nanocore | 4635920e78112660335f3ee1a05290b0fc174787a0e4532a029983e02179ad0b

Analysis

max time kernel
148s
max time network
155s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04-10-2023 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

java_done.exe
Size

4.1MB
MD5

88b17e26ef2c53627314448b4894bb9a
SHA1

e444ca1f1c3a1bc003e9e03f5dbcc3e88400e7fd
SHA256

4635920e78112660335f3ee1a05290b0fc174787a0e4532a029983e02179ad0b
SHA512

f113b2fc5f68a86c94931140c22e3557ee15c75ad21734015bd93ddc9553169a926374d721b083161995573ab34651ea6fec5d7330704f0bb432f0f0aa81c6c9
SSDEEP

98304:F/PnaasivP4Af1rumiBWgd5m+Qfr7fBZiVIrB6:FHnPgAf1r2WgbAtd

Score

10^/10

nanocore quasar warzonerat slave evasion infostealer keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

backupcraft.ddns.net:54984

127.0.0.1:54984

Mutex

96156e42-3e88-498a-83b0-34f138a87549

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65541
build_time
2023-06-29T18:37:26.433436736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Default
enable_debug_mode
true
gc_threshold
1.0485763e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
96156e42-3e88-498a-83b0-34f138a87549
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
backupcraft.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

quasar

Version

1.4.1

Botnet

Slave

backupcraft.ddns.net:4782

Mutex

fbfe67fd-8086-4852-908c-75959d17c0c7

Attributes

encryption_key
6550C5FD133683B3330870C778B7DB73E923F472
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

warzonerat

supercraft123.serveminecraft.net:5200

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\systemq.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\systemq.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\systemq.exe	family_quasar
behavioral1/memory/2728-34-0x00000000010D0000-0x00000000013F4000-memory.dmp	family_quasar

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 9 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\wz_payload.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\wz_payload.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\wz_payload.exe	warzonerat
\Users\Admin\AppData\Local\Temp\wz_payload.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\wz_payload.exe	warzonerat
C:\Users\Admin\Documents\svchost.exe	warzonerat
\Users\Admin\Documents\svchost.exe	warzonerat
\Users\Admin\Documents\svchost.exe	warzonerat
C:\Users\Admin\Documents\svchost.exe	warzonerat

Drops startup file 2 IoCs

Processes:

wz_payload.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	wz_payload.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	wz_payload.exe

Executes dropped EXE 6 IoCs

Processes:

nanocore_payload.exesystemq.exewz_payload.exepm_payload.exesvchost.exeTags.exe

pid process

2296 nanocore_payload.exe
2728 systemq.exe
2664 wz_payload.exe
2408 pm_payload.exe
1820 svchost.exe
1872 Tags.exe

pid	process
2296	nanocore_payload.exe
2728	systemq.exe
2664	wz_payload.exe
2408	pm_payload.exe
1820	svchost.exe
1872	Tags.exe

Loads dropped DLL 9 IoCs

Processes:

java_done.exewz_payload.exetaskeng.exe

pid	process
2240	java_done.exe
2240	java_done.exe
2240	java_done.exe
2240	java_done.exe
2240	java_done.exe
2240	java_done.exe
2664	wz_payload.exe
2664	wz_payload.exe
1784	taskeng.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

nanocore_payload.exewz_payload.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe"	nanocore_payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Users\\Admin\\Documents\\svchost.exe"	wz_payload.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

nanocore_payload.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA nanocore_payload.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nanocore_payload.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 2 IoCs

Processes:

nanocore_payload.exe

description	ioc	process
File created	C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe	nanocore_payload.exe
File opened for modification	C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe	nanocore_payload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
NTFS ADS 1 IoCs

Processes:

wz_payload.exe

description ioc process

File created C:\Users\Admin\Documents\Documents:ApplicationData wz_payload.exe

description	ioc	process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	wz_payload.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exenanocore_payload.exepowershell.exepowershell.exepowershell.exeTags.exe

pid	process
1264	powershell.exe
2296	nanocore_payload.exe
2296	nanocore_payload.exe
2296	nanocore_payload.exe
288	powershell.exe
2296	nanocore_payload.exe
2296	nanocore_payload.exe
2296	nanocore_payload.exe
2932	powershell.exe
828	powershell.exe
1872	Tags.exe
1872	Tags.exe
1872	Tags.exe
1872	Tags.exe
1872	Tags.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

nanocore_payload.exe

pid process

2296 nanocore_payload.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

svchost.exe

pid process

1820 svchost.exe

pid	process
2296	nanocore_payload.exe

pid	process
1820	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exenanocore_payload.exesystemq.exepowershell.exepm_payload.exepowershell.exepowershell.exeTags.exe

description	pid	process
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	2296	nanocore_payload.exe
Token: SeDebugPrivilege	2728	systemq.exe
Token: SeDebugPrivilege	288	powershell.exe
Token: SeDebugPrivilege	2408	pm_payload.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	828	powershell.exe
Token: SeDebugPrivilege	1872	Tags.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

systemq.exe

pid process

2728 systemq.exe

pid	process
2728	systemq.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

java_done.exewz_payload.exesvchost.exetaskeng.exetaskeng.exe

description	pid	process	target process
PID 2240 wrote to memory of 1264	2240	java_done.exe	powershell.exe
PID 2240 wrote to memory of 1264	2240	java_done.exe	powershell.exe
PID 2240 wrote to memory of 1264	2240	java_done.exe	powershell.exe
PID 2240 wrote to memory of 1264	2240	java_done.exe	powershell.exe
PID 2240 wrote to memory of 2296	2240	java_done.exe	nanocore_payload.exe
PID 2240 wrote to memory of 2296	2240	java_done.exe	nanocore_payload.exe
PID 2240 wrote to memory of 2296	2240	java_done.exe	nanocore_payload.exe
PID 2240 wrote to memory of 2296	2240	java_done.exe	nanocore_payload.exe
PID 2240 wrote to memory of 2728	2240	java_done.exe	systemq.exe
PID 2240 wrote to memory of 2728	2240	java_done.exe	systemq.exe
PID 2240 wrote to memory of 2728	2240	java_done.exe	systemq.exe
PID 2240 wrote to memory of 2728	2240	java_done.exe	systemq.exe
PID 2240 wrote to memory of 2664	2240	java_done.exe	wz_payload.exe
PID 2240 wrote to memory of 2664	2240	java_done.exe	wz_payload.exe
PID 2240 wrote to memory of 2664	2240	java_done.exe	wz_payload.exe
PID 2240 wrote to memory of 2664	2240	java_done.exe	wz_payload.exe
PID 2240 wrote to memory of 2408	2240	java_done.exe	pm_payload.exe
PID 2240 wrote to memory of 2408	2240	java_done.exe	pm_payload.exe
PID 2240 wrote to memory of 2408	2240	java_done.exe	pm_payload.exe
PID 2240 wrote to memory of 2408	2240	java_done.exe	pm_payload.exe
PID 2664 wrote to memory of 288	2664	wz_payload.exe	powershell.exe
PID 2664 wrote to memory of 288	2664	wz_payload.exe	powershell.exe
PID 2664 wrote to memory of 288	2664	wz_payload.exe	powershell.exe
PID 2664 wrote to memory of 288	2664	wz_payload.exe	powershell.exe
PID 2664 wrote to memory of 1820	2664	wz_payload.exe	svchost.exe
PID 2664 wrote to memory of 1820	2664	wz_payload.exe	svchost.exe
PID 2664 wrote to memory of 1820	2664	wz_payload.exe	svchost.exe
PID 2664 wrote to memory of 1820	2664	wz_payload.exe	svchost.exe
PID 1820 wrote to memory of 2932	1820	svchost.exe	powershell.exe
PID 1820 wrote to memory of 2932	1820	svchost.exe	powershell.exe
PID 1820 wrote to memory of 2932	1820	svchost.exe	powershell.exe
PID 1820 wrote to memory of 2932	1820	svchost.exe	powershell.exe
PID 1820 wrote to memory of 1452	1820	svchost.exe	cmd.exe
PID 1820 wrote to memory of 1452	1820	svchost.exe	cmd.exe
PID 1820 wrote to memory of 1452	1820	svchost.exe	cmd.exe
PID 1820 wrote to memory of 1452	1820	svchost.exe	cmd.exe
PID 2216 wrote to memory of 828	2216	taskeng.exe	powershell.exe
PID 2216 wrote to memory of 828	2216	taskeng.exe	powershell.exe
PID 2216 wrote to memory of 828	2216	taskeng.exe	powershell.exe
PID 1820 wrote to memory of 1452	1820	svchost.exe	cmd.exe
PID 1820 wrote to memory of 1452	1820	svchost.exe	cmd.exe
PID 1784 wrote to memory of 1872	1784	taskeng.exe	Tags.exe
PID 1784 wrote to memory of 1872	1784	taskeng.exe	Tags.exe
PID 1784 wrote to memory of 1872	1784	taskeng.exe	Tags.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\java_done.exe
"C:\Users\Admin\AppData\Local\Temp\java_done.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAaQByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAYgB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAegB6ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAZwBrACMAPgA="
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Users\Admin\AppData\Local\Temp\nanocore_payload.exe
"C:\Users\Admin\AppData\Local\Temp\nanocore_payload.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Users\Admin\AppData\Local\Temp\systemq.exe
"C:\Users\Admin\AppData\Local\Temp\systemq.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2728

C:\Users\Admin\AppData\Local\Temp\wz_payload.exe
"C:\Users\Admin\AppData\Local\Temp\wz_payload.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:288

C:\Users\Admin\Documents\svchost.exe
"C:\Users\Admin\Documents\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\pm_payload.exe
"C:\Users\Admin\AppData\Local\Temp\pm_payload.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\system32\taskeng.exe
taskeng.exe {8EB82ED0-FED2-49C7-BFED-83815056E406} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:S4U:
1⤵
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcACoALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACAALQBGAG8AcgBjAGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\system32\taskeng.exe
taskeng.exe {5B104478-7E95-4AA2-97AC-FD584137D738} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\AppData\Roaming\Current\Tags.exe
C:\Users\Admin\AppData\Roaming\Current\Tags.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nanocore_payload.exe
Filesize
202KB

MD5
453bdc5af90ce17385bc4e0ca1cbe15d

SHA1
4047e7aea50df01ea1adf1d3c1354e3335e56429

SHA256
89e3d9bdab44323f4e95c7ed14859e36e87e39332b2c28c2038465eb1abbc602

SHA512
368c8374f7e1cbe351c952625ca43b541230edc14e8b9e3c3751fc126dc7507fd7260c523233ef8e82f2d7562ed0e03068d9158551069d8e70156610b60d58ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nanocore_payload.exe
Filesize
202KB

MD5
453bdc5af90ce17385bc4e0ca1cbe15d

SHA1
4047e7aea50df01ea1adf1d3c1354e3335e56429

SHA256
89e3d9bdab44323f4e95c7ed14859e36e87e39332b2c28c2038465eb1abbc602

SHA512
368c8374f7e1cbe351c952625ca43b541230edc14e8b9e3c3751fc126dc7507fd7260c523233ef8e82f2d7562ed0e03068d9158551069d8e70156610b60d58ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nanocore_payload.exe
Filesize
202KB

MD5
453bdc5af90ce17385bc4e0ca1cbe15d

SHA1
4047e7aea50df01ea1adf1d3c1354e3335e56429

SHA256
89e3d9bdab44323f4e95c7ed14859e36e87e39332b2c28c2038465eb1abbc602

SHA512
368c8374f7e1cbe351c952625ca43b541230edc14e8b9e3c3751fc126dc7507fd7260c523233ef8e82f2d7562ed0e03068d9158551069d8e70156610b60d58ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\pm_payload.exe
Filesize
630KB

MD5
854ba5549b621ef7c140df6e5bb0617e

SHA1
01f9799ca06a249653bf49ec5a63188ce4f09fd7

SHA256
93388acca3dcc7f881169f858a3c90bf26b38502bd0635c0caebbd4102db7ba3

SHA512
11892a24a7695f40602f02581aa05e08e6e37e156594c453d92f14df75713cdb4897f3a44eadb4d3f54cfa99ff12afc39c06e894cd8995ff578e8d1dd1ca3ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pm_payload.exe
Filesize
630KB

MD5
854ba5549b621ef7c140df6e5bb0617e

SHA1
01f9799ca06a249653bf49ec5a63188ce4f09fd7

SHA256
93388acca3dcc7f881169f858a3c90bf26b38502bd0635c0caebbd4102db7ba3

SHA512
11892a24a7695f40602f02581aa05e08e6e37e156594c453d92f14df75713cdb4897f3a44eadb4d3f54cfa99ff12afc39c06e894cd8995ff578e8d1dd1ca3ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\systemq.exe
Filesize
3.1MB

MD5
29853d6de2a6ea760788dbdbe601a4ab

SHA1
038ee578dca716ebb46d4a96105838d39122d7a0

SHA256
ad306c945a71d25faffefb7330f1563ceb100513a4c50fa29fb60b2d46fbd732

SHA512
a6c5822ac7899582b6f7b09670a4e8f0f7867d468aa0b321967ed25a8cea0c27e8357b81e3909b61f8ae70f69d4e50f2b68c31f64110c0e6a258efc39f2f9bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\systemq.exe
Filesize
3.1MB

MD5
29853d6de2a6ea760788dbdbe601a4ab

SHA1
038ee578dca716ebb46d4a96105838d39122d7a0

SHA256
ad306c945a71d25faffefb7330f1563ceb100513a4c50fa29fb60b2d46fbd732

SHA512
a6c5822ac7899582b6f7b09670a4e8f0f7867d468aa0b321967ed25a8cea0c27e8357b81e3909b61f8ae70f69d4e50f2b68c31f64110c0e6a258efc39f2f9bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wz_payload.exe
Filesize
141KB

MD5
6dcd690c1dfe99f5ca7d7919dbc38295

SHA1
945aa4ef16fcddf718f06ef03fa00e1489f73d04

SHA256
ede6cba917445c8673017c2154e370a24fbc6a29c2c8e2d90e5a45d8624d837d

SHA512
1f2bbb98f2e439e4b09ba8e32053c212a747b58dac1eff4f2583d6a649d6974f5196876d7e8521717ab7932a84fe3882ac68c4d7ad7d193dc11022ecada584ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\wz_payload.exe
Filesize
141KB

MD5
6dcd690c1dfe99f5ca7d7919dbc38295

SHA1
945aa4ef16fcddf718f06ef03fa00e1489f73d04

SHA256
ede6cba917445c8673017c2154e370a24fbc6a29c2c8e2d90e5a45d8624d837d

SHA512
1f2bbb98f2e439e4b09ba8e32053c212a747b58dac1eff4f2583d6a649d6974f5196876d7e8521717ab7932a84fe3882ac68c4d7ad7d193dc11022ecada584ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\wz_payload.exe
Filesize
141KB

MD5
6dcd690c1dfe99f5ca7d7919dbc38295

SHA1
945aa4ef16fcddf718f06ef03fa00e1489f73d04

SHA256
ede6cba917445c8673017c2154e370a24fbc6a29c2c8e2d90e5a45d8624d837d

SHA512
1f2bbb98f2e439e4b09ba8e32053c212a747b58dac1eff4f2583d6a649d6974f5196876d7e8521717ab7932a84fe3882ac68c4d7ad7d193dc11022ecada584ba

Download Submit
C:\Users\Admin\AppData\Roaming\Current\Tags.exe
Filesize
630KB

MD5
854ba5549b621ef7c140df6e5bb0617e

SHA1
01f9799ca06a249653bf49ec5a63188ce4f09fd7

SHA256
93388acca3dcc7f881169f858a3c90bf26b38502bd0635c0caebbd4102db7ba3

SHA512
11892a24a7695f40602f02581aa05e08e6e37e156594c453d92f14df75713cdb4897f3a44eadb4d3f54cfa99ff12afc39c06e894cd8995ff578e8d1dd1ca3ba6

Download Submit
C:\Users\Admin\AppData\Roaming\Current\Tags.exe
Filesize
630KB

MD5
854ba5549b621ef7c140df6e5bb0617e

SHA1
01f9799ca06a249653bf49ec5a63188ce4f09fd7

SHA256
93388acca3dcc7f881169f858a3c90bf26b38502bd0635c0caebbd4102db7ba3

SHA512
11892a24a7695f40602f02581aa05e08e6e37e156594c453d92f14df75713cdb4897f3a44eadb4d3f54cfa99ff12afc39c06e894cd8995ff578e8d1dd1ca3ba6

Download Submit
C:\Users\Admin\AppData\Roaming\Current\Tags.exe
Filesize
630KB

MD5
854ba5549b621ef7c140df6e5bb0617e

SHA1
01f9799ca06a249653bf49ec5a63188ce4f09fd7

SHA256
93388acca3dcc7f881169f858a3c90bf26b38502bd0635c0caebbd4102db7ba3

SHA512
11892a24a7695f40602f02581aa05e08e6e37e156594c453d92f14df75713cdb4897f3a44eadb4d3f54cfa99ff12afc39c06e894cd8995ff578e8d1dd1ca3ba6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8X9FCME5DENAK7DMTKZH.temp
Filesize
7KB

MD5
cf1ceb9e3baa5d7591ff160b4e10d26c

SHA1
c071229222db75deeec2b21a25ba5f8c126e6c1d

SHA256
da6bffd186839ceb23a1b484b44549c948e36548dc1beb32ebeffc371f2d98ca

SHA512
a3cae66908dbf938946b7e522609db784628cb67068443f2273f0f1e51637ac8c8a0800c0f3f446e55debe2635cd3e9121e0dea7af0acd74230ed76cb14c88c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
cf1ceb9e3baa5d7591ff160b4e10d26c

SHA1
c071229222db75deeec2b21a25ba5f8c126e6c1d

SHA256
da6bffd186839ceb23a1b484b44549c948e36548dc1beb32ebeffc371f2d98ca

SHA512
a3cae66908dbf938946b7e522609db784628cb67068443f2273f0f1e51637ac8c8a0800c0f3f446e55debe2635cd3e9121e0dea7af0acd74230ed76cb14c88c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
cf1ceb9e3baa5d7591ff160b4e10d26c

SHA1
c071229222db75deeec2b21a25ba5f8c126e6c1d

SHA256
da6bffd186839ceb23a1b484b44549c948e36548dc1beb32ebeffc371f2d98ca

SHA512
a3cae66908dbf938946b7e522609db784628cb67068443f2273f0f1e51637ac8c8a0800c0f3f446e55debe2635cd3e9121e0dea7af0acd74230ed76cb14c88c1

Download Submit
C:\Users\Admin\Documents\svchost.exe
Filesize
141KB

MD5
6dcd690c1dfe99f5ca7d7919dbc38295

SHA1
945aa4ef16fcddf718f06ef03fa00e1489f73d04

SHA256
ede6cba917445c8673017c2154e370a24fbc6a29c2c8e2d90e5a45d8624d837d

SHA512
1f2bbb98f2e439e4b09ba8e32053c212a747b58dac1eff4f2583d6a649d6974f5196876d7e8521717ab7932a84fe3882ac68c4d7ad7d193dc11022ecada584ba

Download Submit
C:\Users\Admin\Documents\svchost.exe
Filesize
141KB

MD5
6dcd690c1dfe99f5ca7d7919dbc38295

SHA1
945aa4ef16fcddf718f06ef03fa00e1489f73d04

SHA256
ede6cba917445c8673017c2154e370a24fbc6a29c2c8e2d90e5a45d8624d837d

SHA512
1f2bbb98f2e439e4b09ba8e32053c212a747b58dac1eff4f2583d6a649d6974f5196876d7e8521717ab7932a84fe3882ac68c4d7ad7d193dc11022ecada584ba

Download Submit
\Users\Admin\AppData\Local\Temp\nanocore_payload.exe
Filesize
202KB

MD5
453bdc5af90ce17385bc4e0ca1cbe15d

SHA1
4047e7aea50df01ea1adf1d3c1354e3335e56429

SHA256
89e3d9bdab44323f4e95c7ed14859e36e87e39332b2c28c2038465eb1abbc602

SHA512
368c8374f7e1cbe351c952625ca43b541230edc14e8b9e3c3751fc126dc7507fd7260c523233ef8e82f2d7562ed0e03068d9158551069d8e70156610b60d58ba

Download Submit
\Users\Admin\AppData\Local\Temp\nanocore_payload.exe
Filesize
202KB

MD5
453bdc5af90ce17385bc4e0ca1cbe15d

SHA1
4047e7aea50df01ea1adf1d3c1354e3335e56429

SHA256
89e3d9bdab44323f4e95c7ed14859e36e87e39332b2c28c2038465eb1abbc602

SHA512
368c8374f7e1cbe351c952625ca43b541230edc14e8b9e3c3751fc126dc7507fd7260c523233ef8e82f2d7562ed0e03068d9158551069d8e70156610b60d58ba

Download Submit
\Users\Admin\AppData\Local\Temp\pm_payload.exe
Filesize
630KB

MD5
854ba5549b621ef7c140df6e5bb0617e

SHA1
01f9799ca06a249653bf49ec5a63188ce4f09fd7

SHA256
93388acca3dcc7f881169f858a3c90bf26b38502bd0635c0caebbd4102db7ba3

SHA512
11892a24a7695f40602f02581aa05e08e6e37e156594c453d92f14df75713cdb4897f3a44eadb4d3f54cfa99ff12afc39c06e894cd8995ff578e8d1dd1ca3ba6

Download Submit
\Users\Admin\AppData\Local\Temp\systemq.exe
Filesize
3.1MB

MD5
29853d6de2a6ea760788dbdbe601a4ab

SHA1
038ee578dca716ebb46d4a96105838d39122d7a0

SHA256
ad306c945a71d25faffefb7330f1563ceb100513a4c50fa29fb60b2d46fbd732

SHA512
a6c5822ac7899582b6f7b09670a4e8f0f7867d468aa0b321967ed25a8cea0c27e8357b81e3909b61f8ae70f69d4e50f2b68c31f64110c0e6a258efc39f2f9bf8

Download Submit
\Users\Admin\AppData\Local\Temp\wz_payload.exe
Filesize
141KB

MD5
6dcd690c1dfe99f5ca7d7919dbc38295

SHA1
945aa4ef16fcddf718f06ef03fa00e1489f73d04

SHA256
ede6cba917445c8673017c2154e370a24fbc6a29c2c8e2d90e5a45d8624d837d

SHA512
1f2bbb98f2e439e4b09ba8e32053c212a747b58dac1eff4f2583d6a649d6974f5196876d7e8521717ab7932a84fe3882ac68c4d7ad7d193dc11022ecada584ba

Download Submit
\Users\Admin\AppData\Local\Temp\wz_payload.exe
Filesize
141KB

MD5
6dcd690c1dfe99f5ca7d7919dbc38295

SHA1
945aa4ef16fcddf718f06ef03fa00e1489f73d04

SHA256
ede6cba917445c8673017c2154e370a24fbc6a29c2c8e2d90e5a45d8624d837d

SHA512
1f2bbb98f2e439e4b09ba8e32053c212a747b58dac1eff4f2583d6a649d6974f5196876d7e8521717ab7932a84fe3882ac68c4d7ad7d193dc11022ecada584ba

Download Submit
\Users\Admin\AppData\Roaming\Current\Tags.exe
Filesize
630KB

MD5
854ba5549b621ef7c140df6e5bb0617e

SHA1
01f9799ca06a249653bf49ec5a63188ce4f09fd7

SHA256
93388acca3dcc7f881169f858a3c90bf26b38502bd0635c0caebbd4102db7ba3

SHA512
11892a24a7695f40602f02581aa05e08e6e37e156594c453d92f14df75713cdb4897f3a44eadb4d3f54cfa99ff12afc39c06e894cd8995ff578e8d1dd1ca3ba6

Download Submit
\Users\Admin\Documents\svchost.exe
Filesize
141KB

MD5
6dcd690c1dfe99f5ca7d7919dbc38295

SHA1
945aa4ef16fcddf718f06ef03fa00e1489f73d04

SHA256
ede6cba917445c8673017c2154e370a24fbc6a29c2c8e2d90e5a45d8624d837d

SHA512
1f2bbb98f2e439e4b09ba8e32053c212a747b58dac1eff4f2583d6a649d6974f5196876d7e8521717ab7932a84fe3882ac68c4d7ad7d193dc11022ecada584ba

Download Submit
\Users\Admin\Documents\svchost.exe
Filesize
141KB

MD5
6dcd690c1dfe99f5ca7d7919dbc38295

SHA1
945aa4ef16fcddf718f06ef03fa00e1489f73d04

SHA256
ede6cba917445c8673017c2154e370a24fbc6a29c2c8e2d90e5a45d8624d837d

SHA512
1f2bbb98f2e439e4b09ba8e32053c212a747b58dac1eff4f2583d6a649d6974f5196876d7e8521717ab7932a84fe3882ac68c4d7ad7d193dc11022ecada584ba

Download Submit
memory/288-60-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/288-57-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/288-59-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/288-58-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/288-78-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/288-56-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/828-109-0x0000000000DD0000-0x0000000000E50000-memory.dmp

Filesize
512KB

Download
memory/828-103-0x0000000019F90000-0x000000001A272000-memory.dmp

Filesize
2.9MB

Download
memory/828-104-0x0000000000E70000-0x0000000000E78000-memory.dmp

Filesize
32KB

Download
memory/828-105-0x000007FEEBB20000-0x000007FEEC4BD000-memory.dmp

Filesize
9.6MB

Download
memory/828-111-0x0000000000DD0000-0x0000000000E50000-memory.dmp

Filesize
512KB

Download
memory/828-112-0x0000000000DD0000-0x0000000000E50000-memory.dmp

Filesize
512KB

Download
memory/828-107-0x000007FEEBB20000-0x000007FEEC4BD000-memory.dmp

Filesize
9.6MB

Download
memory/828-115-0x0000000000DD0000-0x0000000000E50000-memory.dmp

Filesize
512KB

Download
memory/828-117-0x000007FEEBB20000-0x000007FEEC4BD000-memory.dmp

Filesize
9.6MB

Download
memory/1264-44-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/1264-42-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/1264-43-0x0000000002710000-0x0000000002750000-memory.dmp

Filesize
256KB

Download
memory/1264-77-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/1264-49-0x0000000002710000-0x0000000002750000-memory.dmp

Filesize
256KB

Download
memory/1264-45-0x0000000002710000-0x0000000002750000-memory.dmp

Filesize
256KB

Download
memory/1452-106-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1452-108-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1872-126-0x000000013F940000-0x000000013F9E2000-memory.dmp

Filesize
648KB

Download
memory/1872-125-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/1872-130-0x0000000000830000-0x00000000008B0000-memory.dmp

Filesize
512KB

Download
memory/1872-131-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/1872-132-0x0000000000830000-0x00000000008B0000-memory.dmp

Filesize
512KB

Download
memory/1872-133-0x0000000000830000-0x00000000008B0000-memory.dmp

Filesize
512KB

Download
memory/1872-134-0x0000000000830000-0x00000000008B0000-memory.dmp

Filesize
512KB

Download
memory/1872-127-0x0000000000830000-0x00000000008B0000-memory.dmp

Filesize
512KB

Download
memory/1872-128-0x0000000000830000-0x00000000008B0000-memory.dmp

Filesize
512KB

Download
memory/1872-129-0x0000000000830000-0x00000000008B0000-memory.dmp

Filesize
512KB

Download
memory/1872-135-0x0000000000830000-0x00000000008B0000-memory.dmp

Filesize
512KB

Download
memory/2296-97-0x0000000000120000-0x0000000000160000-memory.dmp

Filesize
256KB

Download
memory/2296-48-0x0000000000120000-0x0000000000160000-memory.dmp

Filesize
256KB

Download
memory/2296-41-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/2296-35-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/2296-95-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/2296-90-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/2408-40-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2408-61-0x000000001AB00000-0x000000001AB56000-memory.dmp

Filesize
344KB

Download
memory/2408-46-0x000000001B8B0000-0x000000001B9B2000-memory.dmp

Filesize
1.0MB

Download
memory/2408-47-0x000000001B830000-0x000000001B8B0000-memory.dmp

Filesize
512KB

Download
memory/2408-94-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2408-75-0x000000001B7C0000-0x000000001B814000-memory.dmp

Filesize
336KB

Download
memory/2408-120-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2408-96-0x000000001B830000-0x000000001B8B0000-memory.dmp

Filesize
512KB

Download
memory/2408-62-0x000000001B260000-0x000000001B2AC000-memory.dmp

Filesize
304KB

Download
memory/2408-33-0x000000013FB10000-0x000000013FBB2000-memory.dmp

Filesize
648KB

Download
memory/2728-37-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2728-89-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2728-34-0x00000000010D0000-0x00000000013F4000-memory.dmp

Filesize
3.1MB

Download
memory/2728-98-0x0000000000D90000-0x0000000000E10000-memory.dmp

Filesize
512KB

Download
memory/2728-50-0x0000000000D90000-0x0000000000E10000-memory.dmp

Filesize
512KB

Download
memory/2932-93-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/2932-85-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/2932-86-0x0000000002880000-0x00000000028C0000-memory.dmp

Filesize
256KB

Download
memory/2932-87-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/2932-91-0x0000000002880000-0x00000000028C0000-memory.dmp

Filesize
256KB

Download
memory/2932-92-0x0000000002880000-0x00000000028C0000-memory.dmp

Filesize
256KB

Download