asyncrat | 281ce7db7e9338e11241437e9b4c980506a2dee645438b2f29e395d278b03995

Analysis

max time kernel
131s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/03/2025, 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Liberium2.1.exe
Size

6.3MB
MD5

ccfdfb92db45d64ac2ef0daf3751f362
SHA1

79915d8c61f9f44f2211a269e949dc6aa11c1448
SHA256

281ce7db7e9338e11241437e9b4c980506a2dee645438b2f29e395d278b03995
SHA512

c4816f347a3aee1b77ddcd31529019458597d9b6d1c297c3bf7ec14bfb9cb25ceaf01469eb2ed3f8bd636e0160da476728a84cf0f5e7ab4d5822809402eff41f
SSDEEP

196608:FRofnQF79aM5Gv8+VkY6ID5NwbEWWvXHQoiTIPa:FCQF75S3kY6IKEWWPqN

Score

10^/10

asyncrat quasar venomrat default github discovery persistence rat spyware trojan

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

GitHub

127.0.0.1:10000

127.0.0.1:650

domain13.ddns.net:10000

domain13.ddns.net:650

Attributes

delay
1
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

GitHub

domain13.ddns.net:650

Mutex

21b27c61-8944-4615-8ab6-b84be8f39d71

Attributes

encryption_key
845C5D60A275826BC650C718626063CA6657034B
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost.exe
subdirectory
java JDK 8

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

mer)/bjvoerf&%cwno

Attributes

delay
1
install
true
install_file
svchost.exe
install_folder
%Temp%
pastebin_config
https://pastebin.com/raw/q6cqRVgM

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0007000000019465-26.dat	family_quasar
behavioral1/memory/2676-58-0x0000000000C40000-0x0000000000F64000-memory.dmp	family_quasar
behavioral1/memory/2956-96-0x0000000001250000-0x0000000001574000-memory.dmp	family_quasar
behavioral1/memory/2868-131-0x00000000013B0000-0x00000000016D4000-memory.dmp	family_quasar
behavioral1/memory/2608-201-0x0000000000380000-0x00000000006A4000-memory.dmp	family_quasar
behavioral1/memory/2808-213-0x0000000001150000-0x0000000001474000-memory.dmp	family_quasar
behavioral1/memory/2608-263-0x0000000000200000-0x0000000000524000-memory.dmp	family_quasar

VenomRAT 3 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral1/files/0x000700000001946a-52.dat	VenomRAT
behavioral1/memory/2740-57-0x0000000000D70000-0x0000000000D88000-memory.dmp	VenomRAT
behavioral1/memory/2444-128-0x00000000001E0000-0x00000000001F8000-memory.dmp	VenomRAT

Venomrat family
venomrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/files/0x000700000001945b-6.dat	family_asyncrat
behavioral1/files/0x000700000001946a-52.dat	family_asyncrat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 21 IoCs

pid	Process
1800	VMMVZP.exe
2676	WPMVAF.exe
2740	BGIHAU.exe
2632	PCERUQ.exe
2956	svchost.exe
948	svchost.exe
2444	svchost.exe
2868	svchost.exe
524	svchost.exe
2628	svchost.exe
2764	svchost.exe
1284	svchost.exe
1664	svchost.exe
2668	svchost.exe
2608	svchost.exe
2808	svchost.exe
2464	svchost.exe
1384	svchost.exe
1896	svchost.exe
2816	svchost.exe
2380	svchost.exe

Loads dropped DLL 21 IoCs

pid	Process
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\GMYRXX = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\svchost.exe\""	Liberium2.1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
6	pastebin.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00060000000194d7-172.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2056	2632	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liberium2.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PCERUQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WSCript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1540	PING.EXE
2044	PING.EXE
2360	PING.EXE
2728	PING.EXE
2792	PING.EXE
1296	PING.EXE
2840	PING.EXE
1484	PING.EXE
348	PING.EXE
2208	PING.EXE
2988	PING.EXE
2540	PING.EXE
2212	PING.EXE
2964	PING.EXE
2064	PING.EXE

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
1368	timeout.exe
1580	timeout.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	explorer.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2	Liberium2.1.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2540	PING.EXE
348	PING.EXE
2728	PING.EXE
1540	PING.EXE
2044	PING.EXE
2988	PING.EXE
1484	PING.EXE
2964	PING.EXE
2064	PING.EXE
2212	PING.EXE
2840	PING.EXE
2208	PING.EXE
1296	PING.EXE
2792	PING.EXE
2360	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 19 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2776	schtasks.exe
2360	schtasks.exe
2760	schtasks.exe
904	schtasks.exe
1680	schtasks.exe
1548	schtasks.exe
1196	schtasks.exe
1208	schtasks.exe
2568	schtasks.exe
1516	schtasks.exe
2612	schtasks.exe
3040	schtasks.exe
824	schtasks.exe
1724	schtasks.exe
2752	schtasks.exe
2856	schtasks.exe
2940	schtasks.exe
1044	schtasks.exe
1740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1800	VMMVZP.exe
1800	VMMVZP.exe
1800	VMMVZP.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe
1956	Liberium2.1.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1956	Liberium2.1.exe
1096	explorer.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	BGIHAU.exe
Token: SeDebugPrivilege	2676	WPMVAF.exe
Token: SeDebugPrivilege	1800	VMMVZP.exe
Token: SeDebugPrivilege	2956	svchost.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeDebugPrivilege	948	svchost.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeDebugPrivilege	2868	svchost.exe
Token: SeDebugPrivilege	524	svchost.exe
Token: SeDebugPrivilege	2628	svchost.exe
Token: SeDebugPrivilege	2764	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	2668	svchost.exe
Token: SeDebugPrivilege	2608	svchost.exe
Token: SeDebugPrivilege	2808	svchost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	1384	svchost.exe
Token: SeDebugPrivilege	2816	svchost.exe
Token: SeDebugPrivilege	2380	svchost.exe

Suspicious use of FindShellTrayWindow 24 IoCs

pid	Process
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2956	svchost.exe
2444	svchost.exe
2464	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1800	1956	Liberium2.1.exe	30
PID 1956 wrote to memory of 1800	1956	Liberium2.1.exe	30
PID 1956 wrote to memory of 1800	1956	Liberium2.1.exe	30
PID 1956 wrote to memory of 1800	1956	Liberium2.1.exe	30
PID 1956 wrote to memory of 2676	1956	Liberium2.1.exe	31
PID 1956 wrote to memory of 2676	1956	Liberium2.1.exe	31
PID 1956 wrote to memory of 2676	1956	Liberium2.1.exe	31
PID 1956 wrote to memory of 2676	1956	Liberium2.1.exe	31
PID 1956 wrote to memory of 2740	1956	Liberium2.1.exe	32
PID 1956 wrote to memory of 2740	1956	Liberium2.1.exe	32
PID 1956 wrote to memory of 2740	1956	Liberium2.1.exe	32
PID 1956 wrote to memory of 2740	1956	Liberium2.1.exe	32
PID 1956 wrote to memory of 2632	1956	Liberium2.1.exe	33
PID 1956 wrote to memory of 2632	1956	Liberium2.1.exe	33
PID 1956 wrote to memory of 2632	1956	Liberium2.1.exe	33
PID 1956 wrote to memory of 2632	1956	Liberium2.1.exe	33
PID 1956 wrote to memory of 2920	1956	Liberium2.1.exe	34
PID 1956 wrote to memory of 2920	1956	Liberium2.1.exe	34
PID 1956 wrote to memory of 2920	1956	Liberium2.1.exe	34
PID 1956 wrote to memory of 2920	1956	Liberium2.1.exe	34
PID 1956 wrote to memory of 2188	1956	Liberium2.1.exe	35
PID 1956 wrote to memory of 2188	1956	Liberium2.1.exe	35
PID 1956 wrote to memory of 2188	1956	Liberium2.1.exe	35
PID 1956 wrote to memory of 2188	1956	Liberium2.1.exe	35
PID 2920 wrote to memory of 1196	2920	cmd.exe	37
PID 2920 wrote to memory of 1196	2920	cmd.exe	37
PID 2920 wrote to memory of 1196	2920	cmd.exe	37
PID 2920 wrote to memory of 1196	2920	cmd.exe	37
PID 1800 wrote to memory of 2812	1800	VMMVZP.exe	39
PID 1800 wrote to memory of 2812	1800	VMMVZP.exe	39
PID 1800 wrote to memory of 2812	1800	VMMVZP.exe	39
PID 2676 wrote to memory of 2776	2676	WPMVAF.exe	40
PID 2676 wrote to memory of 2776	2676	WPMVAF.exe	40
PID 2676 wrote to memory of 2776	2676	WPMVAF.exe	40
PID 1800 wrote to memory of 1972	1800	VMMVZP.exe	43
PID 1800 wrote to memory of 1972	1800	VMMVZP.exe	43
PID 1800 wrote to memory of 1972	1800	VMMVZP.exe	43
PID 2812 wrote to memory of 1208	2812	cmd.exe	45
PID 2812 wrote to memory of 1208	2812	cmd.exe	45
PID 2812 wrote to memory of 1208	2812	cmd.exe	45
PID 1972 wrote to memory of 1368	1972	cmd.exe	46
PID 1972 wrote to memory of 1368	1972	cmd.exe	46
PID 1972 wrote to memory of 1368	1972	cmd.exe	46
PID 2676 wrote to memory of 2956	2676	WPMVAF.exe	47
PID 2676 wrote to memory of 2956	2676	WPMVAF.exe	47
PID 2676 wrote to memory of 2956	2676	WPMVAF.exe	47
PID 2740 wrote to memory of 2336	2740	BGIHAU.exe	48
PID 2740 wrote to memory of 2336	2740	BGIHAU.exe	48
PID 2740 wrote to memory of 2336	2740	BGIHAU.exe	48
PID 2740 wrote to memory of 1656	2740	BGIHAU.exe	49
PID 2740 wrote to memory of 1656	2740	BGIHAU.exe	49
PID 2740 wrote to memory of 1656	2740	BGIHAU.exe	49
PID 2336 wrote to memory of 2360	2336	cmd.exe	52
PID 2336 wrote to memory of 2360	2336	cmd.exe	52
PID 2336 wrote to memory of 2360	2336	cmd.exe	52
PID 1656 wrote to memory of 1580	1656	cmd.exe	53
PID 1656 wrote to memory of 1580	1656	cmd.exe	53
PID 1656 wrote to memory of 1580	1656	cmd.exe	53
PID 2632 wrote to memory of 2056	2632	PCERUQ.exe	54
PID 2632 wrote to memory of 2056	2632	PCERUQ.exe	54
PID 2632 wrote to memory of 2056	2632	PCERUQ.exe	54
PID 2632 wrote to memory of 2056	2632	PCERUQ.exe	54
PID 2956 wrote to memory of 2568	2956	svchost.exe	55
PID 2956 wrote to memory of 2568	2956	svchost.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Liberium2.1.exe
"C:\Users\Admin\AppData\Local\Temp\Liberium2.1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\VMMVZP.exe
  "C:\Users\Admin\AppData\Local\Temp\VMMVZP.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1208
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD807.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1368
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:948
- C:\Users\Admin\AppData\Local\Temp\WPMVAF.exe
  "C:\Users\Admin\AppData\Local\Temp\WPMVAF.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2776
- - C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
    "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2568
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\9c72WDKKo2BA.bat" "
      4⤵
      PID:1068
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:740
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1540
    - - C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2856
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dOAzCxBbHIsv.bat" "
        6⤵
        
        PID:2720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2044
        
        C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:524
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2760
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kc9cDDnamlWV.bat" "
        8⤵
        
        PID:1928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2792
        
        C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:824
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MmiCSIocBg1S.bat" "
        10⤵
        
        PID:2384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:904
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RKzxedjKlNMe.bat" "
        12⤵
        
        PID:1360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2988
        
        C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1724
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ks2qJVLZwuph.bat" "
        14⤵
        
        PID:1084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2540
        
        C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1680
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bMWgVFD6aMik.bat" "
        16⤵
        
        PID:892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2716
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1484
        
        C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2752
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1JxFKrpxAfal.bat" "
        18⤵
        
        PID:2616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1296
        
        C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1548
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yiu9xHvimT3I.bat" "
        20⤵
        
        PID:2776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2464
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2940
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cyQ2U1nimk16.bat" "
        22⤵
        
        PID:3036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2244
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:348
        
        C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1044
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\q8Dbfda2tQfE.bat" "
        24⤵
        
        PID:1328
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2964
        
        C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1740
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GYs8QiIbOgp9.bat" "
        26⤵
        
        PID:2152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2376
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2728
        
        C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1516
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xXJVZX4pfike.bat" "
        28⤵
        
        PID:2668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2064
        
        C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        29⤵
        
        PID:1976
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2612
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zGIWfXmvzb3A.bat" "
        30⤵
        
        PID:2796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:2848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        31⤵
        
        PID:2608
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        32⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3040
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\38mHjBMIJhfS.bat" "
        32⤵
        
        PID:1548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2208
- C:\Users\Admin\AppData\Local\Temp\BGIHAU.exe
  "C:\Users\Admin\AppData\Local\Temp\BGIHAU.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2360
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDC89.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1580
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2444
- C:\Users\Admin\AppData\Local\Temp\PCERUQ.exe
  "C:\Users\Admin\AppData\Local\Temp\PCERUQ.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 576
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn GMYRXX.exe /tr C:\Users\Admin\AppData\Roaming\Windata\svchost.exe /sc minute /mo 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn GMYRXX.exe /tr C:\Users\Admin\AppData\Roaming\Windata\svchost.exe /sc minute /mo 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1196
- C:\Windows\SysWOW64\WSCript.exe
  WSCript C:\Users\Admin\AppData\Local\Temp\GMYRXX.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2188

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1096

C:\Windows\system32\taskeng.exe
taskeng.exe {6A029794-D9E2-4E9F-9FBF-9F462F71E314} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
1⤵
PID:2108
- C:\Users\Admin\AppData\Roaming\Windata\svchost.exe
  C:\Users\Admin\AppData\Roaming\Windata\svchost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1284
- C:\Users\Admin\AppData\Roaming\Windata\svchost.exe
  C:\Users\Admin\AppData\Roaming\Windata\svchost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1JxFKrpxAfal.bat

Filesize
213B

MD5
b1c73e1cdfac1bf6dc55055aaa282eed

SHA1
2621fe57d445068405a9f7557d9999677fbbb396

SHA256
9c2affb8c09544e0e9eddf332575509b1604b75adcd9de25b81c720c3ade88c5

SHA512
ef85b3958a51ea37b8653fa843987d33ca59a985f7d1029eea2847b198e788f465a1bd12df9f033f9cde0fc8cc328e146f216f22e73d81d3a39f48545a72de31

Download Submit
C:\Users\Admin\AppData\Local\Temp\38mHjBMIJhfS.bat

Filesize
213B

MD5
0338ca734c338d381c7231369e9f18d4

SHA1
f55b989287bc354074a01487b1ccaa9f4adab785

SHA256
28614d26df4430d2c0818502ae94d28c7d0d5ce77e9cad667e9de058dcc043ea

SHA512
faad21875b7f4006279d5f14fd1a70fe7910e1fb8ce1b73e07ed570b5fbeee44fe6eb4af9c5bb72c6dfebf1cf29ee6c3996aada242a14dfaef368d87eb07bfce

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c72WDKKo2BA.bat

Filesize
213B

MD5
470c243343b1c5d79d09a09963ec67d3

SHA1
213270444c056a919eeacf1a088f530dc7ed88de

SHA256
f810f8a8a3f77dfd3da07f8546494b1cfb5ad5e6913088d3d5256a9b3fab5b86

SHA512
525ccb387868850b5a90cb22be4db16cd34b05d593a0306d1bf06ead04da60d9cf6f6f340396640edfe40184e6b76aa903bc4279f0b2b82b5f6a4a87c154b19b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMYRXX.vbs

Filesize
842B

MD5
c807a0b6e562ccd877722b0e90ecc02d

SHA1
f876f44d00d34a3de21646b2d975f8d6e3bfed46

SHA256
71496ce1631f04ae52406852b9d63ac3bb6ae7a023a3583991e0d0e3b91a15c6

SHA512
dfc5e3ac57133b9dae87d47a0a97e916b9ae77938a8df10e6dbde99d792cf52889b4ffa41d744ca2eabf460fcb4c4cb1b15f5568fc8bc7266525807387acf418

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYs8QiIbOgp9.bat

Filesize
213B

MD5
46d575cff3970c5e4138d0547e07df58

SHA1
2c1520ebcffbf86808543ac12f7cf64b95957d26

SHA256
9773f5022c3fd79170d921214ecba2752dc8b0ad53966e5ac97d2ad1c8d6417b

SHA512
256e964106d6f192c05fc8671a8f7030fe6e280c0a5586978725955638060d2ab6e9fa9aaee6c502eb2b389bfe9b6a47038add8305ce2d3a0a8b3f4cc69b01b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kc9cDDnamlWV.bat

Filesize
213B

MD5
a37bf46aec7601dd8648fd2cd73963cc

SHA1
fdfccc90be73e01fb812735a631bcfdae4ea9f78

SHA256
abbf4896d9f3b0fba4747c66b515b43e6bd4035eeb692e320b5eff9f889f627f

SHA512
0761aca8b012f1c301dac67a59c3067631ae09b674845e05a85cc91514a3c783d90756479088f4d2947a91525e7c880678797be8636a3e4ba1562df23f311932

Download Submit
C:\Users\Admin\AppData\Local\Temp\MmiCSIocBg1S.bat

Filesize
213B

MD5
b4eb6ffa073102a6f17693b3d29c3df0

SHA1
118ce25476f416e28ef09af3e7c634f1fc2ba1ad

SHA256
61d73ed4dbe079d593c6ac141343c51683c4752e020b2db29dee0065f496e0ad

SHA512
9756b28a6529cfca97bace1566bd0f65be230a97e64f53e16bcb9e39f9799afae0369d3269aa134a488259c8c86138e543313d03e9dac11f9e95cabe00e44caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKzxedjKlNMe.bat

Filesize
213B

MD5
ed5e816b860354e33f9405f1bbdeca30

SHA1
a335333fb84a2e1b4f0994f5971f4ec8c07a2a97

SHA256
3d70e4ef0e2e531d78a8145faaf7ed0319445fbf0db7f588a3f78ed2cf0b94fa

SHA512
6193c7b4c733c1036a8bb6a74ab2c8d582e2206609a59087156f4ab7a8766fddbc3f2a5aa81a0c6d7624546d2bb5a35dbcfa8d75f4136f43b1484ec88cc7b283

Download Submit
C:\Users\Admin\AppData\Local\Temp\bMWgVFD6aMik.bat

Filesize
213B

MD5
d00a9e9939a0a3f8e859b8b3e12fe1dc

SHA1
af68ea0b5d7fc9e4d57e482872cdc23048554d0a

SHA256
2c85a7cab319a2a38852f89419cadc677667eb24a320b543d7855b4490ef664d

SHA512
1612bd4148b3f4ea63dcc2fafcfe2570a19c6d62165ec26548cd675a8c9652ba734104c7f4d498189d1bccdb5cdb401cadb0c0cb4d458c1e5281b55509f58b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cyQ2U1nimk16.bat

Filesize
213B

MD5
3e54bb13cca09f7c8848d08d8492abe6

SHA1
b7df9d64ab5e535ba86e553e27fa9d7cff72521a

SHA256
b35b7519c56ecbba7905b15b72b75ea643194d92af55fb0964f4f06e827f894d

SHA512
e0acdecdf2af6a6113ed4021cdc1f506f2896baf7edc8d12825540655ecd3fd1875fa9efd23a4cb1e1a07629cca7e0c6c8c760b18582230b02b778f67ac44226

Download Submit
C:\Users\Admin\AppData\Local\Temp\dOAzCxBbHIsv.bat

Filesize
213B

MD5
79cc0f333d3f1045b887dc560b44d3b6

SHA1
5dc96da384a2d4f208a320df262ea9098b7ad9df

SHA256
414ca6f9ad2eed8d6d4ede37cb3152d561fbd06e6e7afbfa2da93b5c6c0d97e1

SHA512
bf48874dec9df3cca47cc2f4f19bc7c1cf5506284929f1f2f2cb151b16a362cea36e5e7ab3ca6badff2b5a3898e99b871c647ce772995210066847ed1e01283b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ks2qJVLZwuph.bat

Filesize
213B

MD5
2925596f50c2ee5ecc75dc3b47e75aa5

SHA1
aec0f23e9bf6ca357f9f89814da1e3edd7678b7b

SHA256
fc8ebc23f9046f036f4422e34865f6d27dd9d1a297fb6c77ee418c965c4f2ea7

SHA512
7dbe194cdd43deec1156ef7933dd00a161053edb080e8a0c25f220be3839a42162260dc79c5d348d80b3c1fafe62ef686c7600ede975bb15e2b1f21f788eb55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\q8Dbfda2tQfE.bat

Filesize
213B

MD5
631c19639d28709cbb1e766ffada5555

SHA1
56c6fd8b69a5ce64e42dd43517ef71e3b2e7fcad

SHA256
0d098c8f2dfe8b1b23a8ac4f998c9c4f56f837e113a331ffce1b2a2acd21be7d

SHA512
615b3aba6aa06aec281b62895c707220f4c2fb793107753b89eb98585f0dde713897b5a144ace2bd2637d128e3199ec2b64fe3f548825d0d97acaf86c58a198e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD807.tmp.bat

Filesize
151B

MD5
7b898582a74e10d55b2c0fd2ee8f8651

SHA1
cbcdd414c4ddc0d7977f20e03493204f8f33d048

SHA256
feb3ed7a1ff0df444504df238b2db6eaa12d82496f481ebcafdcb5d37b0ae57a

SHA512
85bfdb9217fb6bf0f09aef8139c9bf87e9ed6c8af9c9884d6de2baa4ebc4db4d9f287af04b0488cccbd589928a7adda0e322c62b58fdfbddad2266c9f454e972

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDC89.tmp.bat

Filesize
154B

MD5
4a2a9cd80c3b6bb1fd69458a0d1335ab

SHA1
be2221d2075d732c77b4e23cef12f1d5fab08030

SHA256
a0916e75e5dab90d253b8e4d52bfe085e01dbe8ea1446dff64c0d6820011ce0e

SHA512
2bfc982cde0965beced90bdba1f3c36ded92a3d4579b1707d2e5b3acd153a0beda1ef7f77b2cdcb511b91742c3e4e8cef4f63bb99ef8136207a5a747a48af3f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xXJVZX4pfike.bat

Filesize
213B

MD5
2fea426bf8e2ddcf212f058c51b02503

SHA1
605f1e26cad6e4e72be9401ef0f21c423492be67

SHA256
91f7882286d8b087828de284213c995ff178b8fdca7a3e67ce0b765016d4effe

SHA512
0d4673563ee6b4123ca8001806b0eb56810172c1041d79236d1d0bd23446cbdf1d7d16347c7f0ac211ef3a395a0b3d22cfbe8299d11704f487bb6037f14d79b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yiu9xHvimT3I.bat

Filesize
213B

MD5
23a98a3c58bbde1ce8f62074e8dd20be

SHA1
28cab950d8a11bbbeda69b8dca1cf6c199848bf2

SHA256
95408c4f5b0d1912184e9583b0184f051bd7e45d944f05e0d35a5233849e6431

SHA512
3e60cba33ebb0880d0e97c074a20e364d025340661015e2d0c304472a4b1981db2ce8ce832d92c42167ee77eb343f719e1ef9f307d59bef41c45cf6c19a8eb06

Download Submit
C:\Users\Admin\AppData\Local\Temp\zGIWfXmvzb3A.bat

Filesize
213B

MD5
1744418d29dc7643c4a39d1aeed79aea

SHA1
21f1d9a0c44f120fd920a6b6981b3aa0e5a631fb

SHA256
d7d3145109fef08a6c054fcd3162e1165b84d20ec4baea4b198db62b19cde9c2

SHA512
f9391836435e4b3f4c1a2c7f270288eae8d40a515e3c914aabc03d30b5e19a55930019d2e732aa4ac1737785c6e270fb42329e50593f9f67f994d1d4a97add18

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\svchost.exe

Filesize
6.3MB

MD5
ccfdfb92db45d64ac2ef0daf3751f362

SHA1
79915d8c61f9f44f2211a269e949dc6aa11c1448

SHA256
281ce7db7e9338e11241437e9b4c980506a2dee645438b2f29e395d278b03995

SHA512
c4816f347a3aee1b77ddcd31529019458597d9b6d1c297c3bf7ec14bfb9cb25ceaf01469eb2ed3f8bd636e0160da476728a84cf0f5e7ab4d5822809402eff41f

Download Submit
\Users\Admin\AppData\Local\Temp\BGIHAU.exe

Filesize
74KB

MD5
9a8c5d8ce65e53cfd403a80b3210cb4f

SHA1
38a7f8354d7b4f65e8f941878f99b6383ebfec4f

SHA256
ac532153b6e68114a6a3e12772487ac0a6e0d075e5e74737c96f16dded1d2960

SHA512
2d8335b8c2ca2cada74cb446ca86fe6606e4235dcd85a65ae44bd22e8f77ca5d1d239c5c7e0364a1683918bb3cbf6c4e43e9b644e878400d1caca2cd00afce54

Download Submit
\Users\Admin\AppData\Local\Temp\PCERUQ.exe

Filesize
6.1MB

MD5
eb5f70a725c9338a846d7f6e95aa2fc2

SHA1
0b39c505232a33842cde9b13ea75e4bc1e9004fc

SHA256
9d12b9fb18f031c13648d2aff2bf8c7df9ed654e0c6eb8f62bc52987a9b8c571

SHA512
d9558084fbb97cfbf26b57e174ffe65fe470e35d4c952357cba1251302175cd7ce6a8e75d28bdda9196074a96b3196a2d96921652c98d01a3bdfa3b21726690d

Download Submit
\Users\Admin\AppData\Local\Temp\VMMVZP.exe

Filesize
47KB

MD5
c668e4bc361c31fafff805af7a805a08

SHA1
3a2d274130c8c9a277142c25496d8ecead104b9d

SHA256
d21ae2f37d50b482f9e5f56b792c6bf599f6406cf56fd71f143bae135a371f26

SHA512
f9743170afc14fb7322f826c32349c85100847b02d08f13dce9ceff805c83764c0cff897340f7f290282b93d6d5aaa2a55ceca1474ec7454b5977ebda2ce0c75

Download Submit
\Users\Admin\AppData\Local\Temp\WPMVAF.exe

Filesize
3.1MB

MD5
603a9f2cdfe56da891a223469a3b92c6

SHA1
d8720c43dc6c7cbe337c20744e040e2ee1683837

SHA256
61a973193ad25f94adbc53dcfcdd94cdec52f63cf2f19aaad5d36bbe673a5e0f

SHA512
5e30df5ce1a39c46fff05e38c76adfcae52bb01e002834a36e370f86a89fa94ba8a5f43506ebc29be2279e102a4d0671a4ae58d5f814f7079cd076df2afb9a44

Download Submit
memory/948-115-0x0000000000D90000-0x0000000000DA2000-memory.dmp

Filesize
72KB

Download
memory/1096-254-0x0000000003BB0000-0x0000000003BC0000-memory.dmp

Filesize
64KB

Download
memory/1800-24-0x0000000000EF0000-0x0000000000F02000-memory.dmp

Filesize
72KB

Download
memory/1800-19-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

Filesize
4KB

Download
memory/2444-128-0x00000000001E0000-0x00000000001F8000-memory.dmp

Filesize
96KB

Download
memory/2608-201-0x0000000000380000-0x00000000006A4000-memory.dmp

Filesize
3.1MB

Download
memory/2608-263-0x0000000000200000-0x0000000000524000-memory.dmp

Filesize
3.1MB

Download
memory/2632-79-0x00000000011F0000-0x0000000001806000-memory.dmp

Filesize
6.1MB

Download
memory/2676-58-0x0000000000C40000-0x0000000000F64000-memory.dmp

Filesize
3.1MB

Download
memory/2740-57-0x0000000000D70000-0x0000000000D88000-memory.dmp

Filesize
96KB

Download
memory/2808-213-0x0000000001150000-0x0000000001474000-memory.dmp

Filesize
3.1MB

Download
memory/2868-131-0x00000000013B0000-0x00000000016D4000-memory.dmp

Filesize
3.1MB

Download
memory/2956-96-0x0000000001250000-0x0000000001574000-memory.dmp

Filesize
3.1MB

Download