netwalker | 1899ff66b76a3f6302fea0afbc26c8452949345d2ea6d987b683c6a0037f22d0

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49b3ed4c73d8d5a6613b725d40172590_JaffaCakes118.ps1
Size

902KB
MD5

49b3ed4c73d8d5a6613b725d40172590
SHA1

07e30496992d7087674cf5542c78856f66ff7737
SHA256

1899ff66b76a3f6302fea0afbc26c8452949345d2ea6d987b683c6a0037f22d0
SHA512

026c0a58a56747cbb9efab721382924d6da48c65483325ec868c9c894ff601a0461fa3674f4fa01c570635521cc6e7e8c96efe8765fcf68aa7eb713df988e2a3
SSDEEP

12288:aeeKC+CqCJCqCwCqC7yH5A7+vEeJaZkeq06aQKLI1XqO/bYyoSWjUUFy55576GYj:J

Score

10^/10

netwalker execution ransomware

Malware Config

Extracted

Path

C:\Program Files\Microsoft Office\FAACFA-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .faacfa -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, you must know that your sensitive data has been stolen by our analyst experts and if you choose to no cooperate with us, you are exposing yourself to huge penalties with lawsuits and government if we both don't find an agreement. We have seen it before; cases with multi million costs in fines and lawsuits, not to mention the company reputation and losing clients trust and the medias calling non-stop for answers. Come chat with us and you could be surprised on how fast we both can find an agreement without getting this incident public. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_faacfa: AQrnPz7Alv67mn8L7GwX5O3XF9LgSXjOeHsqcd7Az/VNznbWQR hMg06g85UA0nJE/zwxhqnXBNs2+1/jL17FKGat4fU9H91+CB+0 ZzH6rPrcfNKJ/9DY/7+6INLO6XaRRWYFAMBpMogOGfF0QAVxm6 a+96uNl8AKpj49cTV98fr4fqiWnNKBT8XX5iHtIK3GgcnCkqCq woOtiIlZ43fmAogrgS7pKev8cJ7jm2UAuqeQ1g11x/FS5rrnpG M3kLtzYk5Gouw0WtGe+MCcB60woDls6GTqomZIRA==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Renames multiple (6692) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\officons.ttf	Explorer.EXE
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\vlc.mo	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\IrisProtocol.winmd	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-48.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\MediaInkTransportControls.xbf	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-180.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\198.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-ms	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pl-pl\FAACFA-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_SplashScreen.scale-100.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_star_Loud.m4a	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SmallTile.scale-125_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionLargeTile.scale-400.png	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\FAACFA-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\es-419_get.svg	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\SmallLogoBeta.png.DATA	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-20_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymk.ttf	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_altform-unplated_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\combinepdf-selector.js	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelInterProviderRanker.bin	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\WinRTUtils.winmd	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.targetsize-24_altform-unplated.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailBadge.scale-400.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ppd.xrm-ms	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-100_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Dark.pdf	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageMedTile.scale-100_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-ms	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-40_altform-unplated_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\da_get.svg	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-cn\FAACFA-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OrientationControlFrontIndicator.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_File_Transfer_Failed.m4a	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-96.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyShare.scale-400.png	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\FAACFA-Readme.txt	Explorer.EXE
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\FAACFA-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxManifest.xml	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Hedge.jpg	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\MedTile.scale-125.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\resources.pri	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\en-US.pak.DATA	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\SearchEmail.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fr-fr\ui-strings.js	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\FAACFA-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHKEY.DAT	Explorer.EXE
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\FAACFA-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.targetsize-32_altform-unplated.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-200_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-30_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.winmd	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeWideTile.scale-400.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-400_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-400_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_ie8.gif	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-125.png	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\FAACFA-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\ui-strings.js	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WordInterProviderRanker.bin	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\eu-es\ui-strings.js	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\MSB1ENFR.ITS	Explorer.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
720	powershell.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\IESettingSync	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
720	powershell.exe
720	powershell.exe
720	powershell.exe
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	720	powershell.exe
Token: SeDebugPrivilege	3476	Explorer.EXE
Token: SeImpersonatePrivilege	3476	Explorer.EXE
Token: SeBackupPrivilege	4868	vssvc.exe
Token: SeRestorePrivilege	4868	vssvc.exe
Token: SeAuditPrivilege	4868	vssvc.exe
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 720 wrote to memory of 1200	720	powershell.exe	84
PID 720 wrote to memory of 1200	720	powershell.exe	84
PID 1200 wrote to memory of 1984	1200	csc.exe	86
PID 1200 wrote to memory of 1984	1200	csc.exe	86
PID 720 wrote to memory of 4604	720	powershell.exe	90
PID 720 wrote to memory of 4604	720	powershell.exe	90
PID 4604 wrote to memory of 2212	4604	csc.exe	91
PID 4604 wrote to memory of 2212	4604	csc.exe	91
PID 720 wrote to memory of 3476	720	powershell.exe	55
PID 3476 wrote to memory of 3256	3476	Explorer.EXE	103
PID 3476 wrote to memory of 3256	3476	Explorer.EXE	103

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\49b3ed4c73d8d5a6613b725d40172590_JaffaCakes118.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:720
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u5djfphb\u5djfphb.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A76.tmp" "c:\Users\Admin\AppData\Local\Temp\u5djfphb\CSC672398843235458B83201CA5DA64E07C.TMP"
      4⤵
      PID:1984
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jtdy4ien\jtdy4ien.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D74.tmp" "c:\Users\Admin\AppData\Local\Temp\jtdy4ien\CSC226402A9AC764C488E70A7C9DAF19D82.TMP"
      4⤵
      PID:2212
- C:\Windows\system32\notepad.exe
  C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\FAACFA-Readme.txt"
  2⤵
  PID:3256

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\FAACFA-Readme.txt

Filesize
2KB

MD5
37b9c16e6e1279e1b82ba070a5c13b6d

SHA1
c2b8795128cac91557c812ae736f85ee34b0ca9a

SHA256
e8ea563949cd77b3cdef1f8dfc8a4239988100038bf1c4b589bd2cfcb3c5e168

SHA512
ea8d78cc22c49091b01fb30994dd0327fee364789baa0be6261aef4122eb6306f562caf965a2d27eb421e330759c9f77941495b93cd712c95cdaa1ca83cd15a7

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

Filesize
3.3MB

MD5
db789de9d645867afabc34641150c6f6

SHA1
79188d97584f5f5e6c18ccf5e67f80bbfae82109

SHA256
f0870b670c3f056748361268bb843cc349869177ef170af35050b5d37f611d54

SHA512
32fef866c6f7805ea6a8cd829fa5ceeb463e38a3d4f906c01d444f264f658e0a89f04fe2fb9a1fd6df19603a7838725dca89274fa22a22e05a547bcd0b224de1

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\517cfcaf-138b-1796-2cea-62892204250a.xml.faacfa

Filesize
2KB

MD5
0d2c3c001b2a2a601324a49f1ff776c9

SHA1
ead888bc43b0520f337a608b320223dd52e142d6

SHA256
b7b835950627635ec411d0f83a094097c405546c8885cb8c8e1003aabbb8d9e9

SHA512
9315b261ebc35f1d13ae773d0aa622abb3f3823bfec907251e1ae5f42bcbf74ad0e44c6f305b3af6e5b98e3f4bd54981b2b8a056a1fface8725a9ee1d3c48f85

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\cb692946-a9f3-639d-1064-a6d75a01b9c3.xml.faacfa

Filesize
3KB

MD5
c1e0559a6dfe85f44d5b168d3170403a

SHA1
83519e173f5b621bca2243aa92e3c979f3618090

SHA256
b650916c10e11d07b55e4209aebde855c2d226725e8a619abd7f438f0970df7b

SHA512
2070847fb27376b43610272f80b14ab39b2d4d7108ba3816dec34e23b7b01335d68d8e065141fd62f42ea80a804d32115c4ad9ad5fa74f8f910782294c78f83c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4A76.tmp

Filesize
1KB

MD5
fd833ebc0873744e5ee7b4605372980c

SHA1
54bc36efc5df068acf51e0ba2763910eb9dde7b6

SHA256
2c963bfae4e2c5887324541941f21d7f1ece1cda9e5b398dc962ca7f4745e5cf

SHA512
35336fbee660027910ebb449a729ed3cf56e4d60652988f1a9215196da7aa2efc9684560fecd1b4884d8ae0d2a4785b7933812cefb62bcfeb827e9122d54d87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4D74.tmp

Filesize
1KB

MD5
c98ff4c5332b01b11e07de5112343299

SHA1
48bdfa454689a0eec28573b0bcdf7ca42621150a

SHA256
9f6409c181287a1dcfd3be3a74ca3bc85851440a0fed1c04478db48efe74c6ef

SHA512
0af6d389e1151dea92124eb25db8dfef69b34c4583129642b8f150a89a2d5f689b548481295f780f4420f5e2f46c0d4cc4a69a1685b81edd9a1aa33999a1f7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s3byg1dl.jen.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jtdy4ien\jtdy4ien.dll

Filesize
4KB

MD5
9603571bab7bb0231ec3e44a7d5aa5ac

SHA1
619163f114f03c7334b9ecb7ac41bf7c1ee1b2ac

SHA256
db5eee56ad0a76364e20e05113509c510c811e6557fb26e76e579ae3baad9747

SHA512
5eef8034d6bf6c218c05a73643600df331949bf32b654380cb59ab071e020357b55a90d9ed0f7ff4b287383ec91138deeb1ddb736f2ad4427ac119238943505e

Download Submit
C:\Users\Admin\AppData\Local\Temp\u5djfphb\u5djfphb.dll

Filesize
6KB

MD5
809f4304dffbc93c59542e250ce6f8ef

SHA1
9be4a1de9e36ac19cdfd7cb2adbb275fd6d7c833

SHA256
e2ff9b394b3b17e27c0389dfd62e86adf87f50dedbee893f6256035aaf3752a8

SHA512
733e13f4cb1cbc72d9d6f2b76a8dd66ff107189c102ef1a4892b2e31b665aab4d18abe94ee3723aa68eedc68d81349e273bce402f464b4f0cf6a9efe219a1d36

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jtdy4ien\CSC226402A9AC764C488E70A7C9DAF19D82.TMP

Filesize
652B

MD5
eb3546583c56664e11bffecb07c03e40

SHA1
f30ef85033258c0cad7a2202fcf46c4890b0eb9f

SHA256
b158b49fd36faef58bea6e0caceea25660663f503f4cbe8bdac74b778a777d03

SHA512
053639cbb4f114dc4b899335b436e43c59e5627f8834ebd66b25114bcc1389c3e04d0554a02f34bdc8f6b5c3b5fe9e66c3d3e0ec2aad31c8e78e83155991b3aa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jtdy4ien\jtdy4ien.0.cs

Filesize
2KB

MD5
a743f528f761e35ac1dc7a017c5da581

SHA1
e73fb085f518f6a5f673bc4714b976136bc21ef0

SHA256
f8b1b7b2ce8d8b2ca62f154a633bdebe0b3fd778786d084ec9191b333b3f9636

SHA512
373ef7d8ccfe75824e80fa7eac151021a4ca2e3e4ddb9aecbd01f61092179665e00216acd434c049bdf0d8c987fc3d9a570deb0017c71bd83e1f7a7a42038990

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jtdy4ien\jtdy4ien.cmdline

Filesize
369B

MD5
8741b42d41af11ceaf3f72398ccdc387

SHA1
d43f513bf44a73e36943d6b36802e81096b60b34

SHA256
06ad2c8e4a4bfc3e9e4f32918a968c7a0063bebbcf01382943c6c330a5550389

SHA512
95e9f2911777b354ab6c2d08ad25bb9cd1f3583184e11fc08c184c6f3bff0c8240efff306bb2f8d30f41a1749325476b4f91b46ede422ef76f7f43fcd0b7b5aa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u5djfphb\CSC672398843235458B83201CA5DA64E07C.TMP

Filesize
652B

MD5
89bf2797863c97b5bd7b70ec05a10b63

SHA1
205aab38c3d64806d103365e17544b0d4b8a7328

SHA256
cf31e290fb7c1ac02533bc60c7a65996549c6356a8ef0509efce004560099ca8

SHA512
40473e8f5b8a577d965935c9ef6ca9ad9bf7c8fff018503cbdc68a03dfef036cbee1b35ed4ab42324191d61094ab4ad9bb5a8c94f6bf9647c0db5da70deb78bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u5djfphb\u5djfphb.0.cs

Filesize
8KB

MD5
a6fdb1be50d474af2e6256b67312df1c

SHA1
37e6afca5aed0ffe685f420c086b8deb5101cedb

SHA256
fed2ae961915149cef840afc3f89abd70494a58a4000748299f8a43581697cd4

SHA512
4e0ddf25074533850d0b0339dd4a447202b824b67a3ca949c87a270db0cb5d5bad1301f739afa1ee98075cf3e3e3abd57b9aa72db6b8cd479a77904ec42297a3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u5djfphb\u5djfphb.cmdline

Filesize
369B

MD5
9ff6c2f7d96e339d47938e62c810978b

SHA1
82fc1bb9edcf861586429546c4ad44e34291ddfa

SHA256
74c05b85bc28aadfa2bcf0063b0a6f20497775befbf8eb0ab1165df078b8073e

SHA512
4295a3c9b0ebc059aaad03d6c97d63a303dce623e4651ecc4203c33187f174b5e920e6c9ac7a2b1eec34a5d5511f9ce879d2365d3a3fc6470b89cd30d6b09ca0

Download Submit
memory/720-10-0x00000229A0F00000-0x00000229A0F22000-memory.dmp

Filesize
136KB

Download
memory/720-27-0x00000229871F0000-0x00000229871F8000-memory.dmp

Filesize
32KB

Download
memory/720-14-0x00007FFF98770000-0x00007FFF99231000-memory.dmp

Filesize
10.8MB

Download
memory/720-41-0x00000229A1CC0000-0x00000229A1CC8000-memory.dmp

Filesize
32KB

Download
memory/720-13-0x00007FFF98770000-0x00007FFF99231000-memory.dmp

Filesize
10.8MB

Download
memory/720-12-0x00007FFF98770000-0x00007FFF99231000-memory.dmp

Filesize
10.8MB

Download
memory/720-11-0x00007FFF98770000-0x00007FFF99231000-memory.dmp

Filesize
10.8MB

Download
memory/720-10550-0x00007FFF98770000-0x00007FFF99231000-memory.dmp

Filesize
10.8MB

Download
memory/720-0-0x00007FFF98773000-0x00007FFF98775000-memory.dmp

Filesize
8KB

Download
memory/3476-84-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-73-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-106-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-103-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-102-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-101-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-100-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-99-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-98-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-96-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-95-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-94-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-93-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-92-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-91-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-90-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-89-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-87-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-79-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-86-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-85-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-83-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-81-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-80-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-78-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-77-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-76-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-75-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-74-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-105-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-72-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-71-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-67-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-66-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-65-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-64-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-62-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-63-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-61-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-60-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-59-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-58-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-57-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-104-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-97-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-88-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-56-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-54-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-53-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-51-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-70-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-68-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-69-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-50-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-55-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-49-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-52-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-48-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-44-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3476-43-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download