472c54a98eeda23d53411e82daa66
SHA256 40e4f4d479fb98e4f0e8b099feeabcde71c5d6a2f7cb79f9b6e967728538fcd0
SHA512 e0a7de95cd974a45086d023d336cd4a0ba5afb9f194583ee80e41ce3700fb0fcab3a00451842a70f4fee683c48390a53ca820bfd35f9350d5c82fe9b6d7259e1

memory/1068-27-0x00000275D6C30000-0x00000275D6C38000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oipcnkss\oipcnkss.dll

MD5 e73069c4212c06d75cfac13bb12f377c
SHA1 6dde88f6923a6cf66cab6c2c28261a96a18521ca
SHA256 c905883b062800ba99053d0a181eb03b6344cfc5d9b5e1e4ea50faba5d6eeadb
SHA512 888a907df3176d86bdc97650105645890a636fad8aec2c2d8019a6de68a1d6d0101a326208a461adb0c0e6bd499793c3c8294959da4cbf95df0ed05a11ef18e1

\??\c:\Users\Admin\AppData\Local\Temp\fqldaft4\fqldaft4.cmdline

MD5 d5c69104c6d0fd577bd906769461bc16
SHA1 35a3ad85065def82005d049d47a8378fe7b6c0de
SHA256 e591b6239305db6ac87368f43f7267e7c7313d9d560d91ed1d79511f61a21919
SHA512 6b9b957fe6b95de00cff27bbf3134ada6c8af1841928d3b2c27c87ec87597cd97814475818758a70e6508fb31df738e3d3084cfa446ea825341bd3dc18899133

\??\c:\Users\Admin\AppData\Local\Temp\fqldaft4\fqldaft4.0.cs

MD5 c893ff54420a206c4206af5107a02bbb
SHA1 8a90c410a55d545e71425c061973d566a52e1465
SHA256 efd3d07c27b013c8b5924d1ec0e58ed4315c38f8261169931f464de78ccf9b21
SHA512 8f9c695560994c9db400661ef183328559379c6d722527f9d01ae181dbc6a01984ac007d485cf029ed1be1990a36966d8c6b840623e851fd3a0a32ba7c447c27

\??\c:\Users\Admin\AppData\Local\Temp\fqldaft4\CSCC4A36703DC9D4E34B08877A729C9E766.TMP

MD5 b0959788aabc9e9aeb4225e528a28655
SHA1 fd1659e4380d12f7d80fbee599c542f0f62d51d8
SHA256 95b845ffaf36479952785fe2a5b78010c1ed1800de86c7fcc386dbc8a716fd38
SHA512 80d594af4568587c2326ac8659308913e11e0803fcaf7b46f61d50cd618271fef16599b6e838951f929c470e96722951673cdb34f2205cf4dee1dc462e14796e

C:\Users\Admin\AppData\Local\Temp\RESB8A1.tmp

MD5 e45181dda9d08f9cdd5673c1d11524ce
SHA1 52aa62080f4c349bc9ac61b610effe6e44c87d4a
SHA256 016e7e774936d1d79bee06638ac923f2ccd2b0cac41732a208c7c531ea86baf7
SHA512 c873654daaea49017b9009e6aa90fe63719dd8c65896f0000c0d7561ec4bffa3f19dd7e627686ad36954dc7fca1cca2e216a702f9a63aaded108f8cc78182057

C:\Users\Admin\AppData\Local\Temp\fqldaft4\fqldaft4.dll

MD5 7acabe204b250c52bcc2cd148fc76213
SHA1 ddf5192d439cc3531e4243985a0a941f6610a3d9
SHA256 7bc838c3799f988d95f13ec8f6e3038e254d6d71096dbf06f98f269aa99a4dc8
SHA512 ca71fbf195c47ac06161bc53faf66a9e22e0b6660c5d8a23c56b55e043dd9a76ff30f5c77464c335d86ce1123e0962df5fa7cea0e5602c2bdedee8f99b057896

memory/1068-41-0x00000275D8EF0000-0x00000275D8EF8000-memory.dmp

memory/1068-43-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-44-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-48-0x00007FF8A7AD3000-0x00007FF8A7AD5000-memory.dmp

memory/1068-49-0x00007FF8A7AD0000-0x00007FF8A8591000-memory.dmp

memory/1068-51-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-50-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-52-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-55-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-79-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-82-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-108-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-107-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-106-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-105-0x00000275D9180000-0x00000275D91A2000-memory.dmp

C:\Program Files\Microsoft Office\77D69D-Readme.txt

MD5 a3d136b39ce28b89bafa2ea1f625508f
SHA1 e77d31bfe36a5d2500d1f2f2bf1ddb4272430721
SHA256 238908c1f706310564f84e65e6ddc779d67cc38cb70b178a2a4adb34e55fb751
SHA512 b25c377a591ea358d7f45ee9de10dc7b6eb37211719fe6c8d67379abc057e78a3cbf1b55517e58d4dce98c4673f599fd25d245daa5ba7dfbc8db9ee44160150e

memory/1068-104-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-103-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-102-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-101-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-100-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-99-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-98-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-97-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-96-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-95-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-94-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-93-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-92-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-91-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-90-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-89-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-88-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-87-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-86-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-85-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-84-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-81-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-80-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-78-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-77-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-76-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-75-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-74-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-73-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-72-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-71-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-70-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-69-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-68-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-67-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-65-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-64-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-63-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-62-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-61-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-60-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-59-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-58-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-57-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-56-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-66-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-54-0x00000275D9180000-0x00000275D91A2000-memory.dmp

memory/1068-53-0x00000275D9180000-0x00000275D91A2000-memory.dmp

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

MD5 67c2b4823d7f9e57907e22071a81803c
SHA1 9ce16289ceaeb0f6e4ad5a24518206da889b1df3
SHA256 c14f0363691b2786d5f1fcd0237608003175da404089c8c8f6f7adf813db303c
SHA512 b94b0f7de479dc05703344210047127584131996baf9fa2f53d9bcd80de835fc6383401d4f7dc9869f85812efe5e01881f4dab4607f2c814d2f3393ccffe95d5

C:\ProgramData\Microsoft\Network\Downloader\edb.chk.77d69d

MD5 887f2b37098f43fae126b9adcaed7d17
SHA1 3882eb570268389c9f49cc26606d3b639e641d3f
SHA256 fdb016799c535b40741601a1fa487cd88142c48f10dacc45cb88d40710112eda
SHA512 2acac0961e5a934c5da41333992845276294315e7ab21641d15c215177f1f3def1247b10f0e99e7ae77cf0e1532d457caebfd252b6603f3cfa3088b85ab3afba

C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.0.xml.77d69d

MD5 fbc337163f8ebeaea50735cb4d968b72
SHA1 3b0906d7afd677bbe8be28c23cd5b0dc6c9e2fb2
SHA256 e6615b8bf5c35ffc04fe0565917c6f77fee68442d41d19df3557c541a555e889
SHA512 320ede48033bba2e850ff2db6f77f52bbe2145ee9c3edd087be67cc8b1c86e82c9680df9ae23b24fcfe2c2b1729f3989c14ed49c152c2648744ecbfcaac5b77c

C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\3c8c7eb3-7a1d-7981-0472-571cdd1d1292.xml.77d69d

MD5 1401679b9604eb591816e3812e2681d1
SHA1 19fcd33665b9c557270ecb2ee65aa909c8934cfd
SHA256 4c2cb06aeba00d762a25740fb7cddff10aad379b11227cb6438347afd61cb778
SHA512 db4e37977484d6d27ddf3dfbdf1645f91d4d553b73b1ce874e14f639e9a257ca965b69fc4c36504bea60cc489cde05f2c756a65967a304128e3e295c2a771f2d

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A64CD22E-7976-4E35-AF61-1C7DBC1F5743\x-none.16\MasterDescriptor.x-none.xml.77d69d

MD5 5a7f65aee7d294db0a942cdccdcbe48a
SHA1 c181091f74743ea04f71bafb86d34aaa8ca96176
SHA256 f19f474e4fc478ea4f4d99d70c281b9751accf7f8b75c802c2a1c5ad7b996b1e
SHA512 257e9ba4108c1006ce8045f4dec407c34f2e1696ff58632ce0241f4b09f10609afea5aafbca6c00b6b4abe19400a034178a91ff5b8c37da20ba04d7420c28a1d

memory/1068-24414-0x00007FF8A7AD0000-0x00007FF8A8591000-memory.dmp