nanocore | e844192fb4c52758db729e18e8898fe0921bdbe1e2d3ac3da6a6b5d2cedecb71

Analysis

max time kernel
148s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2023 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f80bd53a58316d8fb43c24725c923ff2.exe
Size

4.1MB
MD5

f80bd53a58316d8fb43c24725c923ff2
SHA1

45c116a5e5e1680c47dd01605aa5d5033b436162
SHA256

e844192fb4c52758db729e18e8898fe0921bdbe1e2d3ac3da6a6b5d2cedecb71
SHA512

3a0f0dcba8a4cbe3a9185f8965a9201e0fdfd0179fb374fbb590bfb717d71ad6a102a890322ba69447bb7ba16f6dd583af9a92c673cb34a2ddef21876ecd3634
SSDEEP

98304:FzEls77BGpj21HbwiWDO7PLgJSZdhmrJcgltWjW6ftjkn/0L4yGZ//2LXWAgUq:F17tGKHbIDO7DMorOqglAj3Sq4P2LmxU

Score

10^/10

nanocore quasar warzonerat slave evasion infostealer keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

fgudhiiugiufgifufgihdhuidfxgd.duckdns.org:54984

nojewsjwooujweq.duckdns.org:54984

Mutex

1da888af-eaab-4d01-bce7-7d314165f9b1

Attributes

activate_away_mode
true
backup_connection_host
nojewsjwooujweq.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2023-07-18T15:13:25.638938236Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
1da888af-eaab-4d01-bce7-7d314165f9b1
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
fgudhiiugiufgifufgihdhuidfxgd.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

warzonerat

fgudhiiugiufgifufgihdhuidfxgd.duckdns.org:5200

Extracted

Family

quasar

Version

1.4.1

Botnet

Slave

fgudhiiugiufgifufgihdhuidfxgd.duckdns.org:4782

Mutex

c01ef685-50b2-41b1-af94-aee5bc04e6fd

Attributes

encryption_key
6550C5FD133683B3330870C778B7DB73E923F472
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\systemq.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\systemq.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\systemq.exe	family_quasar
behavioral2/memory/2780-42-0x0000000000E00000-0x0000000001124000-memory.dmp	family_quasar
C:\Windows\System32\SubDir\svchost.exe	family_quasar
C:\Windows\system32\SubDir\svchost.exe	family_quasar

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\wz_payload.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\wz_payload.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\wz_payload.exe	warzonerat
C:\Users\Admin\Documents\svchost.exe	warzonerat
C:\Users\Admin\Documents\svchost.exe	warzonerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f80bd53a58316d8fb43c24725c923ff2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	f80bd53a58316d8fb43c24725c923ff2.exe

Executes dropped EXE 7 IoCs

Processes:

nanocore_payload.exepm_payload.exewz_payload.exesystemq.exesvchost.exesvchost.exeSyncRoot.exe

pid process

2688 nanocore_payload.exe
116 pm_payload.exe
1460 wz_payload.exe
2780 systemq.exe
2956 svchost.exe
4828 svchost.exe
880 SyncRoot.exe

pid	process
2688	nanocore_payload.exe
116	pm_payload.exe
1460	wz_payload.exe
2780	systemq.exe
2956	svchost.exe
4828	svchost.exe
880	SyncRoot.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wz_payload.exenanocore_payload.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\Documents\\svchost.exe"	wz_payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe"	nanocore_payload.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

nanocore_payload.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA nanocore_payload.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

66 api.ipify.org
67 api.ipify.org

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nanocore_payload.exe

flow	ioc
66	api.ipify.org
67	api.ipify.org

Drops file in System32 directory 5 IoCs

Processes:

svchost.exesystemq.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SubDir\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system32\SubDir	svchost.exe
File created	C:\Windows\system32\SubDir\svchost.exe	systemq.exe
File opened for modification	C:\Windows\system32\SubDir\svchost.exe	systemq.exe
File opened for modification	C:\Windows\system32\SubDir	systemq.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SyncRoot.exe

description pid process target process

PID 880 set thread context of 4700 880 SyncRoot.exe RegSvcs.exe

description	pid	process	target process
PID 880 set thread context of 4700	880	SyncRoot.exe	RegSvcs.exe

Drops file in Program Files directory 2 IoCs

Processes:

nanocore_payload.exe

description	ioc	process
File created	C:\Program Files (x86)\WPA Host\wpahost.exe	nanocore_payload.exe
File opened for modification	C:\Program Files (x86)\WPA Host\wpahost.exe	nanocore_payload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3908 schtasks.exe
2748 schtasks.exe

pid	process
3908	schtasks.exe
2748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exenanocore_payload.exeRegSvcs.exe

pid	process
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
4092	powershell.exe
1028	powershell.exe
1028	powershell.exe
4092	powershell.exe
4164	powershell.exe
4164	powershell.exe
2688	nanocore_payload.exe
2688	nanocore_payload.exe
2688	nanocore_payload.exe
2688	nanocore_payload.exe
4092	powershell.exe
4164	powershell.exe
1028	powershell.exe
2688	nanocore_payload.exe
2688	nanocore_payload.exe
2688	nanocore_payload.exe
2688	nanocore_payload.exe
4700	RegSvcs.exe
4700	RegSvcs.exe
4700	RegSvcs.exe
4700	RegSvcs.exe
4700	RegSvcs.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

nanocore_payload.exe

pid process

2688 nanocore_payload.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

nanocore_payload.exe

pid process

2688 nanocore_payload.exe

pid	process
2688	nanocore_payload.exe

pid	process
2688	nanocore_payload.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

systemq.exepm_payload.exesvchost.exepowershell.exepowershell.exepowershell.exepowershell.exeAUDIODG.EXEnanocore_payload.exeSyncRoot.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2780	systemq.exe
Token: SeDebugPrivilege	116	pm_payload.exe
Token: SeDebugPrivilege	4828	svchost.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: 33	4100	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4100	AUDIODG.EXE
Token: SeDebugPrivilege	2688	nanocore_payload.exe
Token: SeDebugPrivilege	880	SyncRoot.exe
Token: SeDebugPrivilege	4700	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

4828 svchost.exe

pid	process
4828	svchost.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

f80bd53a58316d8fb43c24725c923ff2.exewz_payload.exesystemq.exesvchost.exesvchost.exeSyncRoot.exe

description	pid	process	target process
PID 3300 wrote to memory of 1028	3300	f80bd53a58316d8fb43c24725c923ff2.exe	powershell.exe
PID 3300 wrote to memory of 1028	3300	f80bd53a58316d8fb43c24725c923ff2.exe	powershell.exe
PID 3300 wrote to memory of 1028	3300	f80bd53a58316d8fb43c24725c923ff2.exe	powershell.exe
PID 3300 wrote to memory of 2688	3300	f80bd53a58316d8fb43c24725c923ff2.exe	nanocore_payload.exe
PID 3300 wrote to memory of 2688	3300	f80bd53a58316d8fb43c24725c923ff2.exe	nanocore_payload.exe
PID 3300 wrote to memory of 2688	3300	f80bd53a58316d8fb43c24725c923ff2.exe	nanocore_payload.exe
PID 3300 wrote to memory of 116	3300	f80bd53a58316d8fb43c24725c923ff2.exe	pm_payload.exe
PID 3300 wrote to memory of 116	3300	f80bd53a58316d8fb43c24725c923ff2.exe	pm_payload.exe
PID 3300 wrote to memory of 1460	3300	f80bd53a58316d8fb43c24725c923ff2.exe	wz_payload.exe
PID 3300 wrote to memory of 1460	3300	f80bd53a58316d8fb43c24725c923ff2.exe	wz_payload.exe
PID 3300 wrote to memory of 1460	3300	f80bd53a58316d8fb43c24725c923ff2.exe	wz_payload.exe
PID 3300 wrote to memory of 2780	3300	f80bd53a58316d8fb43c24725c923ff2.exe	systemq.exe
PID 3300 wrote to memory of 2780	3300	f80bd53a58316d8fb43c24725c923ff2.exe	systemq.exe
PID 1460 wrote to memory of 4164	1460	wz_payload.exe	powershell.exe
PID 1460 wrote to memory of 4164	1460	wz_payload.exe	powershell.exe
PID 1460 wrote to memory of 4164	1460	wz_payload.exe	powershell.exe
PID 1460 wrote to memory of 2956	1460	wz_payload.exe	svchost.exe
PID 1460 wrote to memory of 2956	1460	wz_payload.exe	svchost.exe
PID 1460 wrote to memory of 2956	1460	wz_payload.exe	svchost.exe
PID 2780 wrote to memory of 3908	2780	systemq.exe	schtasks.exe
PID 2780 wrote to memory of 3908	2780	systemq.exe	schtasks.exe
PID 2780 wrote to memory of 4828	2780	systemq.exe	svchost.exe
PID 2780 wrote to memory of 4828	2780	systemq.exe	svchost.exe
PID 2956 wrote to memory of 4092	2956	svchost.exe	powershell.exe
PID 2956 wrote to memory of 4092	2956	svchost.exe	powershell.exe
PID 2956 wrote to memory of 4092	2956	svchost.exe	powershell.exe
PID 4828 wrote to memory of 2748	4828	svchost.exe	schtasks.exe
PID 4828 wrote to memory of 2748	4828	svchost.exe	schtasks.exe
PID 2956 wrote to memory of 456	2956	svchost.exe	cmd.exe
PID 2956 wrote to memory of 456	2956	svchost.exe	cmd.exe
PID 2956 wrote to memory of 456	2956	svchost.exe	cmd.exe
PID 2956 wrote to memory of 456	2956	svchost.exe	cmd.exe
PID 2956 wrote to memory of 456	2956	svchost.exe	cmd.exe
PID 880 wrote to memory of 4700	880	SyncRoot.exe	RegSvcs.exe
PID 880 wrote to memory of 4700	880	SyncRoot.exe	RegSvcs.exe
PID 880 wrote to memory of 4700	880	SyncRoot.exe	RegSvcs.exe
PID 880 wrote to memory of 4700	880	SyncRoot.exe	RegSvcs.exe
PID 880 wrote to memory of 4700	880	SyncRoot.exe	RegSvcs.exe
PID 880 wrote to memory of 4700	880	SyncRoot.exe	RegSvcs.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f80bd53a58316d8fb43c24725c923ff2.exe
"C:\Users\Admin\AppData\Local\Temp\f80bd53a58316d8fb43c24725c923ff2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAcgB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAaAB6ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAcgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAbQBzACMAPgA="
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Users\Admin\AppData\Local\Temp\nanocore_payload.exe
"C:\Users\Admin\AppData\Local\Temp\nanocore_payload.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Users\Admin\AppData\Local\Temp\pm_payload.exe
"C:\Users\Admin\AppData\Local\Temp\pm_payload.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Users\Admin\AppData\Local\Temp\wz_payload.exe
"C:\Users\Admin\AppData\Local\Temp\wz_payload.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Users\Admin\Documents\svchost.exe
"C:\Users\Admin\Documents\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:456

C:\Users\Admin\AppData\Local\Temp\systemq.exe
"C:\Users\Admin\AppData\Local\Temp\systemq.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\SubDir\svchost.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3908

C:\Windows\system32\SubDir\svchost.exe
"C:\Windows\system32\SubDir\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\SubDir\svchost.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:2748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcACoALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACAALQBGAG8AcgBjAGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Users\Admin\AppData\Roaming\Key\SyncRoot.exe
C:\Users\Admin\AppData\Roaming\Key\SyncRoot.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
f901e19b96973167e782fa8242e136b3

SHA1
2b5d3a3cb0c560b4d781b0566eaac183460d594d

SHA256
ba67d11498af1238fad5816e01ab2b3b5b338c2d8a4f769202b121ff0395b849

SHA512
c0e3d08db8d8e8fcb2ca479a4edd7a22f12eb4c75eb569ab689ec6140599f92ed92725203fa120e9378b6fa846554ce5eeebc3973629653539293fc5a532c610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
208b1a9f6836afa38bc9d270725e5c7f

SHA1
20eea2edf7ea4b36759d8f84a24b895a6bac346a

SHA256
bf747e90326badb1699b30fbe143987459291c2e9439a25602036c9f69fd79a2

SHA512
b2b69ca92eebf2c0d5a70fe04d76883534cb1eab9491912ce65a6320bf4238cd0524190ce1992969a1a286f6ac3488df40bf08b8eedd4756070cb3c0bf5f8458

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
849256c0e17dc1eef1516e0535b11aed

SHA1
2ec0ccd07ea882ca60f23a34b437c30421467bbe

SHA256
36b5e10d6e7cea0beba510cb702760f23efd81e001839a3403f1b161ca53d348

SHA512
567ee7ae655bfb3a6a650233825739f742bb5ec936dc2a5b63eda2dcceb860e54eda79807937823037403a4921455ad613bd1b1542da38af3ab6cc073d121fd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lvuau5ds.zux.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nanocore_payload.exe
Filesize
202KB

MD5
8b31cbd0f87d48349f9c32f0277044d6

SHA1
76852e00cb42c41b7885a260b55cd626c29b57d8

SHA256
15f43e7843401484c486ddcfcf8119d2cd0f29f2e99017f4c96c83e530a91b17

SHA512
18c37e95db0d2d20795783906ed21dfc9aace21066c621e7e45e926053d46d48205e18d8a3633381857e947f680237a6503667bd88ba94da37f167cae0e88f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nanocore_payload.exe
Filesize
202KB

MD5
8b31cbd0f87d48349f9c32f0277044d6

SHA1
76852e00cb42c41b7885a260b55cd626c29b57d8

SHA256
15f43e7843401484c486ddcfcf8119d2cd0f29f2e99017f4c96c83e530a91b17

SHA512
18c37e95db0d2d20795783906ed21dfc9aace21066c621e7e45e926053d46d48205e18d8a3633381857e947f680237a6503667bd88ba94da37f167cae0e88f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nanocore_payload.exe
Filesize
202KB

MD5
8b31cbd0f87d48349f9c32f0277044d6

SHA1
76852e00cb42c41b7885a260b55cd626c29b57d8

SHA256
15f43e7843401484c486ddcfcf8119d2cd0f29f2e99017f4c96c83e530a91b17

SHA512
18c37e95db0d2d20795783906ed21dfc9aace21066c621e7e45e926053d46d48205e18d8a3633381857e947f680237a6503667bd88ba94da37f167cae0e88f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pm_payload.exe
Filesize
629KB

MD5
aa3e9f597ba0fe867af9efeb80a02caa

SHA1
ebe56e2604462b6d2882c774f7bcafe8c78892e0

SHA256
2b6233c0a91a1f89f344eeb74130a3a058c54fc28fb2b61f57bfc070da104633

SHA512
40a480823d756b8df1e6a9ae695c142768969a2c9d8ee10264f18be486e17fdaf5fdbf26745f512566d9502c459d7134f1c135cd917d621ad01f68545b255270

Download Submit
C:\Users\Admin\AppData\Local\Temp\pm_payload.exe
Filesize
629KB

MD5
aa3e9f597ba0fe867af9efeb80a02caa

SHA1
ebe56e2604462b6d2882c774f7bcafe8c78892e0

SHA256
2b6233c0a91a1f89f344eeb74130a3a058c54fc28fb2b61f57bfc070da104633

SHA512
40a480823d756b8df1e6a9ae695c142768969a2c9d8ee10264f18be486e17fdaf5fdbf26745f512566d9502c459d7134f1c135cd917d621ad01f68545b255270

Download Submit
C:\Users\Admin\AppData\Local\Temp\pm_payload.exe
Filesize
629KB

MD5
aa3e9f597ba0fe867af9efeb80a02caa

SHA1
ebe56e2604462b6d2882c774f7bcafe8c78892e0

SHA256
2b6233c0a91a1f89f344eeb74130a3a058c54fc28fb2b61f57bfc070da104633

SHA512
40a480823d756b8df1e6a9ae695c142768969a2c9d8ee10264f18be486e17fdaf5fdbf26745f512566d9502c459d7134f1c135cd917d621ad01f68545b255270

Download Submit
C:\Users\Admin\AppData\Local\Temp\systemq.exe
Filesize
3.1MB

MD5
e59e289b47fee7506e2cc216378f3955

SHA1
0dc7ab970aac7e9348928415ee5bdae424415489

SHA256
6299e3156cc953585df57ec5f47b8674bee9598c479cd6096871126e2d4632cf

SHA512
0c0c815d387ee0edf5a2ac1323377b4f93a2d76a5061bbaa04cf3f41e4bb053440561608da9ace7387c3433b0ae1888fdbe724fc0840b38733a3dba462cb1cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\systemq.exe
Filesize
3.1MB

MD5
e59e289b47fee7506e2cc216378f3955

SHA1
0dc7ab970aac7e9348928415ee5bdae424415489

SHA256
6299e3156cc953585df57ec5f47b8674bee9598c479cd6096871126e2d4632cf

SHA512
0c0c815d387ee0edf5a2ac1323377b4f93a2d76a5061bbaa04cf3f41e4bb053440561608da9ace7387c3433b0ae1888fdbe724fc0840b38733a3dba462cb1cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\systemq.exe
Filesize
3.1MB

MD5
e59e289b47fee7506e2cc216378f3955

SHA1
0dc7ab970aac7e9348928415ee5bdae424415489

SHA256
6299e3156cc953585df57ec5f47b8674bee9598c479cd6096871126e2d4632cf

SHA512
0c0c815d387ee0edf5a2ac1323377b4f93a2d76a5061bbaa04cf3f41e4bb053440561608da9ace7387c3433b0ae1888fdbe724fc0840b38733a3dba462cb1cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\wz_payload.exe
Filesize
141KB

MD5
8924c729f5b74dce861ebbe8170c1e24

SHA1
996451edb9e8b09a9f126107413c22d071ceb635

SHA256
56fc109c624733be74c8222cf04b939537455c3c0c41401878d385a49a698314

SHA512
242142e1fd729e8bf1e2e396b185e7eefcca8ea94d023698fa4b6b49a5b585d29c9a9e3cee23ac62e1d196493f500f0a999d1c2e95b63dc184b74a77732e5936

Download Submit
C:\Users\Admin\AppData\Local\Temp\wz_payload.exe
Filesize
141KB

MD5
8924c729f5b74dce861ebbe8170c1e24

SHA1
996451edb9e8b09a9f126107413c22d071ceb635

SHA256
56fc109c624733be74c8222cf04b939537455c3c0c41401878d385a49a698314

SHA512
242142e1fd729e8bf1e2e396b185e7eefcca8ea94d023698fa4b6b49a5b585d29c9a9e3cee23ac62e1d196493f500f0a999d1c2e95b63dc184b74a77732e5936

Download Submit
C:\Users\Admin\AppData\Local\Temp\wz_payload.exe
Filesize
141KB

MD5
8924c729f5b74dce861ebbe8170c1e24

SHA1
996451edb9e8b09a9f126107413c22d071ceb635

SHA256
56fc109c624733be74c8222cf04b939537455c3c0c41401878d385a49a698314

SHA512
242142e1fd729e8bf1e2e396b185e7eefcca8ea94d023698fa4b6b49a5b585d29c9a9e3cee23ac62e1d196493f500f0a999d1c2e95b63dc184b74a77732e5936

Download Submit
C:\Users\Admin\AppData\Roaming\Key\SyncRoot.exe
Filesize
629KB

MD5
aa3e9f597ba0fe867af9efeb80a02caa

SHA1
ebe56e2604462b6d2882c774f7bcafe8c78892e0

SHA256
2b6233c0a91a1f89f344eeb74130a3a058c54fc28fb2b61f57bfc070da104633

SHA512
40a480823d756b8df1e6a9ae695c142768969a2c9d8ee10264f18be486e17fdaf5fdbf26745f512566d9502c459d7134f1c135cd917d621ad01f68545b255270

Download Submit
C:\Users\Admin\AppData\Roaming\Key\SyncRoot.exe
Filesize
629KB

MD5
aa3e9f597ba0fe867af9efeb80a02caa

SHA1
ebe56e2604462b6d2882c774f7bcafe8c78892e0

SHA256
2b6233c0a91a1f89f344eeb74130a3a058c54fc28fb2b61f57bfc070da104633

SHA512
40a480823d756b8df1e6a9ae695c142768969a2c9d8ee10264f18be486e17fdaf5fdbf26745f512566d9502c459d7134f1c135cd917d621ad01f68545b255270

Download Submit
C:\Users\Admin\Documents\svchost.exe
Filesize
141KB

MD5
8924c729f5b74dce861ebbe8170c1e24

SHA1
996451edb9e8b09a9f126107413c22d071ceb635

SHA256
56fc109c624733be74c8222cf04b939537455c3c0c41401878d385a49a698314

SHA512
242142e1fd729e8bf1e2e396b185e7eefcca8ea94d023698fa4b6b49a5b585d29c9a9e3cee23ac62e1d196493f500f0a999d1c2e95b63dc184b74a77732e5936

Download Submit
C:\Users\Admin\Documents\svchost.exe
Filesize
141KB

MD5
8924c729f5b74dce861ebbe8170c1e24

SHA1
996451edb9e8b09a9f126107413c22d071ceb635

SHA256
56fc109c624733be74c8222cf04b939537455c3c0c41401878d385a49a698314

SHA512
242142e1fd729e8bf1e2e396b185e7eefcca8ea94d023698fa4b6b49a5b585d29c9a9e3cee23ac62e1d196493f500f0a999d1c2e95b63dc184b74a77732e5936

Download Submit
C:\Windows\System32\SubDir\svchost.exe
Filesize
3.1MB

MD5
e59e289b47fee7506e2cc216378f3955

SHA1
0dc7ab970aac7e9348928415ee5bdae424415489

SHA256
6299e3156cc953585df57ec5f47b8674bee9598c479cd6096871126e2d4632cf

SHA512
0c0c815d387ee0edf5a2ac1323377b4f93a2d76a5061bbaa04cf3f41e4bb053440561608da9ace7387c3433b0ae1888fdbe724fc0840b38733a3dba462cb1cef

Download Submit
C:\Windows\system32\SubDir\svchost.exe
Filesize
3.1MB

MD5
e59e289b47fee7506e2cc216378f3955

SHA1
0dc7ab970aac7e9348928415ee5bdae424415489

SHA256
6299e3156cc953585df57ec5f47b8674bee9598c479cd6096871126e2d4632cf

SHA512
0c0c815d387ee0edf5a2ac1323377b4f93a2d76a5061bbaa04cf3f41e4bb053440561608da9ace7387c3433b0ae1888fdbe724fc0840b38733a3dba462cb1cef

Download Submit
memory/116-62-0x00000222F49F0000-0x00000222F4A00000-memory.dmp

Filesize
64KB

Download
memory/116-44-0x00000222DC020000-0x00000222DC076000-memory.dmp

Filesize
344KB

Download
memory/116-25-0x00000222DA3E0000-0x00000222DA482000-memory.dmp

Filesize
648KB

Download
memory/116-53-0x00007FFF67580000-0x00007FFF68041000-memory.dmp

Filesize
10.8MB

Download
memory/116-38-0x00007FFF67580000-0x00007FFF68041000-memory.dmp

Filesize
10.8MB

Download
memory/116-49-0x00000222F4A70000-0x00000222F4AC4000-memory.dmp

Filesize
336KB

Download
memory/116-40-0x00000222F49F0000-0x00000222F4A00000-memory.dmp

Filesize
64KB

Download
memory/116-41-0x00000222F4890000-0x00000222F4992000-memory.dmp

Filesize
1.0MB

Download
memory/116-45-0x00000222F4990000-0x00000222F49DC000-memory.dmp

Filesize
304KB

Download
memory/116-103-0x00007FFF67580000-0x00007FFF68041000-memory.dmp

Filesize
10.8MB

Download
memory/456-94-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/880-161-0x00007FFF67580000-0x00007FFF68041000-memory.dmp

Filesize
10.8MB

Download
memory/880-155-0x00007FFF67580000-0x00007FFF68041000-memory.dmp

Filesize
10.8MB

Download
memory/880-157-0x0000023F5BDA0000-0x0000023F5BEA2000-memory.dmp

Filesize
1.0MB

Download
memory/880-156-0x0000023F747C0000-0x0000023F747D0000-memory.dmp

Filesize
64KB

Download
memory/880-162-0x0000023F747C0000-0x0000023F747D0000-memory.dmp

Filesize
64KB

Download
memory/1028-54-0x00000000034E0000-0x00000000034F0000-memory.dmp

Filesize
64KB

Download
memory/1028-82-0x00000000034E0000-0x00000000034F0000-memory.dmp

Filesize
64KB

Download
memory/1028-159-0x0000000006A00000-0x0000000006A4C000-memory.dmp

Filesize
304KB

Download
memory/1028-74-0x00000000735F0000-0x0000000073DA0000-memory.dmp

Filesize
7.7MB

Download
memory/1028-50-0x00000000735F0000-0x0000000073DA0000-memory.dmp

Filesize
7.7MB

Download
memory/1860-80-0x00007FFF67580000-0x00007FFF68041000-memory.dmp

Filesize
10.8MB

Download
memory/1860-142-0x000002D5F0890000-0x000002D5F08A0000-memory.dmp

Filesize
64KB

Download
memory/1860-97-0x000002D5F07B0000-0x000002D5F07D2000-memory.dmp

Filesize
136KB

Download
memory/1860-128-0x00007FFF67580000-0x00007FFF68041000-memory.dmp

Filesize
10.8MB

Download
memory/1860-81-0x000002D5F0890000-0x000002D5F08A0000-memory.dmp

Filesize
64KB

Download
memory/1860-145-0x000002D5F0890000-0x000002D5F08A0000-memory.dmp

Filesize
64KB

Download
memory/1860-149-0x000002D5F0890000-0x000002D5F08A0000-memory.dmp

Filesize
64KB

Download
memory/2688-69-0x0000000073030000-0x00000000735E1000-memory.dmp

Filesize
5.7MB

Download
memory/2688-160-0x0000000000B50000-0x0000000000B60000-memory.dmp

Filesize
64KB

Download
memory/2688-48-0x0000000073030000-0x00000000735E1000-memory.dmp

Filesize
5.7MB

Download
memory/2688-46-0x0000000073030000-0x00000000735E1000-memory.dmp

Filesize
5.7MB

Download
memory/2688-73-0x0000000000B50000-0x0000000000B60000-memory.dmp

Filesize
64KB

Download
memory/2688-47-0x0000000000B50000-0x0000000000B60000-memory.dmp

Filesize
64KB

Download
memory/2688-146-0x0000000000B50000-0x0000000000B60000-memory.dmp

Filesize
64KB

Download
memory/2780-70-0x00007FFF67580000-0x00007FFF68041000-memory.dmp

Filesize
10.8MB

Download
memory/2780-42-0x0000000000E00000-0x0000000001124000-memory.dmp

Filesize
3.1MB

Download
memory/2780-43-0x00007FFF67580000-0x00007FFF68041000-memory.dmp

Filesize
10.8MB

Download
memory/2780-51-0x000000001BDF0000-0x000000001BE00000-memory.dmp

Filesize
64KB

Download
memory/2780-63-0x00007FFF67580000-0x00007FFF68041000-memory.dmp

Filesize
10.8MB

Download
memory/4092-75-0x00000000735F0000-0x0000000073DA0000-memory.dmp

Filesize
7.7MB

Download
memory/4092-76-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/4092-78-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/4092-132-0x0000000005CF0000-0x0000000006044000-memory.dmp

Filesize
3.3MB

Download
memory/4092-79-0x00000000055E0000-0x0000000005C08000-memory.dmp

Filesize
6.2MB

Download
memory/4092-106-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/4092-96-0x00000000735F0000-0x0000000073DA0000-memory.dmp

Filesize
7.7MB

Download
memory/4092-112-0x0000000005C80000-0x0000000005CE6000-memory.dmp

Filesize
408KB

Download
memory/4092-101-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/4164-59-0x00000000030A0000-0x00000000030D6000-memory.dmp

Filesize
216KB

Download
memory/4164-55-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/4164-98-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/4164-107-0x00000000059C0000-0x00000000059E2000-memory.dmp

Filesize
136KB

Download
memory/4164-72-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/4164-83-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/4164-158-0x0000000006A10000-0x0000000006A2E000-memory.dmp

Filesize
120KB

Download
memory/4164-110-0x00000000062B0000-0x0000000006316000-memory.dmp

Filesize
408KB

Download
memory/4164-52-0x00000000735F0000-0x0000000073DA0000-memory.dmp

Filesize
7.7MB

Download
memory/4164-77-0x00000000735F0000-0x0000000073DA0000-memory.dmp

Filesize
7.7MB

Download
memory/4828-147-0x000000001BF70000-0x000000001BF82000-memory.dmp

Filesize
72KB

Download
memory/4828-93-0x00007FFF67580000-0x00007FFF68041000-memory.dmp

Filesize
10.8MB

Download
memory/4828-71-0x00007FFF67580000-0x00007FFF68041000-memory.dmp

Filesize
10.8MB

Download
memory/4828-105-0x000000001BF00000-0x000000001BF50000-memory.dmp

Filesize
320KB

Download
memory/4828-148-0x000000001D300000-0x000000001D33C000-memory.dmp

Filesize
240KB

Download
memory/4828-111-0x000000001D3C0000-0x000000001D472000-memory.dmp

Filesize
712KB

Download