netwalker | 489c7b7ee9ae9d46261f547b45d7b1dcce3c06e351217647b024603eee673046

Analysis

max time kernel
146s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f5c1b02db3e7c002e7a706b410e62b6_JaffaCakes118.ps1
Size

783KB
MD5

1f5c1b02db3e7c002e7a706b410e62b6
SHA1

d09236b586997b3fc4f464cbe622eb57be759949
SHA256

489c7b7ee9ae9d46261f547b45d7b1dcce3c06e351217647b024603eee673046
SHA512

05ec966bf53e96aa82eea602705216acda51b9f2837ca3fdb883947d8ccf950afe69201026ff988265cbe8ed4730ff88163daa61b807b3ad6c10f464e662553c
SSDEEP

12288:hlh4g0ku6gV76xW5TevBIeMBZ9viXPK3EJFa:fBIeMBZ9viXPK3Eu

Score

10^/10

netwalker execution ransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\8AB976-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .8ab976 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_8ab976: pnOUZMXPXrlnMmmWATx23lZfFblIVyM+odezDtNipcDl7zMQov KxJm2Oi2cSWQ1Bmabj4FpUEIcIw73Fc4ClC251KB642LtZsEsr MKATPSOVreJGCbxFzCdihn4naWwNC2ybuZILYkw/3uyHZJYOy9 DzxKyGz+mtY3DgQayPdOBHrPL63NKoGfx3+2JErpTQ75NjG+ki 51HVU8h6I9sDFR0aGNuCZiEkYm8Xx+2HE8/nNoNhCvAr8fMT0V jxNF2Jh2u0E+1YPu82XMso36O6o0KqJGlgh2tu1w==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Renames multiple (6782) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sk-sk\ui-strings.js	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-48_altform-unplated.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\ui-strings.js	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-40.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\LargeTile.scale-125.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-24_altform-unplated.png	Explorer.EXE
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\classes.jsa	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ppd.xrm-ms	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\hu_get.svg	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-72.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down.gif	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Doughboy.scale-100.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-200.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-32_altform-unplated_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.scale-125_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxManifest.xml	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\logo.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-40.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-pl.xrm-ms	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_checkbox_selected_18.svg	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\NoteToolbox-dark.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-40_altform-lightunplated.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-pl.xrm-ms	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyReport.dotx	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\8AB976-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_altform-unplated_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\FlagToastQuickAction.scale-80.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\50.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_altform-unplated_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-60.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSplashScreen.scale-200_contrast-white.png	Explorer.EXE
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\8AB976-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hr-hr\ui-strings.js	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailLargeTile.scale-100.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\added.txt	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\assets_picker-account-addPerson-48.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-20.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-72_altform-unplated.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\YahooPromoTile.scale-200.png	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\cs-cz\8AB976-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-125_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-125_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\SmallTile.scale-125.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.scale-400.png	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ro-ro\8AB976-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-48.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-24_altform-lightunplated.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-256_altform-unplated_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-24_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Light.scale-150.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailMediumTile.scale-400.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\es-es\ui-strings.js	Explorer.EXE
File opened for modification	C:\Program Files\UndoUnblock.mp2v	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\assets\[email protected]	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\BLUEPRNT.ELM	Explorer.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4576	powershell.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\IESettingSync	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Local Settings	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4576	powershell.exe
4576	powershell.exe
4576	powershell.exe
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE
3504	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	3504	Explorer.EXE
Token: SeImpersonatePrivilege	3504	Explorer.EXE
Token: SeBackupPrivilege	4628	vssvc.exe
Token: SeRestorePrivilege	4628	vssvc.exe
Token: SeAuditPrivilege	4628	vssvc.exe
Token: SeShutdownPrivilege	3504	Explorer.EXE
Token: SeCreatePagefilePrivilege	3504	Explorer.EXE
Token: SeShutdownPrivilege	3504	Explorer.EXE
Token: SeCreatePagefilePrivilege	3504	Explorer.EXE
Token: SeShutdownPrivilege	3504	Explorer.EXE
Token: SeCreatePagefilePrivilege	3504	Explorer.EXE
Token: SeShutdownPrivilege	3504	Explorer.EXE
Token: SeCreatePagefilePrivilege	3504	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3504	Explorer.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 5040	4576	powershell.exe	86
PID 4576 wrote to memory of 5040	4576	powershell.exe	86
PID 5040 wrote to memory of 432	5040	csc.exe	87
PID 5040 wrote to memory of 432	5040	csc.exe	87
PID 4576 wrote to memory of 3524	4576	powershell.exe	88
PID 4576 wrote to memory of 3524	4576	powershell.exe	88
PID 3524 wrote to memory of 4868	3524	csc.exe	90
PID 3524 wrote to memory of 4868	3524	csc.exe	90
PID 4576 wrote to memory of 3504	4576	powershell.exe	57
PID 3504 wrote to memory of 20268	3504	Explorer.EXE	110
PID 3504 wrote to memory of 20268	3504	Explorer.EXE	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\1f5c1b02db3e7c002e7a706b410e62b6_JaffaCakes118.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jf2g1fy0\jf2g1fy0.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4093.tmp" "c:\Users\Admin\AppData\Local\Temp\jf2g1fy0\CSC96A678774170421EAD3D72E114334D5C.TMP"
      4⤵
      PID:432
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5igxhra5\5igxhra5.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES417D.tmp" "c:\Users\Admin\AppData\Local\Temp\5igxhra5\CSC28883829AEFA4AFFAA28747833649543.TMP"
      4⤵
      PID:4868
- C:\Windows\system32\notepad.exe
  C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\8AB976-Readme.txt"
  2⤵
  PID:20268

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\8AB976-Readme.txt

Filesize
1KB

MD5
cf770d1d5ed45a41a44a712b72735fe4

SHA1
fab93d03f2b3dc5e4bc1f08f9ed377eb22604ca3

SHA256
4d4676138a8e4628411a987009678c2c79b22fd5779d0d7bc3213d04641e0998

SHA512
65a8c6f6807dbb5d57e2e61b5474d24981e79796ac71804d4ee0da4e303761acdf51351c5abeff32f09a97ee7400c002fc67dd3fbf04afb56918278964fe2b77

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

Filesize
3.3MB

MD5
7af15e0944e23667d1ab610a4afdec31

SHA1
13ec569a9da7438f8159046aa09020917711eaf2

SHA256
10c90e8cb1c85324c52822626a26db74887f02fc12496682fb70a44ccc128071

SHA512
05dd847b1cc7ff48d08be8614eefeb7a65d634909e25a027c77dc494f672401fb00929cc1d26b9916fa27f1621fc580eab00da0311385e698ee1c56d9964a3e5

Download Submit
C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\state.rsm.8ab976

Filesize
1KB

MD5
e1b4013f4f111188bc6dbee890cba756

SHA1
675549fc881dad795f0be9c0d1897e6dc444ed0a

SHA256
1b99b40d9a4471a37d987517ad0bc4063e44402557f566768b045bb815b2601a

SHA512
ed81122576ba0bf1749ba2ffb61196b9c9595420658d9528ea743ccce9b47e5225e2c71d047006f925b31404cbddc000da10af57f5a97c623457e313770cfd4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5igxhra5\5igxhra5.dll

Filesize
4KB

MD5
72a54d0605511652b0f139b5eebade15

SHA1
bb9fcbccb088e249bdbc6c39b26371db521d6992

SHA256
721cd0a81588113795a9c0821e16c9a4737aaa6fc82ec1b8108dc7173849c22f

SHA512
2beaa05d80d6dbbdbe92ca77e623f9d387fd16d9de0137975bca583eafbe18992b48cfa7c2379c6c9eaf12d7a2bd62bf685a22f604c73c1049f2c4ab00883c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4093.tmp

Filesize
1KB

MD5
849a5c68868ce9711cbac956e669848b

SHA1
6c05fe0c66970ae426d8e378ccadfb4c84571049

SHA256
db5124ffe1907013869ab65e313c008d1bfc31f2d738e14b06c3dde4391d3777

SHA512
893f98f6a9643033764467d90e73fc956eb23cde033b78ac146160541d1bdfa0111a342378b7ef2c44b4c262bc64dc906664afbfb442d2a54afd23128d41d8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES417D.tmp

Filesize
1KB

MD5
64e29f8e2c91eaa93a51bd43170791d1

SHA1
385bfe837de3bf8d5cccef094b285ecc82a562d9

SHA256
c7ee4efd40d5611422e66f4905c3fb7c86f8d9fb563e4e7427cde5b498ad801b

SHA512
ffe4e5ebefaeedd9e7e352deb197705e7161bc24cc41652cc550929476fa66093dc2b90903b310b9fe28bf1254ff5204611ea44d8a4c42c72f8df3b8c40b2dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_inn5ikwb.jp2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jf2g1fy0\jf2g1fy0.dll

Filesize
6KB

MD5
9ef4ca03a65076bbb170de56b667ed84

SHA1
5a5334d6a50a3a3139f14b88451ee310fc2c746c

SHA256
a11ba66d20f38be4f1036d8aedd333da78f777b56f4227e9e51ef1d9779a995f

SHA512
fd157398fc73e8ea994a2836393ac6dfdd8e399934da350ecb830322214391554175c45885e4ab5c6dcd222d419071f60a6622830a385507cdf1ef50678e3861

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5igxhra5\5igxhra5.0.cs

Filesize
2KB

MD5
a94bbced7809803c150aaffaec718dc2

SHA1
ddcd7f4271c76d143dab01c67e24032bc5d2d9bc

SHA256
856f43b0452528a5f588c1aaa15c401ad4595d71d9d20f53e5680b3a3f5b3e8b

SHA512
8556a5ee0ff799760a85074702b013c328ec58dbf60dd9087f4752f8475f956fd889cb493315360717e866edcda66812cec21914cb3d7be12cb8dff45848c3b5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5igxhra5\5igxhra5.cmdline

Filesize
369B

MD5
e2da9f81ee424831f290f69eff3be27f

SHA1
99eb1f315775e257ae85aac0bdfed0f33193bf43

SHA256
9335ca7960663578d9d7b650eb162c8af49ab3dd12e03f198805158854cd72ac

SHA512
adefbeaf3b73138548c2b94820c75c58011b1ac8a96ae6384a40eeb459b77446668f68b8992bf595b9dcbc4b568f44fc1b33bc5638e71657afec22360619372c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5igxhra5\CSC28883829AEFA4AFFAA28747833649543.TMP

Filesize
652B

MD5
f0b578d6e45ff4c43ca06c088b5424c8

SHA1
cf5e272730ad8424c40e2789e2f52398547cc3e6

SHA256
0322c041df7d38fc84a6eb195cdb42c36384023aedb2bbd3819277464b0fa4d1

SHA512
2d8176cc8f7c16aae5a4daef124cef1df7de60d03d57b89b1a50f30ccf9901d7af80a3e66af4d70cb95767dafdfe92195f5f8148530f1836985ce7fe9d40d53d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jf2g1fy0\CSC96A678774170421EAD3D72E114334D5C.TMP

Filesize
652B

MD5
2f6010a67fe6ea97b893d56530783509

SHA1
4751f73886bb897f5d1be98cb85c6559a2c6ad61

SHA256
7f43d3e3259fe8b114990aba59e7788ecd67b62d7569b51c4ceca1f48ef2cf35

SHA512
2135660b5657ddaee7d8368cdd101a30110c462a1e0b137c034f9906f7609ab02031d01cef1ba560d42271bb257ee2d475a2807286be8996ddfba5395b735486

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jf2g1fy0\jf2g1fy0.0.cs

Filesize
9KB

MD5
a26b857dd810c9e7a28cafb5a7e07785

SHA1
b8913e30d66ee752e52abdfe754ce8e16e8622a2

SHA256
8c48992bd621c6ff6cabf30a17fe2cc01619ffb95bba1bd6353ef80483eee693

SHA512
47714a16dc9e3e071d5da9f93b804be0ed5c593a4b57e507f111c98fe9fcb9e206618dc3de206aaf50c912d9c2a523051ba40dde28a09c74e85126ecebbab3cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jf2g1fy0\jf2g1fy0.cmdline

Filesize
369B

MD5
a452fd51d8b48fa78820d3b3978aee17

SHA1
56cccfec7eec5080c54e39dc553c454af61ef214

SHA256
741364c84885b064c6d00e13b4558ea36e406d07eb0b8c7759b5a1bf72c6953f

SHA512
2f805710f7f84232bc9f94fe18dbb2f659dfe18d7bab21d88bb39b1fcd8e71dcbe290eeb311bb241fe6fef56027e90a344526a20faa38b2ed5390e9d8fb35892

Download Submit
memory/3504-106-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-92-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-102-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-53-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-57-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-43-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-45-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-44-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-46-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-48-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-90-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-86-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-81-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-52-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-51-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-50-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-49-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-74-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-67-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-64-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-63-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-61-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-60-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-56-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-55-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-47-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-54-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-100-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-58-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-105-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-104-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-59-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-103-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-101-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-99-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-62-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-98-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-97-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-96-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-95-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-94-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-93-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-91-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-89-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-88-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-87-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-85-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-84-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-83-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-82-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-80-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-79-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-77-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-76-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-75-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-70-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-73-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-72-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-71-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-69-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-68-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-66-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/3504-65-0x0000000003210000-0x000000000322B000-memory.dmp

Filesize
108KB

Download
memory/4576-27-0x0000018377F50000-0x0000018377F58000-memory.dmp

Filesize
32KB

Download
memory/4576-11-0x00007FFFE41E0000-0x00007FFFE4CA1000-memory.dmp

Filesize
10.8MB

Download
memory/4576-12-0x00007FFFE41E0000-0x00007FFFE4CA1000-memory.dmp

Filesize
10.8MB

Download
memory/4576-13-0x00007FFFE41E0000-0x00007FFFE4CA1000-memory.dmp

Filesize
10.8MB

Download
memory/4576-41-0x0000018377F70000-0x0000018377F78000-memory.dmp

Filesize
32KB

Download
memory/4576-14-0x00007FFFE41E0000-0x00007FFFE4CA1000-memory.dmp

Filesize
10.8MB

Download
memory/4576-10502-0x00007FFFE41E0000-0x00007FFFE4CA1000-memory.dmp

Filesize
10.8MB

Download
memory/4576-1-0x0000018375920000-0x0000018375942000-memory.dmp

Filesize
136KB

Download
memory/4576-0-0x00007FFFE41E3000-0x00007FFFE41E5000-memory.dmp

Filesize
8KB

Download