asyncrat | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

01/03/2025, 18:58 UTC

250301-xmhhrayp15 10

01/03/2025, 18:55 UTC

250301-xkqrcaypx7 10

Analysis

max time kernel
158s
max time network
185s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08/02/2025, 06:10 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42f972925508a82236e8533567487761.exe
Size

3.7MB
MD5

9d2a888ca79e1ff3820882ea1d88d574
SHA1

112c38d80bf2c0d48256249bbabe906b834b1f66
SHA256

8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138
SHA512

17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840
SSDEEP

98304:Nn1CVf+y/EFc7DvOUxlpq2JdnQ+O2M7hlXKUmkbtT2TMI:A/EqaUFqItO2M7PXKUmkbtT2T

Score

10^/10

asyncrat darkcomet njrat warzonerat 2020nov1 null defense_evasion discovery infostealer persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

1
#KCMDDC51#-�890

rc4.plain

1
#KCMDDC51#-890

Extracted

Family

darkcomet

Botnet

2020NOV1

sandyclark255.hopto.org:35887

Mutex

DC_MUTEX-6XT818D

Attributes

InstallPath
excelsl.exe
gencode
n7asq0Dbu7D2
install
true
offline_keylogger
true
password
hhhhhh
persistence
true
reg_key
office

rc4.plain

1
#KCMDDC51#-890

Extracted

Family

asyncrat

Version

0.5.6A

Botnet

null

sandyclark255.hopto.org:6606

sandyclark255.hopto.org:8808

sandyclark255.hopto.org:7707

Mutex

adweqsds56332

Attributes

delay
5
install
true
install_file
prndrvest.exe
install_folder
%AppData%

aes.plain

1
DStgwPf5qCYAcWWcPg3CaZBkDbYF3HQo

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\excelsl.exe"	svuhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\k4Xq51JTS0f2R98Z\\6N1zDtwtzTP1.exe\",explorer.exe"	5UR6FsWeRvbKN4Gc.exe

Njrat family
njrat
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral15/memory/2736-295-0x0000000000410000-0x0000000000422000-memory.dmp	family_asyncrat
behavioral15/memory/2736-296-0x0000000000590000-0x00000000005A2000-memory.dmp	family_asyncrat

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	svuhost.exe

Disables Task Manager via registry modification
defense_evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	svuhost.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2676	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d790bed038373d95093d4db590b9997.exe	svehosts.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d790bed038373d95093d4db590b9997.exe	svehosts.exe

Executes dropped EXE 22 IoCs

pid	Process
920	GXsJb60byMh1ZwNP.exe
2300	5UR6FsWeRvbKN4Gc.exe
2524	mMA1fIJTZtNJvMAP.exe
2728	q2woKxkSzDoHqQ2A.exe
2736	Wy5dCjEEEt87yXhN.exe
3008	Dj8EYwuUy6blqkFA.exe
2012	svthost.exe
2340	svrhost.exe
2400	svuhost.exe
2120	svehosts.exe
2432	eridjeht.exe
1560	excelsl.exe
2756	svbhost.exe
2932	svbhost.exe
1532	svbhost.exe
2836	svbhost.exe
2680	svbhost.exe
2740	svbhost.exe
996	svuhost.exe
1952	svuhost.exe
2000	svuhost.exe
1008	prndrvest.exe

Loads dropped DLL 22 IoCs

pid	Process
2860	42f972925508a82236e8533567487761.exe
2860	42f972925508a82236e8533567487761.exe
2860	42f972925508a82236e8533567487761.exe
2860	42f972925508a82236e8533567487761.exe
2860	42f972925508a82236e8533567487761.exe
2860	42f972925508a82236e8533567487761.exe
2860	42f972925508a82236e8533567487761.exe
3008	Dj8EYwuUy6blqkFA.exe
2524	mMA1fIJTZtNJvMAP.exe
2728	q2woKxkSzDoHqQ2A.exe
2400	svuhost.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2104	dw20.exe
1560	excelsl.exe
1560	excelsl.exe
1560	excelsl.exe
1692	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\2d790bed038373d95093d4db590b9997 = "\"C:\\Windows\\svehosts.exe\" .."	svehosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2d790bed038373d95093d4db590b9997 = "\"C:\\Windows\\svehosts.exe\" .."	svehosts.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\office = "C:\\Users\\Admin\\Documents\\excelsl.exe"	svuhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\office = "C:\\Users\\Admin\\Documents\\excelsl.exe"	svuhost.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2860 set thread context of 2012	2860	42f972925508a82236e8533567487761.exe	36
PID 3008 set thread context of 2340	3008	Dj8EYwuUy6blqkFA.exe	37
PID 2524 set thread context of 2400	2524	mMA1fIJTZtNJvMAP.exe	38
PID 2728 set thread context of 2432	2728	q2woKxkSzDoHqQ2A.exe	41
PID 1560 set thread context of 2000	1560	excelsl.exe	52

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svehosts.exe	GXsJb60byMh1ZwNP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GXsJb60byMh1ZwNP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	q2woKxkSzDoHqQ2A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42f972925508a82236e8533567487761.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svuhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svehosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svuhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prndrvest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mMA1fIJTZtNJvMAP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dj8EYwuUy6blqkFA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wy5dCjEEEt87yXhN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eridjeht.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	excelsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5UR6FsWeRvbKN4Gc.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2420	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
2860	42f972925508a82236e8533567487761.exe
2860	42f972925508a82236e8533567487761.exe
2860	42f972925508a82236e8533567487761.exe
3008	Dj8EYwuUy6blqkFA.exe
3008	Dj8EYwuUy6blqkFA.exe
3008	Dj8EYwuUy6blqkFA.exe
2524	mMA1fIJTZtNJvMAP.exe
2524	mMA1fIJTZtNJvMAP.exe
2524	mMA1fIJTZtNJvMAP.exe
2728	q2woKxkSzDoHqQ2A.exe
2728	q2woKxkSzDoHqQ2A.exe
2728	q2woKxkSzDoHqQ2A.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
2300	5UR6FsWeRvbKN4Gc.exe
1560	excelsl.exe
1560	excelsl.exe
1560	excelsl.exe
1560	excelsl.exe
1560	excelsl.exe
1560	excelsl.exe
1560	excelsl.exe
1560	excelsl.exe
1560	excelsl.exe
1560	excelsl.exe
1560	excelsl.exe
2736	Wy5dCjEEEt87yXhN.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2340	svrhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	42f972925508a82236e8533567487761.exe
Token: SeDebugPrivilege	2860	42f972925508a82236e8533567487761.exe
Token: SeDebugPrivilege	920	GXsJb60byMh1ZwNP.exe
Token: SeDebugPrivilege	920	GXsJb60byMh1ZwNP.exe
Token: SeDebugPrivilege	3008	Dj8EYwuUy6blqkFA.exe
Token: SeDebugPrivilege	2524	mMA1fIJTZtNJvMAP.exe
Token: SeDebugPrivilege	2728	q2woKxkSzDoHqQ2A.exe
Token: SeIncreaseQuotaPrivilege	2400	svuhost.exe
Token: SeSecurityPrivilege	2400	svuhost.exe
Token: SeTakeOwnershipPrivilege	2400	svuhost.exe
Token: SeLoadDriverPrivilege	2400	svuhost.exe
Token: SeSystemProfilePrivilege	2400	svuhost.exe
Token: SeSystemtimePrivilege	2400	svuhost.exe
Token: SeProfSingleProcessPrivilege	2400	svuhost.exe
Token: SeIncBasePriorityPrivilege	2400	svuhost.exe
Token: SeCreatePagefilePrivilege	2400	svuhost.exe
Token: SeBackupPrivilege	2400	svuhost.exe
Token: SeRestorePrivilege	2400	svuhost.exe
Token: SeShutdownPrivilege	2400	svuhost.exe
Token: SeDebugPrivilege	2400	svuhost.exe
Token: SeSystemEnvironmentPrivilege	2400	svuhost.exe
Token: SeChangeNotifyPrivilege	2400	svuhost.exe
Token: SeRemoteShutdownPrivilege	2400	svuhost.exe
Token: SeUndockPrivilege	2400	svuhost.exe
Token: SeManageVolumePrivilege	2400	svuhost.exe
Token: SeImpersonatePrivilege	2400	svuhost.exe
Token: SeCreateGlobalPrivilege	2400	svuhost.exe
Token: 33	2400	svuhost.exe
Token: 34	2400	svuhost.exe
Token: 35	2400	svuhost.exe
Token: SeDebugPrivilege	2300	5UR6FsWeRvbKN4Gc.exe
Token: SeDebugPrivilege	2300	5UR6FsWeRvbKN4Gc.exe
Token: SeDebugPrivilege	2120	svehosts.exe
Token: SeDebugPrivilege	2120	svehosts.exe
Token: SeDebugPrivilege	1560	excelsl.exe
Token: SeDebugPrivilege	2736	Wy5dCjEEEt87yXhN.exe
Token: SeIncreaseQuotaPrivilege	2000	svuhost.exe
Token: SeSecurityPrivilege	2000	svuhost.exe
Token: SeTakeOwnershipPrivilege	2000	svuhost.exe
Token: SeLoadDriverPrivilege	2000	svuhost.exe
Token: SeSystemProfilePrivilege	2000	svuhost.exe
Token: SeSystemtimePrivilege	2000	svuhost.exe
Token: SeProfSingleProcessPrivilege	2000	svuhost.exe
Token: SeIncBasePriorityPrivilege	2000	svuhost.exe
Token: SeCreatePagefilePrivilege	2000	svuhost.exe
Token: SeBackupPrivilege	2000	svuhost.exe
Token: SeRestorePrivilege	2000	svuhost.exe
Token: SeShutdownPrivilege	2000	svuhost.exe
Token: SeDebugPrivilege	2000	svuhost.exe
Token: SeSystemEnvironmentPrivilege	2000	svuhost.exe
Token: SeChangeNotifyPrivilege	2000	svuhost.exe
Token: SeRemoteShutdownPrivilege	2000	svuhost.exe
Token: SeUndockPrivilege	2000	svuhost.exe
Token: SeManageVolumePrivilege	2000	svuhost.exe
Token: SeImpersonatePrivilege	2000	svuhost.exe
Token: SeCreateGlobalPrivilege	2000	svuhost.exe
Token: 33	2000	svuhost.exe
Token: 34	2000	svuhost.exe
Token: 35	2000	svuhost.exe
Token: 33	2120	svehosts.exe
Token: SeIncBasePriorityPrivilege	2120	svehosts.exe
Token: 33	2120	svehosts.exe
Token: SeIncBasePriorityPrivilege	2120	svehosts.exe
Token: 33	2120	svehosts.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2000	svuhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 920	2860	42f972925508a82236e8533567487761.exe	30
PID 2860 wrote to memory of 920	2860	42f972925508a82236e8533567487761.exe	30
PID 2860 wrote to memory of 920	2860	42f972925508a82236e8533567487761.exe	30
PID 2860 wrote to memory of 920	2860	42f972925508a82236e8533567487761.exe	30
PID 2860 wrote to memory of 2300	2860	42f972925508a82236e8533567487761.exe	31
PID 2860 wrote to memory of 2300	2860	42f972925508a82236e8533567487761.exe	31
PID 2860 wrote to memory of 2300	2860	42f972925508a82236e8533567487761.exe	31
PID 2860 wrote to memory of 2300	2860	42f972925508a82236e8533567487761.exe	31
PID 2860 wrote to memory of 2524	2860	42f972925508a82236e8533567487761.exe	32
PID 2860 wrote to memory of 2524	2860	42f972925508a82236e8533567487761.exe	32
PID 2860 wrote to memory of 2524	2860	42f972925508a82236e8533567487761.exe	32
PID 2860 wrote to memory of 2524	2860	42f972925508a82236e8533567487761.exe	32
PID 2860 wrote to memory of 2736	2860	42f972925508a82236e8533567487761.exe	33
PID 2860 wrote to memory of 2736	2860	42f972925508a82236e8533567487761.exe	33
PID 2860 wrote to memory of 2736	2860	42f972925508a82236e8533567487761.exe	33
PID 2860 wrote to memory of 2736	2860	42f972925508a82236e8533567487761.exe	33
PID 2860 wrote to memory of 2728	2860	42f972925508a82236e8533567487761.exe	34
PID 2860 wrote to memory of 2728	2860	42f972925508a82236e8533567487761.exe	34
PID 2860 wrote to memory of 2728	2860	42f972925508a82236e8533567487761.exe	34
PID 2860 wrote to memory of 2728	2860	42f972925508a82236e8533567487761.exe	34
PID 2860 wrote to memory of 3008	2860	42f972925508a82236e8533567487761.exe	35
PID 2860 wrote to memory of 3008	2860	42f972925508a82236e8533567487761.exe	35
PID 2860 wrote to memory of 3008	2860	42f972925508a82236e8533567487761.exe	35
PID 2860 wrote to memory of 3008	2860	42f972925508a82236e8533567487761.exe	35
PID 2860 wrote to memory of 2012	2860	42f972925508a82236e8533567487761.exe	36
PID 2860 wrote to memory of 2012	2860	42f972925508a82236e8533567487761.exe	36
PID 2860 wrote to memory of 2012	2860	42f972925508a82236e8533567487761.exe	36
PID 2860 wrote to memory of 2012	2860	42f972925508a82236e8533567487761.exe	36
PID 2860 wrote to memory of 2012	2860	42f972925508a82236e8533567487761.exe	36
PID 2860 wrote to memory of 2012	2860	42f972925508a82236e8533567487761.exe	36
PID 2860 wrote to memory of 2012	2860	42f972925508a82236e8533567487761.exe	36
PID 2860 wrote to memory of 2012	2860	42f972925508a82236e8533567487761.exe	36
PID 2860 wrote to memory of 2012	2860	42f972925508a82236e8533567487761.exe	36
PID 2860 wrote to memory of 2012	2860	42f972925508a82236e8533567487761.exe	36
PID 2860 wrote to memory of 2012	2860	42f972925508a82236e8533567487761.exe	36
PID 2860 wrote to memory of 2012	2860	42f972925508a82236e8533567487761.exe	36
PID 2860 wrote to memory of 2012	2860	42f972925508a82236e8533567487761.exe	36
PID 3008 wrote to memory of 2340	3008	Dj8EYwuUy6blqkFA.exe	37
PID 3008 wrote to memory of 2340	3008	Dj8EYwuUy6blqkFA.exe	37
PID 3008 wrote to memory of 2340	3008	Dj8EYwuUy6blqkFA.exe	37
PID 3008 wrote to memory of 2340	3008	Dj8EYwuUy6blqkFA.exe	37
PID 3008 wrote to memory of 2340	3008	Dj8EYwuUy6blqkFA.exe	37
PID 3008 wrote to memory of 2340	3008	Dj8EYwuUy6blqkFA.exe	37
PID 3008 wrote to memory of 2340	3008	Dj8EYwuUy6blqkFA.exe	37
PID 3008 wrote to memory of 2340	3008	Dj8EYwuUy6blqkFA.exe	37
PID 3008 wrote to memory of 2340	3008	Dj8EYwuUy6blqkFA.exe	37
PID 3008 wrote to memory of 2340	3008	Dj8EYwuUy6blqkFA.exe	37
PID 3008 wrote to memory of 2340	3008	Dj8EYwuUy6blqkFA.exe	37
PID 2524 wrote to memory of 2400	2524	mMA1fIJTZtNJvMAP.exe	38
PID 2524 wrote to memory of 2400	2524	mMA1fIJTZtNJvMAP.exe	38
PID 2524 wrote to memory of 2400	2524	mMA1fIJTZtNJvMAP.exe	38
PID 2524 wrote to memory of 2400	2524	mMA1fIJTZtNJvMAP.exe	38
PID 2524 wrote to memory of 2400	2524	mMA1fIJTZtNJvMAP.exe	38
PID 2524 wrote to memory of 2400	2524	mMA1fIJTZtNJvMAP.exe	38
PID 2524 wrote to memory of 2400	2524	mMA1fIJTZtNJvMAP.exe	38
PID 2524 wrote to memory of 2400	2524	mMA1fIJTZtNJvMAP.exe	38
PID 2524 wrote to memory of 2400	2524	mMA1fIJTZtNJvMAP.exe	38
PID 2524 wrote to memory of 2400	2524	mMA1fIJTZtNJvMAP.exe	38
PID 2524 wrote to memory of 2400	2524	mMA1fIJTZtNJvMAP.exe	38
PID 2524 wrote to memory of 2400	2524	mMA1fIJTZtNJvMAP.exe	38
PID 2524 wrote to memory of 2400	2524	mMA1fIJTZtNJvMAP.exe	38
PID 920 wrote to memory of 2120	920	GXsJb60byMh1ZwNP.exe	40
PID 920 wrote to memory of 2120	920	GXsJb60byMh1ZwNP.exe	40
PID 920 wrote to memory of 2120	920	GXsJb60byMh1ZwNP.exe	40

C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe
"C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\GXsJb60byMh1ZwNP.exe
  "C:\Users\Admin\AppData\Local\Temp\GXsJb60byMh1ZwNP.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Windows\svehosts.exe
    "C:\Windows\svehosts.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\svehosts.exe" "svehosts.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2676
- C:\Users\Admin\AppData\Local\Temp\5UR6FsWeRvbKN4Gc.exe
  "C:\Users\Admin\AppData\Local\Temp\5UR6FsWeRvbKN4Gc.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
    "C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"
    3⤵
    - Executes dropped EXE
    PID:2756
- - C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
    "C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"
    3⤵
    - Executes dropped EXE
    PID:2932
- - C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
    "C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"
    3⤵
    - Executes dropped EXE
    PID:1532
- - C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
    "C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"
    3⤵
    - Executes dropped EXE
    PID:2836
- - C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
    "C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"
    3⤵
    - Executes dropped EXE
    PID:2680
- - C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
    "C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"
    3⤵
    - Executes dropped EXE
    PID:2740
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 660
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2104
- C:\Users\Admin\AppData\Local\Temp\mMA1fIJTZtNJvMAP.exe
  "C:\Users\Admin\AppData\Local\Temp\mMA1fIJTZtNJvMAP.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
    "C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      System Location Discovery: System Language Discovery
      PID:2344
  - - C:\Users\Admin\Documents\excelsl.exe
      "C:\Users\Admin\Documents\excelsl.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1560
    - - C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:996
    - - C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1952
    - - C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2000
      - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
- C:\Users\Admin\AppData\Local\Temp\Wy5dCjEEEt87yXhN.exe
  "C:\Users\Admin\AppData\Local\Temp\Wy5dCjEEEt87yXhN.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'prndrvest"' /tr "'C:\Users\Admin\AppData\Roaming\prndrvest.exe"'
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF612.tmp.bat""
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1692
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2420
  - - C:\Users\Admin\AppData\Roaming\prndrvest.exe
      "C:\Users\Admin\AppData\Roaming\prndrvest.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1008
- C:\Users\Admin\AppData\Local\Temp\q2woKxkSzDoHqQ2A.exe
  "C:\Users\Admin\AppData\Local\Temp\q2woKxkSzDoHqQ2A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
    "C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2432
- C:\Users\Admin\AppData\Local\Temp\Dj8EYwuUy6blqkFA.exe
  "C:\Users\Admin\AppData\Local\Temp\Dj8EYwuUy6blqkFA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
    "C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2340
- C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
  "C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe"
  2⤵
  - Executes dropped EXE
  PID:2012

Network

DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0
DNS

sandyclark255.hopto.org

svehosts.exe

Remote address:

8.8.8.8:53

Request

sandyclark255.hopto.org

IN A

Response

sandyclark255.hopto.org

IN A

0.0.0.0

No results found

8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

207 B
85 B
3
1

DNS Request

sandyclark255.hopto.org

DNS Request

sandyclark255.hopto.org

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

138 B
85 B
2
1

DNS Request

sandyclark255.hopto.org

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

138 B
85 B
2
1

DNS Request

sandyclark255.hopto.org

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0
8.8.8.8:53

sandyclark255.hopto.org

dns

svehosts.exe

69 B
85 B
1
1

DNS Request

sandyclark255.hopto.org

DNS Response

0.0.0.0

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dj8EYwuUy6blqkFA.exe

Filesize
336KB

MD5
e87459f61fd1f017d4bd6b0a1a1fc86a

SHA1
30838d010aad8c9f3fd0fc302e71b4cbe6f138c0

SHA256
ec1b56551036963a425f6a0564d75980054e01d251c88eb29c81c1b2182f5727

SHA512
dd13993174d234d60ec98124b71bfefcf556c069e482a2e1f127f81f6738b71cd37cee95bf0119d3a61513c01438055767d480e26d6ed260ee16a96533d0cfa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2woKxkSzDoHqQ2A.exe

Filesize
366KB

MD5
f07d2c33e4afe36ec6f6f14f9a56e84a

SHA1
3ebed0c1a265d1e17ce038dfaf1029387f0b53ee

SHA256
309385e6cd68c0dd148905c3147f77383edaf35da9609c0717da7df1a894e3ca

SHA512
b4fbf0e6b8e7e8e1679680039e4ac0aebdf7967a9cc36d9ddac35fa31d997253384a51656d886afb2ded9f911b7b8b44c2dcb8ebe71962e551c5025a4d75ebe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF612.tmp.bat

Filesize
153B

MD5
5064c351df29f9ec7ab86ad4633b5522

SHA1
1de153d124042f25fb4230044ba65b54b67c0d6e

SHA256
e9594bce13b4a0a5f73d715eb780368a5d6b63b2866f09136cb0a4bff69ef185

SHA512
98194083ad75ac8e595e68572b99e4708719836009885c4db5109bd620f04eaa8421a1e8bee655f2e52985023f900e7b0fedab6cdb59ea5893d641fd973e0dcb

Download Submit
C:\Users\Admin\AppData\Roaming\prndrvest.exe

Filesize
46.6MB

MD5
ee2935bee02b3ffacd070cfe8c266545

SHA1
6319eceef03cf2c3440d52022b1414a97882ace3

SHA256
4150b67228d799419f1f00d421d619939704f63e180ab26b4b54d8deefc26a8a

SHA512
8d21110efe31926e669b0aa8524e01e0d7e1fcaaea1afc40ed4511d843237dd5fa3bded99602d68ca2d04edf132dcaa103dbac5faa5df32ff30b30476df00bc3

Download Submit
C:\Users\Admin\AppData\Roaming\prndrvest.exe

Filesize
6.7MB

MD5
d2e1aa4db0e756d71d74eaf92e87b4f2

SHA1
194309da633643bbc15892561126d579070eb2a8

SHA256
0421cd2c8f4eb398f89f28eaa4d699c916ab1a28c9f1c8830222554c0fa78bb3

SHA512
0f519d6dfd6430e5e4a1b1ccced70a5d41573e530f2fd2e3984ffb68a90067e1fa4cd85641ef88d6242d3a1ce950d3017373c54a936f4250701ee985f3abd509

Download Submit
C:\Users\Admin\AppData\Roaming\prndrvest.exe

Filesize
11.1MB

MD5
903063c8e2c211f6faaba71c64733b65

SHA1
f044c42dc030a1d9d29b58bad2850f6316cd7af3

SHA256
40c28e107d78553f2925aaad870e5a4bc5d1d765dfc6106a4c11d4765b2b1cfb

SHA512
226b5f030ee2f8ab5a8681b1981242ddea0c8002f63e570de65a8752a584fcfc37d8676701e0724c08f3a7bd18c47f23f8b6067ef55f339c25761ec663f812a5

Download Submit
\Users\Admin\AppData\Local\Temp\5UR6FsWeRvbKN4Gc.exe

Filesize
801KB

MD5
9133c2a5ebf3e25aceae5a001ca6f279

SHA1
319f911282f3cded94de3730fa0abd5dec8f14be

SHA256
7c3615c405f7a11f1c217b9ecd1000cf60a37bca7da1f2d12da21cc110b16b4d

SHA512
1d1af3fcfcdba41874e3eb3e2571d25798acfd49b63b7fcf9393be2f59c9ba77e563da1717abcd6445fc52fd6d948bf4c0dd5978a192c8e32e0a9279fd0be33e

Download Submit
\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe

Filesize
3.7MB

MD5
9d2a888ca79e1ff3820882ea1d88d574

SHA1
112c38d80bf2c0d48256249bbabe906b834b1f66

SHA256
8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138

SHA512
17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840

Download Submit
\Users\Admin\AppData\Local\Temp\GXsJb60byMh1ZwNP.exe

Filesize
472KB

MD5
2819e45588024ba76f248a39d3e232ba

SHA1
08a797b87ecfbee682ce14d872177dae1a5a46a2

SHA256
b82b23059e398b39f183ec833d498200029033b0fd3a138b6c2064a6fa3c4b93

SHA512
a38b58768daf58fa56ca7b8c37826d57e9dbfcd2dedf120a5b7b9aa36c4e10f64ec07c11dbd77b5861236c005fe5d453523911906dd77a302634408f1d78503a

Download Submit
\Users\Admin\AppData\Local\Temp\Wy5dCjEEEt87yXhN.exe

Filesize
376KB

MD5
590acb5fa6b5c3001ebce3d67242aac4

SHA1
5df39906dc4e60f01b95783fc55af6128402d611

SHA256
7bf9b7b25cf1671e5640f8eeac149f9a4e8c9f6c63415f4bd61bccb10ddf8509

SHA512
4ac518140ee666491132525853f2843357d622fe351e59cca7ce3b054d665f77ad8987adddd601e6b1afe6903222d77cf3c41a5aa69e8caf0dcdc7656a43e9ba

Download Submit
\Users\Admin\AppData\Local\Temp\mMA1fIJTZtNJvMAP.exe

Filesize
742KB

MD5
3e804917c454ca31c1cbd602682542b7

SHA1
1df3e81b9d879e21af299f5478051b98f3cb7739

SHA256
f9f7b6f7b8c5068f9e29a5b50afca609018c50ffd61929e1b78124f5381868f1

SHA512
28e59bc545179c2503771b93d947930bd56f8ebd0402ecbb398335c5ac89f40051e93fbfd84d35b8c625b253bb4cafea6a5360914b8d54d1bc121977f1eadbaf

Download Submit
\Users\Admin\AppData\Roaming\prndrvest.exe

Filesize
8.0MB

MD5
24014633a34ec5d3b778d0f1f859ec7e

SHA1
099890facb7b160bcc11b1531da580dbcd215ecf

SHA256
1d5d2ba4f832878a622e60f0edeffa943119f024681ad83b55668b642054e229

SHA512
c313062557166bd69f00e3864032e9cd742957fede31b8d76ecb46caa782bcc7c5ed490a408025dfc93c4b6837c43c2275fcc391f23f9bae37f2777062e688bc

Download Submit
memory/920-72-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/920-21-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/920-17-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/920-74-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/920-182-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/1008-311-0x0000000001350000-0x00000000013B4000-memory.dmp

Filesize
400KB

Download
memory/2012-67-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2012-57-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2012-59-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2012-61-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2012-63-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2012-70-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2012-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2012-65-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2012-55-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2012-53-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2300-22-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2300-76-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2300-297-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2340-93-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2340-85-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2340-83-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2340-81-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2340-96-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2340-94-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2340-91-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2340-87-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2340-89-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2344-135-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2400-120-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2400-109-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2400-113-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2400-111-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2400-107-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2400-105-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2400-104-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2400-117-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2400-118-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2400-115-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2736-218-0x0000000000520000-0x0000000000544000-memory.dmp

Filesize
144KB

Download
memory/2736-296-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/2736-295-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/2736-73-0x0000000000C90000-0x0000000000CF4000-memory.dmp

Filesize
400KB

Download
memory/2860-75-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2860-3-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2860-2-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2860-1-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2860-0-0x0000000074C01000-0x0000000074C02000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.