Analysis
-
max time kernel: 150s
max time network: 156s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64 arch:x86 image:win7-20231023-en locale:en-us os:windows7-x64 system
submitted
27-11-2023 17:21
Static task
static1
Behavioral task
behavioral1
Sample
74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
Resource
win10v2004-20231023-en
General
-
Target
74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
-
Size
2.0MB
-
MD5
2f05a56a349dce85119e7fda9e8047ac
-
SHA1
2f5afa9af299cba599c57fd99319268db803b31b
-
SHA256
74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994
-
SHA512
fe85ed5b4702c60770dca17790e826a64cbb028fd0ee6d325cac90e3040efe9700eb7db0d11c71f7dfab20d283acb036e6c8cb3de61ca7e583c28026acf08d0b
-
SSDEEP
49152:13NvRA0BjE8tCpIQontgzhDeGN8HHA7twVJ6M7Qzio1/Hzwo7L:13Q0BnkpiCzhjNaHA7M7Qz/bh7L
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
- PID 2252  626127266661616166161.exe
-
Loads dropped DLL 1 IoCs
Processes:
- PID 2244  74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\individ = "C:\\Users\\Admin\\AppData\\Local\\individ.exe", written by 74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe (PID 2244)
The value sits in the logged-on user's hive (the HKCU Run key), so no elevation was needed. It points at individ.exe under AppData\Local, a name that matches neither the submitted sample nor the dropped 626127266661616166161.exe, and no write of that file appears elsewhere in this report.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Flows:
- flow 3: api.ipify.org
- flow 6: ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
Processes:
- PID 2392  ipconfig.exe
- PID 2924  ipconfig.exe
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
- PID 2244  74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe (21 entries)
- PID 804  powershell.exe (1 entry)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (listing capped at 64 entries):
- PID 2244  74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe: SeDebugPrivilege
- PID 2936  WMIC.exe, the following set twice over: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (the last three are privilege LUIDs the sandbox did not resolve to names)
- PID 2540  WMIC.exe: the same twenty once, then SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege before the cap
The long WMIC.exe lists are the normal start-up behaviour of wmic.exe, which enables every privilege present in its token; they say nothing about the sample. The one token change the sample made itself is SeDebugPrivilege in PID 2244, the privilege a process enables before opening other processes' memory.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (writer -> target; the raw listing repeats each pair four times, one entry per write, folded into the count here; the listing is capped at 64 entries):
- 2244 74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe -> 2208 cmd.exe (x4)
- 2208 cmd.exe -> 2392 ipconfig.exe (x4)
- 2244 74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe -> 2252 626127266661616166161.exe (x4)
- 2252 626127266661616166161.exe -> 2724 cmd.exe (x4)
- 2244 74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe -> 2660 cmd.exe (x4)
- 2724 cmd.exe -> 2936 WMIC.exe (x4)
- 2660 cmd.exe -> 2924 ipconfig.exe (x4)
- 2252 626127266661616166161.exe -> 2508 cmd.exe (x4)
- 2252 626127266661616166161.exe -> 2524 cmd.exe (x4)
- 2524 cmd.exe -> 2540 WMIC.exe (x4)
- 2252 626127266661616166161.exe -> 528 cmd.exe (x4)
- 528 cmd.exe -> 804 powershell.exe (x4)
- 2252 626127266661616166161.exe -> 1332 cmd.exe (x4)
- 2252 626127266661616166161.exe -> 1552 cmd.exe (x4)
- 2244 74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe -> 644 74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe (x4)
- 2244 74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe -> 940 74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe (x4)
Every parent/child pair in the process tree shows up here, cmd.exe -> ipconfig.exe included, which is consistent with ordinary process creation rather than injection. The pairs that merit a closer look are the last two, where the sample writes into re-launched copies of itself (PIDs 644 and 940); the other eight self-launched copies fall outside the 64-entry cap.
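The signatures above are the sandbox's verdicts; the block below is an added example, not part of this report and not the sandbox's signature code, that turns the same observations into detection rules a practitioner can run over process-creation and registry telemetry. The events are constructed Sysmon-style records whose values come from this report; the field names (kind, pid, image, parent_image, cmdline, target_object, details), the explorer.exe parent of the sample and the benign ipconfig control event are assumptions made for the example. The rules go slightly beyond this one sample: each one keys on the user-writable path that every stage of this report shares, so the same rule fires on other droppers that stage under AppData or Temp.

```python
"""Detection rules for the behaviours recorded in the signatures above.

Added example; constructed events, field names are assumptions.
"""
import re
from typing import Callable, Dict, List, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
PS_CMD = ("powershell -Command \"Add-Type -A 'System.IO.Compression.FileSystem'; "
          "[System.IO.Compression.ZipFile]::CreateFromDirectory("
          "'C:\\Users\\Admin\\AppData\\Local\\BunnyLogs', "
          "'C:\\Users\\Admin\\AppData\\Local\\BunnyLogs_AHLBRYJO.zip');\"")

# Constructed sample telemetry; PIDs, paths and command lines are taken from the report,
# the explorer.exe parent of PID 2244 and the PID 3100 control event are assumptions.
EVENTS: List[Dict] = [
    {"kind": "process", "pid": 2244, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f'"{SAMPLE}"'},
    {"kind": "process", "pid": 2208, "image": CMD, "parent_image": SAMPLE,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ipconfig /release'},
    {"kind": "process", "pid": 2936, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "parent_image": CMD,
     "cmdline": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value"},
    {"kind": "process", "pid": 804, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": CMD, "cmdline": PS_CMD},
    {"kind": "process", "pid": 644, "image": SAMPLE, "parent_image": SAMPLE, "cmdline": SAMPLE},
    {"kind": "registry", "pid": 2244, "image": SAMPLE,
     "target_object": r"\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\individ",
     "details": r"C:\Users\Admin\AppData\Local\individ.exe"},
    # Benign control: an administrator running ipconfig from an interactive shell.
    {"kind": "process", "pid": 3100, "image": r"C:\Windows\System32\ipconfig.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "ipconfig /all"},
]

# Paths an unprivileged user can write to: the common thread of every stage in this report.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\|\\Temp\\", re.I)


def _is(ev: Dict, kind: str, image_suffix: str = None) -> bool:
    return ev["kind"] == kind and (image_suffix is None or ev["image"].lower().endswith(image_suffix))


def rule_wmic_av_enum(ev: Dict) -> bool:
    """wmic querying root\\SecurityCenter2 AntiVirusProduct: security software discovery."""
    return _is(ev, "process", "\\wmic.exe") and \
        re.search(r"securitycenter2.*antivirusproduct", ev["cmdline"], re.I) is not None


def rule_powershell_zip_staging(ev: Dict) -> bool:
    """ZipFile::CreateFromDirectory with both the source folder and the archive under a user-writable path."""
    if not _is(ev, "process", "\\powershell.exe"):
        return False
    m = re.search(r"ZipFile\]::CreateFromDirectory\(\s*'([^']+)'\s*,\s*'([^']+)'", ev["cmdline"], re.I)
    return m is not None and all(USER_WRITABLE.search(p) for p in m.groups())


def rule_run_key_user_writable(ev: Dict) -> bool:
    """A Run value whose data points into AppData or Temp rather than an installed location."""
    return _is(ev, "registry") and \
        re.search(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", ev["target_object"], re.I) is not None \
        and USER_WRITABLE.search(ev["details"]) is not None


def rule_self_spawn_from_user_writable(ev: Dict) -> bool:
    """A binary in a user-writable path starting a copy of itself (the report shows 2244 writing into such copies)."""
    return _is(ev, "process") and ev["image"].lower() == ev["parent_image"].lower() \
        and USER_WRITABLE.search(ev["image"]) is not None


def rule_ipconfig_release_renew(ev: Dict) -> bool:
    """cmd /c ipconfig /release or /renew launched by a process running from a user-writable path."""
    return _is(ev, "process", "\\cmd.exe") and USER_WRITABLE.search(ev["parent_image"]) is not None \
        and re.search(r"ipconfig\s+/(release|renew)\b", ev["cmdline"], re.I) is not None


# (rule name, ATT&CK technique, predicate). T1055 is a candidate only; confirm it with the
# WriteProcessMemory records before calling it injection.
RULES: List[Tuple[str, str, Callable[[Dict], bool]]] = [
    ("wmic_av_enumeration", "T1518.001", rule_wmic_av_enum),
    ("powershell_zip_staging", "T1560", rule_powershell_zip_staging),
    ("run_key_user_writable", "T1547.001", rule_run_key_user_writable),
    ("self_spawn_user_writable", "T1055", rule_self_spawn_from_user_writable),
    ("ipconfig_release_renew", "T1016", rule_ipconfig_release_renew),
]


def run_rules(events: List[Dict]) -> List[Tuple[str, str, int]]:
    """Return (rule, technique, pid) for every event that trips a rule, in event order."""
    return [(name, tid, ev["pid"]) for ev in events for name, tid, pred in RULES if pred(ev)]


if __name__ == "__main__":
    for hit in run_rules(EVENTS):
        print(*hit)
```

Run as a script it prints one line per hit; the control event (PID 3100) produces none because its parent is System32, not a user-writable path. Feed it real Sysmon event ID 1 and 13 records by mapping Image, ParentImage, CommandLine, TargetObject and Details onto the field names used here.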
Processes
-
- [1] C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe (PID 2244)
  Command line: "C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 2208)
    Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /release
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\ipconfig.exe (PID 2392)
      Command line: ipconfig /release
      Signatures: Gathers network information
  - [2] C:\Users\Admin\AppData\Local\Temp\626127266661616166161.exe (PID 2252)
    Command line: "C:\Users\Admin\AppData\Local\Temp\626127266661616166161.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 2724)
      Command line: C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2936)
        Command line: wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
        Signatures: Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 2508)
      Command line: C:\Windows\system32\cmd.exe /c (nothing recorded after /c)
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 2524)
      Command line: C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2540)
        Command line: wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
        Signatures: Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 528)
      Command line: C:\Windows\system32\cmd.exe /c powershell -Command "Add-Type -A 'System.IO.Compression.FileSystem'; [System.IO.Compression.ZipFile]::CreateFromDirectory('C:\Users\Admin\AppData\Local\BunnyLogs', 'C:\Users\Admin\AppData\Local\BunnyLogs_AHLBRYJO.zip');"
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 804)
        Command line: powershell -Command "Add-Type -A 'System.IO.Compression.FileSystem'; [System.IO.Compression.ZipFile]::CreateFromDirectory('C:\Users\Admin\AppData\Local\BunnyLogs', 'C:\Users\Admin\AppData\Local\BunnyLogs_AHLBRYJO.zip');"
        Signatures: Suspicious behavior: EnumeratesProcesses
    - [3] C:\Windows\SysWOW64\cmd.exe, 55 further instances, each with command line C:\Windows\system32\cmd.exe /c and nothing recorded after /c, no signatures. PIDs in order: 1332, 1552, 1648, 268, 2684, 2900, 2872, 2852, 1380, 2812, 2848, 1592, 1272, 284, 1364, 2100, 1148, 1996, 1640, 1872, 1600, 712, 1880, 1408, 2140, 2892, 1268, 956, 2356, 2148, 1028, 280, 2064, 1076, 2296, 2264, 1936, 556, 2688, 1792, 2004, 2980, 1588, 2312, 1960, 1544, 1972, 3048, 1820, 2220, 2392 (reused after the ipconfig.exe above exited), 2216, 1860, 1884, 1828
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 2660)
    Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\ipconfig.exe (PID 2924)
      Command line: ipconfig /renew
      Signatures: Gathers network information
  - [2] C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe, ten instances launched by PID 2244 with command line C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe and no arguments, no signatures. PIDs in order: 644, 2756, 1768, 1464, 1428, 844, 1580, 588, 596, 940
The numbers in brackets are the depth in the tree. Every system binary resolves to C:\Windows\SysWOW64 although the command lines name System32: the sample is a 32-bit process on an x64 host and the WOW64 file-system redirector rewrites the path. Most of the 56 cmd.exe /c children carry no visible command, so whatever the dropped executable ran through them was not captured in the command line; only the two wmic queries and the powershell zip of the BunnyLogs folder are visible.
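The tree above is what the sandbox rendered; the block below is an added example, not part of this report, showing how to rebuild that tree yourself from the raw "PID X wrote to memory of Y" records in the WriteProcessMemory signature, fold the repeated entries, and pull out the two things worth a second look: the chains that end in a built-in tool driven through cmd.exe, and the targets whose image is the writer's own. REPORT_EXCERPT is a constructed subset of the 64 records, in the report's own line format; the helper names are this example's, not the sandbox's.

```python
"""Rebuild a process tree from a sandbox's WriteProcessMemory records.

Added example; REPORT_EXCERPT is a constructed subset of the report's records.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE = "74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe"
DROPPED = "626127266661616166161.exe"

# Constructed excerpt in the report's line format. The four identical lines for 2244 -> 2208
# are kept on purpose: the sandbox emits one entry per write, four per spawned child here.
REPORT_EXCERPT = """\
PID 2244 wrote to memory of 2208 2244 SAMPLE cmd.exe
PID 2244 wrote to memory of 2208 2244 SAMPLE cmd.exe
PID 2244 wrote to memory of 2208 2244 SAMPLE cmd.exe
PID 2244 wrote to memory of 2208 2244 SAMPLE cmd.exe
PID 2208 wrote to memory of 2392 2208 cmd.exe ipconfig.exe
PID 2244 wrote to memory of 2252 2244 SAMPLE DROPPED
PID 2252 wrote to memory of 2724 2252 DROPPED cmd.exe
PID 2724 wrote to memory of 2936 2724 cmd.exe WMIC.exe
PID 2252 wrote to memory of 528 2252 DROPPED cmd.exe
PID 528 wrote to memory of 804 528 cmd.exe powershell.exe
PID 2244 wrote to memory of 644 2244 SAMPLE SAMPLE
PID 2244 wrote to memory of 940 2244 SAMPLE SAMPLE
""".replace("SAMPLE", SAMPLE).replace("DROPPED", DROPPED)

# "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>"
RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")
Edge = Tuple[int, int]


def parse_writes(text: str) -> Dict[Edge, Tuple[str, str, int]]:
    """Map (writer_pid, target_pid) -> (writer_image, target_image, write_count), folding duplicates."""
    edges: Dict[Edge, Tuple[str, str, int]] = {}
    for line in text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue  # not a WriteProcessMemory record, or a truncated one
        key = (int(m.group(1)), int(m.group(2)))
        src, dst, n = edges.get(key, (m.group(3), m.group(4), 0))
        edges[key] = (src, dst, n + 1)
    return edges


def build_tree(edges: Dict[Edge, Tuple[str, str, int]]):
    """Children map and pid -> image name, treating each write edge as parent -> child."""
    children: Dict[int, List[int]] = defaultdict(list)
    names: Dict[int, str] = {}
    for (src, dst), (src_img, dst_img, _) in edges.items():
        children[src].append(dst)
        names.setdefault(src, src_img)
        names.setdefault(dst, dst_img)
    return children, names


def roots(edges: Dict[Edge, Tuple[str, str, int]]) -> List[int]:
    """PIDs that write but are never written to: the top of each tree (the sample, here)."""
    writers = {s for s, _ in edges}
    targets = {d for _, d in edges}
    return sorted(writers - targets)


def chains(children, names, pid: int, prefix: Tuple[str, ...] = ()) -> List[str]:
    """Every root-to-leaf path as 'image(pid) -> image(pid) -> ...'."""
    path = prefix + (f"{names[pid]}({pid})",)
    kids = children.get(pid, [])
    if not kids:
        return [" -> ".join(path)]
    return [c for kid in kids for c in chains(children, names, kid, path)]


def self_image_targets(edges: Dict[Edge, Tuple[str, str, int]]) -> List[int]:
    """Targets whose image equals the writer's own: a parent writing into a re-launched copy of
    itself. Dump the target's memory before concluding what was written."""
    return sorted(dst for (_, dst), (si, di, _) in edges.items() if si == di)


LOLBINS = {"wmic.exe", "powershell.exe", "ipconfig.exe"}


def lolbin_chains(children, names, root: int) -> List[str]:
    """Paths that end in one of the built-in tools the report shows being driven through cmd.exe."""
    out = []
    for chain in chains(children, names, root):
        leaf = chain.rsplit(" -> ", 1)[-1].split("(")[0].lower()
        if leaf in LOLBINS:
            out.append(chain)
    return out


if __name__ == "__main__":
    edges = parse_writes(REPORT_EXCERPT)
    children, names = build_tree(edges)
    for root in roots(edges):
        for chain in chains(children, names, root):
            print(chain)
    print("self-image targets:", self_image_targets(edges))
```

Paste the full 64-record listing into REPORT_EXCERPT and the same functions reproduce the tree shown above; the fold in parse_writes is what turns 64 entries into 16 parent/child pairs, and roots() confirms that everything descends from PID 2244.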
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IS2BN16O\ResultCMD[1].htm
Filesize 2B
MD5 81051bcc2cf1bedf378224b0a93e2877
SHA1 ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA256 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA512 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SUYBBARZ\Heartbeat[1].htm
Filesize 13B
MD5 d6dc9501f65262c5398d9ed188bf351a
SHA1 4f6160ece6b535f3d1d33f0ef419ef4655bd52bb
SHA256 087bbf59d9f176de93872e0a8ff0892d2b1135f2f7ff3f8323fc2c66eb0eed37
SHA512 7ce9cfe9599299a7e49832b282616c9a80eb2bde4e0e27d1d78fe68edc77a24c3fc6b94cbd7837bea2ed0eb0ef8b242d950c599cc81b4eb3638531faa40a1f3b
Both .htm entries are WinINet cache files (Temporary Internet Files\Content.IE5), so the sample's HTTP traffic went through the WinINet stack and is cached like a browser's. The names ResultCMD and Heartbeat and the tiny bodies look like the replies of a command-polling loop; the 2-byte ResultCMD body hashes to the MD5 of a bare CRLF (81051bcc2cf1bedf378224b0a93e2877), i.e. an empty reply. The report does not give the URLs that produced them.
-
Filesize 1.7MB
MD5 7b1c3df953e3da8ce48bbb7ca94213c8
SHA1 6c20db2aba0ceb8bb5816a7cd7d0211b9d551b15
SHA256 28106da8785e10f9eed4f063da92faafddefe7dc74e2cb342a595d7542ede382
SHA512 f435ecc13e779e50ef1f45a82e26fc12dcbb00faf16f7ea4fcb4f882da7b98064a929b6afa6c77644af833bd873d22af2e6621d83dc1ee3f4d62db88911cc7d2