asyncrat | a7521b44c71baaaa5ac4c74b1918196713fee07470a48cbd27b2c46142375154

Analysis

max time kernel
152s
max time network
144s
platform
windows7_x64
resource
win7-en-20211014
submitted
06-11-2021 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
Size

22.7MB
MD5

55287c8aa442a3f521aabb6a80b3f6a8
SHA1

5e9c38e66448c4c1b8066b04987eb62cf6f48763
SHA256

cfb1ee668fc3e25580c334ab753749d2ef5a44ab9be1e033047345827696cbf8
SHA512

2d265bb941c28944ae7a25dea43d6122e04e549d349fc8276670683926feac52b12d3de42b0601d134f3842641b28751a62c8ddc28e3a3140f2041dfdf629813

Score

10^/10

asyncrat nanocore neshta quasar mix21 mixone discovery evasion keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

pettbull.ddns.net:53896

127.0.0.1:53896

Mutex

5bb33a25-3661-40a6-bf27-e3cf4c873773

Attributes

activate_away_mode
false
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-12-19T09:35:29.334939436Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
53896
default_group
MIX221
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
5bb33a25-3661-40a6-bf27-e3cf4c873773
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
pettbull.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

MIXONE

pettbull.ddns.net:6606

pettbull.ddns.net:7707

pettbull.ddns.net:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

anti_vm
false
bsod
false
delay
3
install
true
install_file
Windows Microsoft.exe
install_folder
%AppData%
pastebin_config
null

aes.plain

Extracted

Family

quasar

Version

1.4.0

Botnet

MIX21

pettbull.ddns.net:4782

Mutex

69383ffd-4823-44c2-b21f-a105f85ed9a0

Attributes

encryption_key
DAE9E02E5E04D59D9AF2AA1D5E82248D5919AC6A
install_name
Windows Service.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft Windows
subdirectory
Windows Update

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Detect Neshta Payload 6 IoCs

Processes:

resource	yara_rule
\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\WinOptimizer.18.00.18.Portable.exe	family_neshta
\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\WinOptimizer.18.00.18.Portable.exe	family_neshta
\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\WinOptimizer.18.00.18.Portable.exe	family_neshta
\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\WinOptimizer.18.00.18.Portable.exe	family_neshta
C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\WinOptimizer.18.00.18.Portable.exe	family_neshta
C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\WinOptimizer.18.00.18.Portable.exe	family_neshta

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Quasar Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1864-125-0x0000000000400000-0x0000000000484000-memory.dmp	family_quasar
behavioral1/memory/1864-126-0x0000000000400000-0x0000000000484000-memory.dmp	family_quasar
behavioral1/memory/1864-127-0x0000000000400000-0x0000000000484000-memory.dmp	family_quasar
behavioral1/memory/1864-128-0x000000000047E7CE-mapping.dmp	family_quasar
behavioral1/memory/1864-134-0x0000000000400000-0x0000000000484000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Async RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/768-93-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/768-92-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/768-94-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/768-95-0x000000000040C75E-mapping.dmp	asyncrat
behavioral1/memory/768-97-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1176-230-0x000000000040C75E-mapping.dmp	asyncrat

Executes dropped EXE 10 IoCs

Processes:

Service Host.exeService Host.exesvchost.exesvchost.exeWindows Help.exeWindows Microsoft.exeWindows Help.exeWinOptimizer.18.00.18.Portable.exeWO18.exeWindows Microsoft.exe

pid	process
1468	Service Host.exe
436	Service Host.exe
664	svchost.exe
768	svchost.exe
892	Windows Help.exe
1652	Windows Microsoft.exe
1864	Windows Help.exe
1632	WinOptimizer.18.00.18.Portable.exe
1600	WO18.exe
1176	Windows Microsoft.exe

Loads dropped DLL 18 IoCs

Processes:

CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.execmd.exeWinOptimizer.18.00.18.Portable.exe

pid	process
1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
748	cmd.exe
1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
1632	WinOptimizer.18.00.18.Portable.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Service Host.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Service = "C:\\Program Files (x86)\\SMTP Service\\smtpsvc.exe"	Service Host.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Service Host.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Service Host.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Service Host.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WO18.exe

description	ioc	process
File opened (read-only)	\??\Y:	WO18.exe
File opened (read-only)	\??\D:	WO18.exe
File opened (read-only)	\??\K:	WO18.exe
File opened (read-only)	\??\M:	WO18.exe
File opened (read-only)	\??\N:	WO18.exe
File opened (read-only)	\??\O:	WO18.exe
File opened (read-only)	\??\S:	WO18.exe
File opened (read-only)	\??\X:	WO18.exe
File opened (read-only)	\??\Z:	WO18.exe
File opened (read-only)	\??\U:	WO18.exe
File opened (read-only)	\??\V:	WO18.exe
File opened (read-only)	\??\B:	WO18.exe
File opened (read-only)	\??\G:	WO18.exe
File opened (read-only)	\??\J:	WO18.exe
File opened (read-only)	\??\L:	WO18.exe
File opened (read-only)	\??\Q:	WO18.exe
File opened (read-only)	\??\W:	WO18.exe
File opened (read-only)	\??\E:	WO18.exe
File opened (read-only)	\??\F:	WO18.exe
File opened (read-only)	\??\H:	WO18.exe
File opened (read-only)	\??\I:	WO18.exe
File opened (read-only)	\??\P:	WO18.exe
File opened (read-only)	\??\R:	WO18.exe
File opened (read-only)	\??\T:	WO18.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WO18.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	WO18.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count	WO18.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	WO18.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Service Host.exesvchost.exeWindows Help.exeWindows Microsoft.exe

description	pid	process	target process
PID 1468 set thread context of 436	1468	Service Host.exe	Service Host.exe
PID 664 set thread context of 768	664	svchost.exe	svchost.exe
PID 892 set thread context of 1864	892	Windows Help.exe	Windows Help.exe
PID 1652 set thread context of 1176	1652	Windows Microsoft.exe	Windows Microsoft.exe

Drops file in Program Files directory 27 IoCs

Processes:

WinOptimizer.18.00.18.Portable.exeWO18.exeService Host.exeCFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\stubexe\0x27455F3DAFB1B6BB\WO18.exe.manifest.__tmp__	WinOptimizer.18.00.18.Portable.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\roaming\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins\default\skin.ini.__meta__.__tmp__	WO18.exe
File created	C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Service Host.exe
File opened for modification	C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Service Host.exe
File created	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\xsandbox.bin.__tmp__	WinOptimizer.18.00.18.Portable.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\stubexe\0x27455F3DAFB1B6BB\WO18.exe.__tmp__	WinOptimizer.18.00.18.Portable.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\xsandbox.bin	WinOptimizer.18.00.18.Portable.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\roaming\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins\default\skin.ini.__meta__	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\modified\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins\default\skin.ini	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Uninstall.exe	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
File created	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Uninstall.ini	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
File created	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\temp\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins\default\skin.ini	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins\default\skin.ini.__meta__	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\xsandbox.bin	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\WinOptimizer.18.00.18.Portable.exe	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\xsandbox.bin.__tmp__	WinOptimizer.18.00.18.Portable.exe
File created	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\stubexe\0x27455F3DAFB1B6BB\WO18.exe.manifest.__tmp__	WinOptimizer.18.00.18.Portable.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\xregistry.bin.__tmp__	WinOptimizer.18.00.18.Portable.exe
File created	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\stubexe\0x27455F3DAFB1B6BB\WO18.exe.__tmp__	WinOptimizer.18.00.18.Portable.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\xsandbox.bin.__tmp__	WO18.exe
File created	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\roaming\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins\default\skin.ini.__meta__.__tmp__	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\stubexe\0x27455F3DAFB1B6BB\WO18.exe	WinOptimizer.18.00.18.Portable.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\stubexe\0x27455F3DAFB1B6BB\WO18.exe.manifest	WinOptimizer.18.00.18.Portable.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\roaming\modified\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins\default\skin.ini	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\roaming\xregistry.bin.__tmp__	WinOptimizer.18.00.18.Portable.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\temp\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins\default\skin.ini	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins\default\skin.ini.__deleted__	WO18.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1564 schtasks.exe
1676 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

544 timeout.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Service Host.exesvchost.exeWO18.exe

pid process

436 Service Host.exe
436 Service Host.exe
436 Service Host.exe
768 svchost.exe
1600 WO18.exe
1600 WO18.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Service Host.exe

pid process

436 Service Host.exe

pid	process
1564	schtasks.exe
1676	schtasks.exe

pid	process
544	timeout.exe

pid	process
436	Service Host.exe
436	Service Host.exe
436	Service Host.exe
768	svchost.exe
1600	WO18.exe
1600	WO18.exe

pid	process
436	Service Host.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Service Host.exesvchost.exeWindows Help.exeWindows Microsoft.exe

description	pid	process
Token: SeDebugPrivilege	436	Service Host.exe
Token: SeDebugPrivilege	768	svchost.exe
Token: SeDebugPrivilege	1864	Windows Help.exe
Token: SeDebugPrivilege	1176	Windows Microsoft.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

WO18.exe

pid process

1600 WO18.exe

pid	process
1600	WO18.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exeService Host.exesvchost.exesvchost.execmd.execmd.exeWindows Help.exeWinOptimizer.18.00.18.Portable.exe

description	pid	process	target process
PID 1604 wrote to memory of 1468	1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	Service Host.exe
PID 1604 wrote to memory of 1468	1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	Service Host.exe
PID 1604 wrote to memory of 1468	1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	Service Host.exe
PID 1604 wrote to memory of 1468	1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	Service Host.exe
PID 1468 wrote to memory of 436	1468	Service Host.exe	Service Host.exe
PID 1468 wrote to memory of 436	1468	Service Host.exe	Service Host.exe
PID 1468 wrote to memory of 436	1468	Service Host.exe	Service Host.exe
PID 1468 wrote to memory of 436	1468	Service Host.exe	Service Host.exe
PID 1468 wrote to memory of 436	1468	Service Host.exe	Service Host.exe
PID 1468 wrote to memory of 436	1468	Service Host.exe	Service Host.exe
PID 1468 wrote to memory of 436	1468	Service Host.exe	Service Host.exe
PID 1468 wrote to memory of 436	1468	Service Host.exe	Service Host.exe
PID 1468 wrote to memory of 436	1468	Service Host.exe	Service Host.exe
PID 1604 wrote to memory of 664	1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	svchost.exe
PID 1604 wrote to memory of 664	1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	svchost.exe
PID 1604 wrote to memory of 664	1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	svchost.exe
PID 1604 wrote to memory of 664	1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	svchost.exe
PID 664 wrote to memory of 768	664	svchost.exe	svchost.exe
PID 664 wrote to memory of 768	664	svchost.exe	svchost.exe
PID 664 wrote to memory of 768	664	svchost.exe	svchost.exe
PID 664 wrote to memory of 768	664	svchost.exe	svchost.exe
PID 664 wrote to memory of 768	664	svchost.exe	svchost.exe
PID 664 wrote to memory of 768	664	svchost.exe	svchost.exe
PID 664 wrote to memory of 768	664	svchost.exe	svchost.exe
PID 664 wrote to memory of 768	664	svchost.exe	svchost.exe
PID 664 wrote to memory of 768	664	svchost.exe	svchost.exe
PID 1604 wrote to memory of 892	1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	Windows Help.exe
PID 1604 wrote to memory of 892	1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	Windows Help.exe
PID 1604 wrote to memory of 892	1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	Windows Help.exe
PID 1604 wrote to memory of 892	1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	Windows Help.exe
PID 768 wrote to memory of 968	768	svchost.exe	cmd.exe
PID 768 wrote to memory of 968	768	svchost.exe	cmd.exe
PID 768 wrote to memory of 968	768	svchost.exe	cmd.exe
PID 768 wrote to memory of 968	768	svchost.exe	cmd.exe
PID 768 wrote to memory of 748	768	svchost.exe	cmd.exe
PID 768 wrote to memory of 748	768	svchost.exe	cmd.exe
PID 768 wrote to memory of 748	768	svchost.exe	cmd.exe
PID 768 wrote to memory of 748	768	svchost.exe	cmd.exe
PID 968 wrote to memory of 1676	968	cmd.exe	schtasks.exe
PID 968 wrote to memory of 1676	968	cmd.exe	schtasks.exe
PID 968 wrote to memory of 1676	968	cmd.exe	schtasks.exe
PID 968 wrote to memory of 1676	968	cmd.exe	schtasks.exe
PID 748 wrote to memory of 544	748	cmd.exe	timeout.exe
PID 748 wrote to memory of 544	748	cmd.exe	timeout.exe
PID 748 wrote to memory of 544	748	cmd.exe	timeout.exe
PID 748 wrote to memory of 544	748	cmd.exe	timeout.exe
PID 748 wrote to memory of 1652	748	cmd.exe	Windows Microsoft.exe
PID 748 wrote to memory of 1652	748	cmd.exe	Windows Microsoft.exe
PID 748 wrote to memory of 1652	748	cmd.exe	Windows Microsoft.exe
PID 748 wrote to memory of 1652	748	cmd.exe	Windows Microsoft.exe
PID 892 wrote to memory of 1864	892	Windows Help.exe	Windows Help.exe
PID 892 wrote to memory of 1864	892	Windows Help.exe	Windows Help.exe
PID 892 wrote to memory of 1864	892	Windows Help.exe	Windows Help.exe
PID 892 wrote to memory of 1864	892	Windows Help.exe	Windows Help.exe
PID 892 wrote to memory of 1864	892	Windows Help.exe	Windows Help.exe
PID 892 wrote to memory of 1864	892	Windows Help.exe	Windows Help.exe
PID 892 wrote to memory of 1864	892	Windows Help.exe	Windows Help.exe
PID 892 wrote to memory of 1864	892	Windows Help.exe	Windows Help.exe
PID 892 wrote to memory of 1864	892	Windows Help.exe	Windows Help.exe
PID 1604 wrote to memory of 1632	1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	WinOptimizer.18.00.18.Portable.exe
PID 1604 wrote to memory of 1632	1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	WinOptimizer.18.00.18.Portable.exe
PID 1604 wrote to memory of 1632	1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	WinOptimizer.18.00.18.Portable.exe
PID 1604 wrote to memory of 1632	1604	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	WinOptimizer.18.00.18.Portable.exe
PID 1632 wrote to memory of 1600	1632	WinOptimizer.18.00.18.Portable.exe	WO18.exe

C:\Users\Admin\AppData\Local\Temp\CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
"C:\Users\Admin\AppData\Local\Temp\CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Roaming\Service Host.exe
"C:\Users\Admin\AppData\Roaming\Service Host.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1468

C:\Users\Admin\AppData\Roaming\Service Host.exe
"C:\Users\Admin\AppData\Roaming\Service Host.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:664

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Microsoft" /tr '"C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Windows Microsoft" /tr '"C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe"'
5⤵
- Creates scheduled task(s)
PID:1676

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp13FE.tmp.bat""
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:544

C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe
"C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1652

C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe
"C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Users\Admin\AppData\Roaming\Windows Help.exe
"C:\Users\Admin\AppData\Roaming\Windows Help.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:892

C:\Users\Admin\AppData\Roaming\Windows Help.exe
"C:\Users\Admin\AppData\Roaming\Windows Help.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Microsoft Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Help.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1564

C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\WinOptimizer.18.00.18.Portable.exe
"C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\WinOptimizer.18.00.18.Portable.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1632

C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\stubexe\0x27455F3DAFB1B6BB\WO18.exe
"C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\stubexe\0x27455F3DAFB1B6BB\WO18.exe" /864A627C-C6B2-464A-AA13-25D62F282BD8
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:1600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\stubexe\0x27455F3DAFB1B6BB\WO18.exe
MD5
a42c7fe90cd110ed7b73e2795d68080c

SHA1
6ef8b052120331562d38d2eceb35bf6e1bc7674a

SHA256
6bf9fe450845361706dd331a02ff51dcb21b4df9be2387af43be690ad4189bb5

SHA512
e4ae00e77454c8b25a47d4cf15aa46bce68f7fbd0bcc8bd42c3ad6a0d224736dfe42d04a1be7daaa3437b2c99aa6be0fb3ed2867ddae7a7d455f1b44139394ce

Download Submit
C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\xsandbox.bin
MD5
ec3d19e8e9b05d025cb56c2a98ead8e7

SHA1
748532edeb86496c8efe5e2327501d89ec1f13df

SHA256
edb7be3ef6098a1e24d0c72bbc6f968dea773951a0dd07b63bad6d9009ae3bf4

SHA512
175fb8432472b6795bb5db0eba61bc7b57331720825df5b048f3086815ba844df4f7e83e42ff9e8fe5ab01700675a774cb916677953d6e0088ffbf1fa2775349

Download Submit
C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\WinOptimizer.18.00.18.Portable.exe
MD5
22a7ba737ffda155c69a9630b43b4735

SHA1
781201b674d7b0a090999c58f86c749563e0d127

SHA256
1eb27b1a605dd47402d6b4fbe12db60242d7beb941e39bfaf1e718c17f5a4e2c

SHA512
fa7607cdc59559a51fde243a26d0e5dc799351edc1d4b1924cc4699bb7cc197558ee0d108a50532e5919a480595c8e74712a7a3578ef50e585c2b8427032ac50

Download Submit
C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\WinOptimizer.18.00.18.Portable.exe
MD5
22a7ba737ffda155c69a9630b43b4735

SHA1
781201b674d7b0a090999c58f86c749563e0d127

SHA256
1eb27b1a605dd47402d6b4fbe12db60242d7beb941e39bfaf1e718c17f5a4e2c

SHA512
fa7607cdc59559a51fde243a26d0e5dc799351edc1d4b1924cc4699bb7cc197558ee0d108a50532e5919a480595c8e74712a7a3578ef50e585c2b8427032ac50

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPOON\CACHE\0x68C067F445817A5B\sxs\manifests\WO18.exe_0xF006DAFA0CD57778F6EDBDF7001FBC97.1.manifest
MD5
bb0fd220a11c9083c19e432ff91dc842

SHA1
f88e500302e91645ee6894dbc599a8ac09b54030

SHA256
dcd7ddf6a1a7a5dcdf0502012331f9994e6a17ea4bac1603d15492b243a7dde4

SHA512
019622e05728c73d6c0d014cbe4595e25f6ac919d30aae5bfc1e52c0f1b51a2f510f9097733f64e744f7a6fb0b131ce796db5f7866363d762a99ba4b64b0b765

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPOON\CACHE\0x68C067F445817A5B\sxs\manifests\ash_libcurl.dll_0xB0CE1D849E7BA97A94B88A7B7E09323F.2.manifest
MD5
73102579f0cc3777bdd0ba96bab8d6f4

SHA1
08512e731aed9cdfeebf2e8fdc24a35ea23e3477

SHA256
03c937a5aba7fd7eab8ae959606ea4598e474da06b7ec63701255e7325a9e435

SHA512
e3928e509d852ae8f62b6378f984013345ddff9f5073e77323703acf20ca44bebff1753f09e7343cd948559bcafe766edce38e767efc5e7e7a5fd42c37be2e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp13FE.tmp.bat
MD5
8a52bf7cbfdb4d8f0999653b7a02ed1c

SHA1
f6f327a8b90ec69b8bea207c9cdaad843f017e2c

SHA256
39eb9b8abe84adfd9d43a48975ce9f61f29b0caddb8ed388e8ea28f4b041afd2

SHA512
373c47e51ebe5a63fd2780936ab4a818a48af22bfe1dcb0149eac9b6087baa756fd17d49d16535003571e88816cd4a4d41eda12dcc26236e0a94fcc8ae58e05c

Download Submit
C:\Users\Admin\AppData\Roaming\Service Host.exe
MD5
eca239a4923b4a96c2ed6a0805dd86dd

SHA1
01c57f3ac452857996accd616cc94b11a0fa4ade

SHA256
edc445d791e148aae429f8a06d414b2b57fe3f47fab4f2fd2bd8fac73e4acdc4

SHA512
49eef0f03a2d49d6add7368760c45b983414166ada6423e928bf36123229bbc6360ed6dc930da00e3bb5f4913698716c54fdd0fcd2715fe42c5e9b2d08d7260d

Download Submit
C:\Users\Admin\AppData\Roaming\Service Host.exe
MD5
eca239a4923b4a96c2ed6a0805dd86dd

SHA1
01c57f3ac452857996accd616cc94b11a0fa4ade

SHA256
edc445d791e148aae429f8a06d414b2b57fe3f47fab4f2fd2bd8fac73e4acdc4

SHA512
49eef0f03a2d49d6add7368760c45b983414166ada6423e928bf36123229bbc6360ed6dc930da00e3bb5f4913698716c54fdd0fcd2715fe42c5e9b2d08d7260d

Download Submit
C:\Users\Admin\AppData\Roaming\Service Host.exe
MD5
eca239a4923b4a96c2ed6a0805dd86dd

SHA1
01c57f3ac452857996accd616cc94b11a0fa4ade

SHA256
edc445d791e148aae429f8a06d414b2b57fe3f47fab4f2fd2bd8fac73e4acdc4

SHA512
49eef0f03a2d49d6add7368760c45b983414166ada6423e928bf36123229bbc6360ed6dc930da00e3bb5f4913698716c54fdd0fcd2715fe42c5e9b2d08d7260d

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Help.exe
MD5
53992ebaadaca513d4a606f7bd349157

SHA1
45fe4a2a83ae6d8f334687969a85be4ff3cbaf05

SHA256
fb0d11b408ec7a227f03afd2b28d9759d4fb2bed11273a6dcd6ab5e7772ad2b9

SHA512
be4b732720805c11b069a5bb96d498b41172ebc74172fd84b75bb65ef10bc580e417dd5a108cdac0615d590e58debe414e8e1b259dbbc1e91c39cff4b9071130

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Help.exe
MD5
53992ebaadaca513d4a606f7bd349157

SHA1
45fe4a2a83ae6d8f334687969a85be4ff3cbaf05

SHA256
fb0d11b408ec7a227f03afd2b28d9759d4fb2bed11273a6dcd6ab5e7772ad2b9

SHA512
be4b732720805c11b069a5bb96d498b41172ebc74172fd84b75bb65ef10bc580e417dd5a108cdac0615d590e58debe414e8e1b259dbbc1e91c39cff4b9071130

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Help.exe
MD5
53992ebaadaca513d4a606f7bd349157

SHA1
45fe4a2a83ae6d8f334687969a85be4ff3cbaf05

SHA256
fb0d11b408ec7a227f03afd2b28d9759d4fb2bed11273a6dcd6ab5e7772ad2b9

SHA512
be4b732720805c11b069a5bb96d498b41172ebc74172fd84b75bb65ef10bc580e417dd5a108cdac0615d590e58debe414e8e1b259dbbc1e91c39cff4b9071130

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe
MD5
5552da494eb603d395bd867989de69b1

SHA1
bb4054c6db453a73c7c34d6f5f15cdf1a111252f

SHA256
4ed7dbbe202873552598491aa2cd5c3b734514add487ff1c2f16c54d1d8852b2

SHA512
722bf80731b8ca14e995b1a6a77ac1a2889af2e5de58b7c2876b1363049f664017106499b0e0c2b65b144ac34711041e00c805f13f7588049c377dc2a20d6ec7

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe
MD5
5552da494eb603d395bd867989de69b1

SHA1
bb4054c6db453a73c7c34d6f5f15cdf1a111252f

SHA256
4ed7dbbe202873552598491aa2cd5c3b734514add487ff1c2f16c54d1d8852b2

SHA512
722bf80731b8ca14e995b1a6a77ac1a2889af2e5de58b7c2876b1363049f664017106499b0e0c2b65b144ac34711041e00c805f13f7588049c377dc2a20d6ec7

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe
MD5
5552da494eb603d395bd867989de69b1

SHA1
bb4054c6db453a73c7c34d6f5f15cdf1a111252f

SHA256
4ed7dbbe202873552598491aa2cd5c3b734514add487ff1c2f16c54d1d8852b2

SHA512
722bf80731b8ca14e995b1a6a77ac1a2889af2e5de58b7c2876b1363049f664017106499b0e0c2b65b144ac34711041e00c805f13f7588049c377dc2a20d6ec7

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
MD5
5552da494eb603d395bd867989de69b1

SHA1
bb4054c6db453a73c7c34d6f5f15cdf1a111252f

SHA256
4ed7dbbe202873552598491aa2cd5c3b734514add487ff1c2f16c54d1d8852b2

SHA512
722bf80731b8ca14e995b1a6a77ac1a2889af2e5de58b7c2876b1363049f664017106499b0e0c2b65b144ac34711041e00c805f13f7588049c377dc2a20d6ec7

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
MD5
5552da494eb603d395bd867989de69b1

SHA1
bb4054c6db453a73c7c34d6f5f15cdf1a111252f

SHA256
4ed7dbbe202873552598491aa2cd5c3b734514add487ff1c2f16c54d1d8852b2

SHA512
722bf80731b8ca14e995b1a6a77ac1a2889af2e5de58b7c2876b1363049f664017106499b0e0c2b65b144ac34711041e00c805f13f7588049c377dc2a20d6ec7

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
MD5
5552da494eb603d395bd867989de69b1

SHA1
bb4054c6db453a73c7c34d6f5f15cdf1a111252f

SHA256
4ed7dbbe202873552598491aa2cd5c3b734514add487ff1c2f16c54d1d8852b2

SHA512
722bf80731b8ca14e995b1a6a77ac1a2889af2e5de58b7c2876b1363049f664017106499b0e0c2b65b144ac34711041e00c805f13f7588049c377dc2a20d6ec7

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\stubexe\0x27455F3DAFB1B6BB\WO18.exe
MD5
a42c7fe90cd110ed7b73e2795d68080c

SHA1
6ef8b052120331562d38d2eceb35bf6e1bc7674a

SHA256
6bf9fe450845361706dd331a02ff51dcb21b4df9be2387af43be690ad4189bb5

SHA512
e4ae00e77454c8b25a47d4cf15aa46bce68f7fbd0bcc8bd42c3ad6a0d224736dfe42d04a1be7daaa3437b2c99aa6be0fb3ed2867ddae7a7d455f1b44139394ce

Download Submit
\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\WinOptimizer.18.00.18.Portable.exe
MD5
22a7ba737ffda155c69a9630b43b4735

SHA1
781201b674d7b0a090999c58f86c749563e0d127

SHA256
1eb27b1a605dd47402d6b4fbe12db60242d7beb941e39bfaf1e718c17f5a4e2c

SHA512
fa7607cdc59559a51fde243a26d0e5dc799351edc1d4b1924cc4699bb7cc197558ee0d108a50532e5919a480595c8e74712a7a3578ef50e585c2b8427032ac50

Download Submit
\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\WinOptimizer.18.00.18.Portable.exe
MD5
22a7ba737ffda155c69a9630b43b4735

SHA1
781201b674d7b0a090999c58f86c749563e0d127

SHA256
1eb27b1a605dd47402d6b4fbe12db60242d7beb941e39bfaf1e718c17f5a4e2c

SHA512
fa7607cdc59559a51fde243a26d0e5dc799351edc1d4b1924cc4699bb7cc197558ee0d108a50532e5919a480595c8e74712a7a3578ef50e585c2b8427032ac50

Download Submit
\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\WinOptimizer.18.00.18.Portable.exe
MD5
22a7ba737ffda155c69a9630b43b4735

SHA1
781201b674d7b0a090999c58f86c749563e0d127

SHA256
1eb27b1a605dd47402d6b4fbe12db60242d7beb941e39bfaf1e718c17f5a4e2c

SHA512
fa7607cdc59559a51fde243a26d0e5dc799351edc1d4b1924cc4699bb7cc197558ee0d108a50532e5919a480595c8e74712a7a3578ef50e585c2b8427032ac50

Download Submit
\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\WinOptimizer.18.00.18.Portable.exe
MD5
22a7ba737ffda155c69a9630b43b4735

SHA1
781201b674d7b0a090999c58f86c749563e0d127

SHA256
1eb27b1a605dd47402d6b4fbe12db60242d7beb941e39bfaf1e718c17f5a4e2c

SHA512
fa7607cdc59559a51fde243a26d0e5dc799351edc1d4b1924cc4699bb7cc197558ee0d108a50532e5919a480595c8e74712a7a3578ef50e585c2b8427032ac50

Download Submit
\Users\Admin\AppData\Roaming\Service Host.exe
MD5
eca239a4923b4a96c2ed6a0805dd86dd

SHA1
01c57f3ac452857996accd616cc94b11a0fa4ade

SHA256
edc445d791e148aae429f8a06d414b2b57fe3f47fab4f2fd2bd8fac73e4acdc4

SHA512
49eef0f03a2d49d6add7368760c45b983414166ada6423e928bf36123229bbc6360ed6dc930da00e3bb5f4913698716c54fdd0fcd2715fe42c5e9b2d08d7260d

Download Submit
\Users\Admin\AppData\Roaming\Service Host.exe
MD5
eca239a4923b4a96c2ed6a0805dd86dd

SHA1
01c57f3ac452857996accd616cc94b11a0fa4ade

SHA256
edc445d791e148aae429f8a06d414b2b57fe3f47fab4f2fd2bd8fac73e4acdc4

SHA512
49eef0f03a2d49d6add7368760c45b983414166ada6423e928bf36123229bbc6360ed6dc930da00e3bb5f4913698716c54fdd0fcd2715fe42c5e9b2d08d7260d

Download Submit
\Users\Admin\AppData\Roaming\Service Host.exe
MD5
eca239a4923b4a96c2ed6a0805dd86dd

SHA1
01c57f3ac452857996accd616cc94b11a0fa4ade

SHA256
edc445d791e148aae429f8a06d414b2b57fe3f47fab4f2fd2bd8fac73e4acdc4

SHA512
49eef0f03a2d49d6add7368760c45b983414166ada6423e928bf36123229bbc6360ed6dc930da00e3bb5f4913698716c54fdd0fcd2715fe42c5e9b2d08d7260d

Download Submit
\Users\Admin\AppData\Roaming\Service Host.exe
MD5
eca239a4923b4a96c2ed6a0805dd86dd

SHA1
01c57f3ac452857996accd616cc94b11a0fa4ade

SHA256
edc445d791e148aae429f8a06d414b2b57fe3f47fab4f2fd2bd8fac73e4acdc4

SHA512
49eef0f03a2d49d6add7368760c45b983414166ada6423e928bf36123229bbc6360ed6dc930da00e3bb5f4913698716c54fdd0fcd2715fe42c5e9b2d08d7260d

Download Submit
\Users\Admin\AppData\Roaming\Windows Help.exe
MD5
53992ebaadaca513d4a606f7bd349157

SHA1
45fe4a2a83ae6d8f334687969a85be4ff3cbaf05

SHA256
fb0d11b408ec7a227f03afd2b28d9759d4fb2bed11273a6dcd6ab5e7772ad2b9

SHA512
be4b732720805c11b069a5bb96d498b41172ebc74172fd84b75bb65ef10bc580e417dd5a108cdac0615d590e58debe414e8e1b259dbbc1e91c39cff4b9071130

Download Submit
\Users\Admin\AppData\Roaming\Windows Help.exe
MD5
53992ebaadaca513d4a606f7bd349157

SHA1
45fe4a2a83ae6d8f334687969a85be4ff3cbaf05

SHA256
fb0d11b408ec7a227f03afd2b28d9759d4fb2bed11273a6dcd6ab5e7772ad2b9

SHA512
be4b732720805c11b069a5bb96d498b41172ebc74172fd84b75bb65ef10bc580e417dd5a108cdac0615d590e58debe414e8e1b259dbbc1e91c39cff4b9071130

Download Submit
\Users\Admin\AppData\Roaming\Windows Help.exe
MD5
53992ebaadaca513d4a606f7bd349157

SHA1
45fe4a2a83ae6d8f334687969a85be4ff3cbaf05

SHA256
fb0d11b408ec7a227f03afd2b28d9759d4fb2bed11273a6dcd6ab5e7772ad2b9

SHA512
be4b732720805c11b069a5bb96d498b41172ebc74172fd84b75bb65ef10bc580e417dd5a108cdac0615d590e58debe414e8e1b259dbbc1e91c39cff4b9071130

Download Submit
\Users\Admin\AppData\Roaming\Windows Help.exe
MD5
53992ebaadaca513d4a606f7bd349157

SHA1
45fe4a2a83ae6d8f334687969a85be4ff3cbaf05

SHA256
fb0d11b408ec7a227f03afd2b28d9759d4fb2bed11273a6dcd6ab5e7772ad2b9

SHA512
be4b732720805c11b069a5bb96d498b41172ebc74172fd84b75bb65ef10bc580e417dd5a108cdac0615d590e58debe414e8e1b259dbbc1e91c39cff4b9071130

Download Submit
\Users\Admin\AppData\Roaming\Windows Microsoft.exe
MD5
5552da494eb603d395bd867989de69b1

SHA1
bb4054c6db453a73c7c34d6f5f15cdf1a111252f

SHA256
4ed7dbbe202873552598491aa2cd5c3b734514add487ff1c2f16c54d1d8852b2

SHA512
722bf80731b8ca14e995b1a6a77ac1a2889af2e5de58b7c2876b1363049f664017106499b0e0c2b65b144ac34711041e00c805f13f7588049c377dc2a20d6ec7

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
MD5
5552da494eb603d395bd867989de69b1

SHA1
bb4054c6db453a73c7c34d6f5f15cdf1a111252f

SHA256
4ed7dbbe202873552598491aa2cd5c3b734514add487ff1c2f16c54d1d8852b2

SHA512
722bf80731b8ca14e995b1a6a77ac1a2889af2e5de58b7c2876b1363049f664017106499b0e0c2b65b144ac34711041e00c805f13f7588049c377dc2a20d6ec7

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
MD5
5552da494eb603d395bd867989de69b1

SHA1
bb4054c6db453a73c7c34d6f5f15cdf1a111252f

SHA256
4ed7dbbe202873552598491aa2cd5c3b734514add487ff1c2f16c54d1d8852b2

SHA512
722bf80731b8ca14e995b1a6a77ac1a2889af2e5de58b7c2876b1363049f664017106499b0e0c2b65b144ac34711041e00c805f13f7588049c377dc2a20d6ec7

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
MD5
5552da494eb603d395bd867989de69b1

SHA1
bb4054c6db453a73c7c34d6f5f15cdf1a111252f

SHA256
4ed7dbbe202873552598491aa2cd5c3b734514add487ff1c2f16c54d1d8852b2

SHA512
722bf80731b8ca14e995b1a6a77ac1a2889af2e5de58b7c2876b1363049f664017106499b0e0c2b65b144ac34711041e00c805f13f7588049c377dc2a20d6ec7

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
MD5
5552da494eb603d395bd867989de69b1

SHA1
bb4054c6db453a73c7c34d6f5f15cdf1a111252f

SHA256
4ed7dbbe202873552598491aa2cd5c3b734514add487ff1c2f16c54d1d8852b2

SHA512
722bf80731b8ca14e995b1a6a77ac1a2889af2e5de58b7c2876b1363049f664017106499b0e0c2b65b144ac34711041e00c805f13f7588049c377dc2a20d6ec7

Download Submit
memory/436-74-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/436-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/436-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/436-68-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/436-69-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/436-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/436-72-0x000000000041E792-mapping.dmp

Download
memory/436-76-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/436-86-0x0000000000450000-0x0000000000455000-memory.dmp

Filesize
20KB

Download
memory/436-87-0x0000000000460000-0x0000000000479000-memory.dmp

Filesize
100KB

Download
memory/436-88-0x00000000005C0000-0x00000000005C3000-memory.dmp

Filesize
12KB

Download
memory/544-115-0x0000000000000000-mapping.dmp

Download
memory/664-108-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/664-81-0x0000000000000000-mapping.dmp

Download
memory/664-84-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/748-112-0x0000000000000000-mapping.dmp

Download
memory/768-95-0x000000000040C75E-mapping.dmp

Download
memory/768-97-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/768-110-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/768-90-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/768-94-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/768-91-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/768-92-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/768-93-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/892-106-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/892-103-0x0000000000000000-mapping.dmp

Download
memory/892-145-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/968-111-0x0000000000000000-mapping.dmp

Download
memory/1176-230-0x000000000040C75E-mapping.dmp

Download
memory/1176-252-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/1468-66-0x0000000001360000-0x0000000001361000-memory.dmp

Filesize
4KB

Download
memory/1468-65-0x0000000000340000-0x000000000034C000-memory.dmp

Filesize
48KB

Download
memory/1468-63-0x00000000013D0000-0x00000000013D1000-memory.dmp

Filesize
4KB

Download
memory/1468-60-0x0000000000000000-mapping.dmp

Download
memory/1564-167-0x0000000000000000-mapping.dmp

Download
memory/1600-155-0x0000000000000000-mapping.dmp

Download
memory/1600-181-0x000000006FEE0000-0x000000006FEF9000-memory.dmp

Filesize
100KB

Download
memory/1600-361-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1600-185-0x000000006FEE0000-0x000000006FEF9000-memory.dmp

Filesize
100KB

Download
memory/1600-184-0x000000006FEE0000-0x000000006FEF9000-memory.dmp

Filesize
100KB

Download
memory/1600-183-0x000000006FEE0000-0x000000006FEF9000-memory.dmp

Filesize
100KB

Download
memory/1600-182-0x000000006FEE0000-0x000000006FEF9000-memory.dmp

Filesize
100KB

Download
memory/1600-161-0x0000000001C10000-0x00000000021B5000-memory.dmp

Filesize
5.6MB

Download
memory/1600-165-0x0000000001C10000-0x00000000021B5000-memory.dmp

Filesize
5.6MB

Download
memory/1600-166-0x0000000001C10000-0x00000000021B5000-memory.dmp

Filesize
5.6MB

Download
memory/1600-169-0x0000000001C10000-0x00000000021B5000-memory.dmp

Filesize
5.6MB

Download
memory/1600-171-0x0000000001C10000-0x00000000021B5000-memory.dmp

Filesize
5.6MB

Download
memory/1600-168-0x0000000001C10000-0x00000000021B5000-memory.dmp

Filesize
5.6MB

Download
memory/1600-164-0x0000000001C10000-0x00000000021B5000-memory.dmp

Filesize
5.6MB

Download
memory/1600-163-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1600-162-0x0000000001C10000-0x00000000021B5000-memory.dmp

Filesize
5.6MB

Download
memory/1600-160-0x0000000001C10000-0x00000000021B5000-memory.dmp

Filesize
5.6MB

Download
memory/1600-159-0x0000000001C10000-0x00000000021B5000-memory.dmp

Filesize
5.6MB

Download
memory/1604-55-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1632-149-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1632-136-0x0000000000000000-mapping.dmp

Download
memory/1632-143-0x00000000015C0000-0x0000000001B65000-memory.dmp

Filesize
5.6MB

Download
memory/1632-141-0x00000000015C0000-0x0000000001B65000-memory.dmp

Filesize
5.6MB

Download
memory/1632-153-0x00000000015C0000-0x0000000001B65000-memory.dmp

Filesize
5.6MB

Download
memory/1632-140-0x00000000015C0000-0x0000000001B65000-memory.dmp

Filesize
5.6MB

Download
memory/1632-150-0x00000000015C0000-0x0000000001B65000-memory.dmp

Filesize
5.6MB

Download
memory/1632-142-0x00000000015C0000-0x0000000001B65000-memory.dmp

Filesize
5.6MB

Download
memory/1632-147-0x00000000015C0000-0x0000000001B65000-memory.dmp

Filesize
5.6MB

Download
memory/1632-148-0x00000000015C0000-0x0000000001B65000-memory.dmp

Filesize
5.6MB

Download
memory/1632-144-0x00000000015C0000-0x0000000001B65000-memory.dmp

Filesize
5.6MB

Download
memory/1632-146-0x00000000015C0000-0x0000000001B65000-memory.dmp

Filesize
5.6MB

Download
memory/1652-118-0x0000000000000000-mapping.dmp

Download
memory/1652-232-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/1652-120-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1676-114-0x0000000000000000-mapping.dmp

Download
memory/1864-125-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1864-124-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1864-127-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1864-123-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1864-134-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1864-126-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1864-152-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/1864-128-0x000000000047E7CE-mapping.dmp

Download