Analysis Overview
SHA256
a4139a81c930ee6ae44004f4a5cfbe2e01561a21f1b24675829490db1239abed
Threat Level: Likely benign
The file Bruh.zip was found to be: Likely benign.
Malicious Activity Summary
Resource Forking
Unsigned PE
Opens file in notepad (likely ransom note)
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-15 17:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 17:22
Reported
2024-06-15 17:28
Platform
win10v2004-20240611-en
Max time kernel
300s
Max time network
271s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Bruh\here.txt
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-15 17:22
Reported
2024-06-15 17:28
Platform
macos-20240611-en
Max time kernel
263s
Max time network
285s
Command Line
Signatures
Resource Forking
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/Bruh/here.txt"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/Bruh/here.txt"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/Bruh/here.txt]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pluginkit.pkd]
/usr/libexec/pkd
[/usr/libexec/pkd]
/bin/zsh
[/bin/zsh -c /Users/run/Bruh/here.txt]
/Users/run/Bruh/here.txt
[/Users/run/Bruh/here.txt]
/bin/sh
[sh /Users/run/Bruh/here.txt]
/bin/bash
[sh /Users/run/Bruh/here.txt]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
/usr/libexec/xpcproxy
[xpcproxy com.apple.nsurlstoraged]
/usr/libexec/xpcproxy
[xpcproxy com.apple.security.cloudkeychainproxy3]
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]
/usr/libexec/nsurlstoraged
[/usr/libexec/nsurlstoraged]
/usr/libexec/xpcproxy
[xpcproxy com.apple.secinitd]
/usr/libexec/secinitd
[/usr/libexec/secinitd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.AddressBook.ContactsAccountsService]
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]
/usr/bin/pluginkit
[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater2E18A62F/OneDrive.app]
/usr/libexec/xpcproxy
[xpcproxy com.apple.suggestd]
/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd
[/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.knowledge-agent]
/usr/libexec/knowledge-agent
[/usr/libexec/knowledge-agent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]
/usr/libexec/neagent
[/usr/libexec/neagent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.routined]
/usr/libexec/routined
[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Maps.mapspushd]
/System/Library/CoreServices/mapspushd
[/System/Library/CoreServices/mapspushd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.siri.context.service]
/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
[/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]
/usr/libexec/xpcproxy
[xpcproxy com.apple.assistantd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.bird]
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]
/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
[/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pbs]
/System/Library/CoreServices/pbs
[/System/Library/CoreServices/pbs]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]
/usr/libexec/xpcproxy
[xpcproxy com.apple.spindump]
/usr/sbin/spindump
[/usr/sbin/spindump]
/usr/libexec/xpcproxy
[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-15 17:22
Reported
2024-06-15 17:28
Platform
win7-20240508-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Bruh\honeypot.exe
"C:\Users\Admin\AppData\Local\Temp\Bruh\honeypot.exe"
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-15 17:22
Reported
2024-06-15 17:28
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
59s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Bruh\honeypot.exe
"C:\Users\Admin\AppData\Local\Temp\Bruh\honeypot.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-15 17:22
Reported
2024-06-15 17:28
Platform
macos-20240611-en
Max time kernel
222s
Max time network
267s
Command Line
Signatures
Processes
/usr/libexec/xpcproxy
[xpcproxy com.apple.bsd.dirhelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.logkextloadsd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.var-db-dslocal-backup]
/usr/bin/xar
[/usr/bin/xar -c -f dslocal-backup.xar dslocal]
/usr/libexec/xpcproxy
[xpcproxy com.apple.gkreport]
/usr/libexec/gkreport
[/usr/libexec/gkreport]
/usr/libexec/xpcproxy
[xpcproxy com.apple.systemstats.daily]
/usr/libexec/xpcproxy
[xpcproxy com.apple.newsyslog]
/usr/libexec/xpcproxy
[xpcproxy com.apple.csrutil.report]
/usr/bin/csrutil
[/usr/bin/csrutil report]
/usr/sbin/newsyslog
[/usr/sbin/newsyslog]
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/Bruh/honeypot.exe"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/Bruh/honeypot.exe"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/Bruh/honeypot.exe]
/bin/zsh
[/bin/zsh -c /Users/run/Bruh/honeypot.exe]
/Users/run/Bruh/honeypot.exe
[/Users/run/Bruh/honeypot.exe]
/usr/libexec/dmd
[/usr/libexec/dmd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
/usr/libexec/xpcproxy
[xpcproxy com.apple.secinitd]
/usr/libexec/secinitd
[/usr/libexec/secinitd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.routined]
/usr/libexec/routined
[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Maps.mapspushd]
/System/Library/CoreServices/mapspushd
[/System/Library/CoreServices/mapspushd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.nehelper]
/usr/libexec/nehelper
[/usr/libexec/nehelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]
/usr/libexec/neagent
[/usr/libexec/neagent]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]
/usr/libexec/xpcproxy
[xpcproxy com.apple.bird]
/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
[/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pbs]
/System/Library/CoreServices/pbs
[/System/Library/CoreServices/pbs]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]
/usr/libexec/xpcproxy
[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 17:22
Reported
2024-06-15 17:24
Platform
win7-20240611-en
Max time kernel
30s
Max time network
19s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Bruh\here.txt
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"