asyncrat | ceb87fb8fc18a0699bac5b532cfdad64cfdf755efccb03b2571679460b465724

Resubmissions

20/08/2024, 05:13

240820-fwfbbaydmr 10

17/08/2024, 08:11

240817-j3kq6awaqh 10

Analysis

max time kernel
2s
max time network
33s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BYTER.exe
Size

13.3MB
MD5

9fd8d6a471d60fbf60d029504916ea50
SHA1

e1cb6de275494b2642a88a0b2136b1ec84551947
SHA256

ceb87fb8fc18a0699bac5b532cfdad64cfdf755efccb03b2571679460b465724
SHA512

c80968a9e7ecd6c31a4dcc5a27cd47260d0bc2601312b3b3a250487bea64e63595c062c9f48358fd477609a4bfcdd82bfca1da8689b3c247ce62d3fbfb409f7b
SSDEEP

393216:0tk1FrHQc/l+FvxWBqWwVrCCIIedFQMG9:0tkPHQG+FJAqWwVCCI/Du

Score

10^/10

asyncrat default defense_evasion discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

10.0.2.15:9090

10.0.2.15:52033

147.185.221.19:9090

147.185.221.19:52033

Mutex

yigdzohbebyxyvvzbc

Attributes

delay
1
install
true
install_file
Steam.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000018f08-4.dat	family_asyncrat

Executes dropped EXE 3 IoCs

pid	Process
2732	MAIN.exe
2788	MAIN.exe
2540	MAIN.exe

Loads dropped DLL 3 IoCs

pid	Process
2472	BYTER.exe
2244	BYTER.exe
2532	BYTER.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BYTER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BYTER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BYTER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BYTER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2440	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
972	schtasks.exe
2748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2324	powershell.exe
2552	powershell.exe
2760	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2324	2472	BYTER.exe	29
PID 2472 wrote to memory of 2324	2472	BYTER.exe	29
PID 2472 wrote to memory of 2324	2472	BYTER.exe	29
PID 2472 wrote to memory of 2324	2472	BYTER.exe	29
PID 2472 wrote to memory of 2244	2472	BYTER.exe	32
PID 2472 wrote to memory of 2244	2472	BYTER.exe	32
PID 2472 wrote to memory of 2244	2472	BYTER.exe	32
PID 2472 wrote to memory of 2244	2472	BYTER.exe	32
PID 2472 wrote to memory of 2732	2472	BYTER.exe	33
PID 2472 wrote to memory of 2732	2472	BYTER.exe	33
PID 2472 wrote to memory of 2732	2472	BYTER.exe	33
PID 2472 wrote to memory of 2732	2472	BYTER.exe	33
PID 2244 wrote to memory of 2760	2244	BYTER.exe	34
PID 2244 wrote to memory of 2760	2244	BYTER.exe	34
PID 2244 wrote to memory of 2760	2244	BYTER.exe	34
PID 2244 wrote to memory of 2760	2244	BYTER.exe	34
PID 2244 wrote to memory of 2532	2244	BYTER.exe	36
PID 2244 wrote to memory of 2532	2244	BYTER.exe	36
PID 2244 wrote to memory of 2532	2244	BYTER.exe	36
PID 2244 wrote to memory of 2532	2244	BYTER.exe	36
PID 2244 wrote to memory of 2788	2244	BYTER.exe	37
PID 2244 wrote to memory of 2788	2244	BYTER.exe	37
PID 2244 wrote to memory of 2788	2244	BYTER.exe	37
PID 2244 wrote to memory of 2788	2244	BYTER.exe	37
PID 2532 wrote to memory of 2552	2532	BYTER.exe	38
PID 2532 wrote to memory of 2552	2532	BYTER.exe	38
PID 2532 wrote to memory of 2552	2532	BYTER.exe	38
PID 2532 wrote to memory of 2552	2532	BYTER.exe	38
PID 2532 wrote to memory of 2528	2532	BYTER.exe	40
PID 2532 wrote to memory of 2528	2532	BYTER.exe	40
PID 2532 wrote to memory of 2528	2532	BYTER.exe	40
PID 2532 wrote to memory of 2528	2532	BYTER.exe	40
PID 2532 wrote to memory of 2540	2532	BYTER.exe	41
PID 2532 wrote to memory of 2540	2532	BYTER.exe	41
PID 2532 wrote to memory of 2540	2532	BYTER.exe	41
PID 2532 wrote to memory of 2540	2532	BYTER.exe	41
PID 2528 wrote to memory of 2996	2528	BYTER.exe	42
PID 2528 wrote to memory of 2996	2528	BYTER.exe	42
PID 2528 wrote to memory of 2996	2528	BYTER.exe	42
PID 2528 wrote to memory of 2996	2528	BYTER.exe	42
PID 2528 wrote to memory of 980	2528	BYTER.exe	175
PID 2528 wrote to memory of 980	2528	BYTER.exe	175
PID 2528 wrote to memory of 980	2528	BYTER.exe	175
PID 2528 wrote to memory of 980	2528	BYTER.exe	175

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2488

C:\Users\Admin\AppData\Local\Temp\BYTER.exe
"C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Users\Admin\AppData\Local\Temp\BYTER.exe
  "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Users\Admin\AppData\Local\Temp\BYTER.exe
    "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\BYTER.exe
      "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
    - - C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        5⤵
        
        PID:980
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        6⤵
        
        PID:2840
      - C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        6⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        7⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        7⤵
        
        PID:872
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        8⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        8⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        9⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        9⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        10⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        10⤵
        
        PID:108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        11⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        11⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        12⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        12⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        13⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        13⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        14⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        14⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        15⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        15⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        16⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        16⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        17⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        17⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        18⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        18⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        19⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        19⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        20⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        20⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        21⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        21⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        22⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        22⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        23⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        23⤵
        
        PID:320
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        24⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        24⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        25⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        25⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        26⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        26⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        27⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        27⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        28⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        28⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        29⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        29⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        30⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        30⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        31⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        31⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        32⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        32⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        33⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        33⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        34⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        34⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        35⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        35⤵
        
        PID:276
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        36⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        36⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AZAB2ACMAPgA="
        37⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\BYTER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BYTER.exe"
        37⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        36⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        35⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        34⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        33⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        32⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        31⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        30⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        29⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        28⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        27⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        26⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        25⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        24⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        23⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        22⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        21⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        20⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        19⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        18⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        17⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        16⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        15⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        14⤵
        
        PID:1612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"' & exit
        15⤵
        
        PID:2636
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"'
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        13⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        12⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        11⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        10⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        9⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        8⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        7⤵
        
        PID:1784
      - C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        6⤵
        
        PID:1624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"' & exit
        7⤵
        
        PID:2724
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"'
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:972
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7484.tmp.bat""
        7⤵
        
        PID:872
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:2440
        
        C:\Users\Admin\AppData\Roaming\Steam.exe
        
        "C:\Users\Admin\AppData\Roaming\Steam.exe"
        8⤵
        
        PID:2624
    - - C:\Users\Admin\AppData\Local\Temp\MAIN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
        5⤵
        
        PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\MAIN.exe
      "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
      4⤵
      Executes dropped EXE
      PID:2540
- - C:\Users\Admin\AppData\Local\Temp\MAIN.exe
    "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
    3⤵
    - Executes dropped EXE
    PID:2788
- C:\Users\Admin\AppData\Local\Temp\MAIN.exe
  "C:\Users\Admin\AppData\Local\Temp\MAIN.exe"
  2⤵
  - Executes dropped EXE
  PID:2732

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x58c
1⤵
PID:2216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13009629962069955501-712094752161624191911356370241733231548-128722016-251768973"
1⤵
PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7484.tmp.bat

Filesize
149B

MD5
4a13e8145cf4af8fe38d804909a1394e

SHA1
7c111a642849cc8559d8a197096431d4f84463ad

SHA256
bce55b1bb6e4d71a6b72c08a8a6a206c448023bbc8512005c39985ec195e270d

SHA512
e4eed76caed61bde5a83603efa8f51f7e2dca694d618857c64d8ea67b43b5de6ba518b152311afbbfa77b5f8a71652fade74c632aef580d2f6b548b287a82300

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
cadd5c52524ea1ddd4a6131a722e40d5

SHA1
b0f53f0c6d00c08c7110cd730971d573a956ad26

SHA256
c2885bc5cfe24cada7af4f86223f6a38046d9266ead943e3720ce4e918646f46

SHA512
6e3fb970c0e604fbe279333f6a6e03b4a8adbf4edfb435b2cbe440f3282f27a48d5e98fcaa4adb638fe5146ebf75532028273bf0790e746eaafe29f64fb29f32

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
16B

MD5
913e889d9d90b8960fcf84a0d3077aa4

SHA1
659cad11dc7627829f0746b5cb99283b8d93d1b2

SHA256
3c543056285a398424ca9650716fa6536fcf2e77955cf73bfb7a5b12c13caf81

SHA512
5b593230b5c5b8476cf64013f7a626390c7ee830cb7a2c79e55f21cf78ecd660c0b82eb0f9cdd292646d75508b8a7f5b247038d7290e7a0d48f8d9940345b97f

Download Submit
\Users\Admin\AppData\Local\Temp\MAIN.exe

Filesize
74KB

MD5
b8ccfc163e2d56a73b6fd7387a45e6eb

SHA1
f81a368c275574fa808a92d29c5e0b37e01162ce

SHA256
8386fa61b6c5f873c692fbd3b394851ec714e5c852898ef6f622035e4d3d5e84

SHA512
8ea7d2ee4fa1f737e7c77dda98963a1c9d3a3276ab0d0d327b5df41682da91996e2e17cbfdb99ddf9399a819c6ec9cdde18b6a8fe6cf221960103b34acb21faf

Download Submit
memory/2624-136-0x00000000011F0000-0x0000000001208000-memory.dmp

Filesize
96KB

Download
memory/2788-15-0x0000000000E60000-0x0000000000E78000-memory.dmp

Filesize
96KB

Download