Analysis
max time kernel: 142s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2023 17:21
Static task: static1
Behavioral task: behavioral1
  Sample: 74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: 74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
  Resource: win10v2004-20231023-en
General
Target: 74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
Size: 2.0MB
MD5: 2f05a56a349dce85119e7fda9e8047ac
SHA1: 2f5afa9af299cba599c57fd99319268db803b31b
SHA256: 74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994
SHA512: fe85ed5b4702c60770dca17790e826a64cbb028fd0ee6d325cac90e3040efe9700eb7db0d11c71f7dfab20d283acb036e6c8cb3de61ca7e583c28026acf08d0b
SSDEEP: 49152:13NvRA0BjE8tCpIQontgzhDeGN8HHA7twVJ6M7Qzio1/Hzwo7L:13Q0BnkpiCzhjNaHA7M7Qz/bh7L
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Process: 74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 1 IoCs
Processes:
PID 4084: 626127266661616166161.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Process: 74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\individ = "C:\\Users\\Admin\\AppData\\Local\\individ.exe"
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 31: api.ipify.org
flow 33: ip-api.com
Suspicious use of SetThreadContext 1 IoCs
Processes:
PID 4616 (74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe) set thread context of PID 5040 (74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Gathers network information 2 TTPs 2 IoCs
Uses a command-line utility to act on the network configuration. The two invocations recorded here are ipconfig /release and ipconfig /renew, which drop and re-acquire the DHCP lease rather than merely display the configuration.
Processes:
PID 1844: ipconfig.exe
PID 3292: ipconfig.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
PID 4616: 74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
PID 1636: powershell.exe (recorded twice)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
PID 4616 (74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe): SeDebugPrivilege
PID 1128 (WMIC.exe), each of the following adjusted twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (the numeric entries are privilege LUIDs the sandbox did not resolve to names)
PID 4456 (WMIC.exe): the same 21 privileges, recorded once (the list is capped at 64 entries)
Note for triage: WMIC.exe enables every privilege in its token on startup, so the two WMIC entries are noise. The signal here is the sample itself, running from %TEMP%, enabling SeDebugPrivilege, which it needs for the SetThreadContext/WriteProcessMemory activity below.
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Writer PID (image) -> target PID (image), with the number of write events the sandbox recorded:
4616 (74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe) -> 4388 (cmd.exe): 3
4388 (cmd.exe) -> 1844 (ipconfig.exe): 3
4616 (74c5...96994.exe) -> 4084 (626127266661616166161.exe): 3
4084 (626127266661616166161.exe) -> 4832 (cmd.exe): 3
4616 (74c5...96994.exe) -> 4016 (cmd.exe): 3
4832 (cmd.exe) -> 1128 (WMIC.exe): 3
4016 (cmd.exe) -> 3292 (ipconfig.exe): 3
4084 (626127266661616166161.exe) -> 4448 (cmd.exe): 3
4084 (626127266661616166161.exe) -> 928 (cmd.exe): 3
928 (cmd.exe) -> 4456 (WMIC.exe): 3
4084 (626127266661616166161.exe) -> 4012 (cmd.exe): 3
4012 (cmd.exe) -> 1636 (powershell.exe): 3
4084 (626127266661616166161.exe) -> 3208 (cmd.exe): 3
4616 (74c5...96994.exe) -> 5040 (74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe): 10
4084 (626127266661616166161.exe) -> 1832, 1764, 5108, 3388, 4896 (cmd.exe): 3 each
Note for triage: three writes into each freshly created child is the footprint of ordinary process creation in this sandbox. The ten writes from PID 4616 into PID 5040, a second copy of the sample that also receives the SetThreadContext call recorded above, are the pattern of process hollowing: the parent replaces the suspended child's image with its own payload and then redirects the main thread into it.
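The host-side IoCs above (the Geo\Nation lookup, the Run value pointing into AppData\Local, SetThreadContext against a second copy of the sample, SeDebugPrivilege enabled by a binary in %TEMP%) reduce to four checks over registry, thread and token events. The following is an added example, my code rather than anything from the sandbox report or the sample, that runs those checks over constructed event records shaped like the report's IoCs. The event dictionary keys, the benign control entry with PID 2222, and the list of user-writable path components are my assumptions; a WMIC.exe entry is included because WMIC enables every privilege in its token on startup and a useful rule must not fire on it.

```python
"""Triage of the host-side IoCs listed under Signatures.

Added example, not part of the sandbox report. The event records below are
constructed to mirror the report's IoCs; their field names ("type", "pid",
"image", "key", "data", ...) are an assumption and would be mapped from
whatever Sysmon/EDR export is actually available.
"""
import re

SID = "S-1-5-21-1114462139-3090196418-29517368-1000"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe")
WMIC = r"C:\Windows\SysWOW64\Wbem\WMIC.exe"

EVENTS = [
    # Geofence: the country code is read before anything else happens.
    {"type": "reg_query", "pid": 4616, "image": SAMPLE,
     "key": rf"\REGISTRY\USER\{SID}\Control Panel\International\Geo\Nation"},
    # Persistence: a Run value pointing at a user-writable location.
    {"type": "reg_set", "pid": 4616, "image": SAMPLE,
     "key": rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\individ",
     "data": r"C:\Users\Admin\AppData\Local\individ.exe"},
    # Hollowing: the sample sets the thread context of a fresh copy of itself.
    {"type": "set_thread_context", "pid": 4616, "image": SAMPLE,
     "target_pid": 5040, "target_image": SAMPLE},
    {"type": "token_adjust", "pid": 4616, "image": SAMPLE, "privilege": "SeDebugPrivilege"},
    # WMIC enables every privilege in its token on startup; this must not fire.
    {"type": "token_adjust", "pid": 1128, "image": WMIC, "privilege": "SeDebugPrivilege"},
    # Constructed benign control: an installed product registering its own updater.
    {"type": "reg_set", "pid": 2222, "image": r"C:\Program Files\Vendor\Updater.exe",
     "key": rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": r"C:\Program Files\Vendor\Updater.exe"},
]

# Path components a standard user can write to (assumed list, extend per estate).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def triage(events):
    """Return (rule, pid) findings; each rule encodes one IoC from the report."""
    findings = []
    for e in events:
        kind = e["type"]
        if kind == "reg_query" and GEO_NATION.search(e["key"]):
            findings.append(("geofence-check", e["pid"]))
        elif kind == "reg_set" and RUN_KEY.search(e["key"]) and USER_WRITABLE.search(e["data"]):
            # A Run value by itself is common; one pointing into AppData/Temp is not.
            findings.append(("run-key-user-writable-path", e["pid"]))
        elif (kind == "set_thread_context" and e["target_pid"] != e["pid"]
              and e["target_image"].lower() == e["image"].lower()):
            # Debuggers call SetThreadContext too, but not on a copy of themselves
            # launched from %TEMP%; with WriteProcessMemory this is RunPE-style hollowing.
            findings.append(("self-hollowing", e["pid"]))
        elif (kind == "token_adjust" and e["privilege"] == "SeDebugPrivilege"
              and USER_WRITABLE.search(e["image"])):
            findings.append(("sedebug-from-user-path", e["pid"]))
    return findings


def by_process(findings):
    """Group rule names per PID so one process with several hits stands out."""
    grouped = {}
    for rule, pid in findings:
        grouped.setdefault(pid, []).append(rule)
    return grouped


if __name__ == "__main__":
    for pid, rules in by_process(triage(EVENTS)).items():
        print(pid, ", ".join(rules))
```

Each rule on its own is weak (Run values and SeDebugPrivilege are everyday events); the value is in `by_process`, where one PID launched from %TEMP% accumulates all four, exactly as PID 4616 does in this report.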
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe"
  PID: 4616
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /release
    PID: 4388
    - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\626127266661616166161.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\626127266661616166161.exe"
    PID: 4084
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
      PID: 4832
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
        PID: 1128
        - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c (nothing after /c is recorded)
      PID: 4448
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
      PID: 928
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
        PID: 4456
        - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c powershell -Command "Add-Type -A 'System.IO.Compression.FileSystem'; [System.IO.Compression.ZipFile]::CreateFromDirectory('C:\Users\Admin\AppData\Local\BunnyLogs', 'C:\Users\Admin\AppData\Local\BunnyLogs_RPOQIDAP.zip');"
      PID: 4012
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command "Add-Type -A 'System.IO.Compression.FileSystem'; [System.IO.Compression.ZipFile]::CreateFromDirectory('C:\Users\Admin\AppData\Local\BunnyLogs', 'C:\Users\Admin\AppData\Local\BunnyLogs_RPOQIDAP.zip');"
        PID: 1636
        - Suspicious behavior: EnumeratesProcesses
    - [depth 3] C:\Windows\SysWOW64\cmd.exe, 52 further instances
      Command line of each: C:\Windows\system32\cmd.exe /c (nothing after /c is recorded)
      PIDs in the order the sandbox lists them: 3208, 1832, 1764, 5108, 3388, 4896, 3576, 1872, 3956, 1276, 4840, 3572, 3892, 2204, 2840, 3672, 4872, 3036, 376, 3084, 4432, 3940, 4392, 3108, 3352, 4036, 3632, 4080, 1816, 4448, 3436, 3616, 2280, 4692, 1368, 676, 4288, 3040, 2004, 4636, 2768, 4612, 4280, 5036, 2140, 2284, 1832, 4704, 4212, 656, 5092, 2752 (4448 and 1832 appear a second time here, i.e. PID reuse after the earlier instance exited)
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    PID: 4016
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\ipconfig.exe
      Command line: ipconfig /renew
      PID: 3292
      - Gathers network information
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
    PID: 5040
- [depth 1] C:\Windows\SysWOW64\ipconfig.exe
  Command line: ipconfig /release
  PID: 1844
  - Gathers network information
  (the sandbox shows this as a separate top-level entry; the WriteProcessMemory log above records cmd.exe PID 4388 as the process that wrote to it)
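The process tree is itself the most useful detection artifact in this report: WMIC querying root\SecurityCenter2 for AntiVirusProduct, PowerShell zipping a BunnyLogs directory out of AppData\Local, ipconfig /release followed by /renew under the same root process, and one dropped executable in %TEMP% spawning dozens of cmd.exe /c children. The following is an added example, my code and not code from the report or the sample, that rebuilds a tree from constructed process-creation records shaped like the one above and evaluates those four patterns. The record layout, the parent PID 1000 assigned to the top-level sample, the reduced number of bare cmd.exe children and the fan-out threshold of 8 are my assumptions.

```python
"""Process-tree detections for the behaviours shown in the tree above.

Added example, not part of the sandbox report. PROCS is constructed to mirror
the report's tree as (pid, ppid, image, command line); the parent PID 1000 of
the top-level sample, the reduced number of bare "cmd.exe /c" children and the
record layout itself are assumptions.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\626127266661616166161.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
WMIC = r"C:\Windows\SysWOW64\Wbem\WMIC.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
IPCONFIG = r"C:\Windows\SysWOW64\ipconfig.exe"

WMIC_CMD = r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value"
ZIP_SRC = r"C:\Users\Admin\AppData\Local\BunnyLogs"
ZIP_DST = r"C:\Users\Admin\AppData\Local\BunnyLogs_RPOQIDAP.zip"
ZIP_CMD = ("powershell -Command \"Add-Type -A 'System.IO.Compression.FileSystem'; "
           "[System.IO.Compression.ZipFile]::CreateFromDirectory('%s', '%s');\"" % (ZIP_SRC, ZIP_DST))

PROCS = [  # (pid, ppid, image, cmdline), constructed from the report's tree
    (4616, 1000, SAMPLE, '"%s"' % SAMPLE),
    (4388, 4616, CMD, '"C:\\Windows\\System32\\cmd.exe" /c ipconfig /release'),
    (1844, 4388, IPCONFIG, "ipconfig /release"),
    (4084, 4616, DROPPED, '"%s"' % DROPPED),
    (4832, 4084, CMD, r"C:\Windows\system32\cmd.exe /c " + WMIC_CMD),
    (1128, 4832, WMIC, WMIC_CMD),
    (4012, 4084, CMD, r"C:\Windows\system32\cmd.exe /c " + ZIP_CMD),
    (1636, 4012, POWERSHELL, ZIP_CMD),
    (4016, 4616, CMD, '"C:\\Windows\\System32\\cmd.exe" /c ipconfig /renew'),
    (3292, 4016, IPCONFIG, "ipconfig /renew"),
    (5040, 4616, SAMPLE, SAMPLE),  # second copy of the sample: the hollowing target
] + [(pid, 4084, CMD, r"C:\Windows\system32\cmd.exe /c")
     for pid in (4448, 3208, 1832, 1764, 5108, 3388, 4896, 3576, 1872, 3956)]

USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
ZIP_SOURCE = re.compile(r"CreateFromDirectory\(\s*'([^']+)'")


def basename(image):
    return PureWindowsPath(image).name.lower()


def build_tree(procs):
    by_pid = {p[0]: p for p in procs}
    children = defaultdict(list)
    for pid, ppid, _, _ in procs:
        children[ppid].append(pid)
    return by_pid, children


def descendants(children, pid):
    out, stack = [], list(children[pid])
    while stack:
        cur = stack.pop()
        out.append(cur)
        stack.extend(children[cur])
    return out


def lineage(by_pid, pid):
    """Image names from the outermost recorded ancestor down to pid."""
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid][2]))
        pid = by_pid[pid][1]
    return " > ".join(reversed(chain))


def analyze(procs, fanout_threshold=8):
    """Return (rule, pid, detail) findings for the four patterns in the tree."""
    by_pid, children = build_tree(procs)
    findings = []
    for pid, _ppid, image, cmdline in procs:
        name = basename(image)
        low = cmdline.lower()
        # 1. AV product discovery through the WMI SecurityCenter2 namespace.
        if name == "wmic.exe" and "securitycenter2" in low and "antivirusproduct" in low:
            findings.append(("av-discovery-securitycenter2", pid, lineage(by_pid, pid)))
        # 2. Collected data zipped out of a user-writable directory (staging).
        if name in ("powershell.exe", "pwsh.exe"):
            m = ZIP_SOURCE.search(cmdline)
            if m and USER_WRITABLE.search(m.group(1)):
                findings.append(("log-staging-zip", pid, m.group(1)))
        # 3. Both ipconfig /release and /renew somewhere under this process.
        ipconfig_args = {by_pid[k][3].lower().split()[-1] for k in descendants(children, pid)
                         if basename(by_pid[k][2]) == "ipconfig.exe"}
        if {"/release", "/renew"} <= ipconfig_args:
            findings.append(("dhcp-release-renew", pid, sorted(ipconfig_args)))
        # 4. A binary in a user-writable path fanning out cmd.exe children.
        cmd_kids = [k for k in children[pid] if basename(by_pid[k][2]) == "cmd.exe"]
        if USER_WRITABLE.search(image) and len(cmd_kids) >= fanout_threshold:
            findings.append(("cmd-fanout-from-user-path", pid, len(cmd_kids)))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(PROCS):
        print(f"{rule:32} pid={pid} {detail}")
```

Rule 1 keys on the WMIC process rather than the cmd.exe wrapper so each query is counted once, and it carries the lineage so an analyst sees that the query came from a Temp executable rather than an administrator's shell. Rule 3 walks descendants instead of direct children because the sandbox records the release under cmd.exe PID 4388 and the renew under PID 4016; only their common parent 4616 ties the pair together.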
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 356B
  MD5: 5239d9e8e12d1b70b09c69048188e912
  SHA1: 2b5eb41cad7332b21affedbb2f34733850a32f25
  SHA256: e1f1344673de836dcf2d4108be040f85de07be7aa5499c860a55a9cb6fa4f274
  SHA512: 36cc51f1a970ac2790a852fa263f02bb5434d6fc29b56ceb9a8038718aaefff7b819ae3aa9ce0d2b18bdf1a07bcceb8487f3b400707b52e9505e7d540a881eaa
- Filesize: 3B (recorded twice with identical hashes)
  MD5: 382b0f5185773fa0f67a8ed8056c7759
  SHA1: 08d2e98e6754af941484848930ccbaddfefe13d6
  SHA256: e2f79e5b60330bba4c289962231b6ba2957d0b14e7deb3110417003c79dea635
  SHA512: 3d6fac2f8bc5bec0e79713cfd41962d5463349ff21010a28675b7535cd7e39cd19866428d772a0c57b4c29f623882fb6ff6613b6b16502b74aa204ac1acc084a
- Filesize: 19B
  MD5: 048a507e7cd987cc13b5bdff543b3076
  SHA1: 24701c4f9bf4f7d0be73a5bae8fa94243a3a8ed6
  SHA256: 307cff63c960749cb552660fe5987ea5bd7afdd7163a931db4af1db0148e013f
  SHA512: dead24b99dff03a532ca2a4bae65f3e16a64deff4cdf3d012877414c9ed3b543d162147499e76afe9d6b645d83c7c31523bbcea44533a6c7a115fad5a6c2e48d
- Filesize: 1KB
  MD5: 088ef465fb6d9f894576eb5262d7ac88
  SHA1: a7ef9470efec00fb45701302407dd11772bae59a
  SHA256: 6dc2ea605d32f264b29d0a94bca829d19d4f45bba80bbb24b650ce752e6d33d4
  SHA512: 11a2b26d277d6067844461e2b2184a1ccacf14e5fbb551e5706c1b0d03f43be11cca9abbd8fab0a8ef392ec6cd4793ef76892f453e1efc4a8c9415747f1050ea
- Filesize: 13B
  MD5: d6dc9501f65262c5398d9ed188bf351a
  SHA1: 4f6160ece6b535f3d1d33f0ef419ef4655bd52bb
  SHA256: 087bbf59d9f176de93872e0a8ff0892d2b1135f2f7ff3f8323fc2c66eb0eed37
  SHA512: 7ce9cfe9599299a7e49832b282616c9a80eb2bde4e0e27d1d78fe68edc77a24c3fc6b94cbd7837bea2ed0eb0ef8b242d950c599cc81b4eb3638531faa40a1f3b
- Filesize: 2B
  MD5: 81051bcc2cf1bedf378224b0a93e2877
  SHA1: ba8ab5a0280b953aa97435ff8946cbcbb2755a27
  SHA256: 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
  SHA512: 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
- Filesize: 1.7MB (recorded three times with identical hashes)
  MD5: 7b1c3df953e3da8ce48bbb7ca94213c8
  SHA1: 6c20db2aba0ceb8bb5816a7cd7d0211b9d551b15
  SHA256: 28106da8785e10f9eed4f063da92faafddefe7dc74e2cb342a595d7542ede382
  SHA512: f435ecc13e779e50ef1f45a82e26fc12dcbb00faf16f7ea4fcb4f882da7b98064a929b6afa6c77644af833bd873d22af2e6621d83dc1ee3f4d62db88911cc7d2
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82