Malware Analysis Report

2024-10-16 03:03

Sample ID 240923-wewvqsyfmf
Target f4656a9af30e98ed2103194f798fa00fd1686618e3e62fba6b15c9959135b7be
SHA256 f4656a9af30e98ed2103194f798fa00fd1686618e3e62fba6b15c9959135b7be
Tags
netwalker execution ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f4656a9af30e98ed2103194f798fa00fd1686618e3e62fba6b15c9959135b7be

Threat Level: Known bad

The file f4656a9af30e98ed2103194f798fa00fd1686618e3e62fba6b15c9959135b7be was found to be: Known bad.

Malicious Activity Summary

netwalker execution ransomware

Netwalker Ransomware

Renames multiple (7389) files with added filename extension

Renames multiple (6765) files with added filename extension

Drops file in Program Files directory

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-23 17:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-23 17:50

Reported

2024-09-23 17:53

Platform

win7-20240903-en

Max time kernel

118s

Max time network

121s

Command Line

C:\Windows\Explorer.EXE

Signatures

Netwalker Ransomware

ransomware netwalker

Renames multiple (7389) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MENU.DPV C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00586_.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\MedianMergeFax.Dotx C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh88 C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_zh_4.4.0.v20140623020002.jar C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01035U.BMP C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\BloodPressureTracker.xltx C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Vostok C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145810.JPG C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR49F.GIF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00735_.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN111.XML C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanResume.Dotx C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm C:\Windows\Explorer.EXE N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\A0CD44-Readme.txt C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04206_.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240811.profile.gz C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GREETING.DPV C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01304G.GIF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.HXS C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105292.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Sofia C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107450.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105384.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\powerpnt.exe.manifest C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyLetter.dotx C:\Windows\Explorer.EXE N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\A0CD44-Readme.txt C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-nodes.xml C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01196_.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImages.jpg C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\localedata.jar C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+9 C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145168.JPG C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02055_.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\ACT3R.SAM C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-progress-ui.jar C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_zh_4.4.0.v20140623020002.jar C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Monrovia C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow.css C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02039U.BMP C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\excel.exe.manifest C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00057_.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115868.GIF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101856.BMP C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSGR3EN.LEX C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0195384.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Amsterdam C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00297_.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02228_.WMF C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382961.JPG C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART13.BDR C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\HICCUP.WAV C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Asuncion C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239975.WMF C:\Windows\Explorer.EXE N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Count Description Indicator Process Target
2 N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
62 N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Count Description Indicator Process Target
1 Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
1 Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
1 Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
1 Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
1 Token: SeDebugPrivilege N/A C:\Windows\Explorer.EXE N/A
1 Token: SeImpersonatePrivilege N/A C:\Windows\Explorer.EXE N/A
3 Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Count Description Indicator Process Target
3 PID 2248 wrote to memory of 2968 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
3 PID 2968 wrote to memory of 2900 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
3 PID 2248 wrote to memory of 2692 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
3 PID 2692 wrote to memory of 2700 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
1 PID 2248 wrote to memory of 1252 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
3 PID 1252 wrote to memory of 2948 N/A C:\Windows\Explorer.EXE C:\Windows\system32\notepad.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\f4656a9af30e98ed2103194f798fa00fd1686618e3e62fba6b15c9959135b7be.ps1

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zkf1lgul.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3DDC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3DCB.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9hk-memy.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES40B9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC40B8.tmp"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\notepad.exe

C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\A0CD44-Readme.txt"

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-09-23 17:50

Reported

2024-09-23 17:53

Platform

win10v2004-20240802-en

Max time kernel

146s

Max time network

130s

Command Line

C:\Windows\Explorer.EXE

Signatures

Netwalker Ransomware

ransomware netwalker

Renames multiple (6765) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\MedTile.scale-100.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties C:\Windows\Explorer.EXE N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pt-br\034FBF-Readme.txt C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-pl.xrm-ms C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sv-se\ui-strings.js C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PowerPointInterProviderRanker.bin C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Zview.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square71x71\PaintSmallTile.scale-125.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_contrast-black.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailMediumTile.scale-200.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe806.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\MicrosoftSolitaireSmallTile.scale-125.jpg C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosWideTile.contrast-white_scale-100.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\PlayStore_icon.svg C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-100_contrast-black.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-200_contrast-white.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\ui-strings.js C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio_Model_CX.winmd C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\vpaid.html C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\14.rsrc C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-20_altform-unplated.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-250.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\ContemporaryPhotoAlbum.potx C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\checkmark.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ul-oob.xrm-ms C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-256_altform-unplated_contrast-high.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-100_contrast-black.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_contrast-black.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-fr\ui-strings.js C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_fillandsign_18.svg C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ul-oob.xrm-ms C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.scale-400.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\MediaInkToolbar.xbf C:\Windows\Explorer.EXE N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hu-hu\034FBF-Readme.txt C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\LargeTile.scale-200.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_AppList.scale-125.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\vlc.mo C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk-1.8\lib\jconsole.jar C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle Solids.eftx C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\bg.pak.DATA C:\Windows\Explorer.EXE N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\034FBF-Readme.txt C:\Windows\Explorer.EXE N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nl-nl\034FBF-Readme.txt C:\Windows\Explorer.EXE N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\034FBF-Readme.txt C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sv-se\ui-strings.js C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-36_altform-unplated_contrast-white.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_F_COL.HXK C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxWideTile.scale-125.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\ImagePlaceholderWhite.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-64_contrast-black.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailBadge.scale-400.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchWideTile.contrast-white_scale-200.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\188.png C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\eu-es\ui-strings.js C:\Windows\Explorer.EXE N/A
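Added example, not part of the sandbox report: the rows above carry the two file-system markers the "Renames multiple files with added filename extension" verdict rests on, a 034FBF-Readme.txt created in directory after directory, and (under Files, further down) originals renamed with an appended .034fbf suffix. The Python below applies that heuristic generically to rows in this report's "Description Indicator Process Target" layout: it picks out a suffix that sits behind an ordinary extension on several files, a note-like file created under one name in several directories, and checks whether the two share an identifier. The sample rows are constructed from paths on this page; the .034fbf paths come from the Files section, so tagging them "File created" is an assumption made for the sample, and the thresholds (3 files, 3 directories) are illustrative, not the sandbox's.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed sample in the report's "Description Indicator Process Target" row layout.
# Paths are taken from this page; the .034fbf rows are listed under Files in the report,
# so giving them the "File created" action here is an assumption for the sample.
SAMPLE_EVENTS = r"""
File opened for modification C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\vlc.mo C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Java\jdk-1.8\lib\jconsole.jar C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_contrast-black.png C:\Windows\Explorer.EXE N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\034FBF-Readme.txt C:\Windows\Explorer.EXE N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\034FBF-Readme.txt C:\Windows\Explorer.EXE N/A
File created C:\Program Files\Crashpad\034FBF-Readme.txt C:\Windows\Explorer.EXE N/A
File created C:\ProgramData\Microsoft\Diagnosis\osver.txt.034fbf C:\Windows\Explorer.EXE N/A
File created C:\ProgramData\Microsoft\Windows\AppxProvisioning.xml.034fbf C:\Windows\Explorer.EXE N/A
File created C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.034fbf C:\Windows\Explorer.EXE N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url.034fbf C:\Windows\Explorer.EXE N/A
"""

# Path is non-greedy so the two trailing space-free columns (Process, Target) split cleanly.
ROW = re.compile(r"^File (?P<action>created|opened for modification) (?P<path>.+?) (?P<proc>\S+) (?P<target>\S+)$")
EXT_LIKE = re.compile(r"[A-Za-z0-9]{1,5}")      # what an ordinary file extension looks like
NOTE_EXTS = {"txt", "html", "hta", "rtf"}        # formats ransom notes are usually dropped in


def parse_rows(text):
    """Return (action, path) for each well-formed file-event row."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m["action"], m["path"]))
    return rows


def appended_extension(rows, min_files=3):
    """Most common suffix that sits behind an ordinary extension (name.ext.SUFFIX), if frequent."""
    hits = Counter()
    for _, path in rows:
        parts = PureWindowsPath(path).name.split(".")
        if len(parts) >= 3 and EXT_LIKE.fullmatch(parts[-2]):
            hits[parts[-1].lower()] += 1
    if not hits:
        return None
    ext, count = hits.most_common(1)[0]
    return (ext, count) if count >= min_files else None


def ransom_note(rows, min_dirs=3):
    """A note-like file created under the same name in many distinct directories."""
    dirs = defaultdict(set)
    for action, path in rows:
        p = PureWindowsPath(path)
        if action == "created" and p.suffix[1:].lower() in NOTE_EXTS:
            dirs[p.name].add(str(p.parent))
    if not dirs:
        return None
    name, where = max(dirs.items(), key=lambda kv: len(kv[1]))
    return (name, len(where)) if len(where) >= min_dirs else None


def shared_id(note_name, ext):
    """Leading token of the note name, if it equals the appended extension (034FBF-Readme.txt / .034fbf)."""
    token = re.split(r"[-_.]", note_name, maxsplit=1)[0].lower()
    return token if token == ext.lower() else None


def triage(text, min_files=3, min_dirs=3):
    """Run the three checks over report rows and return a verdict dictionary."""
    rows = parse_rows(text)
    ext = appended_extension(rows, min_files)
    note = ransom_note(rows, min_dirs)
    result = {"rows": len(rows), "extension": None, "renamed_files": 0,
              "ransom_note": None, "note_directories": 0, "shared_id": None}
    if ext:
        result["extension"], result["renamed_files"] = ext
    if note:
        result["ransom_note"], result["note_directories"] = note
    if ext and note:
        result["shared_id"] = shared_id(note[0], ext[0])
    if result["shared_id"]:
        result["verdict"] = "ransomware: note and appended extension share an id"
    elif ext or note:
        result["verdict"] = "suspicious: partial ransomware file pattern"
    else:
        result["verdict"] = "no ransomware file pattern"
    return result


def original_name(path, ext):
    """Strip the appended extension to rebuild the pre-rename filename (inventory only, no decryption)."""
    p = PureWindowsPath(path)
    return str(p.with_suffix("")) if p.suffix.lower() == "." + ext.lower() else str(p)


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key:17} {value}")
```

original_name() only undoes the renaming so that an inventory of affected files can be rebuilt from a listing; it says nothing about file contents, and the "File opened for modification" rows above record a write handle, not what was written.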

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Windows\Explorer.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1460 wrote to memory of 320 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1460 wrote to memory of 320 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 320 wrote to memory of 4536 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 320 wrote to memory of 4536 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1460 wrote to memory of 3116 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1460 wrote to memory of 3116 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3116 wrote to memory of 3204 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3116 wrote to memory of 3204 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1460 wrote to memory of 3476 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 3476 wrote to memory of 4448 N/A C:\Windows\Explorer.EXE C:\Windows\system32\notepad.exe
PID 3476 wrote to memory of 4448 N/A C:\Windows\Explorer.EXE C:\Windows\system32\notepad.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\f4656a9af30e98ed2103194f798fa00fd1686618e3e62fba6b15c9959135b7be.ps1

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u2dnnj0h\u2dnnj0h.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2C1.tmp" "c:\Users\Admin\AppData\Local\Temp\u2dnnj0h\CSC1627F0DB4BCF48819872F3AEF969D3D7.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bylamoim\bylamoim.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD34E.tmp" "c:\Users\Admin\AppData\Local\Temp\bylamoim\CSC5E16C2547E74105937C2B72C99F96DF.TMP"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\notepad.exe

C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\034FBF-Readme.txt"
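Added example, not from the report: read together, the WriteProcessMemory table and the Processes section describe one loader chain. powershell.exe (PID 1460) runs the sample with -ExecutionPolicy bypass -File; it drives two csc.exe/cvtres.exe compilations from a .cmdline response file, which is the invocation Windows PowerShell's Add-Type produces (the resulting u2dnnj0h.dll and bylamoim.dll appear under Files); it then writes into Explorer.EXE (PID 3476), and Explorer.EXE launches notepad.exe on the ransom note. Note that every child process gets two "wrote to memory" rows in the table while Explorer.EXE gets one, consistent with a write into an already-running process rather than a process being created. The Python below encodes those four checks as rules over a process table built from the rows above. The parent PIDs and the mapping of the AdjustPrivilegeToken rows onto PIDs are assumptions reconstructed from the order of this page (the flattened report lists images, not a tree); everything else is copied from the tables. Parent-to-child writes at process creation (csc.exe into cvtres.exe, Explorer.EXE into notepad.exe) are expected and excluded; a write into a process the writer did not create is what marks the injection.

```python
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
CVT = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
EXP = r"C:\Windows\Explorer.EXE"
NPD = r"C:\Windows\system32\notepad.exe"

# Image and command line per PID, copied from the report's Processes section; PIDs come
# from its WriteProcessMemory table.
PROCS = {
    1460: (PS, r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\f4656a9af30e98ed2103194f798fa00fd1686618e3e62fba6b15c9959135b7be.ps1"),
    320: (CSC, r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u2dnnj0h\u2dnnj0h.cmdline"'),
    4536: (CVT, r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2C1.tmp" "c:\Users\Admin\AppData\Local\Temp\u2dnnj0h\CSC1627F0DB4BCF48819872F3AEF969D3D7.TMP"'),
    3116: (CSC, r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bylamoim\bylamoim.cmdline"'),
    3204: (CVT, r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD34E.tmp" "c:\Users\Admin\AppData\Local\Temp\bylamoim\CSC5E16C2547E74105937C2B72C99F96DF.TMP"'),
    3476: (EXP, r"C:\Windows\Explorer.EXE"),
    4448: (NPD, r'C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\034FBF-Readme.txt"'),
}

# Parent PIDs: an ASSUMPTION reconstructed from the order of the Processes section (the
# flattened report loses the tree). None = the parent is not in the report.
PARENTS = {1460: None, 320: 1460, 4536: 320, 3116: 1460, 3204: 3116, 3476: None, 4448: 3476}

# "PID A wrote to memory of B" rows from the report, de-duplicated.
WRITES = [(1460, 320), (320, 4536), (1460, 3116), (3116, 3204), (1460, 3476), (3476, 4448)]

# AdjustPrivilegeToken rows mapped onto PIDs (the report lists images only; mapping is an ASSUMPTION).
PRIVS = {1460: {"SeDebugPrivilege"}, 3476: {"SeDebugPrivilege", "SeImpersonatePrivilege"}}

NOTE_ARG = re.compile(r'"?([^"\s]*readme[^"\s]*\.(txt|html|hta))"?', re.I)


def image(pid):
    """Lower-cased image file name for a PID."""
    return PROCS[pid][0].lower().rsplit("\\", 1)[-1]


def find_policy_bypass(procs):
    """powershell.exe started with an execution-policy override and a script file."""
    return [pid for pid, (img, cmd) in procs.items()
            if img.lower().endswith("powershell.exe")
            and re.search(r"-e\w*\s+bypass", cmd, re.I) and re.search(r"-f(ile)?\s", cmd, re.I)]


def find_script_compiles(procs, parents):
    """csc.exe spawned by powershell.exe with a .cmdline response file: the Add-Type pattern."""
    out = []
    for pid, (img, cmd) in procs.items():
        parent = parents.get(pid)
        if img.lower().endswith("csc.exe") and parent is not None \
                and image(parent) == "powershell.exe" and ".cmdline" in cmd.lower():
            m = re.search(r'@"([^"]+\.cmdline)"', cmd)
            out.append((parent, pid, m.group(1) if m else None))
    return out


def find_injections(writes, parents):
    """Cross-process writes that are not a parent setting up its own child."""
    return [(src, dst) for src, dst in writes if parents.get(dst) != src]


def find_note_display(procs, parents, injected):
    """An injected host launching a child whose argument looks like a ransom note."""
    out = []
    for pid, (img, cmd) in procs.items():
        if parents.get(pid) in injected:
            m = NOTE_ARG.search(cmd)
            if m:
                out.append((parents[pid], pid, m.group(1)))
    return out


def analyze(procs=PROCS, parents=PARENTS, writes=WRITES, privs=PRIVS):
    """Apply the four rules and name the chain if all of them fire."""
    injections = find_injections(writes, parents)
    injected = {dst for _, dst in injections}
    f = {
        "policy_bypass": find_policy_bypass(procs),
        "script_compiles": find_script_compiles(procs, parents),
        "injections": injections,
        "debug_priv_injectors": sorted(src for src, _ in injections if "SeDebugPrivilege" in privs.get(src, ())),
        "note_display": find_note_display(procs, parents, injected),
    }
    complete = all([f["policy_bypass"], f["script_compiles"], f["injections"], f["note_display"]])
    f["verdict"] = ("script loader -> in-memory compile -> injection into shell -> ransom note"
                    if complete else "incomplete chain")
    return f


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key:22} {value}")
```

On a live host the same rules map onto process-creation and cross-process-access telemetry (parent PID, command line, target PID of a memory write); the parent table is the one input this report does not give directly, which is why it is marked as an assumption above.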

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 34.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
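Added example, not from the report: every row in the Network table is a UDP query to 8.8.8.8:53 for an in-addr.arpa name, i.e. a reverse (PTR) lookup, and no other connection appears in the table. Before treating any of these as command-and-control, an analyst would decode each name back to the address being looked up and see how the addresses cluster. The Python below does that for rows copied from the table and also separates forward lookups and non-DNS rows, so the same function can be pointed at a fuller capture; the rows are the report's own, the grouping by /24 is a choice made here.

```python
import ipaddress
from collections import Counter

# Rows from the report's Network table: (destination, queried name, protocol).
DNS_ROWS = [
    ("8.8.8.8:53", "97.17.167.52.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "240.143.123.92.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "68.159.190.20.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "233.143.123.92.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "197.87.175.4.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "228.249.119.40.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "206.23.85.13.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "34.56.20.217.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "217.106.137.52.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "31.243.111.52.in-addr.arpa", "udp"),
]


def ptr_to_ip(name):
    """Decode a reverse-lookup name d.c.b.a.in-addr.arpa to the address a.b.c.d, else None."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:   # a label outside 0-255, or not numeric
        return None


def summarize(rows):
    """Split a network table into reverse lookups, forward lookups and non-DNS traffic."""
    reverse, forward, other = [], [], []
    for dst, name, proto in rows:
        if not dst.endswith(":53"):
            other.append((dst, name, proto))
            continue
        ip = ptr_to_ip(name)
        if ip:
            reverse.append(ip)
        else:
            forward.append(name)
    networks = Counter(str(ipaddress.ip_network(ip + "/24", strict=False)) for ip in reverse)
    return {
        "queries": len(rows),
        "resolvers": dict(Counter(dst for dst, _, _ in rows if dst.endswith(":53"))),
        "reverse_lookups": reverse,
        "forward_lookups": forward,
        "networks": dict(networks),
        "non_dns": other,
    }


if __name__ == "__main__":
    for key, value in summarize(DNS_ROWS).items():
        print(f"{key:16} {value}")
```

The decoded addresses, not the in-addr.arpa names, are what to run against threat-intelligence and ownership data; a table that contains only PTR queries and no forward lookup or outbound connection gives no evidence of a C2 contact within the analysis window, but it also cannot rule one out beyond that window.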

Files

memory/1460-0-0x00007FFAD5833000-0x00007FFAD5835000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5bkxry3z.arr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1460-10-0x000001D7AFFC0000-0x000001D7AFFE2000-memory.dmp

memory/1460-11-0x00007FFAD5830000-0x00007FFAD62F1000-memory.dmp

memory/1460-12-0x00007FFAD5830000-0x00007FFAD62F1000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\u2dnnj0h\u2dnnj0h.cmdline

MD5 04a01a91df7ef77d340490f3ae3b5295
SHA1 a571894c797296f6676c07b60204280fcf4f8049
SHA256 2f7ad8133424031a94b72ffcbf650edb4f9672bf92dfb0ffb57ae0dca0cb2fa8
SHA512 2a72a615d00228275b67686a6da716cbeef0718125386809049a36dd4c996e29475254353d168a50e2d052f566e2ade15915dd14b63882f8d7c22e32a1e29329

\??\c:\Users\Admin\AppData\Local\Temp\u2dnnj0h\u2dnnj0h.0.cs

MD5 220274c8b5ea2af3a7c625d0c4985fc2
SHA1 2f5228308d3808946552e53ef5b9829b8764b741
SHA256 b00f4040bfc94627cc06e351d43d4b6fdaa1161b20b702956b564e18c3a37ee1
SHA512 da40fd6d5a9daeb3c42cfa3d92df0fcb71b1b9ab00577afe165c539e95f26cba80958b74140067b93deb66807de60f0d533e232ec49d0a28b798f6d339037c69

\??\c:\Users\Admin\AppData\Local\Temp\u2dnnj0h\CSC1627F0DB4BCF48819872F3AEF969D3D7.TMP

MD5 32cfc466fbc6cb8e39d282717c034c85
SHA1 8ada26bb651e0bdc540c7a2594ac0a7377f7adb5
SHA256 82ca392a650dd05d3892dcc83aefd70bb7cb3cc5f9549107b4e4e2d7045a812f
SHA512 9d40d39c55bc2d4d826c079d99f7e47c6514b5ad492c62f7c55f6c9ef7b2f99f79067223bf4112aca32ffe500231a59a2b7da34a383611b90fb47ae0f76c6484

C:\Users\Admin\AppData\Local\Temp\RESD2C1.tmp

MD5 98563b8c94d47d1b2658df07b31a6b31
SHA1 20986eece74f050aec48cd954af23d8c772217f4
SHA256 d1273c2c13322f12bda22608bdd78b305fff36efd3b70f001ad498962d2b3584
SHA512 1aeac9b1f8ed055f524121c65b0611eef9f4b47984c4e21589a812af01ea8097515d47014e90b05ae59fd33cf69b82cb8bffe521368e6a48c02f7647e9fe7408

memory/1460-25-0x000001D7B21B0000-0x000001D7B21B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u2dnnj0h\u2dnnj0h.dll

MD5 0380796d88a4cfacc94c00e776c42a10
SHA1 2b411eee2b23e1dcc964e0c8792bc30f59ffcb69
SHA256 d324beb50af513a5d56f6b1d6a047063ce1b0f9f674814a4912d379282cacbe3
SHA512 6b0032ab4e6cb51f9e775b06c8f87032d816d7d8701444e6a0c08596d55c5dfe085447d23ab8f417f740007824507eb6feef513673c1918c615266891ae8c916

\??\c:\Users\Admin\AppData\Local\Temp\bylamoim\bylamoim.cmdline

MD5 2b0c40375698bac6509ac2f7cff4ab8b
SHA1 4a79a92aec275ab6ddff282747c7d150f67a19b2
SHA256 3abbb0a9e76a1dbcd66cfe99cef212b48bf1521990cd6c0f7ea80ba5c05af24d
SHA512 a8c4e8de9129cf6d7e37aa45770f070fc3bc08760e57558382228381b0b1c179a6f3c794d61bbc58b6ff415fe9929eb5a4a3ef0701368a351e182229e3d7192b

\??\c:\Users\Admin\AppData\Local\Temp\bylamoim\bylamoim.0.cs

MD5 b1f397a0d765a49ba2554b815326cfd7
SHA1 511ef931b96f19ee08dec8763b606701147244a1
SHA256 d39f9608c7e9805f327550e7cd98ed2b716dc2a4549ca4123215fe5331a9b36d
SHA512 f34a8edb867d39f0dc53de1708a65570d1fd2d0a57e5908f3a222f0edb77d65f719a491b93e697a0233cf9a443c2387cb34549264befc100bc6a2d436cd0b254

\??\c:\Users\Admin\AppData\Local\Temp\bylamoim\CSC5E16C2547E74105937C2B72C99F96DF.TMP

MD5 8bd8befe4021b77efdaa0783afa62c6f
SHA1 80b5092d8e51bfd87729ae885a70dcb5e7a9265c
SHA256 c45ad30558d23d82271739822569d5286143ef0397d6b0053d795c313812822f
SHA512 0e847a9e4ff31073ffeef536deaea337074b7d961a0c6adf02ad2693fbc08969fb78f3970ed0e3806ce2ff7f5b55c7e8330e65f6878e669f1cdd400fa0848be7

C:\Users\Admin\AppData\Local\Temp\RESD34E.tmp

MD5 182dab4676806ad35755972847422d8e
SHA1 4b0f7f9e579cc6d9c029a627643c95a3e701d9fa
SHA256 930d00e5a1e80cd6711555717aff3ff22bbe5eafd614175aacb7ad0a311ab0e6
SHA512 0ab90fb8c360c8809c41c8c0d4587f60b6ef4f2a1c369abbe1062e0369abca341c53f1dd434eb4dcccf64e02b23bb4fe014dfc8d32a2e021c5510806e74261a3

memory/1460-39-0x000001D7B23E0000-0x000001D7B23E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bylamoim\bylamoim.dll

MD5 53e3e0bec64bf9e854ade244e2c1c32c
SHA1 b4a30263d37171ab0ae4eedb2f7c2ab74b74d688
SHA256 6db359671ecf7ecee10bb2192b74c723a83dd50fe759cff99305e5f65d068430
SHA512 e5668ecc4e609b654c73b1f81e580225e08a7ddadf92e632ae76da1cf5375af170b9aca5e19327ebfdc117954237410a74d6adccf68224e30d74305482aeae34

memory/1460-41-0x00007FFAD5830000-0x00007FFAD62F1000-memory.dmp

memory/1460-42-0x00007FFAD5830000-0x00007FFAD62F1000-memory.dmp

memory/1460-43-0x00007FFAD5830000-0x00007FFAD62F1000-memory.dmp

memory/3476-44-0x0000000002410000-0x000000000242B000-memory.dmp

memory/1460-45-0x00007FFAD5833000-0x00007FFAD5835000-memory.dmp

memory/3476-47-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-50-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-77-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-108-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-106-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-102-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-105-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-104-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-103-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-100-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-99-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-98-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-97-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-95-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-93-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-92-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-90-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-89-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-88-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-87-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-86-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-84-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-82-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-81-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-79-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-78-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-76-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-75-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-74-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-73-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-72-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-70-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-69-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-68-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-66-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-65-0x0000000002410000-0x000000000242B000-memory.dmp

C:\Program Files\Crashpad\034FBF-Readme.txt

MD5 a01e818e75d4ed56870fc2d782dbb3e7
SHA1 9525abab8866783df75ce4aea9e8f5325ec89f3f
SHA256 dcbfa38bb2bb1cbe84541a23b3622055b51ad81585288b738e24d69250029d5e
SHA512 ca2b81c0b0d0d6b5bbcd145a29c3c4a96e9d048206020287c60629ae229f500066b463a48f40f317946966d66fc49ad21fc3db38fab1631cfe827986e167639d

memory/3476-64-0x0000000002410000-0x000000000242B000-memory.dmp

memory/1460-3563-0x00007FFAD5830000-0x00007FFAD62F1000-memory.dmp

memory/3476-63-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-61-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-60-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-59-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-58-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-57-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-56-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-107-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-101-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-96-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-94-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-91-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-85-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-54-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-53-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-52-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-51-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-49-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-71-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-67-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-62-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-55-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-48-0x0000000002410000-0x000000000242B000-memory.dmp

memory/3476-46-0x0000000002410000-0x000000000242B000-memory.dmp

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

MD5 31ccd80c9e091d3ce3d6a2718ea38b60
SHA1 2bb3965b3a20cdc2da97b22a9fc0fb7036c1fc34
SHA256 47d8c39f4b8d76c236fab48baced5967c73539f8fd45aaa900d0449fa0cde960
SHA512 d4c7935e277f7a55c3e77b467499302c3531fff1d7297dc66e7933af9878d82097e4fe73878c73844e30b3cda6de1ed644d3ce4c4218d20af02a1f0b31f233d0

memory/1460-6137-0x00007FFAD5830000-0x00007FFAD62F1000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url.034fbf

MD5 baf8aae8e760d79b61b430898528d52e
SHA1 c3208f291222ef328251bc2fd4ec94b2250c07bf
SHA256 27a66b83a27fcb128db67cdffb0d10f2992dbd0d4c21fed0ea6505b9d6ceef1b
SHA512 30a1fcbf5b67f816e0e65dcbf4bb6a3bdb6060d50c4015353ec973ec062a0b95fef67d7ba1321214f6a98f8a3cadecfa35fb3c51125626e738366d0f93702412

C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch.034fbf

MD5 ead3281c94cc3898402405516263aec2
SHA1 1c3e863fef112dac8d744b35ab075b24eaba9666
SHA256 8dd0128e36d34dc777af8fb46d0744ef610604565db40f8db25876ea5cff39b5
SHA512 62cd15e985373bac6b11667b89c8bec0a1883375b980acfdd8c7d88ab0844be1d2f7c51c9b256ee46f60e6abc2eb35fd8ef998dc050acfffe9093fb269febad8

C:\ProgramData\Microsoft\Diagnosis\osver.txt.034fbf

MD5 255636abb58f35ca074aca0156b2e1bc
SHA1 b4ba1757a060f9f97a3d971fedd9edfd0ea0458d
SHA256 802277fc2dfd4efdf92d7bad4185af2ecafe0a228a78221902e2bf14a6d0e9a6
SHA512 eed60ecf844f9ca031f0a3bdb6d6de62f9cdc8b51e099b754a4d191fa04d2ea17c714f83f2c175966097998fd5fe9cdfb16fa11799ecbe216e2bab84ab695950

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.034fbf

MD5 acc23f3da4434183fb3e39ac3f0a0b9d
SHA1 9e5e6d4e9586b58f48050319200fcfe05273ca30
SHA256 eef0e9f386515a079f7d91698e4bc4686a33bae372502e8b9323a8852e8a0906
SHA512 e756f9e5ad4dca3ec878f0cb55601d8fd57f00465700cf2dda4a4db9d2e86cbfd4bb3ef243dd4e0d30afc274319b26f0969eeeaa5f122005c4be46fd3c5b294d

C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\2e267d1c-9ef4-8ee3-57be-e11f61eb9d03.xml.034fbf

MD5 5465146601e0ba768ad2ad119b1d676f
SHA1 ec30dfaf430f7be05bbb732c4de5cef537c20046
SHA256 03b0909a566042b913fe651735bbe16c98d740cb4d798d0787bb59aa0d7dd79e
SHA512 ef4ec00da63f81ad32bf54227a99073fd85ed83b9ae8f2d25ff7aed86783ba5c601f53cf20fe34a03069f0b3ca014e79675a03d7eb1fa55a4da263f00c5ab0c7

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man.034fbf

MD5 b78d818d1da5d4f37e744e2e61c6a543
SHA1 ceaf0a8d4df6ca0c6804bf8ac26e269a78a35fc0
SHA256 baa05cf4f74ff26909f2f3bca9d58f76e809bc145978a24fbf6d2380c882e079
SHA512 14e39faf1d295f9bc47ccf8aed2d2fa14fdceafb1c5e7dee8622bcb170f522e0ea270616edd5a3f307133081187efcdb6c53380bfc59fa759d471eb181318e35

C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.034fbf

MD5 cab63e44f85f8316bd588eb345cc2c67
SHA1 441dbe845254ffc62620ee411fbd55cc3da6608c
SHA256 bc5ba1dfc731124c5286c0ae9ed40f1580d04bc809a2c7f92b547d30ceb7656e
SHA512 f5aaa29cc8c1f1b4e1907dca8f124067ee095e4b756bbb32d88d6461535fcffcc8806ea711ddd1b79cbb9520dae2630986a560024dfc4b96fe547c9aa7c180f8

C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2024_8_2_12_27_22.etl.034fbf

MD5 521a722b7f65bad07a967b9cbd94575b
SHA1 a9bbbdcf86ce1c767715e37302b4e69bbd0db540
SHA256 9cf044dfad3bcf42ee5eb862b0476b01faa76a7645aa9ec85020c4e2ea5bb12b
SHA512 27db684a3c583821c102d71ff3f32898ac9358ee911aa9c326bcc0a0c23f9fb2d14a91dd10cfa989b4a825b632e29771530e9274d87bd2762564c1289de9853d

C:\ProgramData\Microsoft\Windows\AppxProvisioning.xml.034fbf

MD5 4223f172a213fd41b5f3d5dd1dbce448
SHA1 c56172c55dffa57225a9fc2bd5b632ad0cfdcf2b
SHA256 c34d2e0a0427e073e90bf0be34b7aefd63da98ff7a94ccdca98312db81b46d53
SHA512 f706f3f908ea34e538bfb863bed3c1ba6e2b168e559f3258436efa6accefcc489547f8ba9a4cc48e205c1dce63c3ff36090b37bb645bde60eead93f6621fc8ea

C:\ProgramData\Microsoft\IdentityCRL\production\wlidsvcconfig.xml.034fbf

MD5 122eb0f502cd1cb8759d9911a648c972
SHA1 9f70f3f3d01852146a7cdb90c9669c259a6a3cf0
SHA256 945eb8cf3911e1899b09837356e08cfefbbd39e53e15fdc99d72a68e270cd260
SHA512 88d83ef0886199025a4f0b5af9af61b7f99a42d7998131d83ae8f01e18e8c75cf14e28a7d3a10c3684c71b52854714b1121f127f1975d05f915660e1c8618d30

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml.034fbf

MD5 1548077e5f9dbae0243d88257a550974
SHA1 3f3c8ee402acde9ef01425e74778556414c62c65
SHA256 11c59bbb8e13600b47862f27092cd14cc84246ce5f74a80c893f3fc089b20766
SHA512 a74990416190ab471ac9709cfcbab624fa447aaf0dc08684202437855fb6bcb4df7023df97fd2e7ccf034e7e1faa9d1cae9ac2ac3c780d4586bd9111a2cc9a0e

C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.2.xml.034fbf

MD5 75283e54be02050a141dd1da4e0a47a8
SHA1 5152586aa5dcbd8f6eae65ffb5db5dd7b4850139
SHA256 2376a81d36d8eba6454d5d6d8ebb2971e06f63c07a395198bfc12ffd08fbd96f
SHA512 f0e60663f90f9fecbfc282ff9fde62fb8030ac153a01ce93c304453153c60bcbd7ad34ed2c07a4d85cce116d0c4d4a58a0ceb26e777f3b494df767299716a9cf