asyncrat | a7521b44c71baaaa5ac4c74b1918196713fee07470a48cbd27b2c46142375154

Analysis

max time kernel
147s
max time network
154s
platform
windows10_x64
resource
win10-en-20211104
submitted
06-11-2021 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
Size

22.7MB
MD5

55287c8aa442a3f521aabb6a80b3f6a8
SHA1

5e9c38e66448c4c1b8066b04987eb62cf6f48763
SHA256

cfb1ee668fc3e25580c334ab753749d2ef5a44ab9be1e033047345827696cbf8
SHA512

2d265bb941c28944ae7a25dea43d6122e04e549d349fc8276670683926feac52b12d3de42b0601d134f3842641b28751a62c8ddc28e3a3140f2041dfdf629813

Score

10^/10

asyncrat nanocore neshta quasar mix21 mixone discovery evasion keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

pettbull.ddns.net:53896

127.0.0.1:53896

Mutex

5bb33a25-3661-40a6-bf27-e3cf4c873773

Attributes

activate_away_mode
false
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-12-19T09:35:29.334939436Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
53896
default_group
MIX221
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
5bb33a25-3661-40a6-bf27-e3cf4c873773
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
pettbull.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

MIXONE

pettbull.ddns.net:6606

pettbull.ddns.net:7707

pettbull.ddns.net:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

anti_vm
false
bsod
false
delay
3
install
true
install_file
Windows Microsoft.exe
install_folder
%AppData%
pastebin_config
null

aes.plain

Extracted

Family

quasar

Version

1.4.0

Botnet

MIX21

pettbull.ddns.net:4782

Mutex

69383ffd-4823-44c2-b21f-a105f85ed9a0

Attributes

encryption_key
DAE9E02E5E04D59D9AF2AA1D5E82248D5919AC6A
install_name
Windows Service.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft Windows
subdirectory
Windows Update

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Detect Neshta Payload 2 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\WinOptimizer.18.00.18.Portable.exe	family_neshta
C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\WinOptimizer.18.00.18.Portable.exe	family_neshta

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Quasar Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3204-179-0x0000000000400000-0x0000000000484000-memory.dmp	family_quasar
behavioral2/memory/3204-180-0x000000000047E7CE-mapping.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1712-150-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/1712-151-0x000000000040C75E-mapping.dmp	asyncrat
behavioral2/memory/2556-263-0x000000000040C75E-mapping.dmp	asyncrat

Executes dropped EXE 13 IoCs

Processes:

Service Host.exeService Host.exesvchost.exesvchost.exesvchost.exeWindows Help.exeWindows Microsoft.exeWindows Help.exeWindows Help.exeWinOptimizer.18.00.18.Portable.exeWO18.exeWindows Microsoft.exeWindows Microsoft.exe

pid	process
3120	Service Host.exe
1428	Service Host.exe
1260	svchost.exe
2324	svchost.exe
1712	svchost.exe
1936	Windows Help.exe
1644	Windows Microsoft.exe
3616	Windows Help.exe
3204	Windows Help.exe
1816	WinOptimizer.18.00.18.Portable.exe
4092	WO18.exe
1560	Windows Microsoft.exe
2556	Windows Microsoft.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\International\Geo\Nation	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Service Host.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Service = "C:\\Program Files (x86)\\DHCP Service\\dhcpsvc.exe"	Service Host.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Service Host.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Service Host.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Service Host.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WO18.exe

description	ioc	process
File opened (read-only)	\??\H:	WO18.exe
File opened (read-only)	\??\P:	WO18.exe
File opened (read-only)	\??\T:	WO18.exe
File opened (read-only)	\??\W:	WO18.exe
File opened (read-only)	\??\B:	WO18.exe
File opened (read-only)	\??\E:	WO18.exe
File opened (read-only)	\??\J:	WO18.exe
File opened (read-only)	\??\S:	WO18.exe
File opened (read-only)	\??\V:	WO18.exe
File opened (read-only)	\??\Y:	WO18.exe
File opened (read-only)	\??\Z:	WO18.exe
File opened (read-only)	\??\D:	WO18.exe
File opened (read-only)	\??\I:	WO18.exe
File opened (read-only)	\??\K:	WO18.exe
File opened (read-only)	\??\L:	WO18.exe
File opened (read-only)	\??\O:	WO18.exe
File opened (read-only)	\??\R:	WO18.exe
File opened (read-only)	\??\U:	WO18.exe
File opened (read-only)	\??\F:	WO18.exe
File opened (read-only)	\??\G:	WO18.exe
File opened (read-only)	\??\Q:	WO18.exe
File opened (read-only)	\??\X:	WO18.exe
File opened (read-only)	\??\M:	WO18.exe
File opened (read-only)	\??\N:	WO18.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WO18.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	WO18.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	WO18.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	WO18.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Service Host.exesvchost.exeWindows Help.exeWindows Microsoft.exe

description	pid	process	target process
PID 3120 set thread context of 1428	3120	Service Host.exe	Service Host.exe
PID 1260 set thread context of 1712	1260	svchost.exe	svchost.exe
PID 1936 set thread context of 3204	1936	Windows Help.exe	Windows Help.exe
PID 1644 set thread context of 2556	1644	Windows Microsoft.exe	Windows Microsoft.exe

Drops file in Program Files directory 51 IoCs

Processes:

WinOptimizer.18.00.18.Portable.exeWO18.exeCFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exeService Host.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\roaming\xregistry.bin.__tmp__	WinOptimizer.18.00.18.Portable.exe
File created	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\stubexe\0x27455F3DAFB1B6BB\WO18.exe.manifest.__tmp__	WinOptimizer.18.00.18.Portable.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\xsandbox.bin	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins.__meta__.__tmp__	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins.__meta__	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins\ash_inet.__meta__.__tmp__	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\WinOptimizer.18.00.18.Portable.exe	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\xsandbox.bin.__tmp__	WinOptimizer.18.00.18.Portable.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins\ash_inet\v3.__meta__	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\stubexe\0x27455F3DAFB1B6BB\WO18.exe.__tmp__	WinOptimizer.18.00.18.Portable.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\stubexe\0x27455F3DAFB1B6BB\WO18.exe.manifest.__tmp__	WinOptimizer.18.00.18.Portable.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins\default\skin.ini.__meta__	WO18.exe
File created	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\temp\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\data\dc.ini	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\data\dc.ini.__deleted__	WO18.exe
File created	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\meta\@PROGRAMFILESX86@\Ashampoo.__meta__.__tmp__	WO18.exe
File created	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\xsandbox.bin.__tmp__	WinOptimizer.18.00.18.Portable.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\xregistry.bin.__tmp__	WinOptimizer.18.00.18.Portable.exe
File created	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins\ash_inet\v3.__meta__.__tmp__	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18.__meta__	WinOptimizer.18.00.18.Portable.exe
File created	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\temp\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins\default\skin.ini	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\roaming\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins\default\skin.ini.__meta__	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\data\dc.ini.__meta__	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\meta\@PROGRAMFILESX86@\Ashampoo.__meta__	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Uninstall.exe	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
File opened for modification	C:\Program Files (x86)\DHCP Service\dhcpsvc.exe	Service Host.exe
File created	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins.__meta__.__tmp__	WO18.exe
File created	C:\Program Files (x86)\DHCP Service\dhcpsvc.exe	Service Host.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\temp\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\data\dc.ini	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins\default\skin.ini.__deleted__	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\stubexe\0x27455F3DAFB1B6BB\WO18.exe	WinOptimizer.18.00.18.Portable.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\temp\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins\default\skin.ini	WO18.exe
File created	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18.__meta__.__tmp__	WinOptimizer.18.00.18.Portable.exe
File created	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\stubexe\0x27455F3DAFB1B6BB\WO18.exe.__tmp__	WinOptimizer.18.00.18.Portable.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\roaming\modified\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins\default\skin.ini	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\roaming\modified\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\data\dc.ini	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins\ash_inet.__meta__	WO18.exe
File created	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Uninstall.ini	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18.__meta__.__tmp__	WinOptimizer.18.00.18.Portable.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\roaming\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\data\dc.ini.__meta__	WO18.exe
File created	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\roaming\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\data\dc.ini.__meta__.__tmp__	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\xsandbox.bin.__tmp__	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\roaming\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\data\dc.ini.__meta__.__tmp__	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\roaming\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins\default\skin.ini.__meta__.__tmp__	WO18.exe
File created	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\roaming\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins\default\skin.ini.__meta__.__tmp__	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\modified\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins\default\skin.ini	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\modified\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\data\dc.ini	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\meta\@PROGRAMFILESX86@\Ashampoo.__meta__.__tmp__	WO18.exe
File created	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins\ash_inet.__meta__.__tmp__	WO18.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\xsandbox.bin	WinOptimizer.18.00.18.Portable.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\stubexe\0x27455F3DAFB1B6BB\WO18.exe.manifest	WinOptimizer.18.00.18.Portable.exe
File opened for modification	C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\meta\@PROGRAMFILESX86@\Ashampoo\Ashampoo WinOptimizer 18\skins\ash_inet\v3.__meta__.__tmp__	WO18.exe

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2200 4092 WerFault.exe WO18.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

pid	pid_target	process	target process
2200	4092	WerFault.exe	WO18.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WO18.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WO18.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WO18.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3848 schtasks.exe
424 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2288 timeout.exe

pid	process
3848	schtasks.exe
424	schtasks.exe

pid	process
2288	timeout.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

Processes:

WO18.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER	WO18.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER	WO18.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CrossDomain_Fix_KB867801	WO18.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	WO18.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl	WO18.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CrossDomain_Fix_KB867801\WO18.exe = "1"	WO18.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	WO18.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\WO18.exe = "10001"	WO18.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER\WO18.exe = "10"	WO18.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	WO18.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER\WO18.exe = "10"	WO18.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_Cross_Domain_Redirect_Mitigation	WO18.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_Cross_Domain_Redirect_Mitigation\WO18.exe = "1"	WO18.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\WO18.exe = "1"	WO18.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	WO18.exe

Modifies registry class 1 IoCs

Processes:

CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WO18.exe

pid process

4092 WO18.exe

pid	process
4092	WO18.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

Service Host.exesvchost.exesvchost.exeWindows Help.exeWindows Microsoft.exeWO18.exeWerFault.exe

pid	process
1428	Service Host.exe
1428	Service Host.exe
1428	Service Host.exe
1260	svchost.exe
1260	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1936	Windows Help.exe
1936	Windows Help.exe
1644	Windows Microsoft.exe
1644	Windows Microsoft.exe
4092	WO18.exe
4092	WO18.exe
1428	Service Host.exe
1428	Service Host.exe
1428	Service Host.exe
1428	Service Host.exe
1428	Service Host.exe
1428	Service Host.exe
1428	Service Host.exe
1428	Service Host.exe
1428	Service Host.exe
1428	Service Host.exe
1428	Service Host.exe
1428	Service Host.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
1428	Service Host.exe
1428	Service Host.exe
1428	Service Host.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Service Host.exe

pid process

1428 Service Host.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

Service Host.exesvchost.exesvchost.exeWindows Help.exeWindows Help.exeWindows Microsoft.exeWindows Microsoft.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1428	Service Host.exe
Token: SeDebugPrivilege	1260	svchost.exe
Token: SeDebugPrivilege	1712	svchost.exe
Token: SeDebugPrivilege	1936	Windows Help.exe
Token: SeDebugPrivilege	3204	Windows Help.exe
Token: SeDebugPrivilege	1644	Windows Microsoft.exe
Token: SeDebugPrivilege	2556	Windows Microsoft.exe
Token: SeRestorePrivilege	2200	WerFault.exe
Token: SeBackupPrivilege	2200	WerFault.exe
Token: SeBackupPrivilege	2200	WerFault.exe
Token: SeDebugPrivilege	2200	WerFault.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WO18.exe

pid process

4092 WO18.exe
4092 WO18.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

WO18.exe

pid process

4092 WO18.exe

pid	process
4092	WO18.exe
4092	WO18.exe

pid	process
4092	WO18.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exeService Host.exesvchost.exesvchost.execmd.execmd.exeWindows Help.exeWinOptimizer.18.00.18.Portable.exeWindows Help.exe

description	pid	process	target process
PID 2732 wrote to memory of 3120	2732	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	Service Host.exe
PID 2732 wrote to memory of 3120	2732	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	Service Host.exe
PID 2732 wrote to memory of 3120	2732	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	Service Host.exe
PID 3120 wrote to memory of 1428	3120	Service Host.exe	Service Host.exe
PID 3120 wrote to memory of 1428	3120	Service Host.exe	Service Host.exe
PID 3120 wrote to memory of 1428	3120	Service Host.exe	Service Host.exe
PID 3120 wrote to memory of 1428	3120	Service Host.exe	Service Host.exe
PID 3120 wrote to memory of 1428	3120	Service Host.exe	Service Host.exe
PID 3120 wrote to memory of 1428	3120	Service Host.exe	Service Host.exe
PID 3120 wrote to memory of 1428	3120	Service Host.exe	Service Host.exe
PID 3120 wrote to memory of 1428	3120	Service Host.exe	Service Host.exe
PID 2732 wrote to memory of 1260	2732	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	svchost.exe
PID 2732 wrote to memory of 1260	2732	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	svchost.exe
PID 2732 wrote to memory of 1260	2732	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	svchost.exe
PID 1260 wrote to memory of 2324	1260	svchost.exe	svchost.exe
PID 1260 wrote to memory of 2324	1260	svchost.exe	svchost.exe
PID 1260 wrote to memory of 2324	1260	svchost.exe	svchost.exe
PID 1260 wrote to memory of 1712	1260	svchost.exe	svchost.exe
PID 1260 wrote to memory of 1712	1260	svchost.exe	svchost.exe
PID 1260 wrote to memory of 1712	1260	svchost.exe	svchost.exe
PID 1260 wrote to memory of 1712	1260	svchost.exe	svchost.exe
PID 1260 wrote to memory of 1712	1260	svchost.exe	svchost.exe
PID 1260 wrote to memory of 1712	1260	svchost.exe	svchost.exe
PID 1260 wrote to memory of 1712	1260	svchost.exe	svchost.exe
PID 1260 wrote to memory of 1712	1260	svchost.exe	svchost.exe
PID 2732 wrote to memory of 1936	2732	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	Windows Help.exe
PID 2732 wrote to memory of 1936	2732	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	Windows Help.exe
PID 2732 wrote to memory of 1936	2732	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	Windows Help.exe
PID 1712 wrote to memory of 2376	1712	svchost.exe	cmd.exe
PID 1712 wrote to memory of 2376	1712	svchost.exe	cmd.exe
PID 1712 wrote to memory of 2376	1712	svchost.exe	cmd.exe
PID 1712 wrote to memory of 2648	1712	svchost.exe	cmd.exe
PID 1712 wrote to memory of 2648	1712	svchost.exe	cmd.exe
PID 1712 wrote to memory of 2648	1712	svchost.exe	cmd.exe
PID 2376 wrote to memory of 3848	2376	cmd.exe	schtasks.exe
PID 2376 wrote to memory of 3848	2376	cmd.exe	schtasks.exe
PID 2376 wrote to memory of 3848	2376	cmd.exe	schtasks.exe
PID 2648 wrote to memory of 2288	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 2288	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 2288	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 1644	2648	cmd.exe	Windows Microsoft.exe
PID 2648 wrote to memory of 1644	2648	cmd.exe	Windows Microsoft.exe
PID 2648 wrote to memory of 1644	2648	cmd.exe	Windows Microsoft.exe
PID 1936 wrote to memory of 3616	1936	Windows Help.exe	Windows Help.exe
PID 1936 wrote to memory of 3616	1936	Windows Help.exe	Windows Help.exe
PID 1936 wrote to memory of 3616	1936	Windows Help.exe	Windows Help.exe
PID 1936 wrote to memory of 3204	1936	Windows Help.exe	Windows Help.exe
PID 1936 wrote to memory of 3204	1936	Windows Help.exe	Windows Help.exe
PID 1936 wrote to memory of 3204	1936	Windows Help.exe	Windows Help.exe
PID 1936 wrote to memory of 3204	1936	Windows Help.exe	Windows Help.exe
PID 1936 wrote to memory of 3204	1936	Windows Help.exe	Windows Help.exe
PID 1936 wrote to memory of 3204	1936	Windows Help.exe	Windows Help.exe
PID 1936 wrote to memory of 3204	1936	Windows Help.exe	Windows Help.exe
PID 1936 wrote to memory of 3204	1936	Windows Help.exe	Windows Help.exe
PID 2732 wrote to memory of 1816	2732	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	WinOptimizer.18.00.18.Portable.exe
PID 2732 wrote to memory of 1816	2732	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	WinOptimizer.18.00.18.Portable.exe
PID 2732 wrote to memory of 1816	2732	CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe	WinOptimizer.18.00.18.Portable.exe
PID 1816 wrote to memory of 4092	1816	WinOptimizer.18.00.18.Portable.exe	WO18.exe
PID 1816 wrote to memory of 4092	1816	WinOptimizer.18.00.18.Portable.exe	WO18.exe
PID 1816 wrote to memory of 4092	1816	WinOptimizer.18.00.18.Portable.exe	WO18.exe
PID 1816 wrote to memory of 4092	1816	WinOptimizer.18.00.18.Portable.exe	WO18.exe
PID 1816 wrote to memory of 4092	1816	WinOptimizer.18.00.18.Portable.exe	WO18.exe
PID 1816 wrote to memory of 4092	1816	WinOptimizer.18.00.18.Portable.exe	WO18.exe
PID 3204 wrote to memory of 424	3204	Windows Help.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
"C:\Users\Admin\AppData\Local\Temp\CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732

C:\Users\Admin\AppData\Roaming\Service Host.exe
"C:\Users\Admin\AppData\Roaming\Service Host.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3120

C:\Users\Admin\AppData\Roaming\Service Host.exe
"C:\Users\Admin\AppData\Roaming\Service Host.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
PID:2324

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Microsoft" /tr '"C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Windows Microsoft" /tr '"C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe"'
5⤵
- Creates scheduled task(s)
PID:3848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB7E2.tmp.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:2288

C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe
"C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe
"C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe"
6⤵
- Executes dropped EXE
PID:1560

C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe
"C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Users\Admin\AppData\Roaming\Windows Help.exe
"C:\Users\Admin\AppData\Roaming\Windows Help.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Roaming\Windows Help.exe
"C:\Users\Admin\AppData\Roaming\Windows Help.exe"
3⤵
- Executes dropped EXE
PID:3616

C:\Users\Admin\AppData\Roaming\Windows Help.exe
"C:\Users\Admin\AppData\Roaming\Windows Help.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Microsoft Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Help.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:424

C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\WinOptimizer.18.00.18.Portable.exe
"C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\WinOptimizer.18.00.18.Portable.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1816

C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\stubexe\0x27455F3DAFB1B6BB\WO18.exe
"C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\stubexe\0x27455F3DAFB1B6BB\WO18.exe" /864A627C-C6B2-464A-AA13-25D62F282BD8
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 2640
4⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\stubexe\0x27455F3DAFB1B6BB\WO18.exe
MD5
a42c7fe90cd110ed7b73e2795d68080c

SHA1
6ef8b052120331562d38d2eceb35bf6e1bc7674a

SHA256
6bf9fe450845361706dd331a02ff51dcb21b4df9be2387af43be690ad4189bb5

SHA512
e4ae00e77454c8b25a47d4cf15aa46bce68f7fbd0bcc8bd42c3ad6a0d224736dfe42d04a1be7daaa3437b2c99aa6be0fb3ed2867ddae7a7d455f1b44139394ce

Download Submit
C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\xsandbox.bin
MD5
ec3d19e8e9b05d025cb56c2a98ead8e7

SHA1
748532edeb86496c8efe5e2327501d89ec1f13df

SHA256
edb7be3ef6098a1e24d0c72bbc6f968dea773951a0dd07b63bad6d9009ae3bf4

SHA512
175fb8432472b6795bb5db0eba61bc7b57331720825df5b048f3086815ba844df4f7e83e42ff9e8fe5ab01700675a774cb916677953d6e0088ffbf1fa2775349

Download Submit
C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\WinOptimizer.18.00.18.Portable.exe
MD5
22a7ba737ffda155c69a9630b43b4735

SHA1
781201b674d7b0a090999c58f86c749563e0d127

SHA256
1eb27b1a605dd47402d6b4fbe12db60242d7beb941e39bfaf1e718c17f5a4e2c

SHA512
fa7607cdc59559a51fde243a26d0e5dc799351edc1d4b1924cc4699bb7cc197558ee0d108a50532e5919a480595c8e74712a7a3578ef50e585c2b8427032ac50

Download Submit
C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\WinOptimizer.18.00.18.Portable.exe
MD5
22a7ba737ffda155c69a9630b43b4735

SHA1
781201b674d7b0a090999c58f86c749563e0d127

SHA256
1eb27b1a605dd47402d6b4fbe12db60242d7beb941e39bfaf1e718c17f5a4e2c

SHA512
fa7607cdc59559a51fde243a26d0e5dc799351edc1d4b1924cc4699bb7cc197558ee0d108a50532e5919a480595c8e74712a7a3578ef50e585c2b8427032ac50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Service Host.exe.log
MD5
1f838145a4923ed562d02902e8762497

SHA1
3c4ad809241ab1659276b0447ce66c04cb5ce760

SHA256
470bf5909e08a43394ef4ab3bac70b8686ea79b0c6a42a6ceab2f59b1f34a343

SHA512
21ae448fcf3f01e3348511618e8dd7abe9afc48c009503c24358d3342565e03228b563228f680859d96932889d23370b8346cf130a219ef6b80b185c2ce80ad7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Help.exe.log
MD5
1f838145a4923ed562d02902e8762497

SHA1
3c4ad809241ab1659276b0447ce66c04cb5ce760

SHA256
470bf5909e08a43394ef4ab3bac70b8686ea79b0c6a42a6ceab2f59b1f34a343

SHA512
21ae448fcf3f01e3348511618e8dd7abe9afc48c009503c24358d3342565e03228b563228f680859d96932889d23370b8346cf130a219ef6b80b185c2ce80ad7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log
MD5
1f838145a4923ed562d02902e8762497

SHA1
3c4ad809241ab1659276b0447ce66c04cb5ce760

SHA256
470bf5909e08a43394ef4ab3bac70b8686ea79b0c6a42a6ceab2f59b1f34a343

SHA512
21ae448fcf3f01e3348511618e8dd7abe9afc48c009503c24358d3342565e03228b563228f680859d96932889d23370b8346cf130a219ef6b80b185c2ce80ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPOON\CACHE\0x68C067F445817A5B\sxs\manifests\WO18.exe_0xF006DAFA0CD57778F6EDBDF7001FBC97.1.manifest
MD5
bb0fd220a11c9083c19e432ff91dc842

SHA1
f88e500302e91645ee6894dbc599a8ac09b54030

SHA256
dcd7ddf6a1a7a5dcdf0502012331f9994e6a17ea4bac1603d15492b243a7dde4

SHA512
019622e05728c73d6c0d014cbe4595e25f6ac919d30aae5bfc1e52c0f1b51a2f510f9097733f64e744f7a6fb0b131ce796db5f7866363d762a99ba4b64b0b765

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPOON\CACHE\0x68C067F445817A5B\sxs\manifests\ash_libcurl.dll_0xB0CE1D849E7BA97A94B88A7B7E09323F.2.manifest
MD5
73102579f0cc3777bdd0ba96bab8d6f4

SHA1
08512e731aed9cdfeebf2e8fdc24a35ea23e3477

SHA256
03c937a5aba7fd7eab8ae959606ea4598e474da06b7ec63701255e7325a9e435

SHA512
e3928e509d852ae8f62b6378f984013345ddff9f5073e77323703acf20ca44bebff1753f09e7343cd948559bcafe766edce38e767efc5e7e7a5fd42c37be2e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB7E2.tmp.bat
MD5
432b51e42d7b47fdc9970680146441f4

SHA1
4213c46f5953ce265227cd3fc7b809029727f0f3

SHA256
f8c1a90b532497b111012489ba20318c88c53d0a1dc9575b3770f4f75f9becc9

SHA512
321561cef3b5df9d4ca926f54c4db29c2bdd003946a0a21794bccce22c7f55c0f8e9d92ef02fd2de24db8c51891bc782234b33dc306589f8a02a06910344965b

Download Submit
C:\Users\Admin\AppData\Roaming\Service Host.exe
MD5
eca239a4923b4a96c2ed6a0805dd86dd

SHA1
01c57f3ac452857996accd616cc94b11a0fa4ade

SHA256
edc445d791e148aae429f8a06d414b2b57fe3f47fab4f2fd2bd8fac73e4acdc4

SHA512
49eef0f03a2d49d6add7368760c45b983414166ada6423e928bf36123229bbc6360ed6dc930da00e3bb5f4913698716c54fdd0fcd2715fe42c5e9b2d08d7260d

Download Submit
C:\Users\Admin\AppData\Roaming\Service Host.exe
MD5
eca239a4923b4a96c2ed6a0805dd86dd

SHA1
01c57f3ac452857996accd616cc94b11a0fa4ade

SHA256
edc445d791e148aae429f8a06d414b2b57fe3f47fab4f2fd2bd8fac73e4acdc4

SHA512
49eef0f03a2d49d6add7368760c45b983414166ada6423e928bf36123229bbc6360ed6dc930da00e3bb5f4913698716c54fdd0fcd2715fe42c5e9b2d08d7260d

Download Submit
C:\Users\Admin\AppData\Roaming\Service Host.exe
MD5
eca239a4923b4a96c2ed6a0805dd86dd

SHA1
01c57f3ac452857996accd616cc94b11a0fa4ade

SHA256
edc445d791e148aae429f8a06d414b2b57fe3f47fab4f2fd2bd8fac73e4acdc4

SHA512
49eef0f03a2d49d6add7368760c45b983414166ada6423e928bf36123229bbc6360ed6dc930da00e3bb5f4913698716c54fdd0fcd2715fe42c5e9b2d08d7260d

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Help.exe
MD5
53992ebaadaca513d4a606f7bd349157

SHA1
45fe4a2a83ae6d8f334687969a85be4ff3cbaf05

SHA256
fb0d11b408ec7a227f03afd2b28d9759d4fb2bed11273a6dcd6ab5e7772ad2b9

SHA512
be4b732720805c11b069a5bb96d498b41172ebc74172fd84b75bb65ef10bc580e417dd5a108cdac0615d590e58debe414e8e1b259dbbc1e91c39cff4b9071130

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Help.exe
MD5
53992ebaadaca513d4a606f7bd349157

SHA1
45fe4a2a83ae6d8f334687969a85be4ff3cbaf05

SHA256
fb0d11b408ec7a227f03afd2b28d9759d4fb2bed11273a6dcd6ab5e7772ad2b9

SHA512
be4b732720805c11b069a5bb96d498b41172ebc74172fd84b75bb65ef10bc580e417dd5a108cdac0615d590e58debe414e8e1b259dbbc1e91c39cff4b9071130

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Help.exe
MD5
53992ebaadaca513d4a606f7bd349157

SHA1
45fe4a2a83ae6d8f334687969a85be4ff3cbaf05

SHA256
fb0d11b408ec7a227f03afd2b28d9759d4fb2bed11273a6dcd6ab5e7772ad2b9

SHA512
be4b732720805c11b069a5bb96d498b41172ebc74172fd84b75bb65ef10bc580e417dd5a108cdac0615d590e58debe414e8e1b259dbbc1e91c39cff4b9071130

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Help.exe
MD5
53992ebaadaca513d4a606f7bd349157

SHA1
45fe4a2a83ae6d8f334687969a85be4ff3cbaf05

SHA256
fb0d11b408ec7a227f03afd2b28d9759d4fb2bed11273a6dcd6ab5e7772ad2b9

SHA512
be4b732720805c11b069a5bb96d498b41172ebc74172fd84b75bb65ef10bc580e417dd5a108cdac0615d590e58debe414e8e1b259dbbc1e91c39cff4b9071130

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe
MD5
5552da494eb603d395bd867989de69b1

SHA1
bb4054c6db453a73c7c34d6f5f15cdf1a111252f

SHA256
4ed7dbbe202873552598491aa2cd5c3b734514add487ff1c2f16c54d1d8852b2

SHA512
722bf80731b8ca14e995b1a6a77ac1a2889af2e5de58b7c2876b1363049f664017106499b0e0c2b65b144ac34711041e00c805f13f7588049c377dc2a20d6ec7

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe
MD5
5552da494eb603d395bd867989de69b1

SHA1
bb4054c6db453a73c7c34d6f5f15cdf1a111252f

SHA256
4ed7dbbe202873552598491aa2cd5c3b734514add487ff1c2f16c54d1d8852b2

SHA512
722bf80731b8ca14e995b1a6a77ac1a2889af2e5de58b7c2876b1363049f664017106499b0e0c2b65b144ac34711041e00c805f13f7588049c377dc2a20d6ec7

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe
MD5
5552da494eb603d395bd867989de69b1

SHA1
bb4054c6db453a73c7c34d6f5f15cdf1a111252f

SHA256
4ed7dbbe202873552598491aa2cd5c3b734514add487ff1c2f16c54d1d8852b2

SHA512
722bf80731b8ca14e995b1a6a77ac1a2889af2e5de58b7c2876b1363049f664017106499b0e0c2b65b144ac34711041e00c805f13f7588049c377dc2a20d6ec7

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe
MD5
5552da494eb603d395bd867989de69b1

SHA1
bb4054c6db453a73c7c34d6f5f15cdf1a111252f

SHA256
4ed7dbbe202873552598491aa2cd5c3b734514add487ff1c2f16c54d1d8852b2

SHA512
722bf80731b8ca14e995b1a6a77ac1a2889af2e5de58b7c2876b1363049f664017106499b0e0c2b65b144ac34711041e00c805f13f7588049c377dc2a20d6ec7

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
MD5
5552da494eb603d395bd867989de69b1

SHA1
bb4054c6db453a73c7c34d6f5f15cdf1a111252f

SHA256
4ed7dbbe202873552598491aa2cd5c3b734514add487ff1c2f16c54d1d8852b2

SHA512
722bf80731b8ca14e995b1a6a77ac1a2889af2e5de58b7c2876b1363049f664017106499b0e0c2b65b144ac34711041e00c805f13f7588049c377dc2a20d6ec7

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
MD5
5552da494eb603d395bd867989de69b1

SHA1
bb4054c6db453a73c7c34d6f5f15cdf1a111252f

SHA256
4ed7dbbe202873552598491aa2cd5c3b734514add487ff1c2f16c54d1d8852b2

SHA512
722bf80731b8ca14e995b1a6a77ac1a2889af2e5de58b7c2876b1363049f664017106499b0e0c2b65b144ac34711041e00c805f13f7588049c377dc2a20d6ec7

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
MD5
5552da494eb603d395bd867989de69b1

SHA1
bb4054c6db453a73c7c34d6f5f15cdf1a111252f

SHA256
4ed7dbbe202873552598491aa2cd5c3b734514add487ff1c2f16c54d1d8852b2

SHA512
722bf80731b8ca14e995b1a6a77ac1a2889af2e5de58b7c2876b1363049f664017106499b0e0c2b65b144ac34711041e00c805f13f7588049c377dc2a20d6ec7

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
MD5
5552da494eb603d395bd867989de69b1

SHA1
bb4054c6db453a73c7c34d6f5f15cdf1a111252f

SHA256
4ed7dbbe202873552598491aa2cd5c3b734514add487ff1c2f16c54d1d8852b2

SHA512
722bf80731b8ca14e995b1a6a77ac1a2889af2e5de58b7c2876b1363049f664017106499b0e0c2b65b144ac34711041e00c805f13f7588049c377dc2a20d6ec7

Download Submit
\??\c:\program files (x86)\ashampoo gmbh & co. kg\winoptimizer portable\ashampoo winoptimizer 18\local\stubexe\0x27455f3dafb1b6bb\wo18.exe
MD5
a42c7fe90cd110ed7b73e2795d68080c

SHA1
6ef8b052120331562d38d2eceb35bf6e1bc7674a

SHA256
6bf9fe450845361706dd331a02ff51dcb21b4df9be2387af43be690ad4189bb5

SHA512
e4ae00e77454c8b25a47d4cf15aa46bce68f7fbd0bcc8bd42c3ad6a0d224736dfe42d04a1be7daaa3437b2c99aa6be0fb3ed2867ddae7a7d455f1b44139394ce

Download Submit
memory/424-230-0x0000000000000000-mapping.dmp

Download
memory/1260-135-0x0000000000000000-mapping.dmp

Download
memory/1260-138-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/1260-162-0x0000000005B00000-0x0000000005FFE000-memory.dmp

Filesize
5.0MB

Download
memory/1428-139-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/1428-143-0x0000000005450000-0x00000000054E2000-memory.dmp

Filesize
584KB

Download
memory/1428-144-0x0000000005A60000-0x0000000005A65000-memory.dmp

Filesize
20KB

Download
memory/1428-126-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1428-133-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/1428-127-0x000000000041E792-mapping.dmp

Download
memory/1428-146-0x0000000006290000-0x0000000006293000-memory.dmp

Filesize
12KB

Download
memory/1428-145-0x0000000006160000-0x0000000006179000-memory.dmp

Filesize
100KB

Download
memory/1644-273-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/1644-170-0x0000000000000000-mapping.dmp

Download
memory/1712-150-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1712-163-0x0000000005B01000-0x0000000005B02000-memory.dmp

Filesize
4KB

Download
memory/1712-151-0x000000000040C75E-mapping.dmp

Download
memory/1816-191-0x0000000001660000-0x0000000001C05000-memory.dmp

Filesize
5.6MB

Download
memory/1816-201-0x0000000001660000-0x0000000001C05000-memory.dmp

Filesize
5.6MB

Download
memory/1816-200-0x0000000001660000-0x0000000001C05000-memory.dmp

Filesize
5.6MB

Download
memory/1816-185-0x0000000000000000-mapping.dmp

Download
memory/1816-197-0x0000000001660000-0x0000000001C05000-memory.dmp

Filesize
5.6MB

Download
memory/1816-202-0x0000000001660000-0x0000000001C05000-memory.dmp

Filesize
5.6MB

Download
memory/1816-204-0x0000000001660000-0x0000000001C05000-memory.dmp

Filesize
5.6MB

Download
memory/1816-194-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/1816-193-0x0000000001660000-0x0000000001C05000-memory.dmp

Filesize
5.6MB

Download
memory/1816-199-0x0000000001660000-0x0000000001C05000-memory.dmp

Filesize
5.6MB

Download
memory/1816-195-0x0000000001660000-0x0000000001C05000-memory.dmp

Filesize
5.6MB

Download
memory/1816-198-0x0000000001660000-0x0000000001C05000-memory.dmp

Filesize
5.6MB

Download
memory/1936-190-0x0000000005540000-0x0000000005A3E000-memory.dmp

Filesize
5.0MB

Download
memory/1936-159-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/1936-155-0x0000000000000000-mapping.dmp

Download
memory/2288-169-0x0000000000000000-mapping.dmp

Download
memory/2376-165-0x0000000000000000-mapping.dmp

Download
memory/2556-263-0x000000000040C75E-mapping.dmp

Download
memory/2556-285-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/2648-166-0x0000000000000000-mapping.dmp

Download
memory/3120-124-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/3120-121-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/3120-123-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/3120-125-0x0000000004D70000-0x0000000004D7C000-memory.dmp

Filesize
48KB

Download
memory/3120-142-0x0000000004DA0000-0x000000000529E000-memory.dmp

Filesize
5.0MB

Download
memory/3120-118-0x0000000000000000-mapping.dmp

Download
memory/3204-179-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3204-180-0x000000000047E7CE-mapping.dmp

Download
memory/3204-196-0x0000000005890000-0x0000000005891000-memory.dmp

Filesize
4KB

Download
memory/3848-168-0x0000000000000000-mapping.dmp

Download
memory/4092-209-0x0000000001D20000-0x00000000022C5000-memory.dmp

Filesize
5.6MB

Download
memory/4092-215-0x0000000001D20000-0x00000000022C5000-memory.dmp

Filesize
5.6MB

Download
memory/4092-219-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4092-218-0x0000000001D20000-0x00000000022C5000-memory.dmp

Filesize
5.6MB

Download
memory/4092-231-0x000000006E3C0000-0x000000006E3D9000-memory.dmp

Filesize
100KB

Download
memory/4092-232-0x000000006E3C0000-0x000000006E3D9000-memory.dmp

Filesize
100KB

Download
memory/4092-217-0x0000000001D20000-0x00000000022C5000-memory.dmp

Filesize
5.6MB

Download
memory/4092-233-0x000000006E3C0000-0x000000006E3D9000-memory.dmp

Filesize
100KB

Download
memory/4092-234-0x000000006E3C0000-0x000000006E3D9000-memory.dmp

Filesize
100KB

Download
memory/4092-229-0x000000006E3C0000-0x000000006E3D9000-memory.dmp

Filesize
100KB

Download
memory/4092-235-0x000000006E3C0000-0x000000006E3D9000-memory.dmp

Filesize
100KB

Download
memory/4092-213-0x0000000001D20000-0x00000000022C5000-memory.dmp

Filesize
5.6MB

Download
memory/4092-214-0x0000000001D20000-0x00000000022C5000-memory.dmp

Filesize
5.6MB

Download
memory/4092-212-0x0000000001D20000-0x00000000022C5000-memory.dmp

Filesize
5.6MB

Download
memory/4092-210-0x0000000001D20000-0x00000000022C5000-memory.dmp

Filesize
5.6MB

Download
memory/4092-211-0x0000000001D20000-0x00000000022C5000-memory.dmp

Filesize
5.6MB

Download
memory/4092-208-0x0000000001D20000-0x00000000022C5000-memory.dmp

Filesize
5.6MB

Download
memory/4092-286-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4092-205-0x0000000000000000-mapping.dmp

Download