asyncrat | 8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7v20201028
submitted
17-11-2020 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42f972925508a82236e8533567487761.exe
Size

3.7MB
MD5

9d2a888ca79e1ff3820882ea1d88d574
SHA1

112c38d80bf2c0d48256249bbabe906b834b1f66
SHA256

8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138
SHA512

17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840

Score

10^/10

asyncrat darkcomet warzonerat 2020nov1 evasion infostealer persistence rat trojan

Malware Config

Extracted

Family

warzonerat

sandyclark255.hopto.org:5200

Extracted

Family

darkcomet

Botnet

2020NOV1

sandyclark255.hopto.org:35887

Mutex

DC_MUTEX-6XT818D

Attributes

InstallPath
excelsl.exe
gencode
n7asq0Dbu7D2
install
true
offline_keylogger
true
password
hhhhhh
persistence
true
reg_key
office

Extracted

Family

asyncrat

Version

0.5.6A

sandyclark255.hopto.org:6606

sandyclark255.hopto.org:8808

sandyclark255.hopto.org:7707

Mutex

adweqsds56332

Attributes

aes_key
DStgwPf5qCYAcWWcPg3CaZBkDbYF3HQo
anti_detection
true
autorun
true
bdos
false
delay
host
sandyclark255.hopto.org
hwid
install_file
install_folder
%AppData%
mutex
adweqsds56332
pastebin_config
null
port
6606,8808,7707
version
0.5.6A

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

svuhost.exeKhzfezpMpG3lnWZs.exesvbhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\excelsl.exe"	svuhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\k4Xq51JTS0f2R98Z\\KIT5yZgCv2C8.exe\",explorer.exe"	KhzfezpMpG3lnWZs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\k4Xq51JTS0f2R98Z\\TLZrXjLLrqNJ.exe\",explorer.exe"	svbhost.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/268-72-0x00000000003D0000-0x00000000003DD000-memory.dmp	asyncrat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1312-42-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1312-43-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/1312-54-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Disables RegEdit via registry modification
evasion
Disables Task Manager via registry modification
evasion
Drops file in Drivers directory 1 IoCs

Processes:

svuhost.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts svuhost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	svuhost.exe

Executes dropped EXE 22 IoCs

Processes:

iLFJlWovt3sawSak.exeKhzfezpMpG3lnWZs.exe4aWJrAmUT0XfQ5Bb.exe0Zha4QcBxDplMnTf.exeKF4GVecsQJvMIpxj.exeSs0jaf8dLyvF0zM1.exesvthost.exesvthost.exesvrhost.exeeridjeht.exesvuhost.exesvuhost.exesvbhost.exesvbhost.exesvbhost.exesvbhost.exesvehosts.exeexcelsl.exesvbhost.exesvbhost.exesvuhost.exeprndrvest.exe

pid	process
1068	iLFJlWovt3sawSak.exe
1376	KhzfezpMpG3lnWZs.exe
1136	4aWJrAmUT0XfQ5Bb.exe
268	0Zha4QcBxDplMnTf.exe
1476	KF4GVecsQJvMIpxj.exe
1624	Ss0jaf8dLyvF0zM1.exe
1648	svthost.exe
1156	svthost.exe
672	svrhost.exe
1312	eridjeht.exe
1784	svuhost.exe
1516	svuhost.exe
1348	svbhost.exe
1616	svbhost.exe
2044	svbhost.exe
2016	svbhost.exe
1600	svehosts.exe
1912	excelsl.exe
1148	svbhost.exe
288	svbhost.exe
284	svuhost.exe
1092	prndrvest.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

svehosts.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d790bed038373d95093d4db590b9997.exe	svehosts.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d790bed038373d95093d4db590b9997.exe	svehosts.exe

Loads dropped DLL 21 IoCs

Processes:

42f972925508a82236e8533567487761.exeKF4GVecsQJvMIpxj.exeSs0jaf8dLyvF0zM1.exe4aWJrAmUT0XfQ5Bb.exeKhzfezpMpG3lnWZs.exesvbhost.exesvuhost.exesvbhost.exeexcelsl.execmd.exe

pid	process
240	42f972925508a82236e8533567487761.exe
240	42f972925508a82236e8533567487761.exe
240	42f972925508a82236e8533567487761.exe
240	42f972925508a82236e8533567487761.exe
240	42f972925508a82236e8533567487761.exe
240	42f972925508a82236e8533567487761.exe
240	42f972925508a82236e8533567487761.exe
240	42f972925508a82236e8533567487761.exe
1476	KF4GVecsQJvMIpxj.exe
1624	Ss0jaf8dLyvF0zM1.exe
1136	4aWJrAmUT0XfQ5Bb.exe
1136	4aWJrAmUT0XfQ5Bb.exe
1376	KhzfezpMpG3lnWZs.exe
1376	KhzfezpMpG3lnWZs.exe
1376	KhzfezpMpG3lnWZs.exe
2044	svbhost.exe
1516	svuhost.exe
2016	svbhost.exe
2016	svbhost.exe
1912	excelsl.exe
1692	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svehosts.exesvuhost.exesvuhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\2d790bed038373d95093d4db590b9997 = "\"C:\\Windows\\svehosts.exe\" .."	svehosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2d790bed038373d95093d4db590b9997 = "\"C:\\Windows\\svehosts.exe\" .."	svehosts.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\office = "C:\\Users\\Admin\\Documents\\excelsl.exe"	svuhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\office = "C:\\Users\\Admin\\Documents\\excelsl.exe"	svuhost.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

42f972925508a82236e8533567487761.exeSs0jaf8dLyvF0zM1.exeKF4GVecsQJvMIpxj.exe4aWJrAmUT0XfQ5Bb.exeKhzfezpMpG3lnWZs.exesvbhost.exeexcelsl.exe

description	pid	process	target process
PID 240 set thread context of 1156	240	42f972925508a82236e8533567487761.exe	svthost.exe
PID 1624 set thread context of 672	1624	Ss0jaf8dLyvF0zM1.exe	svrhost.exe
PID 1476 set thread context of 1312	1476	KF4GVecsQJvMIpxj.exe	eridjeht.exe
PID 1136 set thread context of 1516	1136	4aWJrAmUT0XfQ5Bb.exe	svuhost.exe
PID 1376 set thread context of 2044	1376	KhzfezpMpG3lnWZs.exe	svbhost.exe
PID 2016 set thread context of 288	2016	svbhost.exe	svbhost.exe
PID 1912 set thread context of 284	1912	excelsl.exe	svuhost.exe

Drops file in Windows directory 1 IoCs

Processes:

iLFJlWovt3sawSak.exe

description ioc process

File created C:\Windows\svehosts.exe iLFJlWovt3sawSak.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1316 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1344 timeout.exe

description	ioc	process
File created	C:\Windows\svehosts.exe	iLFJlWovt3sawSak.exe

pid	process
1316	schtasks.exe

pid	process
1344	timeout.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

42f972925508a82236e8533567487761.exeSs0jaf8dLyvF0zM1.exeKF4GVecsQJvMIpxj.exe4aWJrAmUT0XfQ5Bb.exeKhzfezpMpG3lnWZs.exesvbhost.exeexcelsl.exe0Zha4QcBxDplMnTf.exeprndrvest.exe

pid	process
240	42f972925508a82236e8533567487761.exe
240	42f972925508a82236e8533567487761.exe
240	42f972925508a82236e8533567487761.exe
240	42f972925508a82236e8533567487761.exe
240	42f972925508a82236e8533567487761.exe
240	42f972925508a82236e8533567487761.exe
240	42f972925508a82236e8533567487761.exe
1624	Ss0jaf8dLyvF0zM1.exe
1624	Ss0jaf8dLyvF0zM1.exe
1476	KF4GVecsQJvMIpxj.exe
1476	KF4GVecsQJvMIpxj.exe
1624	Ss0jaf8dLyvF0zM1.exe
1476	KF4GVecsQJvMIpxj.exe
1136	4aWJrAmUT0XfQ5Bb.exe
1136	4aWJrAmUT0XfQ5Bb.exe
1136	4aWJrAmUT0XfQ5Bb.exe
1136	4aWJrAmUT0XfQ5Bb.exe
1136	4aWJrAmUT0XfQ5Bb.exe
1136	4aWJrAmUT0XfQ5Bb.exe
1136	4aWJrAmUT0XfQ5Bb.exe
1376	KhzfezpMpG3lnWZs.exe
1376	KhzfezpMpG3lnWZs.exe
1376	KhzfezpMpG3lnWZs.exe
1376	KhzfezpMpG3lnWZs.exe
1376	KhzfezpMpG3lnWZs.exe
1376	KhzfezpMpG3lnWZs.exe
1376	KhzfezpMpG3lnWZs.exe
1376	KhzfezpMpG3lnWZs.exe
1376	KhzfezpMpG3lnWZs.exe
1376	KhzfezpMpG3lnWZs.exe
2016	svbhost.exe
2016	svbhost.exe
2016	svbhost.exe
2016	svbhost.exe
2016	svbhost.exe
2016	svbhost.exe
1912	excelsl.exe
1912	excelsl.exe
1912	excelsl.exe
268	0Zha4QcBxDplMnTf.exe
1092	prndrvest.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svrhost.exesvbhost.exe

pid process

672 svrhost.exe
2044 svbhost.exe

pid	process
672	svrhost.exe
2044	svbhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

42f972925508a82236e8533567487761.exeiLFJlWovt3sawSak.exeKF4GVecsQJvMIpxj.exeSs0jaf8dLyvF0zM1.exe4aWJrAmUT0XfQ5Bb.exeKhzfezpMpG3lnWZs.exesvuhost.exe0Zha4QcBxDplMnTf.exesvbhost.exesvbhost.exesvehosts.exesvbhost.exeexcelsl.exesvuhost.exe

description	pid	process
Token: SeDebugPrivilege	240	42f972925508a82236e8533567487761.exe
Token: SeDebugPrivilege	240	42f972925508a82236e8533567487761.exe
Token: SeDebugPrivilege	1068	iLFJlWovt3sawSak.exe
Token: SeDebugPrivilege	1068	iLFJlWovt3sawSak.exe
Token: SeDebugPrivilege	1476	KF4GVecsQJvMIpxj.exe
Token: SeDebugPrivilege	1624	Ss0jaf8dLyvF0zM1.exe
Token: SeDebugPrivilege	1136	4aWJrAmUT0XfQ5Bb.exe
Token: SeDebugPrivilege	1376	KhzfezpMpG3lnWZs.exe
Token: SeDebugPrivilege	1376	KhzfezpMpG3lnWZs.exe
Token: SeIncreaseQuotaPrivilege	1516	svuhost.exe
Token: SeSecurityPrivilege	1516	svuhost.exe
Token: SeTakeOwnershipPrivilege	1516	svuhost.exe
Token: SeLoadDriverPrivilege	1516	svuhost.exe
Token: SeSystemProfilePrivilege	1516	svuhost.exe
Token: SeSystemtimePrivilege	1516	svuhost.exe
Token: SeProfSingleProcessPrivilege	1516	svuhost.exe
Token: SeIncBasePriorityPrivilege	1516	svuhost.exe
Token: SeCreatePagefilePrivilege	1516	svuhost.exe
Token: SeBackupPrivilege	1516	svuhost.exe
Token: SeRestorePrivilege	1516	svuhost.exe
Token: SeShutdownPrivilege	1516	svuhost.exe
Token: SeDebugPrivilege	1516	svuhost.exe
Token: SeSystemEnvironmentPrivilege	1516	svuhost.exe
Token: SeChangeNotifyPrivilege	1516	svuhost.exe
Token: SeRemoteShutdownPrivilege	1516	svuhost.exe
Token: SeUndockPrivilege	1516	svuhost.exe
Token: SeManageVolumePrivilege	1516	svuhost.exe
Token: SeImpersonatePrivilege	1516	svuhost.exe
Token: SeCreateGlobalPrivilege	1516	svuhost.exe
Token: 33	1516	svuhost.exe
Token: 34	1516	svuhost.exe
Token: 35	1516	svuhost.exe
Token: SeDebugPrivilege	268	0Zha4QcBxDplMnTf.exe
Token: SeShutdownPrivilege	2044	svbhost.exe
Token: SeDebugPrivilege	2044	svbhost.exe
Token: SeTcbPrivilege	2044	svbhost.exe
Token: SeDebugPrivilege	2016	svbhost.exe
Token: SeDebugPrivilege	2016	svbhost.exe
Token: SeDebugPrivilege	1600	svehosts.exe
Token: SeDebugPrivilege	1600	svehosts.exe
Token: SeShutdownPrivilege	288	svbhost.exe
Token: SeDebugPrivilege	288	svbhost.exe
Token: SeTcbPrivilege	288	svbhost.exe
Token: SeDebugPrivilege	1912	excelsl.exe
Token: SeIncreaseQuotaPrivilege	284	svuhost.exe
Token: SeSecurityPrivilege	284	svuhost.exe
Token: SeTakeOwnershipPrivilege	284	svuhost.exe
Token: SeLoadDriverPrivilege	284	svuhost.exe
Token: SeSystemProfilePrivilege	284	svuhost.exe
Token: SeSystemtimePrivilege	284	svuhost.exe
Token: SeProfSingleProcessPrivilege	284	svuhost.exe
Token: SeIncBasePriorityPrivilege	284	svuhost.exe
Token: SeCreatePagefilePrivilege	284	svuhost.exe
Token: SeBackupPrivilege	284	svuhost.exe
Token: SeRestorePrivilege	284	svuhost.exe
Token: SeShutdownPrivilege	284	svuhost.exe
Token: SeDebugPrivilege	284	svuhost.exe
Token: SeSystemEnvironmentPrivilege	284	svuhost.exe
Token: SeChangeNotifyPrivilege	284	svuhost.exe
Token: SeRemoteShutdownPrivilege	284	svuhost.exe
Token: SeUndockPrivilege	284	svuhost.exe
Token: SeManageVolumePrivilege	284	svuhost.exe
Token: SeImpersonatePrivilege	284	svuhost.exe
Token: SeCreateGlobalPrivilege	284	svuhost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

svbhost.exesvuhost.exe

pid process

2044 svbhost.exe
284 svuhost.exe

pid	process
2044	svbhost.exe
284	svuhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

42f972925508a82236e8533567487761.exeSs0jaf8dLyvF0zM1.exeKF4GVecsQJvMIpxj.exe

description	pid	process	target process
PID 240 wrote to memory of 1068	240	42f972925508a82236e8533567487761.exe	iLFJlWovt3sawSak.exe
PID 240 wrote to memory of 1068	240	42f972925508a82236e8533567487761.exe	iLFJlWovt3sawSak.exe
PID 240 wrote to memory of 1068	240	42f972925508a82236e8533567487761.exe	iLFJlWovt3sawSak.exe
PID 240 wrote to memory of 1068	240	42f972925508a82236e8533567487761.exe	iLFJlWovt3sawSak.exe
PID 240 wrote to memory of 1376	240	42f972925508a82236e8533567487761.exe	KhzfezpMpG3lnWZs.exe
PID 240 wrote to memory of 1376	240	42f972925508a82236e8533567487761.exe	KhzfezpMpG3lnWZs.exe
PID 240 wrote to memory of 1376	240	42f972925508a82236e8533567487761.exe	KhzfezpMpG3lnWZs.exe
PID 240 wrote to memory of 1376	240	42f972925508a82236e8533567487761.exe	KhzfezpMpG3lnWZs.exe
PID 240 wrote to memory of 1136	240	42f972925508a82236e8533567487761.exe	4aWJrAmUT0XfQ5Bb.exe
PID 240 wrote to memory of 1136	240	42f972925508a82236e8533567487761.exe	4aWJrAmUT0XfQ5Bb.exe
PID 240 wrote to memory of 1136	240	42f972925508a82236e8533567487761.exe	4aWJrAmUT0XfQ5Bb.exe
PID 240 wrote to memory of 1136	240	42f972925508a82236e8533567487761.exe	4aWJrAmUT0XfQ5Bb.exe
PID 240 wrote to memory of 268	240	42f972925508a82236e8533567487761.exe	0Zha4QcBxDplMnTf.exe
PID 240 wrote to memory of 268	240	42f972925508a82236e8533567487761.exe	0Zha4QcBxDplMnTf.exe
PID 240 wrote to memory of 268	240	42f972925508a82236e8533567487761.exe	0Zha4QcBxDplMnTf.exe
PID 240 wrote to memory of 268	240	42f972925508a82236e8533567487761.exe	0Zha4QcBxDplMnTf.exe
PID 240 wrote to memory of 1476	240	42f972925508a82236e8533567487761.exe	KF4GVecsQJvMIpxj.exe
PID 240 wrote to memory of 1476	240	42f972925508a82236e8533567487761.exe	KF4GVecsQJvMIpxj.exe
PID 240 wrote to memory of 1476	240	42f972925508a82236e8533567487761.exe	KF4GVecsQJvMIpxj.exe
PID 240 wrote to memory of 1476	240	42f972925508a82236e8533567487761.exe	KF4GVecsQJvMIpxj.exe
PID 240 wrote to memory of 1624	240	42f972925508a82236e8533567487761.exe	Ss0jaf8dLyvF0zM1.exe
PID 240 wrote to memory of 1624	240	42f972925508a82236e8533567487761.exe	Ss0jaf8dLyvF0zM1.exe
PID 240 wrote to memory of 1624	240	42f972925508a82236e8533567487761.exe	Ss0jaf8dLyvF0zM1.exe
PID 240 wrote to memory of 1624	240	42f972925508a82236e8533567487761.exe	Ss0jaf8dLyvF0zM1.exe
PID 240 wrote to memory of 1648	240	42f972925508a82236e8533567487761.exe	svthost.exe
PID 240 wrote to memory of 1648	240	42f972925508a82236e8533567487761.exe	svthost.exe
PID 240 wrote to memory of 1648	240	42f972925508a82236e8533567487761.exe	svthost.exe
PID 240 wrote to memory of 1648	240	42f972925508a82236e8533567487761.exe	svthost.exe
PID 240 wrote to memory of 1156	240	42f972925508a82236e8533567487761.exe	svthost.exe
PID 240 wrote to memory of 1156	240	42f972925508a82236e8533567487761.exe	svthost.exe
PID 240 wrote to memory of 1156	240	42f972925508a82236e8533567487761.exe	svthost.exe
PID 240 wrote to memory of 1156	240	42f972925508a82236e8533567487761.exe	svthost.exe
PID 240 wrote to memory of 1156	240	42f972925508a82236e8533567487761.exe	svthost.exe
PID 240 wrote to memory of 1156	240	42f972925508a82236e8533567487761.exe	svthost.exe
PID 240 wrote to memory of 1156	240	42f972925508a82236e8533567487761.exe	svthost.exe
PID 240 wrote to memory of 1156	240	42f972925508a82236e8533567487761.exe	svthost.exe
PID 240 wrote to memory of 1156	240	42f972925508a82236e8533567487761.exe	svthost.exe
PID 240 wrote to memory of 1156	240	42f972925508a82236e8533567487761.exe	svthost.exe
PID 240 wrote to memory of 1156	240	42f972925508a82236e8533567487761.exe	svthost.exe
PID 240 wrote to memory of 1156	240	42f972925508a82236e8533567487761.exe	svthost.exe
PID 240 wrote to memory of 1156	240	42f972925508a82236e8533567487761.exe	svthost.exe
PID 1624 wrote to memory of 672	1624	Ss0jaf8dLyvF0zM1.exe	svrhost.exe
PID 1624 wrote to memory of 672	1624	Ss0jaf8dLyvF0zM1.exe	svrhost.exe
PID 1624 wrote to memory of 672	1624	Ss0jaf8dLyvF0zM1.exe	svrhost.exe
PID 1624 wrote to memory of 672	1624	Ss0jaf8dLyvF0zM1.exe	svrhost.exe
PID 1624 wrote to memory of 672	1624	Ss0jaf8dLyvF0zM1.exe	svrhost.exe
PID 1624 wrote to memory of 672	1624	Ss0jaf8dLyvF0zM1.exe	svrhost.exe
PID 1624 wrote to memory of 672	1624	Ss0jaf8dLyvF0zM1.exe	svrhost.exe
PID 1624 wrote to memory of 672	1624	Ss0jaf8dLyvF0zM1.exe	svrhost.exe
PID 1624 wrote to memory of 672	1624	Ss0jaf8dLyvF0zM1.exe	svrhost.exe
PID 1624 wrote to memory of 672	1624	Ss0jaf8dLyvF0zM1.exe	svrhost.exe
PID 1624 wrote to memory of 672	1624	Ss0jaf8dLyvF0zM1.exe	svrhost.exe
PID 1476 wrote to memory of 1312	1476	KF4GVecsQJvMIpxj.exe	eridjeht.exe
PID 1476 wrote to memory of 1312	1476	KF4GVecsQJvMIpxj.exe	eridjeht.exe
PID 1476 wrote to memory of 1312	1476	KF4GVecsQJvMIpxj.exe	eridjeht.exe
PID 1476 wrote to memory of 1312	1476	KF4GVecsQJvMIpxj.exe	eridjeht.exe
PID 1476 wrote to memory of 1312	1476	KF4GVecsQJvMIpxj.exe	eridjeht.exe
PID 1476 wrote to memory of 1312	1476	KF4GVecsQJvMIpxj.exe	eridjeht.exe
PID 1476 wrote to memory of 1312	1476	KF4GVecsQJvMIpxj.exe	eridjeht.exe
PID 1476 wrote to memory of 1312	1476	KF4GVecsQJvMIpxj.exe	eridjeht.exe
PID 1476 wrote to memory of 1312	1476	KF4GVecsQJvMIpxj.exe	eridjeht.exe
PID 1476 wrote to memory of 1312	1476	KF4GVecsQJvMIpxj.exe	eridjeht.exe
PID 1476 wrote to memory of 1312	1476	KF4GVecsQJvMIpxj.exe	eridjeht.exe
PID 1476 wrote to memory of 1312	1476	KF4GVecsQJvMIpxj.exe	eridjeht.exe

C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe
"C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:240

C:\Users\Admin\AppData\Local\Temp\iLFJlWovt3sawSak.exe
"C:\Users\Admin\AppData\Local\Temp\iLFJlWovt3sawSak.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\svehosts.exe
"C:\Windows\svehosts.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\svehosts.exe" "svehosts.exe" ENABLE
4⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\KhzfezpMpG3lnWZs.exe
"C:\Users\Admin\AppData\Local\Temp\KhzfezpMpG3lnWZs.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"
3⤵
- Executes dropped EXE
PID:1348

C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"
3⤵
- Executes dropped EXE
PID:1616

C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2044

C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe" 2044
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"
5⤵
- Executes dropped EXE
PID:1148

C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:288

C:\Users\Admin\AppData\Local\Temp\4aWJrAmUT0XfQ5Bb.exe
"C:\Users\Admin\AppData\Local\Temp\4aWJrAmUT0XfQ5Bb.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"
3⤵
- Executes dropped EXE
PID:1784

C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"
3⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:1460

C:\Users\Admin\Documents\excelsl.exe
"C:\Users\Admin\Documents\excelsl.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:284

C:\Windows\SysWOW64\notepad.exe
notepad
6⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\0Zha4QcBxDplMnTf.exe
"C:\Users\Admin\AppData\Local\Temp\0Zha4QcBxDplMnTf.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'prndrvest"' /tr "'C:\Users\Admin\AppData\Roaming\prndrvest.exe"'
3⤵
- Creates scheduled task(s)
PID:1316

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1564.tmp.bat""
3⤵
- Loads dropped DLL
PID:1692

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1344

C:\Users\Admin\AppData\Roaming\prndrvest.exe
"C:\Users\Admin\AppData\Roaming\prndrvest.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1092

C:\Users\Admin\AppData\Local\Temp\KF4GVecsQJvMIpxj.exe
"C:\Users\Admin\AppData\Local\Temp\KF4GVecsQJvMIpxj.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476

C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
"C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe"
3⤵
- Executes dropped EXE
PID:1312

C:\Users\Admin\AppData\Local\Temp\Ss0jaf8dLyvF0zM1.exe
"C:\Users\Admin\AppData\Local\Temp\Ss0jaf8dLyvF0zM1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
"C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:672

C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
"C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe"
2⤵
- Executes dropped EXE
PID:1648

C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
"C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe"
2⤵
- Executes dropped EXE
PID:1156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0Zha4QcBxDplMnTf.exe
MD5
590acb5fa6b5c3001ebce3d67242aac4

SHA1
5df39906dc4e60f01b95783fc55af6128402d611

SHA256
7bf9b7b25cf1671e5640f8eeac149f9a4e8c9f6c63415f4bd61bccb10ddf8509

SHA512
4ac518140ee666491132525853f2843357d622fe351e59cca7ce3b054d665f77ad8987adddd601e6b1afe6903222d77cf3c41a5aa69e8caf0dcdc7656a43e9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\0Zha4QcBxDplMnTf.exe
MD5
590acb5fa6b5c3001ebce3d67242aac4

SHA1
5df39906dc4e60f01b95783fc55af6128402d611

SHA256
7bf9b7b25cf1671e5640f8eeac149f9a4e8c9f6c63415f4bd61bccb10ddf8509

SHA512
4ac518140ee666491132525853f2843357d622fe351e59cca7ce3b054d665f77ad8987adddd601e6b1afe6903222d77cf3c41a5aa69e8caf0dcdc7656a43e9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\4aWJrAmUT0XfQ5Bb.exe
MD5
3e804917c454ca31c1cbd602682542b7

SHA1
1df3e81b9d879e21af299f5478051b98f3cb7739

SHA256
f9f7b6f7b8c5068f9e29a5b50afca609018c50ffd61929e1b78124f5381868f1

SHA512
28e59bc545179c2503771b93d947930bd56f8ebd0402ecbb398335c5ac89f40051e93fbfd84d35b8c625b253bb4cafea6a5360914b8d54d1bc121977f1eadbaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\4aWJrAmUT0XfQ5Bb.exe
MD5
3e804917c454ca31c1cbd602682542b7

SHA1
1df3e81b9d879e21af299f5478051b98f3cb7739

SHA256
f9f7b6f7b8c5068f9e29a5b50afca609018c50ffd61929e1b78124f5381868f1

SHA512
28e59bc545179c2503771b93d947930bd56f8ebd0402ecbb398335c5ac89f40051e93fbfd84d35b8c625b253bb4cafea6a5360914b8d54d1bc121977f1eadbaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
MD5
9d2a888ca79e1ff3820882ea1d88d574

SHA1
112c38d80bf2c0d48256249bbabe906b834b1f66

SHA256
8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138

SHA512
17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
MD5
9d2a888ca79e1ff3820882ea1d88d574

SHA1
112c38d80bf2c0d48256249bbabe906b834b1f66

SHA256
8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138

SHA512
17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840

Download Submit
C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
MD5
e87459f61fd1f017d4bd6b0a1a1fc86a

SHA1
30838d010aad8c9f3fd0fc302e71b4cbe6f138c0

SHA256
ec1b56551036963a425f6a0564d75980054e01d251c88eb29c81c1b2182f5727

SHA512
dd13993174d234d60ec98124b71bfefcf556c069e482a2e1f127f81f6738b71cd37cee95bf0119d3a61513c01438055767d480e26d6ed260ee16a96533d0cfa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KF4GVecsQJvMIpxj.exe
MD5
f07d2c33e4afe36ec6f6f14f9a56e84a

SHA1
3ebed0c1a265d1e17ce038dfaf1029387f0b53ee

SHA256
309385e6cd68c0dd148905c3147f77383edaf35da9609c0717da7df1a894e3ca

SHA512
b4fbf0e6b8e7e8e1679680039e4ac0aebdf7967a9cc36d9ddac35fa31d997253384a51656d886afb2ded9f911b7b8b44c2dcb8ebe71962e551c5025a4d75ebe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KF4GVecsQJvMIpxj.exe
MD5
f07d2c33e4afe36ec6f6f14f9a56e84a

SHA1
3ebed0c1a265d1e17ce038dfaf1029387f0b53ee

SHA256
309385e6cd68c0dd148905c3147f77383edaf35da9609c0717da7df1a894e3ca

SHA512
b4fbf0e6b8e7e8e1679680039e4ac0aebdf7967a9cc36d9ddac35fa31d997253384a51656d886afb2ded9f911b7b8b44c2dcb8ebe71962e551c5025a4d75ebe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KhzfezpMpG3lnWZs.exe
MD5
9133c2a5ebf3e25aceae5a001ca6f279

SHA1
319f911282f3cded94de3730fa0abd5dec8f14be

SHA256
7c3615c405f7a11f1c217b9ecd1000cf60a37bca7da1f2d12da21cc110b16b4d

SHA512
1d1af3fcfcdba41874e3eb3e2571d25798acfd49b63b7fcf9393be2f59c9ba77e563da1717abcd6445fc52fd6d948bf4c0dd5978a192c8e32e0a9279fd0be33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KhzfezpMpG3lnWZs.exe
MD5
9133c2a5ebf3e25aceae5a001ca6f279

SHA1
319f911282f3cded94de3730fa0abd5dec8f14be

SHA256
7c3615c405f7a11f1c217b9ecd1000cf60a37bca7da1f2d12da21cc110b16b4d

SHA512
1d1af3fcfcdba41874e3eb3e2571d25798acfd49b63b7fcf9393be2f59c9ba77e563da1717abcd6445fc52fd6d948bf4c0dd5978a192c8e32e0a9279fd0be33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
MD5
9133c2a5ebf3e25aceae5a001ca6f279

SHA1
319f911282f3cded94de3730fa0abd5dec8f14be

SHA256
7c3615c405f7a11f1c217b9ecd1000cf60a37bca7da1f2d12da21cc110b16b4d

SHA512
1d1af3fcfcdba41874e3eb3e2571d25798acfd49b63b7fcf9393be2f59c9ba77e563da1717abcd6445fc52fd6d948bf4c0dd5978a192c8e32e0a9279fd0be33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
MD5
9133c2a5ebf3e25aceae5a001ca6f279

SHA1
319f911282f3cded94de3730fa0abd5dec8f14be

SHA256
7c3615c405f7a11f1c217b9ecd1000cf60a37bca7da1f2d12da21cc110b16b4d

SHA512
1d1af3fcfcdba41874e3eb3e2571d25798acfd49b63b7fcf9393be2f59c9ba77e563da1717abcd6445fc52fd6d948bf4c0dd5978a192c8e32e0a9279fd0be33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
MD5
9133c2a5ebf3e25aceae5a001ca6f279

SHA1
319f911282f3cded94de3730fa0abd5dec8f14be

SHA256
7c3615c405f7a11f1c217b9ecd1000cf60a37bca7da1f2d12da21cc110b16b4d

SHA512
1d1af3fcfcdba41874e3eb3e2571d25798acfd49b63b7fcf9393be2f59c9ba77e563da1717abcd6445fc52fd6d948bf4c0dd5978a192c8e32e0a9279fd0be33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
MD5
9133c2a5ebf3e25aceae5a001ca6f279

SHA1
319f911282f3cded94de3730fa0abd5dec8f14be

SHA256
7c3615c405f7a11f1c217b9ecd1000cf60a37bca7da1f2d12da21cc110b16b4d

SHA512
1d1af3fcfcdba41874e3eb3e2571d25798acfd49b63b7fcf9393be2f59c9ba77e563da1717abcd6445fc52fd6d948bf4c0dd5978a192c8e32e0a9279fd0be33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
MD5
9133c2a5ebf3e25aceae5a001ca6f279

SHA1
319f911282f3cded94de3730fa0abd5dec8f14be

SHA256
7c3615c405f7a11f1c217b9ecd1000cf60a37bca7da1f2d12da21cc110b16b4d

SHA512
1d1af3fcfcdba41874e3eb3e2571d25798acfd49b63b7fcf9393be2f59c9ba77e563da1717abcd6445fc52fd6d948bf4c0dd5978a192c8e32e0a9279fd0be33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
MD5
9133c2a5ebf3e25aceae5a001ca6f279

SHA1
319f911282f3cded94de3730fa0abd5dec8f14be

SHA256
7c3615c405f7a11f1c217b9ecd1000cf60a37bca7da1f2d12da21cc110b16b4d

SHA512
1d1af3fcfcdba41874e3eb3e2571d25798acfd49b63b7fcf9393be2f59c9ba77e563da1717abcd6445fc52fd6d948bf4c0dd5978a192c8e32e0a9279fd0be33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
MD5
9133c2a5ebf3e25aceae5a001ca6f279

SHA1
319f911282f3cded94de3730fa0abd5dec8f14be

SHA256
7c3615c405f7a11f1c217b9ecd1000cf60a37bca7da1f2d12da21cc110b16b4d

SHA512
1d1af3fcfcdba41874e3eb3e2571d25798acfd49b63b7fcf9393be2f59c9ba77e563da1717abcd6445fc52fd6d948bf4c0dd5978a192c8e32e0a9279fd0be33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ss0jaf8dLyvF0zM1.exe
MD5
e87459f61fd1f017d4bd6b0a1a1fc86a

SHA1
30838d010aad8c9f3fd0fc302e71b4cbe6f138c0

SHA256
ec1b56551036963a425f6a0564d75980054e01d251c88eb29c81c1b2182f5727

SHA512
dd13993174d234d60ec98124b71bfefcf556c069e482a2e1f127f81f6738b71cd37cee95bf0119d3a61513c01438055767d480e26d6ed260ee16a96533d0cfa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ss0jaf8dLyvF0zM1.exe
MD5
e87459f61fd1f017d4bd6b0a1a1fc86a

SHA1
30838d010aad8c9f3fd0fc302e71b4cbe6f138c0

SHA256
ec1b56551036963a425f6a0564d75980054e01d251c88eb29c81c1b2182f5727

SHA512
dd13993174d234d60ec98124b71bfefcf556c069e482a2e1f127f81f6738b71cd37cee95bf0119d3a61513c01438055767d480e26d6ed260ee16a96533d0cfa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
MD5
f07d2c33e4afe36ec6f6f14f9a56e84a

SHA1
3ebed0c1a265d1e17ce038dfaf1029387f0b53ee

SHA256
309385e6cd68c0dd148905c3147f77383edaf35da9609c0717da7df1a894e3ca

SHA512
b4fbf0e6b8e7e8e1679680039e4ac0aebdf7967a9cc36d9ddac35fa31d997253384a51656d886afb2ded9f911b7b8b44c2dcb8ebe71962e551c5025a4d75ebe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
MD5
f07d2c33e4afe36ec6f6f14f9a56e84a

SHA1
3ebed0c1a265d1e17ce038dfaf1029387f0b53ee

SHA256
309385e6cd68c0dd148905c3147f77383edaf35da9609c0717da7df1a894e3ca

SHA512
b4fbf0e6b8e7e8e1679680039e4ac0aebdf7967a9cc36d9ddac35fa31d997253384a51656d886afb2ded9f911b7b8b44c2dcb8ebe71962e551c5025a4d75ebe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
MD5
3e804917c454ca31c1cbd602682542b7

SHA1
1df3e81b9d879e21af299f5478051b98f3cb7739

SHA256
f9f7b6f7b8c5068f9e29a5b50afca609018c50ffd61929e1b78124f5381868f1

SHA512
28e59bc545179c2503771b93d947930bd56f8ebd0402ecbb398335c5ac89f40051e93fbfd84d35b8c625b253bb4cafea6a5360914b8d54d1bc121977f1eadbaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
MD5
3e804917c454ca31c1cbd602682542b7

SHA1
1df3e81b9d879e21af299f5478051b98f3cb7739

SHA256
f9f7b6f7b8c5068f9e29a5b50afca609018c50ffd61929e1b78124f5381868f1

SHA512
28e59bc545179c2503771b93d947930bd56f8ebd0402ecbb398335c5ac89f40051e93fbfd84d35b8c625b253bb4cafea6a5360914b8d54d1bc121977f1eadbaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
MD5
3e804917c454ca31c1cbd602682542b7

SHA1
1df3e81b9d879e21af299f5478051b98f3cb7739

SHA256
f9f7b6f7b8c5068f9e29a5b50afca609018c50ffd61929e1b78124f5381868f1

SHA512
28e59bc545179c2503771b93d947930bd56f8ebd0402ecbb398335c5ac89f40051e93fbfd84d35b8c625b253bb4cafea6a5360914b8d54d1bc121977f1eadbaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
MD5
3e804917c454ca31c1cbd602682542b7

SHA1
1df3e81b9d879e21af299f5478051b98f3cb7739

SHA256
f9f7b6f7b8c5068f9e29a5b50afca609018c50ffd61929e1b78124f5381868f1

SHA512
28e59bc545179c2503771b93d947930bd56f8ebd0402ecbb398335c5ac89f40051e93fbfd84d35b8c625b253bb4cafea6a5360914b8d54d1bc121977f1eadbaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
MD5
3e804917c454ca31c1cbd602682542b7

SHA1
1df3e81b9d879e21af299f5478051b98f3cb7739

SHA256
f9f7b6f7b8c5068f9e29a5b50afca609018c50ffd61929e1b78124f5381868f1

SHA512
28e59bc545179c2503771b93d947930bd56f8ebd0402ecbb398335c5ac89f40051e93fbfd84d35b8c625b253bb4cafea6a5360914b8d54d1bc121977f1eadbaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\iLFJlWovt3sawSak.exe
MD5
2819e45588024ba76f248a39d3e232ba

SHA1
08a797b87ecfbee682ce14d872177dae1a5a46a2

SHA256
b82b23059e398b39f183ec833d498200029033b0fd3a138b6c2064a6fa3c4b93

SHA512
a38b58768daf58fa56ca7b8c37826d57e9dbfcd2dedf120a5b7b9aa36c4e10f64ec07c11dbd77b5861236c005fe5d453523911906dd77a302634408f1d78503a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iLFJlWovt3sawSak.exe
MD5
2819e45588024ba76f248a39d3e232ba

SHA1
08a797b87ecfbee682ce14d872177dae1a5a46a2

SHA256
b82b23059e398b39f183ec833d498200029033b0fd3a138b6c2064a6fa3c4b93

SHA512
a38b58768daf58fa56ca7b8c37826d57e9dbfcd2dedf120a5b7b9aa36c4e10f64ec07c11dbd77b5861236c005fe5d453523911906dd77a302634408f1d78503a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1564.tmp.bat
MD5
39a97db66eabbb2382363fddf1fd36f9

SHA1
28e90726d0b060e38dea4738c6b023ea9a46cb14

SHA256
3c4d446c503b19b622afcabb572a2a7105be043878a3c109561843e91745bf6d

SHA512
ed4060cba5bff77b35d5b9e08f55fc730dced6483ab6461f391675b3309d572465972e1dc7a9aadba1d7dc25e8ecc2878fb223b2bf9da8272ac246d21200ffce

Download Submit
C:\Users\Admin\AppData\Roaming\prndrvest.exe
MD5
7029487b43ca4538131a1d41e40b9ce3

SHA1
eb1576ae21a1bacc411a317d20bf99e3d7f002ed

SHA256
d3bc6719eadae7473c7ac47365c28419c385e095afa6c56d1a4b7d592e8fa0fa

SHA512
a6cae2ee7f71f458a1d9f13398820dce022e0d9b836924e8d8f24ca95c411b6b6c3ac76302751dc9457b0d14f424b3563999f75d4dafd0ee9bd2a35b15df27a0

Download Submit
C:\Users\Admin\AppData\Roaming\prndrvest.exe
MD5
7029487b43ca4538131a1d41e40b9ce3

SHA1
eb1576ae21a1bacc411a317d20bf99e3d7f002ed

SHA256
d3bc6719eadae7473c7ac47365c28419c385e095afa6c56d1a4b7d592e8fa0fa

SHA512
a6cae2ee7f71f458a1d9f13398820dce022e0d9b836924e8d8f24ca95c411b6b6c3ac76302751dc9457b0d14f424b3563999f75d4dafd0ee9bd2a35b15df27a0

Download Submit
C:\Users\Admin\Documents\excelsl.exe
MD5
3e804917c454ca31c1cbd602682542b7

SHA1
1df3e81b9d879e21af299f5478051b98f3cb7739

SHA256
f9f7b6f7b8c5068f9e29a5b50afca609018c50ffd61929e1b78124f5381868f1

SHA512
28e59bc545179c2503771b93d947930bd56f8ebd0402ecbb398335c5ac89f40051e93fbfd84d35b8c625b253bb4cafea6a5360914b8d54d1bc121977f1eadbaf

Download Submit
C:\Users\Admin\Documents\excelsl.exe
MD5
3e804917c454ca31c1cbd602682542b7

SHA1
1df3e81b9d879e21af299f5478051b98f3cb7739

SHA256
f9f7b6f7b8c5068f9e29a5b50afca609018c50ffd61929e1b78124f5381868f1

SHA512
28e59bc545179c2503771b93d947930bd56f8ebd0402ecbb398335c5ac89f40051e93fbfd84d35b8c625b253bb4cafea6a5360914b8d54d1bc121977f1eadbaf

Download Submit
C:\Windows\svehosts.exe
MD5
2819e45588024ba76f248a39d3e232ba

SHA1
08a797b87ecfbee682ce14d872177dae1a5a46a2

SHA256
b82b23059e398b39f183ec833d498200029033b0fd3a138b6c2064a6fa3c4b93

SHA512
a38b58768daf58fa56ca7b8c37826d57e9dbfcd2dedf120a5b7b9aa36c4e10f64ec07c11dbd77b5861236c005fe5d453523911906dd77a302634408f1d78503a

Download Submit
C:\Windows\svehosts.exe
MD5
2819e45588024ba76f248a39d3e232ba

SHA1
08a797b87ecfbee682ce14d872177dae1a5a46a2

SHA256
b82b23059e398b39f183ec833d498200029033b0fd3a138b6c2064a6fa3c4b93

SHA512
a38b58768daf58fa56ca7b8c37826d57e9dbfcd2dedf120a5b7b9aa36c4e10f64ec07c11dbd77b5861236c005fe5d453523911906dd77a302634408f1d78503a

Download Submit
\Users\Admin\AppData\Local\Temp\0Zha4QcBxDplMnTf.exe
MD5
590acb5fa6b5c3001ebce3d67242aac4

SHA1
5df39906dc4e60f01b95783fc55af6128402d611

SHA256
7bf9b7b25cf1671e5640f8eeac149f9a4e8c9f6c63415f4bd61bccb10ddf8509

SHA512
4ac518140ee666491132525853f2843357d622fe351e59cca7ce3b054d665f77ad8987adddd601e6b1afe6903222d77cf3c41a5aa69e8caf0dcdc7656a43e9ba

Download Submit
\Users\Admin\AppData\Local\Temp\4aWJrAmUT0XfQ5Bb.exe
MD5
3e804917c454ca31c1cbd602682542b7

SHA1
1df3e81b9d879e21af299f5478051b98f3cb7739

SHA256
f9f7b6f7b8c5068f9e29a5b50afca609018c50ffd61929e1b78124f5381868f1

SHA512
28e59bc545179c2503771b93d947930bd56f8ebd0402ecbb398335c5ac89f40051e93fbfd84d35b8c625b253bb4cafea6a5360914b8d54d1bc121977f1eadbaf

Download Submit
\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
MD5
9d2a888ca79e1ff3820882ea1d88d574

SHA1
112c38d80bf2c0d48256249bbabe906b834b1f66

SHA256
8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138

SHA512
17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840

Download Submit
\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
MD5
9d2a888ca79e1ff3820882ea1d88d574

SHA1
112c38d80bf2c0d48256249bbabe906b834b1f66

SHA256
8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138

SHA512
17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840

Download Submit
\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
MD5
e87459f61fd1f017d4bd6b0a1a1fc86a

SHA1
30838d010aad8c9f3fd0fc302e71b4cbe6f138c0

SHA256
ec1b56551036963a425f6a0564d75980054e01d251c88eb29c81c1b2182f5727

SHA512
dd13993174d234d60ec98124b71bfefcf556c069e482a2e1f127f81f6738b71cd37cee95bf0119d3a61513c01438055767d480e26d6ed260ee16a96533d0cfa2

Download Submit
\Users\Admin\AppData\Local\Temp\KF4GVecsQJvMIpxj.exe
MD5
f07d2c33e4afe36ec6f6f14f9a56e84a

SHA1
3ebed0c1a265d1e17ce038dfaf1029387f0b53ee

SHA256
309385e6cd68c0dd148905c3147f77383edaf35da9609c0717da7df1a894e3ca

SHA512
b4fbf0e6b8e7e8e1679680039e4ac0aebdf7967a9cc36d9ddac35fa31d997253384a51656d886afb2ded9f911b7b8b44c2dcb8ebe71962e551c5025a4d75ebe2

Download Submit
\Users\Admin\AppData\Local\Temp\KhzfezpMpG3lnWZs.exe
MD5
9133c2a5ebf3e25aceae5a001ca6f279

SHA1
319f911282f3cded94de3730fa0abd5dec8f14be

SHA256
7c3615c405f7a11f1c217b9ecd1000cf60a37bca7da1f2d12da21cc110b16b4d

SHA512
1d1af3fcfcdba41874e3eb3e2571d25798acfd49b63b7fcf9393be2f59c9ba77e563da1717abcd6445fc52fd6d948bf4c0dd5978a192c8e32e0a9279fd0be33e

Download Submit
\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
MD5
9133c2a5ebf3e25aceae5a001ca6f279

SHA1
319f911282f3cded94de3730fa0abd5dec8f14be

SHA256
7c3615c405f7a11f1c217b9ecd1000cf60a37bca7da1f2d12da21cc110b16b4d

SHA512
1d1af3fcfcdba41874e3eb3e2571d25798acfd49b63b7fcf9393be2f59c9ba77e563da1717abcd6445fc52fd6d948bf4c0dd5978a192c8e32e0a9279fd0be33e

Download Submit
\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
MD5
9133c2a5ebf3e25aceae5a001ca6f279

SHA1
319f911282f3cded94de3730fa0abd5dec8f14be

SHA256
7c3615c405f7a11f1c217b9ecd1000cf60a37bca7da1f2d12da21cc110b16b4d

SHA512
1d1af3fcfcdba41874e3eb3e2571d25798acfd49b63b7fcf9393be2f59c9ba77e563da1717abcd6445fc52fd6d948bf4c0dd5978a192c8e32e0a9279fd0be33e

Download Submit
\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
MD5
9133c2a5ebf3e25aceae5a001ca6f279

SHA1
319f911282f3cded94de3730fa0abd5dec8f14be

SHA256
7c3615c405f7a11f1c217b9ecd1000cf60a37bca7da1f2d12da21cc110b16b4d

SHA512
1d1af3fcfcdba41874e3eb3e2571d25798acfd49b63b7fcf9393be2f59c9ba77e563da1717abcd6445fc52fd6d948bf4c0dd5978a192c8e32e0a9279fd0be33e

Download Submit
\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
MD5
9133c2a5ebf3e25aceae5a001ca6f279

SHA1
319f911282f3cded94de3730fa0abd5dec8f14be

SHA256
7c3615c405f7a11f1c217b9ecd1000cf60a37bca7da1f2d12da21cc110b16b4d

SHA512
1d1af3fcfcdba41874e3eb3e2571d25798acfd49b63b7fcf9393be2f59c9ba77e563da1717abcd6445fc52fd6d948bf4c0dd5978a192c8e32e0a9279fd0be33e

Download Submit
\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
MD5
9133c2a5ebf3e25aceae5a001ca6f279

SHA1
319f911282f3cded94de3730fa0abd5dec8f14be

SHA256
7c3615c405f7a11f1c217b9ecd1000cf60a37bca7da1f2d12da21cc110b16b4d

SHA512
1d1af3fcfcdba41874e3eb3e2571d25798acfd49b63b7fcf9393be2f59c9ba77e563da1717abcd6445fc52fd6d948bf4c0dd5978a192c8e32e0a9279fd0be33e

Download Submit
\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
MD5
9133c2a5ebf3e25aceae5a001ca6f279

SHA1
319f911282f3cded94de3730fa0abd5dec8f14be

SHA256
7c3615c405f7a11f1c217b9ecd1000cf60a37bca7da1f2d12da21cc110b16b4d

SHA512
1d1af3fcfcdba41874e3eb3e2571d25798acfd49b63b7fcf9393be2f59c9ba77e563da1717abcd6445fc52fd6d948bf4c0dd5978a192c8e32e0a9279fd0be33e

Download Submit
\Users\Admin\AppData\Local\Temp\Ss0jaf8dLyvF0zM1.exe
MD5
e87459f61fd1f017d4bd6b0a1a1fc86a

SHA1
30838d010aad8c9f3fd0fc302e71b4cbe6f138c0

SHA256
ec1b56551036963a425f6a0564d75980054e01d251c88eb29c81c1b2182f5727

SHA512
dd13993174d234d60ec98124b71bfefcf556c069e482a2e1f127f81f6738b71cd37cee95bf0119d3a61513c01438055767d480e26d6ed260ee16a96533d0cfa2

Download Submit
\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
MD5
f07d2c33e4afe36ec6f6f14f9a56e84a

SHA1
3ebed0c1a265d1e17ce038dfaf1029387f0b53ee

SHA256
309385e6cd68c0dd148905c3147f77383edaf35da9609c0717da7df1a894e3ca

SHA512
b4fbf0e6b8e7e8e1679680039e4ac0aebdf7967a9cc36d9ddac35fa31d997253384a51656d886afb2ded9f911b7b8b44c2dcb8ebe71962e551c5025a4d75ebe2

Download Submit
\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
MD5
3e804917c454ca31c1cbd602682542b7

SHA1
1df3e81b9d879e21af299f5478051b98f3cb7739

SHA256
f9f7b6f7b8c5068f9e29a5b50afca609018c50ffd61929e1b78124f5381868f1

SHA512
28e59bc545179c2503771b93d947930bd56f8ebd0402ecbb398335c5ac89f40051e93fbfd84d35b8c625b253bb4cafea6a5360914b8d54d1bc121977f1eadbaf

Download Submit
\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
MD5
3e804917c454ca31c1cbd602682542b7

SHA1
1df3e81b9d879e21af299f5478051b98f3cb7739

SHA256
f9f7b6f7b8c5068f9e29a5b50afca609018c50ffd61929e1b78124f5381868f1

SHA512
28e59bc545179c2503771b93d947930bd56f8ebd0402ecbb398335c5ac89f40051e93fbfd84d35b8c625b253bb4cafea6a5360914b8d54d1bc121977f1eadbaf

Download Submit
\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
MD5
3e804917c454ca31c1cbd602682542b7

SHA1
1df3e81b9d879e21af299f5478051b98f3cb7739

SHA256
f9f7b6f7b8c5068f9e29a5b50afca609018c50ffd61929e1b78124f5381868f1

SHA512
28e59bc545179c2503771b93d947930bd56f8ebd0402ecbb398335c5ac89f40051e93fbfd84d35b8c625b253bb4cafea6a5360914b8d54d1bc121977f1eadbaf

Download Submit
\Users\Admin\AppData\Local\Temp\iLFJlWovt3sawSak.exe
MD5
2819e45588024ba76f248a39d3e232ba

SHA1
08a797b87ecfbee682ce14d872177dae1a5a46a2

SHA256
b82b23059e398b39f183ec833d498200029033b0fd3a138b6c2064a6fa3c4b93

SHA512
a38b58768daf58fa56ca7b8c37826d57e9dbfcd2dedf120a5b7b9aa36c4e10f64ec07c11dbd77b5861236c005fe5d453523911906dd77a302634408f1d78503a

Download Submit
\Users\Admin\AppData\Roaming\prndrvest.exe
MD5
7029487b43ca4538131a1d41e40b9ce3

SHA1
eb1576ae21a1bacc411a317d20bf99e3d7f002ed

SHA256
d3bc6719eadae7473c7ac47365c28419c385e095afa6c56d1a4b7d592e8fa0fa

SHA512
a6cae2ee7f71f458a1d9f13398820dce022e0d9b836924e8d8f24ca95c411b6b6c3ac76302751dc9457b0d14f424b3563999f75d4dafd0ee9bd2a35b15df27a0

Download Submit
\Users\Admin\Documents\excelsl.exe
MD5
3e804917c454ca31c1cbd602682542b7

SHA1
1df3e81b9d879e21af299f5478051b98f3cb7739

SHA256
f9f7b6f7b8c5068f9e29a5b50afca609018c50ffd61929e1b78124f5381868f1

SHA512
28e59bc545179c2503771b93d947930bd56f8ebd0402ecbb398335c5ac89f40051e93fbfd84d35b8c625b253bb4cafea6a5360914b8d54d1bc121977f1eadbaf

Download Submit
memory/268-72-0x00000000003D0000-0x00000000003DD000-memory.dmp

Filesize
52KB

Download
memory/268-27-0x00000000718A0000-0x0000000071F8E000-memory.dmp

Filesize
6.9MB

Download
memory/268-13-0x0000000000000000-mapping.dmp

Download
memory/268-55-0x00000000009A0000-0x00000000009BD000-memory.dmp

Filesize
116KB

Download
memory/268-31-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/284-103-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/284-101-0x000000000048F888-mapping.dmp

Download
memory/288-93-0x000000000046A08C-mapping.dmp

Download
memory/672-37-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/672-38-0x000000000040715C-mapping.dmp

Download
memory/672-41-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1068-1-0x0000000000000000-mapping.dmp

Download
memory/1092-119-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/1092-115-0x0000000000000000-mapping.dmp

Download
memory/1092-116-0x0000000000000000-mapping.dmp

Download
memory/1092-118-0x00000000711B0000-0x000000007189E000-memory.dmp

Filesize
6.9MB

Download
memory/1136-9-0x0000000000000000-mapping.dmp

Download
memory/1136-39-0x0000000008BC0000-0x0000000008BC2000-memory.dmp

Filesize
8KB

Download
memory/1136-33-0x0000000005940000-0x0000000005942000-memory.dmp

Filesize
8KB

Download
memory/1156-29-0x000000000048F888-mapping.dmp

Download
memory/1156-28-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1312-43-0x0000000000405CE2-mapping.dmp

Download
memory/1312-42-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1312-54-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1316-109-0x0000000000000000-mapping.dmp

Download
memory/1344-112-0x0000000000000000-mapping.dmp

Download
memory/1376-5-0x0000000000000000-mapping.dmp

Download
memory/1460-58-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1460-59-0x0000000000000000-mapping.dmp

Download
memory/1460-57-0x0000000000000000-mapping.dmp

Download
memory/1476-16-0x0000000000000000-mapping.dmp

Download
memory/1516-51-0x000000000048F888-mapping.dmp

Download
memory/1516-53-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1516-50-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1600-79-0x0000000000000000-mapping.dmp

Download
memory/1624-21-0x0000000000000000-mapping.dmp

Download
memory/1648-108-0x0000000000000000-mapping.dmp

Download
memory/1684-106-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1684-107-0x0000000000000000-mapping.dmp

Download
memory/1684-105-0x0000000000000000-mapping.dmp

Download
memory/1692-110-0x0000000000000000-mapping.dmp

Download
memory/1912-83-0x0000000000000000-mapping.dmp

Download
memory/2016-76-0x0000000000000000-mapping.dmp

Download
memory/2044-78-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2044-68-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2044-71-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2044-69-0x000000000046A08C-mapping.dmp

Download