Analysis Overview
SHA256
74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994
Threat Level: Shows suspicious behavior
The file 74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-27 17:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-27 17:21
Reported
2023-11-27 17:25
Platform
win7-20231023-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\626127266661616166161.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\individ = "C:\\Users\\Admin\\AppData\\Local\\individ.exe" | C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
"C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /release
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
C:\Users\Admin\AppData\Local\Temp\626127266661616166161.exe
"C:\Users\Admin\AppData\Local\Temp\626127266661616166161.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /renew
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "Add-Type -A 'System.IO.Compression.FileSystem'; [System.IO.Compression.ZipFile]::CreateFromDirectory('C:\Users\Admin\AppData\Local\BunnyLogs', 'C:\Users\Admin\AppData\Local\BunnyLogs_AHLBRYJO.zip');"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-Type -A 'System.IO.Compression.FileSystem'; [System.IO.Compression.ZipFile]::CreateFromDirectory('C:\Users\Admin\AppData\Local\BunnyLogs', 'C:\Users\Admin\AppData\Local\BunnyLogs_AHLBRYJO.zip');"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.237.62.212:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| RU | 195.10.205.23:80 | 195.10.205.23 | tcp |
| RU | 195.10.205.23:80 | 195.10.205.23 | tcp |
| RU | 195.10.205.23:80 | 195.10.205.23 | tcp |
| RU | 195.10.205.23:80 | 195.10.205.23 | tcp |
Files
memory/2244-1-0x0000000073F10000-0x00000000745FE000-memory.dmp
memory/2244-0-0x0000000000360000-0x000000000056C000-memory.dmp
memory/2244-2-0x0000000004650000-0x0000000004690000-memory.dmp
memory/2244-3-0x0000000004EC0000-0x00000000050A2000-memory.dmp
memory/2244-4-0x00000000050A0000-0x0000000005280000-memory.dmp
memory/2244-5-0x00000000063E0000-0x00000000065C2000-memory.dmp
memory/2244-6-0x00000000065C0000-0x000000000678A000-memory.dmp
memory/2244-7-0x0000000006790000-0x0000000006958000-memory.dmp
memory/2244-8-0x0000000000700000-0x000000000074C000-memory.dmp
memory/2244-9-0x0000000073F10000-0x00000000745FE000-memory.dmp
memory/2244-10-0x0000000004650000-0x0000000004690000-memory.dmp
\Users\Admin\AppData\Local\Temp\626127266661616166161.exe
| MD5 | 7b1c3df953e3da8ce48bbb7ca94213c8 |
| SHA1 | 6c20db2aba0ceb8bb5816a7cd7d0211b9d551b15 |
| SHA256 | 28106da8785e10f9eed4f063da92faafddefe7dc74e2cb342a595d7542ede382 |
| SHA512 | f435ecc13e779e50ef1f45a82e26fc12dcbb00faf16f7ea4fcb4f882da7b98064a929b6afa6c77644af833bd873d22af2e6621d83dc1ee3f4d62db88911cc7d2 |
C:\Users\Admin\AppData\Local\Temp\626127266661616166161.exe
| MD5 | 7b1c3df953e3da8ce48bbb7ca94213c8 |
| SHA1 | 6c20db2aba0ceb8bb5816a7cd7d0211b9d551b15 |
| SHA256 | 28106da8785e10f9eed4f063da92faafddefe7dc74e2cb342a595d7542ede382 |
| SHA512 | f435ecc13e779e50ef1f45a82e26fc12dcbb00faf16f7ea4fcb4f882da7b98064a929b6afa6c77644af833bd873d22af2e6621d83dc1ee3f4d62db88911cc7d2 |
C:\Users\Admin\AppData\Local\Temp\626127266661616166161.exe
| MD5 | 7b1c3df953e3da8ce48bbb7ca94213c8 |
| SHA1 | 6c20db2aba0ceb8bb5816a7cd7d0211b9d551b15 |
| SHA256 | 28106da8785e10f9eed4f063da92faafddefe7dc74e2cb342a595d7542ede382 |
| SHA512 | f435ecc13e779e50ef1f45a82e26fc12dcbb00faf16f7ea4fcb4f882da7b98064a929b6afa6c77644af833bd873d22af2e6621d83dc1ee3f4d62db88911cc7d2 |
memory/2252-26-0x00000000001E0000-0x00000000001EA000-memory.dmp
memory/2252-25-0x00000000001E0000-0x00000000001EA000-memory.dmp
memory/804-52-0x000000006EE80000-0x000000006F42B000-memory.dmp
memory/804-53-0x000000006EE80000-0x000000006F42B000-memory.dmp
memory/804-54-0x0000000002590000-0x00000000025D0000-memory.dmp
memory/804-55-0x0000000002590000-0x00000000025D0000-memory.dmp
memory/804-57-0x000000006EE80000-0x000000006F42B000-memory.dmp
memory/2244-63-0x0000000073F10000-0x00000000745FE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IS2BN16O\ResultCMD[1].htm
| MD5 | 81051bcc2cf1bedf378224b0a93e2877 |
| SHA1 | ba8ab5a0280b953aa97435ff8946cbcbb2755a27 |
| SHA256 | 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6 |
| SHA512 | 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d |
memory/2252-74-0x00000000001E0000-0x00000000001EA000-memory.dmp
memory/2252-73-0x00000000001E0000-0x00000000001EA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SUYBBARZ\Heartbeat[1].htm
| MD5 | d6dc9501f65262c5398d9ed188bf351a |
| SHA1 | 4f6160ece6b535f3d1d33f0ef419ef4655bd52bb |
| SHA256 | 087bbf59d9f176de93872e0a8ff0892d2b1135f2f7ff3f8323fc2c66eb0eed37 |
| SHA512 | 7ce9cfe9599299a7e49832b282616c9a80eb2bde4e0e27d1d78fe68edc77a24c3fc6b94cbd7837bea2ed0eb0ef8b242d950c599cc81b4eb3638531faa40a1f3b |
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-27 17:21
Reported
2023-11-27 17:25
Platform
win10v2004-20231023-en
Max time kernel
142s
Max time network
155s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\626127266661616166161.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\individ = "C:\\Users\\Admin\\AppData\\Local\\individ.exe" | C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4616 set thread context of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe | C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe |
Enumerates physical storage devices
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
"C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe"
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /release
C:\Users\Admin\AppData\Local\Temp\626127266661616166161.exe
"C:\Users\Admin\AppData\Local\Temp\626127266661616166161.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /renew
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "Add-Type -A 'System.IO.Compression.FileSystem'; [System.IO.Compression.ZipFile]::CreateFromDirectory('C:\Users\Admin\AppData\Local\BunnyLogs', 'C:\Users\Admin\AppData\Local\BunnyLogs_RPOQIDAP.zip');"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-Type -A 'System.IO.Compression.FileSystem'; [System.IO.Compression.ZipFile]::CreateFromDirectory('C:\Users\Admin\AppData\Local\BunnyLogs', 'C:\Users\Admin\AppData\Local\BunnyLogs_RPOQIDAP.zip');"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
C:\Users\Admin\AppData\Local\Temp\74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.211.247.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 64.185.227.156:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| RU | 195.10.205.23:80 | 195.10.205.23 | tcp |
| RU | 195.10.205.23:80 | 195.10.205.23 | tcp |
| US | 8.8.8.8:53 | 156.227.185.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.205.10.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| RU | 195.10.205.23:80 | 195.10.205.23 | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| RU | 195.10.205.23:80 | 195.10.205.23 | tcp |
| RU | 195.10.205.23:80 | 195.10.205.23 | tcp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
Files
memory/4616-1-0x0000000074FC0000-0x0000000075770000-memory.dmp
memory/4616-0-0x0000000000A00000-0x0000000000C0C000-memory.dmp
memory/4616-2-0x0000000005720000-0x0000000005730000-memory.dmp
memory/4616-3-0x0000000005730000-0x0000000005912000-memory.dmp
memory/4616-4-0x0000000005910000-0x0000000005AF0000-memory.dmp
memory/4616-5-0x0000000006BF0000-0x0000000006DD2000-memory.dmp
memory/4616-6-0x0000000006DD0000-0x0000000006F9A000-memory.dmp
memory/4616-7-0x0000000006FA0000-0x0000000007168000-memory.dmp
memory/4616-8-0x00000000056C0000-0x000000000570C000-memory.dmp
memory/4616-9-0x0000000074FC0000-0x0000000075770000-memory.dmp
memory/4616-10-0x0000000005720000-0x0000000005730000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\626127266661616166161.exe
| MD5 | 7b1c3df953e3da8ce48bbb7ca94213c8 |
| SHA1 | 6c20db2aba0ceb8bb5816a7cd7d0211b9d551b15 |
| SHA256 | 28106da8785e10f9eed4f063da92faafddefe7dc74e2cb342a595d7542ede382 |
| SHA512 | f435ecc13e779e50ef1f45a82e26fc12dcbb00faf16f7ea4fcb4f882da7b98064a929b6afa6c77644af833bd873d22af2e6621d83dc1ee3f4d62db88911cc7d2 |
C:\Users\Admin\AppData\Local\Temp\626127266661616166161.exe
| MD5 | 7b1c3df953e3da8ce48bbb7ca94213c8 |
| SHA1 | 6c20db2aba0ceb8bb5816a7cd7d0211b9d551b15 |
| SHA256 | 28106da8785e10f9eed4f063da92faafddefe7dc74e2cb342a595d7542ede382 |
| SHA512 | f435ecc13e779e50ef1f45a82e26fc12dcbb00faf16f7ea4fcb4f882da7b98064a929b6afa6c77644af833bd873d22af2e6621d83dc1ee3f4d62db88911cc7d2 |
memory/4616-18-0x0000000008360000-0x0000000008904000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\626127266661616166161.exe
| MD5 | 7b1c3df953e3da8ce48bbb7ca94213c8 |
| SHA1 | 6c20db2aba0ceb8bb5816a7cd7d0211b9d551b15 |
| SHA256 | 28106da8785e10f9eed4f063da92faafddefe7dc74e2cb342a595d7542ede382 |
| SHA512 | f435ecc13e779e50ef1f45a82e26fc12dcbb00faf16f7ea4fcb4f882da7b98064a929b6afa6c77644af833bd873d22af2e6621d83dc1ee3f4d62db88911cc7d2 |
memory/1636-64-0x0000000001240000-0x0000000001276000-memory.dmp
memory/1636-65-0x0000000074FC0000-0x0000000075770000-memory.dmp
memory/1636-66-0x0000000001290000-0x00000000012A0000-memory.dmp
memory/1636-67-0x0000000001290000-0x00000000012A0000-memory.dmp
memory/1636-68-0x0000000005550000-0x0000000005B78000-memory.dmp
memory/1636-69-0x0000000005470000-0x0000000005492000-memory.dmp
memory/1636-71-0x0000000005CB0000-0x0000000005D16000-memory.dmp
memory/1636-70-0x0000000005C40000-0x0000000005CA6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i5pegd30.im0.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1636-81-0x0000000005E20000-0x0000000006174000-memory.dmp
memory/1636-82-0x0000000006340000-0x000000000635E000-memory.dmp
memory/1636-83-0x0000000006380000-0x00000000063CC000-memory.dmp
memory/1636-85-0x0000000001290000-0x00000000012A0000-memory.dmp
memory/1636-86-0x0000000007990000-0x000000000800A000-memory.dmp
memory/5040-88-0x0000000000400000-0x00000000005AC000-memory.dmp
memory/1636-87-0x0000000006860000-0x000000000687A000-memory.dmp
memory/5040-91-0x0000000000400000-0x00000000005AC000-memory.dmp
memory/5040-90-0x0000000000400000-0x00000000005AC000-memory.dmp
memory/1636-94-0x0000000006920000-0x000000000692A000-memory.dmp
memory/5040-95-0x0000000000400000-0x00000000005AC000-memory.dmp
memory/1636-96-0x0000000007650000-0x0000000007662000-memory.dmp
memory/5040-93-0x0000000000400000-0x00000000005AC000-memory.dmp
memory/4616-92-0x0000000074FC0000-0x0000000075770000-memory.dmp
C:\Users\Admin\AppData\Local\BunnyLogs\Information.txt
| MD5 | 5239d9e8e12d1b70b09c69048188e912 |
| SHA1 | 2b5eb41cad7332b21affedbb2f34733850a32f25 |
| SHA256 | e1f1344673de836dcf2d4108be040f85de07be7aa5499c860a55a9cb6fa4f274 |
| SHA512 | 36cc51f1a970ac2790a852fa263f02bb5434d6fc29b56ceb9a8038718aaefff7b819ae3aa9ce0d2b18bdf1a07bcceb8487f3b400707b52e9505e7d540a881eaa |
C:\Users\Admin\AppData\Local\BunnyLogs\No RDP Login detected
| MD5 | 382b0f5185773fa0f67a8ed8056c7759 |
| SHA1 | 08d2e98e6754af941484848930ccbaddfefe13d6 |
| SHA256 | e2f79e5b60330bba4c289962231b6ba2957d0b14e7deb3110417003c79dea635 |
| SHA512 | 3d6fac2f8bc5bec0e79713cfd41962d5463349ff21010a28675b7535cd7e39cd19866428d772a0c57b4c29f623882fb6ff6613b6b16502b74aa204ac1acc084a |
C:\Users\Admin\AppData\Local\BunnyLogs\ngrok not found
| MD5 | 048a507e7cd987cc13b5bdff543b3076 |
| SHA1 | 24701c4f9bf4f7d0be73a5bae8fa94243a3a8ed6 |
| SHA256 | 307cff63c960749cb552660fe5987ea5bd7afdd7163a931db4af1db0148e013f |
| SHA512 | dead24b99dff03a532ca2a4bae65f3e16a64deff4cdf3d012877414c9ed3b543d162147499e76afe9d6b645d83c7c31523bbcea44533a6c7a115fad5a6c2e48d |
C:\Users\Admin\AppData\Local\BunnyLogs\No keystrokes found
| MD5 | 382b0f5185773fa0f67a8ed8056c7759 |
| SHA1 | 08d2e98e6754af941484848930ccbaddfefe13d6 |
| SHA256 | e2f79e5b60330bba4c289962231b6ba2957d0b14e7deb3110417003c79dea635 |
| SHA512 | 3d6fac2f8bc5bec0e79713cfd41962d5463349ff21010a28675b7535cd7e39cd19866428d772a0c57b4c29f623882fb6ff6613b6b16502b74aa204ac1acc084a |
memory/1636-105-0x0000000074FC0000-0x0000000075770000-memory.dmp
C:\Users\Admin\AppData\Local\BunnyLogs_RPOQIDAP.zip
| MD5 | 088ef465fb6d9f894576eb5262d7ac88 |
| SHA1 | a7ef9470efec00fb45701302407dd11772bae59a |
| SHA256 | 6dc2ea605d32f264b29d0a94bca829d19d4f45bba80bbb24b650ce752e6d33d4 |
| SHA512 | 11a2b26d277d6067844461e2b2184a1ccacf14e5fbb551e5706c1b0d03f43be11cca9abbd8fab0a8ef392ec6cd4793ef76892f453e1efc4a8c9415747f1050ea |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OAM0FGD0\ResultCMD[1].htm
| MD5 | 81051bcc2cf1bedf378224b0a93e2877 |
| SHA1 | ba8ab5a0280b953aa97435ff8946cbcbb2755a27 |
| SHA256 | 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6 |
| SHA512 | 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FNC8FKXQ\Heartbeat[1].htm
| MD5 | d6dc9501f65262c5398d9ed188bf351a |
| SHA1 | 4f6160ece6b535f3d1d33f0ef419ef4655bd52bb |
| SHA256 | 087bbf59d9f176de93872e0a8ff0892d2b1135f2f7ff3f8323fc2c66eb0eed37 |
| SHA512 | 7ce9cfe9599299a7e49832b282616c9a80eb2bde4e0e27d1d78fe68edc77a24c3fc6b94cbd7837bea2ed0eb0ef8b242d950c599cc81b4eb3638531faa40a1f3b |