netwalker | 71768f2099e7c880dfd25b5e20df9424d0967689abe6fd7cf4896941b8977cb0

Analysis

max time kernel
154s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71768f2099e7c880dfd25b5e20df9424d0967689abe6fd7cf4896941b8977cb0.ps1
Size

908KB
MD5

8f4a5516d10a163ec1421fdf39fba854
SHA1

c6c78a6af1ae01c1aa60f4e601fb97cdf7dcaa75
SHA256

71768f2099e7c880dfd25b5e20df9424d0967689abe6fd7cf4896941b8977cb0
SHA512

ac287b080b5b8683018da99840cb5e09267d57055da3edf54ee9d3b4a62d9c3c8c467c8e39aa1b9c48faf88fac821c1e59c139f1342282f113653cd30d9074a8

Score

10^/10

netwalker ransomware

Malware Config

Extracted

Path

C:\odt\5C93B1-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .5c93b1 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5c93b1: BtrBz9/37KHfoZyb4KfAv9vXVaFIdSiQIcUZ1f+h0KXQ+//8n0 19V0bEhllFPTDY2RX6HJfDNVzn3uEjrShfD1g21J/JMncSfZTp smDkMJsW+Pi4a41wkMeYnb6tJj3k/ldrfp1178U9NPjHTyMj4X VvlPmnthhFzcvJbH3Zl6sVgaQTgvxvLbndfOX7fW8v6uKxfh7D aOGAPTpEhdu8AG9IifXKtx3rArLvOJlpJh5xboktgOwnua6scg qbnZgbTwFa8zcIU9a+VuoupL6GWRJ6gAndX1s7hQ==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Explorer.EXE

description	ioc	process
File renamed	C:\Users\Admin\Pictures\WatchImport.png => C:\Users\Admin\Pictures\WatchImport.png.5c93b1	Explorer.EXE
File renamed	C:\Users\Admin\Pictures\DenyResume.raw => C:\Users\Admin\Pictures\DenyResume.raw.5c93b1	Explorer.EXE
File opened for modification	C:\Users\Admin\Pictures\MovePublish.tiff	Explorer.EXE
File renamed	C:\Users\Admin\Pictures\ApproveWrite.png => C:\Users\Admin\Pictures\ApproveWrite.png.5c93b1	Explorer.EXE
File renamed	C:\Users\Admin\Pictures\MovePublish.tiff => C:\Users\Admin\Pictures\MovePublish.tiff.5c93b1	Explorer.EXE
File renamed	C:\Users\Admin\Pictures\ClearComplete.png => C:\Users\Admin\Pictures\ClearComplete.png.5c93b1	Explorer.EXE
File renamed	C:\Users\Admin\Pictures\ConfirmTrace.tif => C:\Users\Admin\Pictures\ConfirmTrace.tif.5c93b1	Explorer.EXE

Drops file in Program Files directory 64 IoCs

Processes:

Explorer.EXE

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.ce48eef1.pri	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionLargeTile.scale-400.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-150.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-60_altform-unplated_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\resources.pri	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-400.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Wide310x150Logo.scale-200.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-40.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\Microsoft.Services.Store.Engagement.winmd	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.scale-100_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\3px.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteReplayCrossHairIcon-2.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-400_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_company.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxSmallTile.scale-125.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-80.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\REFSPCL.TTF	Explorer.EXE
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\vlc.mo	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close_h.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-60_altform-unplated_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-150.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_altform-unplated_contrast-black_devicefamily-colorfulunplated.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ColorGeometryShader.cso	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\jfxrt.jar	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_zh_CN.jar	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-32_altform-unplated_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-24.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-200.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxSmallTile.scale-150.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-100_contrast-white.png	Explorer.EXE
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\5C93B1-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_scale-125.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\ui-strings.js	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailSmallTile.scale-200.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\MedTile.scale-200.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_patterns_header.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\ui-strings.js	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-100.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeWideTile.scale-400.png	Explorer.EXE
File created	C:\Program Files\Java\jdk1.8.0_66\bin\5C93B1-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-200_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeLargeTile.scale-200.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\SmallTile.scale-125.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\WideTile.scale-200.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-150.png	Explorer.EXE
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\5C93B1-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\46.jpg	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-125_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGIB.TTF	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\IC_WelcomeBanner.scale-400.png	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfxswt.jar	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\informix.xsl	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\ormma.js	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-30_altform-lightunplated.png	Explorer.EXE

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeExplorer.EXE

pid	process
2272	powershell.exe
2272	powershell.exe
2272	powershell.exe
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE
2084	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2084 Explorer.EXE

pid	process
2084	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

powershell.exeExplorer.EXEvssvc.exe

description	pid	process
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2084	Explorer.EXE
Token: SeImpersonatePrivilege	2084	Explorer.EXE
Token: SeBackupPrivilege	2800	vssvc.exe
Token: SeRestorePrivilege	2800	vssvc.exe
Token: SeAuditPrivilege	2800	vssvc.exe
Token: SeShutdownPrivilege	2084	Explorer.EXE
Token: SeCreatePagefilePrivilege	2084	Explorer.EXE
Token: SeShutdownPrivilege	2084	Explorer.EXE
Token: SeCreatePagefilePrivilege	2084	Explorer.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

powershell.execsc.execsc.exe

description	pid	process	target process
PID 2272 wrote to memory of 3352	2272	powershell.exe	csc.exe
PID 2272 wrote to memory of 3352	2272	powershell.exe	csc.exe
PID 3352 wrote to memory of 3480	3352	csc.exe	cvtres.exe
PID 3352 wrote to memory of 3480	3352	csc.exe	cvtres.exe
PID 2272 wrote to memory of 3240	2272	powershell.exe	csc.exe
PID 2272 wrote to memory of 3240	2272	powershell.exe	csc.exe
PID 3240 wrote to memory of 3208	3240	csc.exe	cvtres.exe
PID 3240 wrote to memory of 3208	3240	csc.exe	cvtres.exe
PID 2272 wrote to memory of 2084	2272	powershell.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\71768f2099e7c880dfd25b5e20df9424d0967689abe6fd7cf4896941b8977cb0.ps1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hf0fvcm0\hf0fvcm0.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3352

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE709.tmp" "c:\Users\Admin\AppData\Local\Temp\hf0fvcm0\CSCC82C2C5291B4B15A8236248A68DC94E.TMP"
4⤵
PID:3480

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ahcqffmo\ahcqffmo.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3240

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA93.tmp" "c:\Users\Admin\AppData\Local\Temp\ahcqffmo\CSC1B16E7F49234460EA18A78EE432220FA.TMP"
4⤵
PID:3208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE709.tmp
Filesize
1KB

MD5
ec8337ad2ad95fa03e2a1bf63c6337be

SHA1
1e2d5ff66fb26f686f6354350de10a6f1e0863c3

SHA256
d730d3672a69efda7b3ffc0ce391ec27015f66d463d39acdb93641e60eefa88b

SHA512
cb41457cfdc9145d043e8a1a8d96dd39f9fa98e65d0d8179474c7cbfe3076748073036ebfa4aad0e489b5e194ab8315d495bf089a9303920c85231072990d555

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEA93.tmp
Filesize
1KB

MD5
26d2c0b84d168196fa6b6809bfc9f18d

SHA1
b2e896370727fd1b698d70e54ff743accb85d9c2

SHA256
ea5dd5192c7dbbf8e54b2ebd3d6cc4abfc332f2a347243d8d5c750a17ec10149

SHA512
c2e55d7defa6b0bd7b0b7a236cf5da5b3856eba31aa96aa1c12b44477d1ef327af6ea817e69203ec5cf1080e9415c6cec74d08d0e29a37dcfa13b43ed3089a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahcqffmo\ahcqffmo.dll
Filesize
4KB

MD5
bbbf5ff71e4d1ff159dbc1f75d6e9f52

SHA1
67e01638d6e1c88298b0e447a6e3f62d5cf672a1

SHA256
1bc4b9c2067104c570d59afc72902eaa34867bdcc4df8e5bcc9a8ae157c740aa

SHA512
ff4e909dcc1c1ddc3048fe0823087156df51a1c8c1b7934f9dbdeb60c8f1d1d7aeae81f81ec46dc2b6a8d2f9ab86c1952ed548510d2dbd4bda2b5cbf5597abb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hf0fvcm0\hf0fvcm0.dll
Filesize
6KB

MD5
400db1d4a9cc2696d0cedc8c0fedb86c

SHA1
3dce39f57b661474dbcbb36b4ffad085ccd96c2c

SHA256
25295eda4ea260d364e7074b320f4500b62ffc73899a6c098e2d03aad9a71cf9

SHA512
5ef108b51af8a18a0e671159dbe616970477368806e7e7bac21c3d6de516cf288b0e1092d382bf69e197b3a4906b4d51b1cc9e6a548b56580971d4053f7135de

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ahcqffmo\CSC1B16E7F49234460EA18A78EE432220FA.TMP
Filesize
652B

MD5
01e51ff147091ee6fb6f93f0a666399d

SHA1
2a4a42d4aa67599871b815a9cd40ca3cecec48cf

SHA256
3970d4c3b31802cadc40cf0dd8f74a68941e9d9f1064291a0ab0eb5833de1f20

SHA512
afe937cce17c57329ef7186a86c520389899e1dcfa0b4af285cb5d4bf3b19b357a05b2ad4514fa047b6c8d2dfcb075e4a1d6989b12115c9b9c9dd881f15dd038

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ahcqffmo\ahcqffmo.0.cs
Filesize
2KB

MD5
0ca239cbec62e94b213a1ca43e4d7dc5

SHA1
89ad0219ce997632027ad68a4a7f658fc65d8d2a

SHA256
f1d897ad3a4997908626edf2613d5b0dadb81def969b86b89415c5c22668f290

SHA512
e493ee87470c954a4e1ea0db55eee20f7213987e6c5d2d994f38a1df901386d5514045f905c2ee8bebe532082f773394d1951042b5a3019380169002d70b8ddc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ahcqffmo\ahcqffmo.cmdline
Filesize
369B

MD5
4de49e11855b164528bb8705aad515c9

SHA1
628ca640048c5d2129a95c11d012888616c3705d

SHA256
ca7a951b70219a6dc2bf812661db887c0afaa6eebbce989be360b7aa186ce421

SHA512
9df83874c61e48d41f0396f613dcb4f540b150fc8d97bfe9f197ee5a360f91993c5a1b075777b753aea335b720cfe11099889c45cf6bb32dc424d1cee4c90eab

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hf0fvcm0\CSCC82C2C5291B4B15A8236248A68DC94E.TMP
Filesize
652B

MD5
af66492b5d10d383c4d059c18a63a6fa

SHA1
697595b7e1a7f1bf108b7ba3c7843ace4b3fc40d

SHA256
beeada735a61cecea7047cc0b6547a7e4e0c30780760ca7649ad5c335be8bb9c

SHA512
6d18366d9d3616c88c437c45e75af13c2535378af730115c8f11dff0c1c60651f0c1f6e576462ce0fce63365a8e7156c65f61d7fe1ee6068bbb08462ae37888e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hf0fvcm0\hf0fvcm0.0.cs
Filesize
8KB

MD5
72d3ae92240c4c86e2f4c5757af7b065

SHA1
964bc0d9cd94f7c34eee6ed9c2672cb206890299

SHA256
bc8a2f83e312cadd7d9186f77134632941585844ce9a3586321ec3d73a342813

SHA512
e8ebb6ba7579381aebbbc457c02cede3898becad3eb53e9d624764042f69377488ba4ff61bb31825a32d9fb91ecbdcea2f09ecb2c36fbf9e5cf50e37d9489e72

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hf0fvcm0\hf0fvcm0.cmdline
Filesize
369B

MD5
a385f4ac09289f6402c1cb23612b3745

SHA1
552e2be3bf84d17c77aa4d26c6fde9401e2d9c8a

SHA256
f9b252f7136d9031ff144479a5f4d89255336cf4bdfd8d1c7b8169f7f2f4539b

SHA512
ec6561657f64002d3e124551462b29ba570f2a05d37fc1f2174a4a2788ca8c16ed4b655efdf10e087c83e71ea98b3faa2cacf39e6852fc5ebecb02bcd4a2744d

Download Submit
memory/2084-146-0x0000000000E60000-0x0000000000E82000-memory.dmp

Filesize
136KB

Download
memory/2272-130-0x0000014438FD0000-0x0000014438FF2000-memory.dmp

Filesize
136KB

Download
memory/2272-131-0x00007FF8657A0000-0x00007FF866261000-memory.dmp

Filesize
10.8MB

Download
memory/3208-142-0x0000000000000000-mapping.dmp

Download
memory/3240-139-0x0000000000000000-mapping.dmp

Download
memory/3352-132-0x0000000000000000-mapping.dmp

Download
memory/3480-135-0x0000000000000000-mapping.dmp

Download