netwalker | b3dcd6e523ce44cf15638ca1f0de17554758f38ed8b7e7965b868fd28cb797dc

Analysis

max time kernel
150s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb6cde58d5a246fcef6a2b1f9ad96dbb_JaffaCakes118.ps1
Size

908KB
MD5

cb6cde58d5a246fcef6a2b1f9ad96dbb
SHA1

1c311562eee808d0af5270beb9cb077893efb066
SHA256

b3dcd6e523ce44cf15638ca1f0de17554758f38ed8b7e7965b868fd28cb797dc
SHA512

d2cd44fc69252fd3de34497d753ceb5db72e28cff920a2d649456abf98e57d232dedb982e09a5954532389f2cad5a0d986c1f1c0512b0a6f16a470110a5eec59
SSDEEP

6144:y/WXp13E8LFVy9KrE0zxiRgvLK9HvsG8todmCn4q/FVv4fTYnGu9TKC8+3KI:y2rbVvdtqzZdKC8+3KI

Score

10^/10

netwalker execution ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Searches\4F7D92-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .4f7d92 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_4f7d92: tUlu75pQ73AZD2rSDbtZEJi3TXbPgfqyXqfIHlRaSbYCKDm9oE 20yFStWWRJD7uCH3zPQ8ia0oTh+e1jZ3JFR6x3Gnsoc/EkDDvF yLg7oUYSXNFJX/uLXyRykRos2ASk6+/JP7kbxldS4RCBCLSGnh vkgRAUOtGr+NQ5148XcRO+O7Z9jhMvvUOwtbJevyuUdGm1JTkB BC+zSEEPqs+PhxsHnbAaE+AvdlpV9Pno4Xtb0aL35MwHA0dJo8 RpA+eIlDWBsSif1NAosLQHgKHCBLxHlerD7e6lrA==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Renames multiple (6821) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

Processes:

Explorer.EXE

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-125.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OrientationControlInnerCircleHover.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nl-nl\ui-strings.js	Explorer.EXE
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\vlc.mo	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fi-fi\ui-strings.js	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Eye.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-400_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\people\rachelVaughan.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookLargeTile.scale-200.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-100.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\WideTile.scale-200.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_rename_18.svg	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-125_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_altform-unplated_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerLargeTile.contrast-black_scale-125.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsBadgeLogo.scale-100.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\css\main.css	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL027.XML	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ru-ru\4F7D92-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\ui-strings.js	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Star.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_retina.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_AppList.targetsize-48_altform-unplated.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_settings.targetsize-48.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\sat_logo_2x.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_altform-unplated_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-60_altform-unplated.png	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\eu-es\4F7D92-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pt-br_get.svg	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-20_altform-lightunplated.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\hive.xsl	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\Content.DATA	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Microsoft.Xaml.Interactions.winmd	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\nub.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-100_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Fonts\SkypeAssets-Light.ttf	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons_retina.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_checkbox_selected_18.svg	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_ja_135x40.svg	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\nslist.hxl	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\LargeTile.scale-100.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\ui-strings.js	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\4F7D92-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-125.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\complete.contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\word.x-none.msi.16.x-none.vreg.dat	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\DATES.XML	Explorer.EXE
File opened for modification	C:\Program Files\Java\jre-1.8\lib\psfontj2d.properties	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\SmallTile.scale-200.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\ui-strings.js	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL097.XML	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner.gif	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48_altform-unplated_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql2000.xsl	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_listview.svg	Explorer.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
4104	powershell.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeExplorer.EXE

pid	Process
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exeExplorer.EXEvssvc.exe

description	pid	Process
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	3516	Explorer.EXE
Token: SeImpersonatePrivilege	3516	Explorer.EXE
Token: SeBackupPrivilege	2380	vssvc.exe
Token: SeRestorePrivilege	2380	vssvc.exe
Token: SeAuditPrivilege	2380	vssvc.exe
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

powershell.execsc.execsc.exeExplorer.EXE

description	pid	Process	procid_target
PID 4104 wrote to memory of 688	4104	powershell.exe	89
PID 4104 wrote to memory of 688	4104	powershell.exe	89
PID 688 wrote to memory of 2164	688	csc.exe	91
PID 688 wrote to memory of 2164	688	csc.exe	91
PID 4104 wrote to memory of 3252	4104	powershell.exe	92
PID 4104 wrote to memory of 3252	4104	powershell.exe	92
PID 3252 wrote to memory of 4136	3252	csc.exe	93
PID 3252 wrote to memory of 4136	3252	csc.exe	93
PID 4104 wrote to memory of 3516	4104	powershell.exe	56
PID 3516 wrote to memory of 21936	3516	Explorer.EXE	107
PID 3516 wrote to memory of 21936	3516	Explorer.EXE	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\cb6cde58d5a246fcef6a2b1f9ad96dbb_JaffaCakes118.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mjlz45fl\mjlz45fl.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:688
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C4D.tmp" "c:\Users\Admin\AppData\Local\Temp\mjlz45fl\CSC9780523AB30E499EB1DBB7A5D13A313.TMP"
      4⤵
      PID:2164
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0lc3qphp\0lc3qphp.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3252
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D18.tmp" "c:\Users\Admin\AppData\Local\Temp\0lc3qphp\CSCD8537F8769B74967A7C1E9A180B41142.TMP"
      4⤵
      PID:4136
- C:\Windows\system32\notepad.exe
  C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\4F7D92-Readme.txt"
  2⤵
  PID:21936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

Filesize
3.3MB

MD5
54d65ef224e9ca201c74f6e2028c69d0

SHA1
226bbb450ca7f37b4438a6e57f07976be0f1dbb5

SHA256
8322279d5c05fae8e2b27581a9adee99b31f1bcae59384ee752335af23eecbe5

SHA512
4fe449d28b8315df20a89c869eb633ae4eed7464a2f7404d3d14f83a2291a43c45da2d4dc615f782ec53acfd777aec474677cf38ca2605ae0f6341979adbd66e

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\8cfc804a-d777-2361-1670-4569e516397e.xml.4f7d92

Filesize
2KB

MD5
619e55d838cfd27c1df9ac3ca7420f5c

SHA1
425d55a3c805c9a7d7b9c80f63e471d4afde1915

SHA256
f7d94a51c9cad2a2e3c469a6d0424d5cd4baa9b0ffac79ec74c8e57dd9f9068a

SHA512
34f6438ce65334b6b6b235e1aebb6d18fde26576d9e9c1827a1d385813941360a76cc67b3c321113b617159c449ac62c90ead402e07c2e7db026dfac66bfced9

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\ecbc2601-0a67-4963-e594-43c65d6ec9a5.xml.4f7d92

Filesize
3KB

MD5
e7bced071a8e269f065fac9c39f85d91

SHA1
cae1c6201423337c4426e9ab9ba0db03782ab2fd

SHA256
492ca5767c7dd1aa6b2ce1bc1c5b1a0f01e72e897afeb722b94c4bb5005a7343

SHA512
a935f6e573bfd77752e7254fa7d656f05c28bfb77d80c728439d100faf0f96190a825fe66951458ba31f632fdceb5bf9295af83dd17acdc6bf8a46ea07f73c9c

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\f8dd0907-0dc8-3c5d-8345-cc7a1da52eb7.xml.4f7d92

Filesize
3KB

MD5
c8d8a81931c9960d4056702ca3673a05

SHA1
2892aca841ef186e5b393bbf6c666f8dbe09da6e

SHA256
7ddfe2ff850d52477548bc782f3b2815d7689e0b3a801d6b1cf912f729621ce4

SHA512
14503235fa5a9a376caf24e2ee5b60a5447e3dc9194ecad743059753e9060c41941a742b071d757831aeb7e7e445006cf2702e767dbb536b41495d6f6fa2c0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\0lc3qphp\0lc3qphp.dll

Filesize
4KB

MD5
0f3f2d7ca9f4583e83ca21df4c671b24

SHA1
3413b5314974f1fa55b911fa44eb2e4ebb7c839f

SHA256
05868865838d6b2d72156d49caa6c70ceac0b039a99be804304f0d40b87046f7

SHA512
26d13a6affbeab542e540236125e75077828726fc263f1b75206c096eff223536e31ff0a861cf6fce48d2ff243a162246517e58d1683a023d58d9ac9b0a36517

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1C4D.tmp

Filesize
1KB

MD5
6e58f0e432687eda1c89066157871338

SHA1
c75629d51208f3aa4c4a9e4af304e50c49ad2c7f

SHA256
b982326a4def4a391d24ebb709adefecb0d5e5061963adc3b20bd19e1daa72f1

SHA512
9d10766424620fff2287af972fe58166d25b0c541ef78389556c60f0c6c68e088cb297195cb1cdcf92c3c8050aa26715512341da5fba5f1e4b11131d1fc07792

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1D18.tmp

Filesize
1KB

MD5
ccbe5dd7fd4ace9b64fef0544439dd18

SHA1
0f6f77488bbf7a964dc570405d66ad4d5e805224

SHA256
fc32b5c5b83e983e3914162afa4efa312293eb188c5744efcfedefc3276cb876

SHA512
c5247e4bc95096765082ea108aefe98b14cb841b232ffe8e57184cc1e58a5ea53ba7e252ac1399639746d2ae5b8ba0101744c338193892ada24523115bce99d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_obugjy5z.l3q.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mjlz45fl\mjlz45fl.dll

Filesize
6KB

MD5
3a97aef741c6d002f6722d4c4d9ed9b8

SHA1
b8c34edb0dc28362bf2db2a195300922a521feae

SHA256
cad4415d49a09dccf24181775591a5021df6ba74593f4746a5639f0e0314d770

SHA512
201bd8f3168a6d2a30e8ec2e19573512c10d949ba89449f3685c7c6089b59a50d4d08f17c3c8ffcf9bf9edb03b08868eb55dd4f83c6acaeeaaae8ba2094f0789

Download Submit
C:\Users\Admin\Searches\4F7D92-Readme.txt

Filesize
1KB

MD5
8998443a510ee7d3b26e2c2b2b4219e7

SHA1
e706049475f6dbcb08ebf0fd356e5508422e7966

SHA256
d43b3b68739b48897482b10b75d4e55246b1e8e86d23a11db0e5bf81adcb6741

SHA512
dc1b60c617dc627dd8f99d0f6a60f63a28faeb18f2d6089ba109e2900557146741f544d94d3870f1d7c6446cff8e43acd2d8a17532bf1009da1ea07b00b44f5f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0lc3qphp\0lc3qphp.0.cs

Filesize
2KB

MD5
d491bc3537450532785880e98f087e97

SHA1
bf5a817e3776cff4554c03206159c54717ca09f2

SHA256
7e7bd87416a61d72128f5c5bdeb3b3054631393d22acfd84bc0a351e4cc6b491

SHA512
ebbd7f91049304640f30697cadea49eb8f69a26dc1581dc2e58fbf16421769ed5df67b4fe4bfc1dd6c58367adea0449c52aa26c0286e7ab153c6571b7fd59856

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0lc3qphp\0lc3qphp.cmdline

Filesize
369B

MD5
465a3678c23652935c53357133914166

SHA1
f47681d3d8c3f42ae1139a23e9e204e3bcc729b2

SHA256
38ba95d21381200ca73402c819937b6e4b77dde7e4d39c97d15f31d9dced56ed

SHA512
5ba2776405e46c0bcf86b3418711ad5e0c8c342249dda03cde7ce2755951026e330577259b20650cb4fef68480c86f41a94a6d7a6f7d54a1a158fa54add6989a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0lc3qphp\CSCD8537F8769B74967A7C1E9A180B41142.TMP

Filesize
652B

MD5
e506bf8f2490b097b99ee5dec3473369

SHA1
5b102195e657c8764b72cfcf7a98b72549afbe66

SHA256
ff12e3ec5696fbc4ba4c5f5cd131db802250b9a6f308b5ae63067c2dd50d3442

SHA512
01ae5a476a02a903e737ec573c93f85db6a6eefd879cf0e530ac5add808235f6fe19594110ae1f4c5d73eef320f6dd955129d7400bab938bb7c086b626204940

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mjlz45fl\CSC9780523AB30E499EB1DBB7A5D13A313.TMP

Filesize
652B

MD5
26da31a1e2c49c042817f32c17994e62

SHA1
8fe459c720056728c2fde7916844c3ee5eb6bd9e

SHA256
13b16014ad66cc158434b960edf10b4ad9cd3633eac9ff314ae3623b5da683b8

SHA512
66b56be32967585e2d9a028497143517bafa7af09f78f30fef533d015f53521a73a2819ea60b8a1e0363932814e08049944b664fdf60e8f6745670300228fb74

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mjlz45fl\mjlz45fl.0.cs

Filesize
9KB

MD5
77db487c078b0fa51e7fcace9b258cf1

SHA1
f73dc69329586dd07c5f4e273c03ee9164dc4936

SHA256
20a335545d41bad6dd654205fe7e8e38c807634307edc4463661f172d8b575de

SHA512
471f92bfb9a32090fa925e4cea14b218a290560e27ec5726ae65b8999293eaf3bb0f7b1b45595076a93d1406d00a5b61a1aa0c2b79294f355ef6df0f25f36cac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mjlz45fl\mjlz45fl.cmdline

Filesize
369B

MD5
625ffa4a69314e32b72d3b62b2460cbe

SHA1
d858d399317261a778dbc333b19dd0010f98392d

SHA256
0ede440ca7fbdff032cf875f2fb1b2f50260bd6529f95956400398f7e4a45809

SHA512
e1c0dc97dbf6e84842bb082ad7a2a7d6281cf4860e3134b6b9af0e734a94973f1810072468453546df4e90e8fdfc9986ee0c287808e25b42a1db5d9d009aa37e

Download Submit
memory/3516-94-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-84-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-55-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-43-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-44-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-56-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-52-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-51-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-109-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-107-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-57-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-106-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-58-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-105-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-104-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-103-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-102-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-101-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-100-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-99-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-98-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-97-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-96-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-95-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-108-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-93-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-91-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-90-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-89-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-88-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-87-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-86-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-85-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-53-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-83-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-82-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-81-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-80-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-79-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-78-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-77-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-76-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-75-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-74-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-73-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-71-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-70-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-69-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-68-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-67-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-66-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-65-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-63-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-62-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-61-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-60-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-59-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/3516-54-0x0000000003090000-0x00000000030B2000-memory.dmp

Filesize
136KB

Download
memory/4104-41-0x000002E0A5CB0000-0x000002E0A5CB8000-memory.dmp

Filesize
32KB

Download
memory/4104-12-0x00007FF813C50000-0x00007FF814711000-memory.dmp

Filesize
10.8MB

Download
memory/4104-13-0x00007FF813C50000-0x00007FF814711000-memory.dmp

Filesize
10.8MB

Download
memory/4104-17-0x00007FF813C50000-0x00007FF814711000-memory.dmp

Filesize
10.8MB

Download
memory/4104-50-0x00007FF813C50000-0x00007FF814711000-memory.dmp

Filesize
10.8MB

Download
memory/4104-27-0x000002E08D890000-0x000002E08D898000-memory.dmp

Filesize
32KB

Download
memory/4104-11-0x00007FF813C50000-0x00007FF814711000-memory.dmp

Filesize
10.8MB

Download
memory/4104-1-0x000002E08D8B0000-0x000002E08D8D2000-memory.dmp

Filesize
136KB

Download
memory/4104-0-0x00007FF813C53000-0x00007FF813C55000-memory.dmp

Filesize
8KB

Download