asyncrat | 41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-08-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe
Size

6.7MB
MD5

713e742f7314ca8d684137f996540b4b
SHA1

1d88ed5170efab2d32d83341be56e1b9f6720d7c
SHA256

41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5
SHA512

df373f00d609666811494d31c48f030e15155ddd4c3ccd4f0ef734a0eb4bee074244e8bb73263f06edca3cef60db37f7f603e98b7c040b6741dbcf8270fa90e4
SSDEEP

98304:tbqknnTC8vHM8aKN+3v4FOjfU2TNe7vWL26AaNeWgPhlmVqkQ7XSKUR83B:tzO8vH04FmMnG4S03B

Score

10^/10

asyncrat dcrat quasar xworm default office04 discovery evasion execution infostealer persistence rat spyware trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

thing-wine.gl.at.ply.gg:55280

Mutex

EFhpy3TPM7sR

Attributes

delay
3
install
true
install_file
Ass.exe
install_folder
%Temp%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

businesses-eric.gl.at.ply.gg:55282

Mutex

ebfbd873-38ee-4f7b-bfe9-2b77cdff1c45

Attributes

encryption_key
361A99FCBAEDCD5C706B5E52C37C90BFB4E13FB2
install_name
Client.exe
log_directory
Logs
reconnect_delay
1000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

xworm

projects-pf.gl.at.ply.gg:55284

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0006000000018718-28.dat	family_xworm
behavioral1/memory/1684-49-0x0000000001260000-0x000000000127A000-memory.dmp	family_xworm
behavioral1/memory/276-181-0x0000000001050000-0x000000000106A000-memory.dmp	family_xworm
behavioral1/memory/816-187-0x0000000000230000-0x000000000024A000-memory.dmp	family_xworm

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\WizWormStub.exe\""	Fontsession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\WizWormStub.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\lsm.exe\""	Fontsession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\WizWormStub.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\dllhost.exe\""	Fontsession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\WizWormStub.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\dllhost.exe\", \"C:\\ChainPortsessionbroker\\dwm.exe\""	Fontsession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\WizWormStub.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\dllhost.exe\", \"C:\\ChainPortsessionbroker\\dwm.exe\", \"C:\\Recovery\\2d53f482-3d8b-11ef-b05d-f2a3cf4ad94f\\audiodg.exe\""	Fontsession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\WizWormStub.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\dllhost.exe\", \"C:\\ChainPortsessionbroker\\dwm.exe\", \"C:\\Recovery\\2d53f482-3d8b-11ef-b05d-f2a3cf4ad94f\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\Idle.exe\""	Fontsession.exe

Process spawned unexpected child process 17 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	1392	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	1392	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	1392	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1392	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	1392	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	1392	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	1392	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	1392	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	1392	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	1392	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	1392	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	1392	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	1392	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	1392	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	1392	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	1392	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	1392	schtasks.exe	45

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0006000000018716-21.dat	family_quasar
behavioral1/memory/2292-31-0x0000000000400000-0x0000000000AB3000-memory.dmp	family_quasar
behavioral1/memory/2824-50-0x0000000000110000-0x0000000000434000-memory.dmp	family_quasar
behavioral1/memory/2936-108-0x0000000000060000-0x0000000000384000-memory.dmp	family_quasar

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000b00000001227f-2.dat	family_asyncrat

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000017292-8.dat	dcrat
behavioral1/memory/2292-31-0x0000000000400000-0x0000000000AB3000-memory.dmp	dcrat
behavioral1/files/0x00050000000194d4-101.dat	dcrat
behavioral1/memory/2164-103-0x0000000000DA0000-0x0000000000FF2000-memory.dmp	dcrat
behavioral1/memory/2148-177-0x0000000000D40000-0x0000000000F92000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1208	powershell.exe
2708	powershell.exe
2028	powershell.exe

Disables Task Manager via registry modification
evasion

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizWormStub.lnk	WizWormStub.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizWormStub.lnk	WizWormStub.exe

Executes dropped EXE 13 IoCs

pid	Process
2800	AsyncStub.exe
2784	DCRatStub.exe
2776	OrcusStub.exe
2824	QuasarStub.exe
1684	WizWormStub.exe
1004	WindowsInput.exe
2840	AudioDriver.exe
2164	Fontsession.exe
2936	Client.exe
1612	Ass.exe
2148	dllhost.exe
276	WizWormStub.exe
816	WizWormStub.exe

Loads dropped DLL 10 IoCs

pid	Process
2292	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe
2292	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe
2292	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe
2292	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe
2292	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe
2776	OrcusStub.exe
2776	OrcusStub.exe
1784	cmd.exe
1784	cmd.exe
1772	cmd.exe

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\dllhost.exe\""	Fontsession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\dllhost.exe\""	Fontsession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\ChainPortsessionbroker\\dwm.exe\""	Fontsession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\Idle.exe\""	Fontsession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\Idle.exe\""	Fontsession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\WizWormStub = "C:\\ProgramData\\WizWormStub.exe"	WizWormStub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Public\\Recorded TV\\Sample Media\\lsm.exe\""	Fontsession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Public\\Recorded TV\\Sample Media\\lsm.exe\""	Fontsession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\ChainPortsessionbroker\\dwm.exe\""	Fontsession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WizWormStub = "\"C:\\Users\\Public\\Recorded TV\\Sample Media\\WizWormStub.exe\""	Fontsession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\2d53f482-3d8b-11ef-b05d-f2a3cf4ad94f\\audiodg.exe\""	Fontsession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\2d53f482-3d8b-11ef-b05d-f2a3cf4ad94f\\audiodg.exe\""	Fontsession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\WizWormStub = "\"C:\\Users\\Public\\Recorded TV\\Sample Media\\WizWormStub.exe\""	Fontsession.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WindowsInput.InstallLog	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\system32\SubDir\Client.exe	QuasarStub.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	QuasarStub.exe
File opened for modification	C:\Windows\system32\SubDir	QuasarStub.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	OrcusStub.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\es-ES\dllhost.exe	Fontsession.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\5940a34987c991	Fontsession.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AudioDriver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncStub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatStub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OrcusStub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
112	timeout.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2632	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 22 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1744	schtasks.exe
2492	schtasks.exe
1820	schtasks.exe
920	schtasks.exe
1564	schtasks.exe
2036	schtasks.exe
1812	schtasks.exe
2732	schtasks.exe
2696	schtasks.exe
2484	schtasks.exe
2516	schtasks.exe
1568	schtasks.exe
2128	schtasks.exe
976	schtasks.exe
2744	schtasks.exe
3016	schtasks.exe
2020	schtasks.exe
1960	schtasks.exe
560	schtasks.exe
1344	schtasks.exe
1536	schtasks.exe
468	schtasks.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2164	Fontsession.exe
1208	powershell.exe
2708	powershell.exe
2800	AsyncStub.exe
2800	AsyncStub.exe
2800	AsyncStub.exe
2028	powershell.exe
1684	WizWormStub.exe
2148	dllhost.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe
2840	AudioDriver.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	WizWormStub.exe
Token: SeDebugPrivilege	2824	QuasarStub.exe
Token: SeDebugPrivilege	2840	AudioDriver.exe
Token: SeDebugPrivilege	2936	Client.exe
Token: SeDebugPrivilege	2164	Fontsession.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2800	AsyncStub.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	1684	WizWormStub.exe
Token: SeDebugPrivilege	2148	dllhost.exe
Token: SeDebugPrivilege	1612	Ass.exe
Token: SeDebugPrivilege	1612	Ass.exe
Token: SeDebugPrivilege	276	WizWormStub.exe
Token: SeDebugPrivilege	816	WizWormStub.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2936	Client.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2936	Client.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2840	AudioDriver.exe
2936	Client.exe
1684	WizWormStub.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2800	2292	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe	30
PID 2292 wrote to memory of 2800	2292	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe	30
PID 2292 wrote to memory of 2800	2292	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe	30
PID 2292 wrote to memory of 2800	2292	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe	30
PID 2292 wrote to memory of 2784	2292	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe	31
PID 2292 wrote to memory of 2784	2292	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe	31
PID 2292 wrote to memory of 2784	2292	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe	31
PID 2292 wrote to memory of 2784	2292	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe	31
PID 2292 wrote to memory of 2776	2292	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe	32
PID 2292 wrote to memory of 2776	2292	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe	32
PID 2292 wrote to memory of 2776	2292	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe	32
PID 2292 wrote to memory of 2776	2292	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe	32
PID 2292 wrote to memory of 2824	2292	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe	33
PID 2292 wrote to memory of 2824	2292	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe	33
PID 2292 wrote to memory of 2824	2292	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe	33
PID 2292 wrote to memory of 2824	2292	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe	33
PID 2292 wrote to memory of 1684	2292	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe	34
PID 2292 wrote to memory of 1684	2292	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe	34
PID 2292 wrote to memory of 1684	2292	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe	34
PID 2292 wrote to memory of 1684	2292	41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe	34
PID 2784 wrote to memory of 3020	2784	DCRatStub.exe	35
PID 2784 wrote to memory of 3020	2784	DCRatStub.exe	35
PID 2784 wrote to memory of 3020	2784	DCRatStub.exe	35
PID 2784 wrote to memory of 3020	2784	DCRatStub.exe	35
PID 2784 wrote to memory of 884	2784	DCRatStub.exe	36
PID 2784 wrote to memory of 884	2784	DCRatStub.exe	36
PID 2784 wrote to memory of 884	2784	DCRatStub.exe	36
PID 2784 wrote to memory of 884	2784	DCRatStub.exe	36
PID 2776 wrote to memory of 1004	2776	OrcusStub.exe	37
PID 2776 wrote to memory of 1004	2776	OrcusStub.exe	37
PID 2776 wrote to memory of 1004	2776	OrcusStub.exe	37
PID 2776 wrote to memory of 1004	2776	OrcusStub.exe	37
PID 2776 wrote to memory of 2840	2776	OrcusStub.exe	38
PID 2776 wrote to memory of 2840	2776	OrcusStub.exe	38
PID 2776 wrote to memory of 2840	2776	OrcusStub.exe	38
PID 2776 wrote to memory of 2840	2776	OrcusStub.exe	38
PID 3020 wrote to memory of 1784	3020	WScript.exe	40
PID 3020 wrote to memory of 1784	3020	WScript.exe	40
PID 3020 wrote to memory of 1784	3020	WScript.exe	40
PID 3020 wrote to memory of 1784	3020	WScript.exe	40
PID 2824 wrote to memory of 1960	2824	QuasarStub.exe	39
PID 2824 wrote to memory of 1960	2824	QuasarStub.exe	39
PID 2824 wrote to memory of 1960	2824	QuasarStub.exe	39
PID 1784 wrote to memory of 2164	1784	cmd.exe	43
PID 1784 wrote to memory of 2164	1784	cmd.exe	43
PID 1784 wrote to memory of 2164	1784	cmd.exe	43
PID 1784 wrote to memory of 2164	1784	cmd.exe	43
PID 2824 wrote to memory of 2936	2824	QuasarStub.exe	44
PID 2824 wrote to memory of 2936	2824	QuasarStub.exe	44
PID 2824 wrote to memory of 2936	2824	QuasarStub.exe	44
PID 2936 wrote to memory of 1744	2936	Client.exe	53
PID 2936 wrote to memory of 1744	2936	Client.exe	53
PID 2936 wrote to memory of 1744	2936	Client.exe	53
PID 1684 wrote to memory of 1208	1684	WizWormStub.exe	66
PID 1684 wrote to memory of 1208	1684	WizWormStub.exe	66
PID 1684 wrote to memory of 1208	1684	WizWormStub.exe	66
PID 2164 wrote to memory of 2700	2164	Fontsession.exe	68
PID 2164 wrote to memory of 2700	2164	Fontsession.exe	68
PID 2164 wrote to memory of 2700	2164	Fontsession.exe	68
PID 1784 wrote to memory of 2632	1784	cmd.exe	70
PID 1784 wrote to memory of 2632	1784	cmd.exe	70
PID 1784 wrote to memory of 2632	1784	cmd.exe	70
PID 1784 wrote to memory of 2632	1784	cmd.exe	70
PID 2700 wrote to memory of 2608	2700	cmd.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe
"C:\Users\Admin\AppData\Local\Temp\41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\AsyncStub.exe
  "C:\Users\Admin\AppData\Local\Temp\AsyncStub.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Ass" /tr '"C:\Users\Admin\AppData\Local\Temp\Ass.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:844
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Ass" /tr '"C:\Users\Admin\AppData\Local\Temp\Ass.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC9E.tmp.bat""
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1772
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:112
  - - C:\Users\Admin\AppData\Local\Temp\Ass.exe
      "C:\Users\Admin\AppData\Local\Temp\Ass.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1612
- C:\Users\Admin\AppData\Local\Temp\DCRatStub.exe
  "C:\Users\Admin\AppData\Local\Temp\DCRatStub.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ChainPortsessionbroker\QV4mcYA2Sc8KOpCoQlEXh.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\ChainPortsessionbroker\G0RgA51UzNSlvJ.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1784
    - - C:\ChainPortsessionbroker\Fontsession.exe
        
        "C:\ChainPortsessionbroker\Fontsession.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2164
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6AeBC68ZhB.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2608
        
        C:\Program Files (x86)\Windows Defender\es-ES\dllhost.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\dllhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2632
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ChainPortsessionbroker\file.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:884
- C:\Users\Admin\AppData\Local\Temp\OrcusStub.exe
  "C:\Users\Admin\AppData\Local\Temp\OrcusStub.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe" --install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1004
- - C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2840
- C:\Users\Admin\AppData\Local\Temp\QuasarStub.exe
  "C:\Users\Admin\AppData\Local\Temp\QuasarStub.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1960
- - C:\Windows\system32\SubDir\Client.exe
    "C:\Windows\system32\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1744
- C:\Users\Admin\AppData\Local\Temp\WizWormStub.exe
  "C:\Users\Admin\AppData\Local\Temp\WizWormStub.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WizWormStub.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizWormStub.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WizWormStub.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizWormStub" /tr "C:\ProgramData\WizWormStub.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WizWormStubW" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Recorded TV\Sample Media\WizWormStub.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WizWormStub" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\WizWormStub.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WizWormStubW" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Recorded TV\Sample Media\WizWormStub.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Recorded TV\Sample Media\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Recorded TV\Sample Media\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\ChainPortsessionbroker\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\ChainPortsessionbroker\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\ChainPortsessionbroker\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\2d53f482-3d8b-11ef-b05d-f2a3cf4ad94f\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\2d53f482-3d8b-11ef-b05d-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\2d53f482-3d8b-11ef-b05d-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\taskeng.exe
taskeng.exe {EC6A986B-3639-40B0-8B74-F518A91E5881} S-1-5-21-940600906-3464502421-4240639183-1000:MGWWAYYN\Admin:Interactive:[1]
1⤵
PID:2264
- C:\ProgramData\WizWormStub.exe
  C:\ProgramData\WizWormStub.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:276
- C:\ProgramData\WizWormStub.exe
  C:\ProgramData\WizWormStub.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ChainPortsessionbroker\Fontsession.exe

Filesize
2.3MB

MD5
e68c730d5e9eea130b20f99f8380e644

SHA1
d5387728b7aa9724e5f49d9ebe871c4bcc447c01

SHA256
44a30d53788ccbbef510a68b894c40a093ecc4a934b6a7c91037d3180987bf71

SHA512
4389361097a762576b0ed8da4ebec4d4189af80decbe0b4e2e7c12a6b2f206107ad0597be557690cac73f0e5875057e48a7338a52403288527329e276cbc6041

Download Submit
C:\ChainPortsessionbroker\G0RgA51UzNSlvJ.bat

Filesize
166B

MD5
eff3710eb6f094ac204ff6b4d7d7107e

SHA1
2ec3eebb2037ee862dfd7984101bbec687c7ad7b

SHA256
5a27f828660d67faae0e0c7c9d201c543f9e16db4ef1cb5f0883899b86e321d7

SHA512
19becb062d3cf759b820fb45170e9aab11e6179475c0090f9306ca2e722f24b74274263fbb4783096ceb10d311dc8f1f3261ef9f44ee0235a70aa0f004cb508c

Download Submit
C:\ChainPortsessionbroker\QV4mcYA2Sc8KOpCoQlEXh.vbe

Filesize
224B

MD5
55733945e00baace8cd6236206f9acf6

SHA1
61a590cb6acb3e6bfaac1fc5752162fc60647ce5

SHA256
d7f4a58ae89de59a45958e9a78eb6d3e83ff45d9843747850fc4f4974f24e3e3

SHA512
58ac06c815cc508dc6281cae24a78ac98fce1bd310809f0311a4613adf2f103e92ccd65e073787ef682d9a37adc3ef6fd1c81f7eebdc5f7a0f7b28636caa76c8

Download Submit
C:\ChainPortsessionbroker\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AeBC68ZhB.bat

Filesize
222B

MD5
dbe67e5b932e197133cc75765231b2ad

SHA1
d3d8321778373adee08e19dd3d000e9690834224

SHA256
7cbddb7abc19885c260541ce11ae61306f460a338da8d3e8fad1c3259ac13230

SHA512
58e105ee7a436e41ef7b2056bb576cc1c3c7b9b5607d0cbfdf44abdc4645e8a98d0c8da415b078a6be19ed1d1548521b2bb611c191b5dfb0e0f587163d11368f

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.InstallLog

Filesize
596B

MD5
cb1bafcb3fb3195881c7c67e4261f503

SHA1
e7246d89642cd7205a745e55062123dd67a85394

SHA256
6440aac0367e1bae8944a650f73ca775ed4a0f3810576adce09d6c4f6d10f6ae

SHA512
2da4d8bf1142ccd20fa3190fd7670d67f1b48bfbbfe55a71fc8cb1570cc69f3128892bb2b02309fc0353d0b928168f3810d0b2938bd08f6b01b31910929dacf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC9E.tmp.bat

Filesize
149B

MD5
f1897ebef9852a7a2b7c6283d04a2619

SHA1
a7f2a4d2991edf9b0494ec1b03f723bd60cb4ea1

SHA256
a6a04938bd45f1455cf03251800e29871c821fb6e033693221493e54558cd9cf

SHA512
dec92ab395e35938dd76fffb0f25ac049d7729e4faeb4a5e6c996d71aea2bc5f95c6042b8e41ae316eed9a8a5bf4a5774c556cd9b795077be7eb5f7fb0abe5d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d0d3c5b48775696a7312f521dc92e4f6

SHA1
6e2077dc903e76c039e8f384648ddad3f65964cf

SHA256
138d5ae49d2898ff39657b233065beb92fa634739a017d227d3d726a50f1131b

SHA512
64c0c62f6be124fb9d923467a9a35e736b1805b8667ec1f343ea80fab4af55b4b856419f95ae8731e337ad054ea79ecda3dc2c7fdb34157b72169d50f660a07a

Download Submit
C:\Windows\SysWOW64\WindowsInput.InstallLog

Filesize
224B

MD5
e469dda91ae810a1f94c96060f3f8a65

SHA1
0b4b3b0f6f937016b1e045ce5313ee2a65a38630

SHA256
d42fee8db8eb0e047ca53ad59b1c9bc69fe04993be36fec502e3532371908842

SHA512
2eb4037361c03e195c642a53f55a3182a6df19903db503060e366f2394750e64ae04fdaace61ef5a6dba649defc88322d78edd2928bc53ebd1ce11d68cc88dac

Download Submit
C:\Windows\SysWOW64\WindowsInput.InstallLog

Filesize
597B

MD5
c2291863df7c2d3038ce3c22fa276506

SHA1
7b7d2bc07a6c35523807342c747c9b6a19f3184e

SHA256
14504199bede3f46129969dbd2b7680f2e5b7fcd73a3e427ce1bb6217a6d13da

SHA512
00bf40174a67e3e663d18a887c5b461a1e5ead0b27f0a139d87969158c58f4ca72cfa5a731dda239356192ca4cb5ac6ae2b0e37401d534e686cabacd3cbee8fa

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e854a4636afc652b320e12e50ba4080e

SHA1
8a4ac6ecc22ee5f3a8ec846d38b41ff18c641fdc

SHA256
94b9c78c6fa2bf61fba20a08ad4563f7dd2f5668c28eff227965ce0a2032d5d5

SHA512
30aabd5079b6ed0948eb70fd18e9166096e4ba5d1d47fc35b7270f931d19bbe6cd929b6010f70297bf5272dc5a79e2523721354d211c4080d68ad8d17e316118

Download Submit
\Users\Admin\AppData\Local\Temp\AsyncStub.exe

Filesize
47KB

MD5
2498d43b33fdf705d23a044d0704271b

SHA1
79b2ee6e706d561533936cde87a46830fbfeec9b

SHA256
d1ba8885bb27b8b53e8754181b474f47d0afc57ce406ca4c18edf111cbb63226

SHA512
79b0ff8be1762e31c20ae5b5440958bbe652b11f219a5542d9cd2fa789c90dd5898b14be2245ae03f49c5ada54db0547df5eacc7d143f9c0ea608fb4600b4690

Download Submit
\Users\Admin\AppData\Local\Temp\DCRatStub.exe

Filesize
2.6MB

MD5
9d479998ab307798514e77b13fa5a38a

SHA1
2cdd52a5496e45d74a8acce3b19456ef5241130b

SHA256
b83e03ed28f61bcfa07e3a06b73d7e0a3b6e8469fe8d8137549cc12ae3911b08

SHA512
122bf95d3e56c366db4e1a1af4c2c44d980a54a7a2dca3ef7376587d8e5bcf32d0e06b2bf6465f164763c5f8954302704ead062a9de0729aa4e6e6161051a6f4

Download Submit
\Users\Admin\AppData\Local\Temp\OrcusStub.exe

Filesize
841KB

MD5
3de8bb77473e360e1b15d2f80f489248

SHA1
507f0223797e077f25775908d911dbbdc64e04a9

SHA256
be6c566ca9e0f0c620ccbd0581b48ba0cdf616135195dc4f5b9236f985b3172f

SHA512
4addcce355f43e392b30b78195372ae8618fdf42f976a6bc88c369708efa3ce2c1222f7f1e20cc49491cc475c970c687445062c51c026d0bf7ecdea3fb26017c

Download Submit
\Users\Admin\AppData\Local\Temp\QuasarStub.exe

Filesize
3.1MB

MD5
6940c38a8661b0b8713afd4c63b12456

SHA1
cc78ac6b4974bb3352890b8e89d038ddc4c4eae4

SHA256
42a913fedb31db5ba0cf28abd0fe6afc3b9807aac7045a1c02579c2b3282a3b1

SHA512
df2e75e842f22802a43e155c0667147933d17f8902df880d3738d29a5bcaae5ae199c759642bf2414c10a1eca4721966b3d7759e06ddeca5b69c698689e71b05

Download Submit
\Users\Admin\AppData\Local\Temp\WizWormStub.exe

Filesize
81KB

MD5
cdff2cee70c00c73f066e1c9a7515a95

SHA1
f8bfe41193a917830dc13450c2665d862fea08d1

SHA256
f52798a690f661a2b30e2fb3a3689a0aa09fcc0f7ea4efe669e265670742254e

SHA512
747a63e7bc184d7fd09f842c176090bc37c88166155b4429faf430760cd8af182c853cc173c62a25ce3c94ccd74b66106b145f80bf5bb151e6b9bb865f23a939

Download Submit
memory/276-181-0x0000000001050000-0x000000000106A000-memory.dmp

Filesize
104KB

Download
memory/816-187-0x0000000000230000-0x000000000024A000-memory.dmp

Filesize
104KB

Download
memory/1208-138-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/1208-139-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/1612-170-0x0000000000860000-0x0000000000872000-memory.dmp

Filesize
72KB

Download
memory/1684-49-0x0000000001260000-0x000000000127A000-memory.dmp

Filesize
104KB

Download
memory/2028-154-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/2028-152-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2148-177-0x0000000000D40000-0x0000000000F92000-memory.dmp

Filesize
2.3MB

Download
memory/2164-113-0x0000000000370000-0x000000000037E000-memory.dmp

Filesize
56KB

Download
memory/2164-111-0x0000000000670000-0x00000000006C6000-memory.dmp

Filesize
344KB

Download
memory/2164-110-0x0000000000490000-0x00000000004A6000-memory.dmp

Filesize
88KB

Download
memory/2164-109-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download
memory/2164-112-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/2164-115-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/2164-114-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/2164-103-0x0000000000DA0000-0x0000000000FF2000-memory.dmp

Filesize
2.3MB

Download
memory/2292-31-0x0000000000400000-0x0000000000AB3000-memory.dmp

Filesize
6.7MB

Download
memory/2708-145-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2708-146-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2776-88-0x0000000004270000-0x00000000042BE000-memory.dmp

Filesize
312KB

Download
memory/2776-53-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/2776-54-0x00000000009C0000-0x00000000009CC000-memory.dmp

Filesize
48KB

Download
memory/2776-52-0x00000000006F0000-0x000000000073C000-memory.dmp

Filesize
304KB

Download
memory/2776-51-0x0000000000300000-0x000000000030A000-memory.dmp

Filesize
40KB

Download
memory/2776-43-0x0000000000B60000-0x0000000000C38000-memory.dmp

Filesize
864KB

Download
memory/2800-34-0x0000000001370000-0x0000000001382000-memory.dmp

Filesize
72KB

Download
memory/2824-50-0x0000000000110000-0x0000000000434000-memory.dmp

Filesize
3.1MB

Download
memory/2840-107-0x0000000000960000-0x0000000000970000-memory.dmp

Filesize
64KB

Download
memory/2840-95-0x0000000000980000-0x0000000000A58000-memory.dmp

Filesize
864KB

Download
memory/2936-108-0x0000000000060000-0x0000000000384000-memory.dmp

Filesize
3.1MB

Download