asyncrat | 281ce7db7e9338e11241437e9b4c980506a2dee645438b2f29e395d278b03995

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Liberium2.1.exe
Size

6.3MB
MD5

ccfdfb92db45d64ac2ef0daf3751f362
SHA1

79915d8c61f9f44f2211a269e949dc6aa11c1448
SHA256

281ce7db7e9338e11241437e9b4c980506a2dee645438b2f29e395d278b03995
SHA512

c4816f347a3aee1b77ddcd31529019458597d9b6d1c297c3bf7ec14bfb9cb25ceaf01469eb2ed3f8bd636e0160da476728a84cf0f5e7ab4d5822809402eff41f
SSDEEP

196608:FRofnQF79aM5Gv8+VkY6ID5NwbEWWvXHQoiTIPa:FCQF75S3kY6IKEWWPqN

Score

10^/10

asyncrat quasar venomrat default github discovery persistence rat spyware trojan

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

GitHub

127.0.0.1:10000

127.0.0.1:650

domain13.ddns.net:10000

domain13.ddns.net:650

Attributes

delay
1
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

GitHub

domain13.ddns.net:650

Mutex

21b27c61-8944-4615-8ab6-b84be8f39d71

Attributes

encryption_key
845C5D60A275826BC650C718626063CA6657034B
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost.exe
subdirectory
java JDK 8

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

mer)/bjvoerf&%cwno

Attributes

delay
1
install
true
install_file
svchost.exe
install_folder
%Temp%
pastebin_config
https://pastebin.com/raw/q6cqRVgM

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000024249-34.dat	family_quasar
behavioral2/memory/956-45-0x0000000000D70000-0x0000000001094000-memory.dmp	family_quasar

VenomRAT 2 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/files/0x000700000002424a-39.dat	VenomRAT
behavioral2/memory/4528-50-0x00000000004D0000-0x00000000004E8000-memory.dmp	VenomRAT

Venomrat family
venomrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/files/0x0008000000024243-7.dat	family_asyncrat
behavioral2/files/0x000700000002424a-39.dat	family_asyncrat

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	Liberium2.1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	BGIHAU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	VMMVZP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 23 IoCs

pid	Process
2584	VMMVZP.exe
956	WPMVAF.exe
4528	BGIHAU.exe
4736	PCERUQ.exe
5892	svchost.exe
876	svchost.exe
5548	svchost.exe
3980	svchost.exe
5412	svchost.exe
220	svchost.exe
876	svchost.exe
2676	svchost.exe
2736	svchost.exe
5544	svchost.exe
1616	svchost.exe
2800	svchost.exe
4652	svchost.exe
2200	svchost.exe
5568	svchost.exe
5672	svchost.exe
4444	svchost.exe
2676	svchost.exe
4388	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GMYRXX = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\svchost.exe\""	Liberium2.1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	pastebin.com
27	pastebin.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000700000002424d-87.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5236	4736	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liberium2.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PCERUQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WSCript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4948	PING.EXE
5932	PING.EXE
2160	PING.EXE
3164	PING.EXE
3460	PING.EXE
4808	PING.EXE
2396	PING.EXE
656	PING.EXE
4660	PING.EXE
3600	PING.EXE
3812	PING.EXE
4728	PING.EXE
5716	PING.EXE
1100	PING.EXE

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
4388	timeout.exe
3772	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2	Liberium2.1.exe

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
656	PING.EXE
4948	PING.EXE
2160	PING.EXE
3164	PING.EXE
3460	PING.EXE
4808	PING.EXE
4660	PING.EXE
4728	PING.EXE
5716	PING.EXE
1100	PING.EXE
5932	PING.EXE
3600	PING.EXE
2396	PING.EXE
3812	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5084	schtasks.exe
1396	schtasks.exe
4712	schtasks.exe
4828	schtasks.exe
5792	schtasks.exe
4476	schtasks.exe
4888	schtasks.exe
5016	schtasks.exe
3896	schtasks.exe
5472	schtasks.exe
2052	schtasks.exe
4192	schtasks.exe
2596	schtasks.exe
4140	schtasks.exe
3600	schtasks.exe
3948	schtasks.exe
5868	schtasks.exe
228	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2584	VMMVZP.exe
2584	VMMVZP.exe
2584	VMMVZP.exe
2584	VMMVZP.exe
2584	VMMVZP.exe
2584	VMMVZP.exe
2584	VMMVZP.exe
2584	VMMVZP.exe
2584	VMMVZP.exe
2584	VMMVZP.exe
2584	VMMVZP.exe
2584	VMMVZP.exe
2584	VMMVZP.exe
2584	VMMVZP.exe
2584	VMMVZP.exe
2584	VMMVZP.exe
2584	VMMVZP.exe
2584	VMMVZP.exe
2584	VMMVZP.exe
2584	VMMVZP.exe
2584	VMMVZP.exe
4528	BGIHAU.exe
4528	BGIHAU.exe
4528	BGIHAU.exe
4528	BGIHAU.exe
4528	BGIHAU.exe
4528	BGIHAU.exe
4528	BGIHAU.exe
4528	BGIHAU.exe
4528	BGIHAU.exe
4528	BGIHAU.exe
4528	BGIHAU.exe
4528	BGIHAU.exe
4528	BGIHAU.exe
4528	BGIHAU.exe
4528	BGIHAU.exe
4528	BGIHAU.exe
4528	BGIHAU.exe
4528	BGIHAU.exe
4528	BGIHAU.exe
2624	Liberium2.1.exe
2624	Liberium2.1.exe
2624	Liberium2.1.exe
2624	Liberium2.1.exe
2624	Liberium2.1.exe
2624	Liberium2.1.exe
2624	Liberium2.1.exe
2624	Liberium2.1.exe
2624	Liberium2.1.exe
2624	Liberium2.1.exe
2624	Liberium2.1.exe
2624	Liberium2.1.exe
2624	Liberium2.1.exe
2624	Liberium2.1.exe
2624	Liberium2.1.exe
2624	Liberium2.1.exe
2624	Liberium2.1.exe
2624	Liberium2.1.exe
2624	Liberium2.1.exe
2624	Liberium2.1.exe
2624	Liberium2.1.exe
2624	Liberium2.1.exe
2624	Liberium2.1.exe
2624	Liberium2.1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2624	Liberium2.1.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	956	WPMVAF.exe
Token: SeDebugPrivilege	4528	BGIHAU.exe
Token: SeDebugPrivilege	2584	VMMVZP.exe
Token: SeDebugPrivilege	5892	svchost.exe
Token: SeDebugPrivilege	3980	svchost.exe
Token: SeDebugPrivilege	5548	svchost.exe
Token: SeDebugPrivilege	5412	svchost.exe
Token: SeDebugPrivilege	220	svchost.exe
Token: SeDebugPrivilege	876	svchost.exe
Token: SeDebugPrivilege	2736	svchost.exe
Token: SeDebugPrivilege	5544	svchost.exe
Token: SeDebugPrivilege	1616	svchost.exe
Token: SeDebugPrivilege	2800	svchost.exe
Token: SeDebugPrivilege	4652	svchost.exe
Token: SeDebugPrivilege	2200	svchost.exe
Token: SeDebugPrivilege	5672	svchost.exe
Token: SeDebugPrivilege	4444	svchost.exe
Token: SeDebugPrivilege	2676	svchost.exe
Token: SeDebugPrivilege	4388	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3980	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2584	2624	Liberium2.1.exe	87
PID 2624 wrote to memory of 2584	2624	Liberium2.1.exe	87
PID 2624 wrote to memory of 956	2624	Liberium2.1.exe	90
PID 2624 wrote to memory of 956	2624	Liberium2.1.exe	90
PID 2624 wrote to memory of 4528	2624	Liberium2.1.exe	91
PID 2624 wrote to memory of 4528	2624	Liberium2.1.exe	91
PID 2624 wrote to memory of 4736	2624	Liberium2.1.exe	92
PID 2624 wrote to memory of 4736	2624	Liberium2.1.exe	92
PID 2624 wrote to memory of 4736	2624	Liberium2.1.exe	92
PID 956 wrote to memory of 4888	956	WPMVAF.exe	93
PID 956 wrote to memory of 4888	956	WPMVAF.exe	93
PID 956 wrote to memory of 5892	956	WPMVAF.exe	95
PID 956 wrote to memory of 5892	956	WPMVAF.exe	95
PID 2624 wrote to memory of 3936	2624	Liberium2.1.exe	97
PID 2624 wrote to memory of 3936	2624	Liberium2.1.exe	97
PID 2624 wrote to memory of 3936	2624	Liberium2.1.exe	97
PID 2624 wrote to memory of 3008	2624	Liberium2.1.exe	98
PID 2624 wrote to memory of 3008	2624	Liberium2.1.exe	98
PID 2624 wrote to memory of 3008	2624	Liberium2.1.exe	98
PID 3936 wrote to memory of 5016	3936	cmd.exe	103
PID 3936 wrote to memory of 5016	3936	cmd.exe	103
PID 3936 wrote to memory of 5016	3936	cmd.exe	103
PID 5892 wrote to memory of 3948	5892	svchost.exe	105
PID 5892 wrote to memory of 3948	5892	svchost.exe	105
PID 4528 wrote to memory of 1076	4528	BGIHAU.exe	107
PID 4528 wrote to memory of 1076	4528	BGIHAU.exe	107
PID 4528 wrote to memory of 3216	4528	BGIHAU.exe	108
PID 4528 wrote to memory of 3216	4528	BGIHAU.exe	108
PID 2584 wrote to memory of 6060	2584	VMMVZP.exe	112
PID 2584 wrote to memory of 6060	2584	VMMVZP.exe	112
PID 2584 wrote to memory of 2180	2584	VMMVZP.exe	114
PID 2584 wrote to memory of 2180	2584	VMMVZP.exe	114
PID 5436 wrote to memory of 876	5436	cmd.exe	116
PID 5436 wrote to memory of 876	5436	cmd.exe	116
PID 5436 wrote to memory of 876	5436	cmd.exe	116
PID 1076 wrote to memory of 5472	1076	cmd.exe	117
PID 1076 wrote to memory of 5472	1076	cmd.exe	117
PID 6060 wrote to memory of 5868	6060	cmd.exe	118
PID 6060 wrote to memory of 5868	6060	cmd.exe	118
PID 3216 wrote to memory of 4388	3216	cmd.exe	119
PID 3216 wrote to memory of 4388	3216	cmd.exe	119
PID 2180 wrote to memory of 3772	2180	cmd.exe	120
PID 2180 wrote to memory of 3772	2180	cmd.exe	120
PID 5892 wrote to memory of 3588	5892	svchost.exe	121
PID 5892 wrote to memory of 3588	5892	svchost.exe	121
PID 3588 wrote to memory of 6056	3588	cmd.exe	123
PID 3588 wrote to memory of 6056	3588	cmd.exe	123
PID 3588 wrote to memory of 3164	3588	cmd.exe	124
PID 3588 wrote to memory of 3164	3588	cmd.exe	124
PID 2180 wrote to memory of 5548	2180	cmd.exe	130
PID 2180 wrote to memory of 5548	2180	cmd.exe	130
PID 3216 wrote to memory of 3980	3216	cmd.exe	131
PID 3216 wrote to memory of 3980	3216	cmd.exe	131
PID 3588 wrote to memory of 5412	3588	cmd.exe	135
PID 3588 wrote to memory of 5412	3588	cmd.exe	135
PID 5412 wrote to memory of 228	5412	svchost.exe	136
PID 5412 wrote to memory of 228	5412	svchost.exe	136
PID 5412 wrote to memory of 4992	5412	svchost.exe	138
PID 5412 wrote to memory of 4992	5412	svchost.exe	138
PID 4992 wrote to memory of 2780	4992	cmd.exe	140
PID 4992 wrote to memory of 2780	4992	cmd.exe	140
PID 4992 wrote to memory of 3460	4992	cmd.exe	141
PID 4992 wrote to memory of 3460	4992	cmd.exe	141
PID 4992 wrote to memory of 220	4992	cmd.exe	142

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Liberium2.1.exe
"C:\Users\Admin\AppData\Local\Temp\Liberium2.1.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Users\Admin\AppData\Local\Temp\VMMVZP.exe
  "C:\Users\Admin\AppData\Local\Temp\VMMVZP.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6060
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7F32.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3772
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5548
- C:\Users\Admin\AppData\Local\Temp\WPMVAF.exe
  "C:\Users\Admin\AppData\Local\Temp\WPMVAF.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4888
- - C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
    "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5892
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\051V5QUzIFoO.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3588
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:6056
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3164
    - - C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5412
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:228
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6aKOespwQijY.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2780
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3460
        
        C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:220
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9vpZBl37HjBu.bat" "
        8⤵
        
        PID:3288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4808
        
        C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m9G1PX0dMaaZ.bat" "
        10⤵
        
        PID:2084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4224
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3600
        
        C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kLx5mXOnvNCf.bat" "
        12⤵
        
        PID:3356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2396
        
        C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5544
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CbOGVkqp3j7E.bat" "
        14⤵
        
        PID:5432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2352
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3812
        
        C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gyMoUMdQKbtP.bat" "
        16⤵
        
        PID:4300
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:656
        
        C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1G50vojPyaqT.bat" "
        18⤵
        
        PID:4992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4660
        
        C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oFKZbndopvaK.bat" "
        20⤵
        
        PID:3488
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4728
        
        C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8hXtjfkG0hEi.bat" "
        22⤵
        
        PID:5676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:4740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5716
        
        C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5672
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TlYrEgivI3di.bat" "
        24⤵
        
        PID:2608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3304
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1100
        
        C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4444
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c4pbes8DL0MU.bat" "
        26⤵
        
        PID:2116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:3544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4948
        
        C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RLkxCEKgZcmh.bat" "
        28⤵
        
        PID:4504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:5076
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5932
        
        C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ java JDK 8\svchost.exe" /rl HIGHEST /f
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kY6iInKlXj75.bat" "
        30⤵
        
        PID:1568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:4220
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2160
- C:\Users\Admin\AppData\Local\Temp\BGIHAU.exe
  "C:\Users\Admin\AppData\Local\Temp\BGIHAU.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7EE4.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3216
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:4388
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3980
- C:\Users\Admin\AppData\Local\Temp\PCERUQ.exe
  "C:\Users\Admin\AppData\Local\Temp\PCERUQ.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 844
    3⤵
    - Program crash
    PID:5236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn GMYRXX.exe /tr C:\Users\Admin\AppData\Roaming\Windata\svchost.exe /sc minute /mo 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn GMYRXX.exe /tr C:\Users\Admin\AppData\Roaming\Windata\svchost.exe /sc minute /mo 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5016
- C:\Windows\SysWOW64\WSCript.exe
  WSCript C:\Users\Admin\AppData\Local\Temp\GMYRXX.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Windata\svchost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5436
- C:\Users\Admin\AppData\Roaming\Windata\svchost.exe
  C:\Users\Admin\AppData\Roaming\Windata\svchost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4736 -ip 4736
1⤵
PID:4928

C:\Users\Admin\AppData\Roaming\Windata\svchost.exe
C:\Users\Admin\AppData\Roaming\Windata\svchost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2676

C:\Users\Admin\AppData\Roaming\Windata\svchost.exe
C:\Users\Admin\AppData\Roaming\Windata\svchost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\051V5QUzIFoO.bat

Filesize
213B

MD5
5a26d95e94e2da97fc21a3122df0afda

SHA1
55cc30d25ca553b4c8ae7fcc8c97b6c13ada0c89

SHA256
52d34413ff92891e81121f37a214c47a4c7b5d5d12b9c26020657df1b0bc8e51

SHA512
c686b6444921a30295081cecbf764a5d4c2d813f923562a12b0899a2c9ae087d8e149cf3e3c13079a4a36c91f25922203caee7a92dbffc8929b08d932a8a780a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1G50vojPyaqT.bat

Filesize
213B

MD5
a0f51fd22d4271a525cdaf9c24f0ab57

SHA1
4987afd6a9f96ea8e84953dc43599a4c03c4d4c3

SHA256
2325c2ec5979ee2f20b520444924c84db2cbb90c07b4c0a64b51fb8709b158a0

SHA512
f4006e180c58d6cd42e5b02c4263c6fc3d4db7d8115f58dc0bef7f7920f250599d2690e2977e531eff6959f9578b5a0b77ec6354c28f1ba1c11caee53a97e694

Download Submit
C:\Users\Admin\AppData\Local\Temp\6aKOespwQijY.bat

Filesize
213B

MD5
b3b1832b02baf967c79c820bf200c62e

SHA1
9758f4a46fee63e5202f0d76ae767e134668265f

SHA256
446e056908bc43e037284106ff37acf3eee13d1f04f6e96ab7432c8b675ddb92

SHA512
fb26764f46314f5d669e53da72e5ae76c0d4370a743fb4a32fe5c57b7979011c8436fdbd344fef944831cbd2f30921712b3405eb866fc684a0661b3c67abafd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8hXtjfkG0hEi.bat

Filesize
213B

MD5
f0cf8bc009cad1c4068e2f8d263eaf29

SHA1
a9c53677c5641ccf2e6e9cdbfa54706a887bdd1b

SHA256
92251c1d4d8edce6fb3908b677bf61ea410455dc61c1051ce64ea54a83c75bd8

SHA512
e5c1cce2ffd7edc2493877ab232671fd028dca32f3e40cb31cb8e6f19f50dc7524e110dcb58270615cdbe8ed97c76189f1ebddb24c5bd8f86a5409ba45d40723

Download Submit
C:\Users\Admin\AppData\Local\Temp\9vpZBl37HjBu.bat

Filesize
213B

MD5
17d2c190482bb038af7a27309660a2eb

SHA1
a91a9e7059e98eb6f952bf8d726a98875ee960da

SHA256
d9f77284c4d266d48f81ae42450da0d83c646de45be6860cb7775d90b4a4a660

SHA512
3aee89b1415fddde9ebee9ebd64df5f100f6bd60dec2ae490e34b7ff4fa86c44c0f06aeffdcad3fc23016c6650550f4c6b4aae0462bc0f48b7ebce4be71c1ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\BGIHAU.exe

Filesize
74KB

MD5
9a8c5d8ce65e53cfd403a80b3210cb4f

SHA1
38a7f8354d7b4f65e8f941878f99b6383ebfec4f

SHA256
ac532153b6e68114a6a3e12772487ac0a6e0d075e5e74737c96f16dded1d2960

SHA512
2d8335b8c2ca2cada74cb446ca86fe6606e4235dcd85a65ae44bd22e8f77ca5d1d239c5c7e0364a1683918bb3cbf6c4e43e9b644e878400d1caca2cd00afce54

Download Submit
C:\Users\Admin\AppData\Local\Temp\CbOGVkqp3j7E.bat

Filesize
213B

MD5
80abf02d372acce78b16abbeeb0ff234

SHA1
38f1b68dd4f26b1f086dba204adb0cb81ccd9eb5

SHA256
c7c9bef95f5fe76039bed956d4ec2896bcd2821dd8cb2dbed7957ff7562f7bc9

SHA512
7c8bc8aed3af43d991a3208cf1abc79c776739949955b210cab7bae396d4c3747258070fc3bc50df72fe8c27625008b89c1839c815f58b16b154a3f51f50af74

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMYRXX.vbs

Filesize
842B

MD5
c807a0b6e562ccd877722b0e90ecc02d

SHA1
f876f44d00d34a3de21646b2d975f8d6e3bfed46

SHA256
71496ce1631f04ae52406852b9d63ac3bb6ae7a023a3583991e0d0e3b91a15c6

SHA512
dfc5e3ac57133b9dae87d47a0a97e916b9ae77938a8df10e6dbde99d792cf52889b4ffa41d744ca2eabf460fcb4c4cb1b15f5568fc8bc7266525807387acf418

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCERUQ.exe

Filesize
6.1MB

MD5
eb5f70a725c9338a846d7f6e95aa2fc2

SHA1
0b39c505232a33842cde9b13ea75e4bc1e9004fc

SHA256
9d12b9fb18f031c13648d2aff2bf8c7df9ed654e0c6eb8f62bc52987a9b8c571

SHA512
d9558084fbb97cfbf26b57e174ffe65fe470e35d4c952357cba1251302175cd7ce6a8e75d28bdda9196074a96b3196a2d96921652c98d01a3bdfa3b21726690d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RLkxCEKgZcmh.bat

Filesize
213B

MD5
294c8611cbb218683bbdf0d6be6d81e3

SHA1
9abbe60f7a02bd12b4affe6f65ab1590295cf3ea

SHA256
4c115fe22888babbff63afec7000b5b59760b4d04b6b66024d7f3dbcb40c8162

SHA512
427050de8e526c093b8dfecd2ce20f3339dbc4e552b3dfddbe66a1e8165604236fd4516fb2d9981baf373d459341a61d41f5fa51fe4a521cf406b442c999b447

Download Submit
C:\Users\Admin\AppData\Local\Temp\TlYrEgivI3di.bat

Filesize
213B

MD5
ba8db7b8468e7a6c98d2c79fd574202a

SHA1
81a3f7996dadac003bc93f01221e1fb9e6c673df

SHA256
657043c260792224623b924a05c890bbe9bb588cbe6c87cf76e42ae43a9b704c

SHA512
66164f3f82c2f7bd91d7b41fcb4bf353e1c441728e8084a41adf03cd18f1578b8f33c0838479f6341039298bb598ed7a602f54989f71ec6aba2bc836a71545a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMMVZP.exe

Filesize
47KB

MD5
c668e4bc361c31fafff805af7a805a08

SHA1
3a2d274130c8c9a277142c25496d8ecead104b9d

SHA256
d21ae2f37d50b482f9e5f56b792c6bf599f6406cf56fd71f143bae135a371f26

SHA512
f9743170afc14fb7322f826c32349c85100847b02d08f13dce9ceff805c83764c0cff897340f7f290282b93d6d5aaa2a55ceca1474ec7454b5977ebda2ce0c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPMVAF.exe

Filesize
3.1MB

MD5
603a9f2cdfe56da891a223469a3b92c6

SHA1
d8720c43dc6c7cbe337c20744e040e2ee1683837

SHA256
61a973193ad25f94adbc53dcfcdd94cdec52f63cf2f19aaad5d36bbe673a5e0f

SHA512
5e30df5ce1a39c46fff05e38c76adfcae52bb01e002834a36e370f86a89fa94ba8a5f43506ebc29be2279e102a4d0671a4ae58d5f814f7079cd076df2afb9a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4pbes8DL0MU.bat

Filesize
213B

MD5
a8c90a3f0fb5fa69b385662dac87d9be

SHA1
cdd655273407e334fb6cbe4459af1dbfd0fac5de

SHA256
28ff23da15b0bfefa803f5d83572a3666efe1ceec7a8b62b09cbc0731bd2ea7e

SHA512
b7e0fdb2ea840f588d6b620359ed7fad036e45d819821d32fc573b1a356d250822dbe657de1e20a8321c9a5782fc089b04c699d969b05c6a8363c28942681361

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyMoUMdQKbtP.bat

Filesize
213B

MD5
89e169e025591ce9e6579acd2ea3c677

SHA1
98f17dc90e81c30242a1e192bedc4aa1ffcf7b0f

SHA256
1ee47c02974069962a5ce22bebf527efa93c36bde315b13d0779061b30e44de2

SHA512
8be67d4e1a008142809dc66176edc498e7f2d96d2ee913f31dec991ffc6336594301a7d7b0fcd5ffb66c56ff66d7e8358da373f09e5f8336c5c223271ea1d3be

Download Submit
C:\Users\Admin\AppData\Local\Temp\kLx5mXOnvNCf.bat

Filesize
213B

MD5
77bac7328f35ab96c867b2b14a665ffc

SHA1
ce7f2aa50105e5b467a1914aa48d57ac728c23dc

SHA256
b382c20d5ef1b2d7dbf97e3fdd0f6550034893357fc34a5cd6fcf742e44daff8

SHA512
5352207ba62d3ba85cb7483e10e0f14a2b191a6e28641a69fd8522243a4552f71ff946c892e24a47c43d00e114ce28c0e716d49d7d42566dd725cd90715006f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kY6iInKlXj75.bat

Filesize
213B

MD5
64bc706e158b85c4968fa2e33a2d5635

SHA1
1c0cb335ba1ef7d8777b88b15b671bc0376bf7c1

SHA256
10ed43adab539e939e5b9116826c025ae16d497231e81f29b7044f7fe9669807

SHA512
2933163173767e57c03f9f1172ec0a6c19596278253ab4ed9e6841c91373e963e1eec50e14e9d7e5d6182438bcedabf7e416dc2ac042ef9b91577551f0616ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\m9G1PX0dMaaZ.bat

Filesize
213B

MD5
6cb6a37e0e326107bd4105224414e0a8

SHA1
86ebd3d27a2b90733606594b911419744c1d2924

SHA256
fb29dfdd4aa2986d8d641edb71b88869d77797ae342bf781e828e064807ef51b

SHA512
dddfd31f54093012f700938c8a809dd1f6e5934219dccab8932b1a5b1d5138328f41d701adf326cab34a39a0e213a3d9090481d68a897df0c56042e64f09feef

Download Submit
C:\Users\Admin\AppData\Local\Temp\oFKZbndopvaK.bat

Filesize
213B

MD5
bb63489b1f9af1991cf7963d910e0017

SHA1
e394e34b3d7142d3c62ba1779d222886eddb752e

SHA256
45434f322d159eede6fae0d533f78cdb8d4418320d16a270686feaa0128fe9db

SHA512
7a42670a816016a7ed1fb9ff47e012d969effae6264114820d83df9edd5779ed8dc7254558d318c873bad9a5a92adb2b66ae19a0c3c0b992087625187bfbfc9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7EE4.tmp.bat

Filesize
154B

MD5
5a981e4caaf2a53e9a67aeeb2a9303fc

SHA1
a8d68cc6678a788609124685641783806c25c95d

SHA256
213166f0ec5a6b74db0e234dae9b52bcaf287132d5616adbf1dea734ec68179f

SHA512
f299ca6b4b0576b22fa21cf6e4bf1623f8afccb05eab28b14b79dcb26a286d5a76c8582371afc719e3480b898154b4be198ca598486f421abdb99acc2d9c12d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7F32.tmp.bat

Filesize
151B

MD5
6d7ee37699a751a43f9eea9b22a110da

SHA1
68ba2c8d6b4d8ebe6013e173702f1576ca4393c8

SHA256
ac8dc99730cccd04c0d40c543496866ec7784b38aab8c9e1bfcce64e5b89386d

SHA512
1b0baab78902af3c9df9c16bb5221ac6742436cb3c3fa67a891a8d3c5eb9aa96df3892b05ad138b780959ce78ed15c8fe503917050fed695e73c03358e695543

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\svchost.exe

Filesize
6.3MB

MD5
ccfdfb92db45d64ac2ef0daf3751f362

SHA1
79915d8c61f9f44f2211a269e949dc6aa11c1448

SHA256
281ce7db7e9338e11241437e9b4c980506a2dee645438b2f29e395d278b03995

SHA512
c4816f347a3aee1b77ddcd31529019458597d9b6d1c297c3bf7ec14bfb9cb25ceaf01469eb2ed3f8bd636e0160da476728a84cf0f5e7ab4d5822809402eff41f

Download Submit
memory/956-48-0x00007FF8EC870000-0x00007FF8ED331000-memory.dmp

Filesize
10.8MB

Download
memory/956-75-0x00007FF8EC870000-0x00007FF8ED331000-memory.dmp

Filesize
10.8MB

Download
memory/956-45-0x0000000000D70000-0x0000000001094000-memory.dmp

Filesize
3.1MB

Download
memory/2584-15-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/2584-16-0x00007FF8EC873000-0x00007FF8EC875000-memory.dmp

Filesize
8KB

Download
memory/3980-110-0x000000001D200000-0x000000001D302000-memory.dmp

Filesize
1.0MB

Download
memory/4528-50-0x00000000004D0000-0x00000000004E8000-memory.dmp

Filesize
96KB

Download
memory/4736-67-0x0000000000270000-0x0000000000886000-memory.dmp

Filesize
6.1MB

Download
memory/5892-88-0x000000001D500000-0x000000001D550000-memory.dmp

Filesize
320KB

Download
memory/5892-90-0x000000001D8C0000-0x000000001D972000-memory.dmp

Filesize
712KB

Download