7eafd43c18f9613d762567cb5e00d58df71208d6b94c23d634daec42170e0d6c

Analysis

max time kernel
80s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
16/10/2022, 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

578KB
MD5

533d78fdd538bbeee31fb0b72a8cfb7c
SHA1

cb0e46804e784525f5bece40d51772bbdd9a5dc4
SHA256

b7a4fcc7f474c091edc09349af5e53915d23f14071d78a3026c92c49d2467989
SHA512

85e393cbdd2b20da8892173c7951ddf8e75dbfa29cf81fa725a2da56e606b848ea8a6636528d4fe26eca5e6b251406ec870242fe0d44e7863bf22c739d7759d5
SSDEEP

12288:BE6fwX07rBFHkzeG54YEp0l87vVGt+mj9kvoTvI8S:BE6QG9FqGp0M0D9kvo9S

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1944	[email protected]

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1944	[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 1316	1944	[email protected]	27
PID 1944 wrote to memory of 1316	1944	[email protected]	27
PID 1944 wrote to memory of 1316	1944	[email protected]	27
PID 1944 wrote to memory of 1316	1944	[email protected]	27
PID 1944 wrote to memory of 1312	1944	[email protected]	29
PID 1944 wrote to memory of 1312	1944	[email protected]	29
PID 1944 wrote to memory of 1312	1944	[email protected]	29
PID 1944 wrote to memory of 1312	1944	[email protected]	29
PID 1944 wrote to memory of 944	1944	[email protected]	31
PID 1944 wrote to memory of 944	1944	[email protected]	31
PID 1944 wrote to memory of 944	1944	[email protected]	31
PID 1944 wrote to memory of 944	1944	[email protected]	31
PID 1944 wrote to memory of 1900	1944	[email protected]	33
PID 1944 wrote to memory of 1900	1944	[email protected]	33
PID 1944 wrote to memory of 1900	1944	[email protected]	33
PID 1944 wrote to memory of 1900	1944	[email protected]	33
PID 1944 wrote to memory of 468	1944	[email protected]	36
PID 1944 wrote to memory of 468	1944	[email protected]	36
PID 1944 wrote to memory of 468	1944	[email protected]	36
PID 1944 wrote to memory of 468	1944	[email protected]	36
PID 1312 wrote to memory of 1204	1312	net.exe	35
PID 1312 wrote to memory of 1204	1312	net.exe	35
PID 1312 wrote to memory of 1204	1312	net.exe	35
PID 1312 wrote to memory of 1204	1312	net.exe	35
PID 1944 wrote to memory of 2004	1944	[email protected]	44
PID 1944 wrote to memory of 2004	1944	[email protected]	44
PID 1944 wrote to memory of 2004	1944	[email protected]	44
PID 1944 wrote to memory of 2004	1944	[email protected]	44
PID 1316 wrote to memory of 1404	1316	net1.exe	42
PID 1316 wrote to memory of 1404	1316	net1.exe	42
PID 1316 wrote to memory of 1404	1316	net1.exe	42
PID 1316 wrote to memory of 1404	1316	net1.exe	42
PID 944 wrote to memory of 1176	944	Process not Found	37
PID 944 wrote to memory of 1176	944	Process not Found	37
PID 944 wrote to memory of 1176	944	Process not Found	37
PID 944 wrote to memory of 1176	944	Process not Found	37
PID 1944 wrote to memory of 1632	1944	[email protected]	41
PID 1944 wrote to memory of 1632	1944	[email protected]	41
PID 1944 wrote to memory of 1632	1944	[email protected]	41
PID 1944 wrote to memory of 1632	1944	[email protected]	41
PID 1944 wrote to memory of 1344	1944	[email protected]	40
PID 1944 wrote to memory of 1344	1944	[email protected]	40
PID 1944 wrote to memory of 1344	1944	[email protected]	40
PID 1944 wrote to memory of 1344	1944	[email protected]	40
PID 1944 wrote to memory of 520	1944	[email protected]	90
PID 1944 wrote to memory of 520	1944	[email protected]	90
PID 1944 wrote to memory of 520	1944	[email protected]	90
PID 1944 wrote to memory of 520	1944	[email protected]	90
PID 1944 wrote to memory of 1144	1944	[email protected]	157
PID 1944 wrote to memory of 1144	1944	[email protected]	157
PID 1944 wrote to memory of 1144	1944	[email protected]	157
PID 1944 wrote to memory of 1144	1944	[email protected]	157
PID 1944 wrote to memory of 956	1944	[email protected]	50
PID 1944 wrote to memory of 956	1944	[email protected]	50
PID 1944 wrote to memory of 956	1944	[email protected]	50
PID 1944 wrote to memory of 956	1944	[email protected]	50
PID 1900 wrote to memory of 560	1900	Process not Found	51
PID 1900 wrote to memory of 560	1900	Process not Found	51
PID 1900 wrote to memory of 560	1900	Process not Found	51
PID 1900 wrote to memory of 560	1900	Process not Found	51
PID 520 wrote to memory of 1912	520	net1.exe	56
PID 520 wrote to memory of 1912	520	net1.exe	56
PID 520 wrote to memory of 1912	520	net1.exe	56
PID 520 wrote to memory of 1912	520	net1.exe	56

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user1 /add
  2⤵
  PID:1316
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user1 /add
    3⤵
    PID:1404
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user2 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user2 /add
    3⤵
    PID:1204
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user3 /add
  2⤵
  PID:944
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user3 /add
    3⤵
    PID:1176
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user4 /add
  2⤵
  PID:1900
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user4 /add
    3⤵
    PID:560
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user5 /add
  2⤵
  PID:468
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user5 /add
    3⤵
    PID:1964
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user8 /add
  2⤵
  PID:1344
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user8 /add
    3⤵
    PID:1500
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user7 /add
  2⤵
  PID:1632
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user7 /add
    3⤵
    PID:788
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user6 /add
  2⤵
  PID:2004
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user6 /add
    3⤵
    PID:996
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user9 /add
  2⤵
  PID:520
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user9 /add
    3⤵
    PID:1912
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user10 /add
  2⤵
  PID:1144
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user10 /add
    3⤵
    PID:1648
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user11 /add
  2⤵
  PID:956
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user11 /add
    3⤵
    PID:284
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user12 /add
  2⤵
  PID:1916
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user12 /add
    3⤵
    PID:1240
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user13 /add
  2⤵
  PID:1364
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user13 /add
    3⤵
    PID:1204
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user14 /add
  2⤵
  PID:1776
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user14 /add
    3⤵
    PID:1628
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user15 /add
  2⤵
  PID:1772
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user15 /add
    3⤵
    PID:1140
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user16 /add
  2⤵
  PID:948
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user16 /add
    3⤵
    PID:1616
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user17 /add
  2⤵
  PID:1148
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user17 /add
    3⤵
    PID:1576
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user18 /add
  2⤵
  PID:2012
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user18 /add
    3⤵
    PID:920
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user19 /add
  2⤵
  PID:1612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user19 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1316
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user20 /add
  2⤵
  PID:1368
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user20 /add
    3⤵
    PID:1544
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user21 /add
  2⤵
  PID:1672
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user21 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:520
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user22 /add
  2⤵
  PID:892
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user22 /add
    3⤵
    PID:2108
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user23 /add
  2⤵
  PID:468
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user23 /add
    3⤵
    PID:2132
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user24 /add
  2⤵
  PID:2088
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user24 /add
    3⤵
    PID:2244
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user25 /add
  2⤵
  PID:2156
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user25 /add
    3⤵
    PID:2224
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user26 /add
  2⤵
  PID:2212
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user26 /add
    3⤵
    PID:2368
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user28 /add
  2⤵
  PID:2308
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user28 /add
    3⤵
    PID:2508
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user27 /add
  2⤵
  PID:2256
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user27 /add
    3⤵
    PID:2408
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user29 /add
  2⤵
  PID:2344
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user29 /add
    3⤵
    PID:2552
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user30 /add
  2⤵
  PID:2388
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user30 /add
    3⤵
    PID:2620
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user32 /add
  2⤵
  PID:2480
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user32 /add
    3⤵
    PID:2728
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user34 /add
  2⤵
  PID:2588
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user34 /add
    3⤵
    PID:2872
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user33 /add
  2⤵
  PID:2524
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user33 /add
    3⤵
    PID:2744
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user31 /add
  2⤵
  PID:2444
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user31 /add
    3⤵
    PID:2632
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user35 /add
  2⤵
  PID:2676
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user35 /add
    3⤵
    PID:2892
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user36 /add
  2⤵
  PID:2712
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user36 /add
    3⤵
    PID:2976
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user37 /add
  2⤵
  PID:2736
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user37 /add
    3⤵
    PID:2944
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user38 /add
  2⤵
  PID:2796
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user38 /add
    3⤵
    PID:2956
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user40 /add
  2⤵
  PID:2856
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user40 /add
    3⤵
    PID:268
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user41 /add
  2⤵
  PID:2900
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user41 /add
    3⤵
    PID:1644
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user39 /add
  2⤵
  PID:2832
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user39 /add
    3⤵
    PID:2080
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user42 /add
  2⤵
  PID:2996
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user42 /add
    3⤵
    PID:1648
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user43 /add
  2⤵
  PID:3028
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user43 /add
    3⤵
    PID:2316
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user44 /add
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user44 /add
    3⤵
    PID:2380
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user45 /add
  2⤵
  PID:2148
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user45 /add
    3⤵
    PID:2604
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user46 /add
  2⤵
  PID:996
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user46 /add
    3⤵
    PID:2336
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user50 /add
  2⤵
  PID:2560
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user50 /add
    3⤵
    PID:2804
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user51 /add
  2⤵
  PID:2688
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user51 /add
    3⤵
    PID:1720
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user54 /add
  2⤵
  PID:884
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user54 /add
    3⤵
    PID:920
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user56 /add
  2⤵
  PID:1776
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user56 /add
    3⤵
    PID:948
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user55 /add
  2⤵
  PID:2936
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user55 /add
    3⤵
    PID:756
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user53 /add
  2⤵
  PID:1748
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user53 /add
    3⤵
    PID:1604
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user52 /add
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user52 /add
    3⤵
    PID:1344
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user49 /add
  2⤵
  PID:536
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user48 /add
  2⤵
  PID:2232
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user57 /add
  2⤵
  PID:1484
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user57 /add
    3⤵
    PID:1576
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user47 /add
  2⤵
  PID:2236
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user59 /add
  2⤵
  PID:2540
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user59 /add
    3⤵
    PID:3040
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user58 /add
  2⤵
  PID:1312
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user58 /add
    3⤵
    PID:1984
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user60 /add
  2⤵
  PID:1772
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user60 /add
    3⤵
    PID:3176
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user61 /add
  2⤵
  PID:3004
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user61 /add
    3⤵
    PID:3088
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user62 /add
  2⤵
  PID:1612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user62 /add
    3⤵
    PID:3104
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user63 /add
  2⤵
  PID:2096
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user63 /add
    3⤵
    PID:3096
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user65 /add
  2⤵
  PID:2068
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user65 /add
    3⤵
    PID:3676
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user66 /add
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user66 /add
    3⤵
    PID:3780
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user64 /add
  2⤵
  PID:1888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user64 /add
    3⤵
    PID:3428
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user68 /add
  2⤵
  PID:3132
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user68 /add
    3⤵
    PID:3820
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user67 /add
  2⤵
  PID:2088
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user67 /add
    3⤵
    PID:3800
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user69 /add
  2⤵
  PID:3144
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user69 /add
    3⤵
    PID:3828
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user70 /add
  2⤵
  PID:3196
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user70 /add
    3⤵
    PID:3852
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user71 /add
  2⤵
  PID:3216
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user71 /add
    3⤵
    PID:3860
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user72 /add
  2⤵
  PID:3236
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user72 /add
    3⤵
    PID:3868
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user73 /add
  2⤵
  PID:3260
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user73 /add
    3⤵
    PID:3844
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user74 /add
  2⤵
  PID:3304
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user74 /add
    3⤵
    PID:3908
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user75 /add
  2⤵
  PID:3324
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user75 /add
    3⤵
    PID:3884
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user76 /add
  2⤵
  PID:3368
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user76 /add
    3⤵
    PID:3916
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user77 /add
  2⤵
  PID:3384
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user77 /add
    3⤵
    PID:4000
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user78 /add
  2⤵
  PID:3404
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user78 /add
    3⤵
    PID:3892
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user79 /add
  2⤵
  PID:3456
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user79 /add
    3⤵
    PID:3900
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user80 /add
  2⤵
  PID:3492
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user80 /add
    3⤵
    PID:3932
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user81 /add
  2⤵
  PID:3516
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user81 /add
    3⤵
    PID:3924
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user82 /add
  2⤵
  PID:3544
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user82 /add
    3⤵
    PID:3940
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user83 /add
  2⤵
  PID:3576
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user83 /add
    3⤵
    PID:3948
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user84 /add
  2⤵
  PID:3596
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user84 /add
    3⤵
    PID:3956
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user85 /add
  2⤵
  PID:3628
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user85 /add
    3⤵
    PID:3964
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user86 /add
  2⤵
  PID:3652
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user86 /add
    3⤵
    PID:3992
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user87 /add
  2⤵
  PID:3684
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user87 /add
    3⤵
    PID:3980
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user88 /add
  2⤵
  PID:3732
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user88 /add
    3⤵
    PID:4040
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user89 /add
  2⤵
  PID:3760
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user89 /add
    3⤵
    PID:4012
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user90 /add
  2⤵
  PID:2924
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user90 /add
    3⤵
    PID:2500
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user91 /add
  2⤵
  PID:2212
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user91 /add
    3⤵
    PID:2712
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user92 /add
  2⤵
  PID:2980
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user92 /add
    3⤵
    PID:2932
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user93 /add
  2⤵
  PID:2816
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user93 /add
    3⤵
    PID:2680
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user94 /add
  2⤵
  PID:2448
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user94 /add
    3⤵
    PID:2348
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user95 /add
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user95 /add
    3⤵
    PID:2820
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user96 /add
  2⤵
  PID:2736
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user96 /add
    3⤵
    PID:2388
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user97 /add
  2⤵
  PID:2892
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user97 /add
    3⤵
    PID:2428
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user98 /add
  2⤵
  PID:2140
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user98 /add
    3⤵
    PID:2060
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user99 /add
  2⤵
  PID:2644
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user99 /add
    3⤵
    PID:1472
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user user100 /add
  2⤵
  PID:2316
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user user100 /add
    3⤵
    PID:2516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10429562571130589817-19945288501119874697-2034482544-1002354132-1401495797-418378238"
1⤵
PID:1144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user47 /add
1⤵
PID:1892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user48 /add
1⤵
PID:2768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user user49 /add
1⤵
PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1944-63-0x00000000048C0000-0x00000000048D0000-memory.dmp

Filesize
64KB

Download
memory/1944-56-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/1944-55-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/1944-139-0x00000000048C0000-0x00000000048D0000-memory.dmp

Filesize
64KB

Download
memory/1944-140-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/1944-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download