4bcd6da5ab848ad96b85a945e4ea28a74fdb0203d87b75bc310e2d42f4fa3277

Analysis

max time kernel
1s
max time network
154s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Geller.bat
Size

94B
MD5

c346ebca4df10d691764d4eab3553b56
SHA1

7a15b33ac8b5765008551c32fd603aae7275d201
SHA256

4bcd6da5ab848ad96b85a945e4ea28a74fdb0203d87b75bc310e2d42f4fa3277
SHA512

e86ba0282c81aca1b0d7f5741d12027be805131e169fecd8aac57917a055d184862c09305e15aea9432aa2790129c6fb8da6f833853c203c359928633dd0cf33

Score

1^/10

Malware Config

Signatures

Gathers network information 2 TTPs 64 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1516	ipconfig.exe
1672	ipconfig.exe
1396	ipconfig.exe
1972	ipconfig.exe
4016	ipconfig.exe
1364	ipconfig.exe
2540	ipconfig.exe
1640	ipconfig.exe
3036	ipconfig.exe
4500	ipconfig.exe
1584	ipconfig.exe
1352	ipconfig.exe
3396	ipconfig.exe
5104	ipconfig.exe
2928	ipconfig.exe
936	ipconfig.exe
1272	ipconfig.exe
2008	ipconfig.exe
3536	ipconfig.exe
3020	ipconfig.exe
852	ipconfig.exe
2696	ipconfig.exe
3360	ipconfig.exe
3096	ipconfig.exe
3704	ipconfig.exe
1256	ipconfig.exe
2400	ipconfig.exe
644	ipconfig.exe
3036	ipconfig.exe
3180	ipconfig.exe
3592	ipconfig.exe
3844	ipconfig.exe
4976	ipconfig.exe
2592	ipconfig.exe
3260	ipconfig.exe
1204	ipconfig.exe
2696	ipconfig.exe
2884	ipconfig.exe
1712	ipconfig.exe
2744	ipconfig.exe
2632	ipconfig.exe
3180	ipconfig.exe
4456	ipconfig.exe
2756	ipconfig.exe
2416	ipconfig.exe
2944	ipconfig.exe
3868	ipconfig.exe
2572	ipconfig.exe
1564	ipconfig.exe
3796	ipconfig.exe
3132	ipconfig.exe
2712	ipconfig.exe
3448	ipconfig.exe
320	ipconfig.exe
4864	ipconfig.exe
2204	ipconfig.exe
2476	ipconfig.exe
1976	ipconfig.exe
1948	ipconfig.exe
2012	ipconfig.exe
3484	ipconfig.exe
1116	ipconfig.exe
1788	ipconfig.exe
2208	ipconfig.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2828	1936	cmd.exe	25
PID 1936 wrote to memory of 2828	1936	cmd.exe	25
PID 1936 wrote to memory of 2828	1936	cmd.exe	25
PID 1936 wrote to memory of 2696	1936	cmd.exe	24
PID 1936 wrote to memory of 2696	1936	cmd.exe	24
PID 1936 wrote to memory of 2696	1936	cmd.exe	24
PID 2828 wrote to memory of 1440	2828	cmd.exe	55
PID 2828 wrote to memory of 1440	2828	cmd.exe	55
PID 2828 wrote to memory of 1440	2828	cmd.exe	55
PID 2828 wrote to memory of 2620	2828	cmd.exe	54
PID 2828 wrote to memory of 2620	2828	cmd.exe	54
PID 2828 wrote to memory of 2620	2828	cmd.exe	54
PID 1936 wrote to memory of 2660	1936	cmd.exe	34
PID 1936 wrote to memory of 2660	1936	cmd.exe	34
PID 1936 wrote to memory of 2660	1936	cmd.exe	34
PID 2828 wrote to memory of 2772	2828	cmd.exe	115
PID 2828 wrote to memory of 2772	2828	cmd.exe	115
PID 2828 wrote to memory of 2772	2828	cmd.exe	115
PID 1440 wrote to memory of 2804	1440	cmd.exe	33
PID 1440 wrote to memory of 2804	1440	cmd.exe	33
PID 1440 wrote to memory of 2804	1440	cmd.exe	33
PID 1440 wrote to memory of 2756	1440	cmd.exe	28
PID 1440 wrote to memory of 2756	1440	cmd.exe	28
PID 1440 wrote to memory of 2756	1440	cmd.exe	28
PID 1440 wrote to memory of 2404	1440	cmd.exe	29
PID 1440 wrote to memory of 2404	1440	cmd.exe	29
PID 1440 wrote to memory of 2404	1440	cmd.exe	29
PID 2804 wrote to memory of 636	2804	cmd.exe	32
PID 2804 wrote to memory of 636	2804	cmd.exe	32
PID 2804 wrote to memory of 636	2804	cmd.exe	32
PID 2804 wrote to memory of 2540	2804	cmd.exe	122
PID 2804 wrote to memory of 2540	2804	cmd.exe	122
PID 2804 wrote to memory of 2540	2804	cmd.exe	122
PID 636 wrote to memory of 2568	636	cmd.exe	36
PID 636 wrote to memory of 2568	636	cmd.exe	36
PID 636 wrote to memory of 2568	636	cmd.exe	36
PID 636 wrote to memory of 2252	636	cmd.exe	35
PID 636 wrote to memory of 2252	636	cmd.exe	35
PID 636 wrote to memory of 2252	636	cmd.exe	35
PID 2804 wrote to memory of 2632	2804	cmd.exe	170
PID 2804 wrote to memory of 2632	2804	cmd.exe	170
PID 2804 wrote to memory of 2632	2804	cmd.exe	170
PID 636 wrote to memory of 2980	636	cmd.exe	38
PID 636 wrote to memory of 2980	636	cmd.exe	38
PID 636 wrote to memory of 2980	636	cmd.exe	38

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Geller.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:2696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K geller.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\system32\msg.exe
    msg * "You've just got GELLER'D"
    3⤵
    PID:2772
- - C:\Windows\system32\ipconfig.exe
    ipconfig
    3⤵
    PID:2620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K geller.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1440
- C:\Windows\system32\msg.exe
  msg * "You've just got GELLER'D"
  2⤵
  PID:2660

C:\Windows\system32\ipconfig.exe
ipconfig
1⤵
- Gathers network information
PID:2756

C:\Windows\system32\msg.exe
msg * "You've just got GELLER'D"
1⤵
PID:2404

C:\Windows\system32\ipconfig.exe
ipconfig
1⤵
- Gathers network information
PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K geller.bat
1⤵
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  PID:2252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K geller.bat
  2⤵
  PID:2568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K geller.bat
    3⤵
    PID:1052
  - - C:\Windows\system32\ipconfig.exe
      ipconfig
      4⤵
      PID:604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K geller.bat
      4⤵
      PID:524
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig
        5⤵
        Gathers network information
        
        PID:2204
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        5⤵
        
        PID:2412
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig
        6⤵
        
        PID:2164
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        6⤵
        
        PID:2040
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        7⤵
        
        PID:2552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        7⤵
        
        PID:1664
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        8⤵
        
        PID:1272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        8⤵
        
        PID:1040
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        9⤵
        Gathers network information
        
        PID:1256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        9⤵
        
        PID:764
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        10⤵
        Gathers network information
        
        PID:1640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        10⤵
        
        PID:2108
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        11⤵
        Gathers network information
        
        PID:2928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        11⤵
        
        PID:2920
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        12⤵
        Gathers network information
        
        PID:852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        12⤵
        
        PID:1792
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        13⤵
        Gathers network information
        
        PID:3036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        13⤵
        
        PID:2408
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        14⤵
        Gathers network information
        
        PID:1788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        14⤵
        
        PID:1560
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        15⤵
        Gathers network information
        
        PID:1712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        15⤵
        
        PID:2024
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        16⤵
        Gathers network information
        
        PID:2476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        16⤵
        
        PID:2300
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        17⤵
        Gathers network information
        
        PID:1516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        17⤵
        
        PID:884
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        18⤵
        Gathers network information
        
        PID:2696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        18⤵
        
        PID:2120
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        19⤵
        
        PID:2692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        19⤵
        
        PID:2900
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        20⤵
        
        PID:2984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        20⤵
        
        PID:2512
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        21⤵
        Gathers network information
        
        PID:2572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        21⤵
        
        PID:472
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        22⤵
        Gathers network information
        
        PID:2884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        22⤵
        
        PID:1704
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        23⤵
        Gathers network information
        
        PID:1672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        23⤵
        
        PID:1472
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        24⤵
        Gathers network information
        
        PID:2208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        24⤵
        
        PID:2172
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        25⤵
        Gathers network information
        
        PID:1204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        25⤵
        
        PID:1816
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        26⤵
        Gathers network information
        
        PID:1976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        26⤵
        
        PID:1692
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        27⤵
        Gathers network information
        
        PID:1564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        27⤵
        
        PID:2128
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        28⤵
        Gathers network information
        
        PID:1396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        28⤵
        
        PID:1280
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        29⤵
        Gathers network information
        
        PID:936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        29⤵
        
        PID:1644
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        30⤵
        Gathers network information
        
        PID:2592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        30⤵
        
        PID:2932
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        31⤵
        Gathers network information
        
        PID:2744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        31⤵
        
        PID:1588
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        32⤵
        Gathers network information
        
        PID:2632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        32⤵
        
        PID:2812
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        33⤵
        Gathers network information
        
        PID:1584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        33⤵
        
        PID:1804
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        34⤵
        Gathers network information
        
        PID:2944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        34⤵
        
        PID:2688
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        35⤵
        Gathers network information
        
        PID:1972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        35⤵
        
        PID:3064
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        36⤵
        Gathers network information
        
        PID:1272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        36⤵
        
        PID:2592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        37⤵
        
        PID:2100
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        38⤵
        Gathers network information
        
        PID:2008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        38⤵
        
        PID:2636
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        39⤵
        Gathers network information
        
        PID:1948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        39⤵
        
        PID:2188
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        40⤵
        Gathers network information
        
        PID:2012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        40⤵
        
        PID:2020
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        41⤵
        Gathers network information
        
        PID:3096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        41⤵
        
        PID:3088
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        42⤵
        Gathers network information
        
        PID:3180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        42⤵
        
        PID:3172
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        43⤵
        Gathers network information
        
        PID:3260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        43⤵
        
        PID:3252
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        44⤵
        
        PID:3332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        44⤵
        
        PID:3324
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        45⤵
        Gathers network information
        
        PID:3396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        45⤵
        
        PID:3388
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        46⤵
        Gathers network information
        
        PID:3484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        46⤵
        
        PID:3476
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        47⤵
        Gathers network information
        
        PID:3536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        47⤵
        
        PID:3528
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        48⤵
        Gathers network information
        
        PID:3592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        48⤵
        
        PID:3584
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        49⤵
        Gathers network information
        
        PID:3704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        49⤵
        
        PID:3696
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        50⤵
        Gathers network information
        
        PID:3796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        50⤵
        
        PID:3788
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        51⤵
        
        PID:3912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        51⤵
        
        PID:3904
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        52⤵
        Gathers network information
        
        PID:4016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        52⤵
        
        PID:4008
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        53⤵
        Gathers network information
        
        PID:3132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        53⤵
        
        PID:4084
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        54⤵
        
        PID:2196
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        54⤵
        Gathers network information
        
        PID:3180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        54⤵
        
        PID:3220
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        55⤵
        
        PID:1832
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        53⤵
        
        PID:3472
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        52⤵
        
        PID:704
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        51⤵
        
        PID:1944
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        50⤵
        
        PID:2576
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        49⤵
        
        PID:3992
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        48⤵
        
        PID:3264
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        47⤵
        
        PID:2384
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        46⤵
        
        PID:3216
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        45⤵
        
        PID:3156
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        44⤵
        
        PID:3868
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        43⤵
        
        PID:3680
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        42⤵
        
        PID:3448
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        41⤵
        
        PID:3432
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        40⤵
        
        PID:3280
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        39⤵
        
        PID:3232
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        38⤵
        
        PID:3196
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        37⤵
        Gathers network information
        
        PID:2400
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        37⤵
        
        PID:2984
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        36⤵
        
        PID:2196
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        35⤵
        
        PID:2972
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        34⤵
        
        PID:1312
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        33⤵
        
        PID:3040
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        32⤵
        
        PID:1976
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        31⤵
        
        PID:1340
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        30⤵
        
        PID:1672
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        29⤵
        
        PID:1620
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        28⤵
        
        PID:1736
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        27⤵
        
        PID:584
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        26⤵
        
        PID:1788
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        25⤵
        
        PID:1928
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        24⤵
        
        PID:2324
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        23⤵
        
        PID:1276
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        22⤵
        
        PID:2320
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        21⤵
        
        PID:1832
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        20⤵
        
        PID:1356
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        19⤵
        
        PID:1056
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        18⤵
        
        PID:2540
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        17⤵
        
        PID:3020
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        16⤵
        
        PID:1608
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        15⤵
        
        PID:2424
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        14⤵
        
        PID:2428
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        13⤵
        
        PID:1372
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        12⤵
        
        PID:2196
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        11⤵
        
        PID:616
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        10⤵
        
        PID:1836
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        9⤵
        
        PID:1972
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        8⤵
        
        PID:2084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://youtube.com/geller
        8⤵
        
        PID:2012
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        7⤵
        
        PID:816
      - C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        6⤵
        
        PID:1504
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://youtube.com/geller
        6⤵
        
        PID:1744
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1744 CREDAT:275457 /prefetch:2
        7⤵
        
        PID:1396
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1744 CREDAT:5518337 /prefetch:2
        7⤵
        
        PID:4296
    - - C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        5⤵
        
        PID:1976
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://youtube.com/geller
        5⤵
        
        PID:2480
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:275457 /prefetch:2
        6⤵
        
        PID:1632
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:4207618 /prefetch:2
        6⤵
        
        PID:2444
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:5780482 /prefetch:2
        6⤵
        
        PID:3776
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:11744257 /prefetch:2
        6⤵
        
        PID:2540
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:11613185 /prefetch:2
        6⤵
        
        PID:3260
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:11482113 /prefetch:2
        6⤵
        
        PID:3640
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:11351041 /prefetch:2
        6⤵
        
        PID:3664
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:11219970 /prefetch:2
        6⤵
        
        PID:928
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:5387266 /prefetch:2
        6⤵
        
        PID:968
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:5518338 /prefetch:2
        6⤵
        
        PID:3432
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:5649410 /prefetch:2
        6⤵
        
        PID:2356
  - - C:\Windows\system32\msg.exe
      msg * "You've just got GELLER'D"
      4⤵
      PID:1824
- - C:\Windows\system32\msg.exe
    msg * "You've just got GELLER'D"
    3⤵
    PID:1952
- - C:\Windows\system32\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:2416
- C:\Windows\system32\msg.exe
  msg * "You've just got GELLER'D"
  2⤵
  PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K geller.bat
1⤵
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\system32\msg.exe
  msg * "You've just got GELLER'D"
  2⤵
  PID:2632

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://youtube.com/geller
1⤵
PID:1328
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1328 CREDAT:406530 /prefetch:2
  2⤵
  PID:2772
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1328 CREDAT:10564609 /prefetch:2
  2⤵
  PID:3768
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1328 CREDAT:9450498 /prefetch:2
  2⤵
  PID:3760

C:\Windows\system32\ipconfig.exe
ipconfig
1⤵
- Gathers network information
PID:644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K geller.bat
1⤵
PID:2448
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:3360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K geller.bat
  2⤵
  PID:3364
- - C:\Windows\system32\ipconfig.exe
    ipconfig
    3⤵
    PID:852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K geller.bat
    3⤵
    PID:2816
  - - C:\Windows\system32\ipconfig.exe
      ipconfig
      4⤵
      Gathers network information
      PID:1364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K geller.bat
      4⤵
      PID:3424
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig
        5⤵
        Gathers network information
        
        PID:3020
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        5⤵
        
        PID:3924
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig
        6⤵
        Gathers network information
        
        PID:3036
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        6⤵
        
        PID:3724
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        7⤵
        Gathers network information
        
        PID:2712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        7⤵
        
        PID:1176
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        8⤵
        Gathers network information
        
        PID:1116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        8⤵
        
        PID:3740
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        9⤵
        
        PID:3716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        9⤵
        
        PID:2384
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        10⤵
        Gathers network information
        
        PID:3844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        10⤵
        
        PID:3500
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        11⤵
        Gathers network information
        
        PID:1352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        11⤵
        
        PID:3360
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        12⤵
        Gathers network information
        
        PID:3868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        12⤵
        
        PID:3684
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        13⤵
        Gathers network information
        
        PID:3448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        13⤵
        
        PID:2984
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        14⤵
        Gathers network information
        
        PID:320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        14⤵
        
        PID:3824
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        15⤵
        
        PID:4224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        15⤵
        
        PID:4216
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        16⤵
        
        PID:4352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        16⤵
        
        PID:4344
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        17⤵
        Gathers network information
        
        PID:4456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        17⤵
        
        PID:4448
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        18⤵
        Gathers network information
        
        PID:4500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        18⤵
        
        PID:4492
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        19⤵
        
        PID:4560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        19⤵
        
        PID:4552
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        20⤵
        
        PID:4748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        20⤵
        
        PID:4740
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        21⤵
        Gathers network information
        
        PID:4864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        21⤵
        
        PID:4856
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        22⤵
        Gathers network information
        
        PID:4976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        22⤵
        
        PID:4968
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        23⤵
        Gathers network information
        
        PID:5104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K geller.bat
        23⤵
        
        PID:5096
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        12⤵
        
        PID:4904
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        11⤵
        
        PID:4708
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        10⤵
        
        PID:4652
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        9⤵
        
        PID:4700
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        8⤵
        
        PID:3800
        
        C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        7⤵
        
        PID:3300
      - C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        6⤵
        
        PID:3668
    - - C:\Windows\system32\msg.exe
        
        msg * "You've just got GELLER'D"
        5⤵
        
        PID:3932
  - - C:\Windows\system32\msg.exe
      msg * "You've just got GELLER'D"
      4⤵
      PID:3736
- - C:\Windows\system32\msg.exe
    msg * "You've just got GELLER'D"
    3⤵
    PID:3280
- C:\Windows\system32\msg.exe
  msg * "You've just got GELLER'D"
  2⤵
  PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
56718d736c39277804e39afa908cc7dc

SHA1
32559e5a45e714440b7d173a64fc3541b99db90d

SHA256
ab1d70d2bb241831588da8080f448cfd84cadf437f460b3a9fa3a5428a2b9bca

SHA512
3a464692f8ebe419edf376dd96296acddc451f720aee6f957cee39282b7edcbfb750bdcb1dd576286110ae065595c93d61ebb7e917e2e293a950700bb190c575

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
7db4f76640defeb3c04a8928e6f8fa07

SHA1
f5f64a5e70cbb326b1c948662f9d683375749451

SHA256
7ebaf44ff6e1dde5995a79e6eef18f426453d4b4b163cdeb25f52841b0323c8f

SHA512
42b3d1ac3c8d0d01e531cb396df105c011a14238c21653267bd623e5a8d368c581b0d88a9af21dfc6fb2ae796a10227af3e2305bb18428064fab09754a322f5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
7db4f76640defeb3c04a8928e6f8fa07

SHA1
f5f64a5e70cbb326b1c948662f9d683375749451

SHA256
7ebaf44ff6e1dde5995a79e6eef18f426453d4b4b163cdeb25f52841b0323c8f

SHA512
42b3d1ac3c8d0d01e531cb396df105c011a14238c21653267bd623e5a8d368c581b0d88a9af21dfc6fb2ae796a10227af3e2305bb18428064fab09754a322f5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
14011a6570396be097fca3d0a9b9f9a3

SHA1
b487767ed66c97fd50be52d6c36ce4470436fc02

SHA256
e9173392cbcf79be7603d161e603f0ac61c1d01b5aa8482e98f64ba25f393ba5

SHA512
2cf8a91fa810daabe287fa5cae86233e4de215999dc6d2b47178eee4cbc25ad9cafe0ecaeedf0b25b2fcdbd91f2358f1c7358f2e406323e3976c9fa4f18f7fcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
1a0c220b6a70121d8c6af885dd2b5e62

SHA1
3c8250bbe4ce0ccebed3261e9a6b6ed42620716f

SHA256
358cdb41b506e23734219643fa09103cde9ee562135369a19700bca4f32c69ac

SHA512
68f2a3e726f832ee36399d47a9e75ae92594809ba90527e6bbf623d8ccbf646ba905f269db0e30f6da99a3130e7612739335e5278810954a05c5bf5351f8539e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5FEAC390-68F4-11EE-B57E-DE7401637261}.dat

Filesize
3KB

MD5
a7d71de0e569a1b28dfd9bc06e819783

SHA1
769057dc4b523daa37768a42144d83da9718fe66

SHA256
23bb73fd4b28f3ed21c7210851b20b2979ac333c135ca0af80429a2a06501106

SHA512
b37c18a040053be07f9f9a4bec3c7b4199b9bb100b666e486956981f8d65e23f946d1a230f332dfe30ab52f9a37ec6bef3b3a5dfda0baf865ab8b9a282170689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6004F2B0-68F4-11EE-B57E-DE7401637261}.dat

Filesize
5KB

MD5
a3453ab5be78e6dbf37afbd19e361b78

SHA1
eed0e1c762ac1a99972ca988d45ff79bc5bd09b8

SHA256
084bd595be15550052fcbf120aa960e260152ff8a25d1bc2677c052c78ec4f79

SHA512
7e3ef5d526fc1f2b3f1591da91aa109caecfd8d74fe340aa8483c38f056b4fda5d6d1dc9b5b50c78cab909156a93070a78e6c46879fc9ffb0a797f45371e86fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab961A.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar47F9.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit