Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/08/2024, 01:07

General

  • Target

    41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe

  • Size

    6.7MB

  • MD5

    713e742f7314ca8d684137f996540b4b

  • SHA1

    1d88ed5170efab2d32d83341be56e1b9f6720d7c

  • SHA256

    41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5

  • SHA512

    df373f00d609666811494d31c48f030e15155ddd4c3ccd4f0ef734a0eb4bee074244e8bb73263f06edca3cef60db37f7f603e98b7c040b6741dbcf8270fa90e4

  • SSDEEP

    98304:tbqknnTC8vHM8aKN+3v4FOjfU2TNe7vWL26AaNeWgPhlmVqkQ7XSKUR83B:tzO8vH04FmMnG4S03B

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

businesses-eric.gl.at.ply.gg:55282

Mutex

ebfbd873-38ee-4f7b-bfe9-2b77cdff1c45

Attributes
  • encryption_key

    361A99FCBAEDCD5C706B5E52C37C90BFB4E13FB2

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    1000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

xworm

C2

projects-pf.gl.at.ply.gg:55284

wiz.bounceme.net:6000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

thing-wine.gl.at.ply.gg:55280

Mutex

EFhpy3TPM7sR

Attributes
  • delay

    3

  • install

    true

  • install_file

    Ass.exe

  • install_folder

    %Temp%

aes.plain
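The three configurations above already contain what is needed to hunt for this sample's infrastructure and persistence, but they arrive in three shapes: quasar carries a startup key and only a relative install path (subdirectory plus install_name, no base directory), xworm two C2 endpoints and a %ProgramData% path, asyncrat a %Temp% path. The Python below is an added example, not part of the report and not code from Quasar, XWorm or AsyncRAT. It normalises the three configs into one IOC set: each C2 entry is parsed into host and port with validation, hostnames are classified (the *.ply.gg names are issued by the playit.gg tunnelling service and *.bounceme.net by No-IP dynamic DNS, both cheap for the operator to rotate, so the ports and the service suffix are the more durable part of the indicator), and environment variables are expanded with assumed sandbox values. The config values are transcribed from the report; `SANDBOX_ENV` (user profile C:\Users\Admin) and `HOST_CLASSES` are the author's assumptions.

```python
r"""Normalise the three extracted RAT configurations above into one IOC set.

Added example; not part of the sandbox report and not code from Quasar,
XWorm or AsyncRAT.  Config values are transcribed from the report.
Assumptions: SANDBOX_ENV (what %ProgramData% and %Temp% expand to in the
sandbox, which ran as C:\Users\Admin) and HOST_CLASSES (*.ply.gg names come
from the playit.gg tunnelling service, *.bounceme.net from No-IP DDNS).
"""
from __future__ import annotations

import re

CONFIGS = [
    {"family": "quasar", "version": "1.4.1", "botnet": "Office04",
     "c2": ["businesses-eric.gl.at.ply.gg:55282"],
     "mutex": "ebfbd873-38ee-4f7b-bfe9-2b77cdff1c45",
     # The extracted Quasar config gives only subdirectory + install_name;
     # the base directory is not in it, so the path stays relative.
     "install_path": r"SubDir\Client.exe",
     "startup_key": "Quasar Client Startup"},
    {"family": "xworm",
     "c2": ["projects-pf.gl.at.ply.gg:55284", "wiz.bounceme.net:6000"],
     "install_path": r"%ProgramData%\USB.exe"},
    {"family": "asyncrat", "version": "0.5.8", "botnet": "Default",
     "c2": ["thing-wine.gl.at.ply.gg:55280"],
     "mutex": "EFhpy3TPM7sR",
     "install_path": r"%Temp%\Ass.exe"},
]

# Assumed sandbox environment; adjust for the host being hunted.
SANDBOX_ENV = {"ProgramData": r"C:\ProgramData",
               "Temp": r"C:\Users\Admin\AppData\Local\Temp"}

# Suffix -> label.  Tunnel and dynamic-DNS names are cheap to rotate, so the
# label tells the hunter how durable a hostname indicator is.
HOST_CLASSES = {".ply.gg": "tunnel:playit.gg", ".bounceme.net": "ddns:no-ip"}

C2_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+|\[[0-9A-Fa-f:]+\]):(?P<port>\d{1,5})$")
ENV_RE = re.compile(r"%([^%]+)%")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_c2(entry: str) -> tuple[str, int]:
    """Split 'host:port' (or '[v6]:port'); reject malformed entries loudly."""
    m = C2_RE.match(entry.strip())
    if not m:
        raise ValueError(f"unrecognised C2 entry: {entry!r}")
    port = int(m["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in C2 entry: {entry!r}")
    return m["host"].strip("[]").lower(), port


def classify_host(host: str) -> str:
    for suffix, label in HOST_CLASSES.items():
        if host.endswith(suffix):
            return label
    return "ip" if IPV4_RE.fullmatch(host) else "other"


def expand_env(path: str, env: dict[str, str]) -> str:
    """Expand %VAR% case-insensitively; unknown variables are left in place
    so a gap in the environment table is visible instead of silently wrong."""
    lookup = {k.lower(): v for k, v in env.items()}
    return ENV_RE.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)


def build_iocs(configs: list[dict], env: dict[str, str]) -> dict[str, list]:
    iocs: dict[str, list] = {"network": [], "mutexes": [], "paths": [], "startup_keys": []}
    seen = set()
    for cfg in configs:
        for entry in cfg.get("c2", []):
            host, port = parse_c2(entry)
            if (host, port) in seen:  # families may repeat an endpoint
                continue
            seen.add((host, port))
            iocs["network"].append({"family": cfg["family"], "host": host,
                                    "port": port, "kind": classify_host(host)})
        if cfg.get("mutex"):
            iocs["mutexes"].append(cfg["mutex"])
        if cfg.get("install_path"):
            iocs["paths"].append(expand_env(cfg["install_path"], env))
        if cfg.get("startup_key"):
            iocs["startup_keys"].append(cfg["startup_key"])
    return iocs


def egress_ports(iocs: dict[str, list]) -> list[int]:
    """Ports to check in proxy/firewall egress logs, independent of hostname."""
    return sorted({n["port"] for n in iocs["network"]})


if __name__ == "__main__":
    result = build_iocs(CONFIGS, SANDBOX_ENV)
    for n in result["network"]:
        print(f"{n['family']:<9} {n['host']}:{n['port']}  [{n['kind']}]")
    print("egress ports:", egress_ports(result))
    print("paths:", result["paths"])
```

The relative Quasar path is left relative on purpose: the process tree resolves it to C:\Windows\system32\SubDir\Client.exe on this run, but that directory is chosen by the builder's install-location option, which the extracted config does not carry, so a hunt should match on the `SubDir\Client.exe` suffix and the "Quasar Client Startup" task name rather than the full path.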

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Detect Xworm Payload 3 IoCs
  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. Here it is raised for the schtasks.exe invocations that appear at the top level of the process tree below, whose parent is not shown.

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Async RAT payload 1 IoCs
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 13 IoCs
  • Adds Run key to start application 2 TTPs 11 IoCs
  • Drops file in System32 directory 8 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 19 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe
    "C:\Users\Admin\AppData\Local\Temp\41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3980
    • C:\Users\Admin\AppData\Local\Temp\AsyncStub.exe
      "C:\Users\Admin\AppData\Local\Temp\AsyncStub.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Ass" /tr '"C:\Users\Admin\AppData\Local\Temp\Ass.exe"' & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4140
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Ass" /tr '"C:\Users\Admin\AppData\Local\Temp\Ass.exe"'
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:4984
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB575.tmp.bat""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4056
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:4724
        • C:\Users\Admin\AppData\Local\Temp\Ass.exe
          "C:\Users\Admin\AppData\Local\Temp\Ass.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2456
    • C:\Users\Admin\AppData\Local\Temp\DCRatStub.exe
      "C:\Users\Admin\AppData\Local\Temp\DCRatStub.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ChainPortsessionbroker\QV4mcYA2Sc8KOpCoQlEXh.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1808
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\ChainPortsessionbroker\G0RgA51UzNSlvJ.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4900
          • C:\ChainPortsessionbroker\Fontsession.exe
            "C:\ChainPortsessionbroker\Fontsession.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1984
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3FZpp5vCKE.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4536
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2776
                • C:\Users\Admin\Contacts\smss.exe
                  "C:\Users\Admin\Contacts\smss.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4904
            • C:\Windows\SysWOW64\reg.exe
              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:372
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\ChainPortsessionbroker\file.vbs"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:560
      • C:\Users\Admin\AppData\Local\Temp\OrcusStub.exe
        "C:\Users\Admin\AppData\Local\Temp\OrcusStub.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3988
        • C:\Windows\SysWOW64\WindowsInput.exe
          "C:\Windows\SysWOW64\WindowsInput.exe" --install
          3⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          PID:3640
        • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3968
      • C:\Users\Admin\AppData\Local\Temp\QuasarStub.exe
        "C:\Users\Admin\AppData\Local\Temp\QuasarStub.exe"
        2⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:216
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4184
        • C:\Windows\system32\SubDir\Client.exe
          "C:\Windows\system32\SubDir\Client.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3188
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:3556
      • C:\Users\Admin\AppData\Local\Temp\WizWormStub.exe
        "C:\Users\Admin\AppData\Local\Temp\WizWormStub.exe"
        2⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3880
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WizWormStub.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:756
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizWormStub.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2684
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WizWormStub.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4652
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizWormStub" /tr "C:\ProgramData\WizWormStub.exe"
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4000
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "AudioDriverA" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\AudioDriver.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2456
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "AudioDriver" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\AudioDriver.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2872
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "AudioDriverA" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\AudioDriver.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2464
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Contacts\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2132
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1348
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Contacts\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4468
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\ChainPortsessionbroker\Registry.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:980
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\ChainPortsessionbroker\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4372
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\ChainPortsessionbroker\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4852
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\CbsTemp\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3720
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\CbsTemp\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1260
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\CbsTemp\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3544
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\AccountPictures\wscript.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4804
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\wscript.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1656
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\AccountPictures\wscript.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3132
    • C:\ProgramData\WizWormStub.exe
      C:\ProgramData\WizWormStub.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2780
    • C:\ProgramData\WizWormStub.exe
      C:\ProgramData\WizWormStub.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2948
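The command lines in the tree carry the detail behind several of the signatures listed above (Scheduled Task/Job: Scheduled Task, Command and Scripting Interpreter: PowerShell, Disables Task Manager via registry modification). The Python below is an added example, not part of the sandbox report and not code from any of the RAT families; it re-derives those findings from the raw command lines. It keeps the nested '"..."' quoting that cmd.exe hands through to schtasks intact during tokenising, parses schtasks switches, and applies heuristics the author supplies: tasks whose target lives under C:\Users or C:\ProgramData, minute-interval triggers (the watchdog re-launch pattern visible in the AudioDriverA/smsss/RegistryR/RuntimeBrokerR/wscriptw tasks), ONLOGON tasks created with /rl HIGHEST, binaries named like System32 components (smss.exe, RuntimeBroker.exe, wscript.exe) scheduled from outside System32, Add-MpPreference exclusions, and the DisableTaskMgr policy value. The pid|command-line rows are transcribed from the tree; the rule names and thresholds are assumptions, not the sandbox's own signature logic.

```python
r"""Triage the persistence and defence-evasion command lines in the process tree.

Added example; not part of the sandbox report and not code from any RAT family.
The pid|command-line rows are transcribed from the tree.  The rules (user-writable
task targets, minute-interval triggers, ONLOGON tasks at /rl HIGHEST, System32
binary names outside System32, Defender exclusions, DisableTaskMgr) are the
author's own heuristics, not the sandbox's signature logic.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

_ROWS = r"""
4984|schtasks /create /f /sc onlogon /rl highest /tn "Ass" /tr '"C:\Users\Admin\AppData\Local\Temp\Ass.exe"'
4184|"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
4000|"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizWormStub" /tr "C:\ProgramData\WizWormStub.exe"
1348|schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\smss.exe'" /rl HIGHEST /f
3720|schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\CbsTemp\RuntimeBroker.exe'" /f
756|"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WizWormStub.exe'
2684|"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizWormStub.exe'
372|reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
"""
CMDLINES = [(int(pid), line) for pid, line in
            (row.split("|", 1) for row in _ROWS.strip().splitlines())]

# A "..." or '...' group stays one token, quotes included (cmd.exe hands the
# inner quotes through to schtasks); callers strip both quote levels.
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')
QUOTES = "'\""


def tokenize(cmdline: str) -> list[str]:
    return TOKEN_RE.findall(cmdline)


VALUE_SWITCHES = {"tn", "tr", "sc", "mo", "rl", "st", "sd", "ru", "rp", "xml"}


def parse_schtasks(tokens: list[str]) -> dict[str, str | bool]:
    """Map switches to values; bare switches such as /create or /f map to True."""
    args: dict[str, str | bool] = {}
    i = 0
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i][1:].lower()
            if key in VALUE_SWITCHES and i + 1 < len(tokens):
                args[key] = tokens[i + 1].strip(QUOTES)
                i += 1
            else:
                args[key] = True
        i += 1
    return args


SYSTEM_BINARY_NAMES = {"smss.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                       "svchost.exe", "runtimebroker.exe", "wscript.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")


def task_reasons(args: dict[str, str | bool]) -> list[str]:
    target = str(args.get("tr", ""))
    sc, rl = str(args.get("sc", "")).lower(), str(args.get("rl", "")).lower()
    reasons = []
    if target.lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append("task_target_user_writable")
    if sc == "minute":  # watchdog-style re-launch every N minutes
        reasons.append("task_minute_interval")
    if sc == "onlogon" and rl == "highest":  # runs elevated at every logon
        reasons.append("task_onlogon_highest")
    p = PureWindowsPath(target)  # the genuine smss.exe etc. live only in System32
    if p.name.lower() in SYSTEM_BINARY_NAMES and str(p.parent).lower() not in SYSTEM_DIRS:
        reasons.append("task_masquerades_system_binary")
    return reasons


ADD_MPPREF = re.compile(r"Add-MpPreference\b(.*)", re.IGNORECASE)
EXCLUSION = re.compile(r"-(Exclusion(?:Path|Process|Extension|IpAddress))\s+"
                       r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.IGNORECASE)
DISABLE_TASKMGR = re.compile(r"\breg(?:\.exe)?\s+add\b.*\bDisableTaskMgr\b.*/d\s+1\b",
                             re.IGNORECASE)


def triage(cmdlines: list[tuple[int, str]]) -> list[dict[str, object]]:
    """One finding per matched rule: {"pid", "rule", "detail"}."""
    findings: list[dict[str, object]] = []
    for pid, line in cmdlines:
        tokens = tokenize(line)
        exe = PureWindowsPath(tokens[0].strip(QUOTES)).name.lower() if tokens else ""
        if exe in {"schtasks", "schtasks.exe"}:
            args = parse_schtasks(tokens[1:])
            if args.get("create"):
                for reason in task_reasons(args):
                    findings.append({"pid": pid, "rule": reason,
                                     "detail": f"{args.get('tn')} -> {args.get('tr')}"})
        m = ADD_MPPREF.search(line)
        if m:
            for em in EXCLUSION.finditer(m.group(1)):
                value = em.group(2) or em.group(3) or em.group(4)
                findings.append({"pid": pid, "rule": "defender_exclusion",
                                 "detail": f"{em.group(1)}={value}"})
        if DISABLE_TASKMGR.search(line):
            findings.append({"pid": pid, "rule": "disable_taskmgr",
                             "detail": r"HKCU\...\Policies\System\DisableTaskMgr=1"})
    return findings


if __name__ == "__main__":
    print(*triage(CMDLINES), sep="\n")
```

Fed with process-creation events that include the command line (Sysmon Event ID 1 or Security 4688 with command-line auditing enabled) instead of the transcribed rows, the same rules reproduce the report's findings on a live host. The masquerade rule is the cheapest way to catch the smss.exe, RuntimeBroker.exe and wscript.exe copies this sample schedules from Contacts, CbsTemp and AccountPictures, and the Add-MpPreference rule should be paired with a periodic `Get-MpPreference` review, since an exclusion that has already been added no longer shows up in process logs.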

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\ChainPortsessionbroker\Fontsession.exe

      Filesize

      2.3MB

      MD5

      e68c730d5e9eea130b20f99f8380e644

      SHA1

      d5387728b7aa9724e5f49d9ebe871c4bcc447c01

      SHA256

      44a30d53788ccbbef510a68b894c40a093ecc4a934b6a7c91037d3180987bf71

      SHA512

      4389361097a762576b0ed8da4ebec4d4189af80decbe0b4e2e7c12a6b2f206107ad0597be557690cac73f0e5875057e48a7338a52403288527329e276cbc6041

    • C:\ChainPortsessionbroker\G0RgA51UzNSlvJ.bat

      Filesize

      166B

      MD5

      eff3710eb6f094ac204ff6b4d7d7107e

      SHA1

      2ec3eebb2037ee862dfd7984101bbec687c7ad7b

      SHA256

      5a27f828660d67faae0e0c7c9d201c543f9e16db4ef1cb5f0883899b86e321d7

      SHA512

      19becb062d3cf759b820fb45170e9aab11e6179475c0090f9306ca2e722f24b74274263fbb4783096ceb10d311dc8f1f3261ef9f44ee0235a70aa0f004cb508c

    • C:\ChainPortsessionbroker\QV4mcYA2Sc8KOpCoQlEXh.vbe

      Filesize

      224B

      MD5

      55733945e00baace8cd6236206f9acf6

      SHA1

      61a590cb6acb3e6bfaac1fc5752162fc60647ce5

      SHA256

      d7f4a58ae89de59a45958e9a78eb6d3e83ff45d9843747850fc4f4974f24e3e3

      SHA512

      58ac06c815cc508dc6281cae24a78ac98fce1bd310809f0311a4613adf2f103e92ccd65e073787ef682d9a37adc3ef6fd1c81f7eebdc5f7a0f7b28636caa76c8

    • C:\ChainPortsessionbroker\file.vbs

      Filesize

      34B

      MD5

      677cc4360477c72cb0ce00406a949c61

      SHA1

      b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

      SHA256

      f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

      SHA512

      7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WizWormStub.exe.log

      Filesize

      654B

      MD5

      2ff39f6c7249774be85fd60a8f9a245e

      SHA1

      684ff36b31aedc1e587c8496c02722c6698c1c4e

      SHA256

      e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

      SHA512

      1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      ecceac16628651c18879d836acfcb062

      SHA1

      420502b3e5220a01586c59504e94aa1ee11982c9

      SHA256

      58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

      SHA512

      be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      54522d22658e4f8f87ecb947b71b8feb

      SHA1

      6a6144bdf9c445099f52211b6122a2ecf72b77e9

      SHA256

      af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a

      SHA512

      55f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba

    • C:\Users\Admin\AppData\Local\Temp\3FZpp5vCKE.bat

      Filesize

      197B

      MD5

      70c3d3c83b00b39940a31de72eff0043

      SHA1

      dcd3fc7d1ad3de33e62101556ec8c6f0e8bf1c6f

      SHA256

      516f8dc2444736a3627b210df72be82e30e01e57341b996598e6034f1a1f6785

      SHA512

      8dea8c1c9107565e18630467c9cae0501766337c7a5a5589f3ab497b4755245d8a95ce9ec01f69f0126fac1c5800850ce168153be4ffe7f669f0378fa95bbed5

    • C:\Users\Admin\AppData\Local\Temp\AsyncStub.exe

      Filesize

      47KB

      MD5

      2498d43b33fdf705d23a044d0704271b

      SHA1

      79b2ee6e706d561533936cde87a46830fbfeec9b

      SHA256

      d1ba8885bb27b8b53e8754181b474f47d0afc57ce406ca4c18edf111cbb63226

      SHA512

      79b0ff8be1762e31c20ae5b5440958bbe652b11f219a5542d9cd2fa789c90dd5898b14be2245ae03f49c5ada54db0547df5eacc7d143f9c0ea608fb4600b4690

    • C:\Users\Admin\AppData\Local\Temp\DCRatStub.exe

      Filesize

      2.6MB

      MD5

      9d479998ab307798514e77b13fa5a38a

      SHA1

      2cdd52a5496e45d74a8acce3b19456ef5241130b

      SHA256

      b83e03ed28f61bcfa07e3a06b73d7e0a3b6e8469fe8d8137549cc12ae3911b08

      SHA512

      122bf95d3e56c366db4e1a1af4c2c44d980a54a7a2dca3ef7376587d8e5bcf32d0e06b2bf6465f164763c5f8954302704ead062a9de0729aa4e6e6161051a6f4

    • C:\Users\Admin\AppData\Local\Temp\OrcusStub.exe

      Filesize

      841KB

      MD5

      3de8bb77473e360e1b15d2f80f489248

      SHA1

      507f0223797e077f25775908d911dbbdc64e04a9

      SHA256

      be6c566ca9e0f0c620ccbd0581b48ba0cdf616135195dc4f5b9236f985b3172f

      SHA512

      4addcce355f43e392b30b78195372ae8618fdf42f976a6bc88c369708efa3ce2c1222f7f1e20cc49491cc475c970c687445062c51c026d0bf7ecdea3fb26017c

    • C:\Users\Admin\AppData\Local\Temp\QuasarStub.exe

      Filesize

      3.1MB

      MD5

      6940c38a8661b0b8713afd4c63b12456

      SHA1

      cc78ac6b4974bb3352890b8e89d038ddc4c4eae4

      SHA256

      42a913fedb31db5ba0cf28abd0fe6afc3b9807aac7045a1c02579c2b3282a3b1

      SHA512

      df2e75e842f22802a43e155c0667147933d17f8902df880d3738d29a5bcaae5ae199c759642bf2414c10a1eca4721966b3d7759e06ddeca5b69c698689e71b05

    • C:\Users\Admin\AppData\Local\Temp\WizWormStub.exe

      Filesize

      81KB

      MD5

      cdff2cee70c00c73f066e1c9a7515a95

      SHA1

      f8bfe41193a917830dc13450c2665d862fea08d1

      SHA256

      f52798a690f661a2b30e2fb3a3689a0aa09fcc0f7ea4efe669e265670742254e

      SHA512

      747a63e7bc184d7fd09f842c176090bc37c88166155b4429faf430760cd8af182c853cc173c62a25ce3c94ccd74b66106b145f80bf5bb151e6b9bb865f23a939

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z3hk34vg.twi.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\tmpB575.tmp.bat

      Filesize

      150B

      MD5

      0a259bc053981a2f4060ffc9a4c4b525

      SHA1

      e5a5702e0f6319657d52ecf66295b0fda48ea3e7

      SHA256

      d2f0841d0ac2e389d35b67df5b35518faae3e7b2a4079c14e5c0c73e1a0d7d7c

      SHA512

      fb87da89c4bc4aed6f9d39457010a00ceda77465be7c4cfb438ba30626c45db877fb68b2eee79f3d2c95197d79c503b7d5b098aaea0c291ea0f8b43d3f7d9eb7

    • C:\Windows\SysWOW64\WindowsInput.InstallLog

      Filesize

      224B

      MD5

      e469dda91ae810a1f94c96060f3f8a65

      SHA1

      0b4b3b0f6f937016b1e045ce5313ee2a65a38630

      SHA256

      d42fee8db8eb0e047ca53ad59b1c9bc69fe04993be36fec502e3532371908842

      SHA512

      2eb4037361c03e195c642a53f55a3182a6df19903db503060e366f2394750e64ae04fdaace61ef5a6dba649defc88322d78edd2928bc53ebd1ce11d68cc88dac

    • C:\Windows\SysWOW64\WindowsInput.InstallLog

      Filesize

      597B

      MD5

      c2291863df7c2d3038ce3c22fa276506

      SHA1

      7b7d2bc07a6c35523807342c747c9b6a19f3184e

      SHA256

      14504199bede3f46129969dbd2b7680f2e5b7fcd73a3e427ce1bb6217a6d13da

      SHA512

      00bf40174a67e3e663d18a887c5b461a1e5ead0b27f0a139d87969158c58f4ca72cfa5a731dda239356192ca4cb5ac6ae2b0e37401d534e686cabacd3cbee8fa

    • C:\Windows\SysWOW64\WindowsInput.exe

      Filesize

      21KB

      MD5

      e854a4636afc652b320e12e50ba4080e

      SHA1

      8a4ac6ecc22ee5f3a8ec846d38b41ff18c641fdc

      SHA256

      94b9c78c6fa2bf61fba20a08ad4563f7dd2f5668c28eff227965ce0a2032d5d5

      SHA512

      30aabd5079b6ed0948eb70fd18e9166096e4ba5d1d47fc35b7270f931d19bbe6cd929b6010f70297bf5272dc5a79e2523721354d211c4080d68ad8d17e316118

    • memory/216-59-0x0000000000F70000-0x0000000001294000-memory.dmp

      Filesize

      3.1MB

    • memory/756-152-0x0000019E7F9C0000-0x0000019E7F9E2000-memory.dmp

      Filesize

      136KB

    • memory/1984-135-0x0000000000390000-0x00000000005E2000-memory.dmp

      Filesize

      2.3MB

    • memory/1984-169-0x0000000000EC0000-0x0000000000ECE000-memory.dmp

      Filesize

      56KB

    • memory/1984-161-0x00000000027F0000-0x0000000002840000-memory.dmp

      Filesize

      320KB

    • memory/1984-167-0x0000000000E80000-0x0000000000E92000-memory.dmp

      Filesize

      72KB

    • memory/1984-162-0x0000000000E60000-0x0000000000E76000-memory.dmp

      Filesize

      88KB

    • memory/1984-163-0x0000000000EE0000-0x0000000000F36000-memory.dmp

      Filesize

      344KB

    • memory/1984-160-0x0000000000E40000-0x0000000000E5C000-memory.dmp

      Filesize

      112KB

    • memory/1984-170-0x0000000000F30000-0x0000000000F38000-memory.dmp

      Filesize

      32KB

    • memory/1984-171-0x000000001B320000-0x000000001B328000-memory.dmp

      Filesize

      32KB

    • memory/1984-168-0x000000001C190000-0x000000001C6B8000-memory.dmp

      Filesize

      5.2MB

    • memory/2720-40-0x0000000000B90000-0x0000000000BA2000-memory.dmp

      Filesize

      72KB

    • memory/2720-26-0x0000000073B3E000-0x0000000073B3F000-memory.dmp

      Filesize

      4KB

    • memory/2720-165-0x0000000005460000-0x00000000054FC000-memory.dmp

      Filesize

      624KB

    • memory/3188-172-0x000000001C690000-0x000000001C742000-memory.dmp

      Filesize

      712KB

    • memory/3640-90-0x0000000001330000-0x0000000001348000-memory.dmp

      Filesize

      96KB

    • memory/3640-109-0x000000001CB50000-0x000000001CBEC000-memory.dmp

      Filesize

      624KB

    • memory/3640-108-0x000000001C5E0000-0x000000001CAAE000-memory.dmp

      Filesize

      4.8MB

    • memory/3640-95-0x000000001BC80000-0x000000001BCA4000-memory.dmp

      Filesize

      144KB

    • memory/3640-91-0x0000000001370000-0x0000000001390000-memory.dmp

      Filesize

      128KB

    • memory/3880-57-0x00000000003A0000-0x00000000003BA000-memory.dmp

      Filesize

      104KB

    • memory/3880-236-0x000000001AF30000-0x000000001AF3E000-memory.dmp

      Filesize

      56KB

    • memory/3968-158-0x00000000059E0000-0x00000000059F8000-memory.dmp

      Filesize

      96KB

    • memory/3968-159-0x0000000006230000-0x00000000063F2000-memory.dmp

      Filesize

      1.8MB

    • memory/3968-164-0x0000000005A70000-0x0000000005A80000-memory.dmp

      Filesize

      64KB

    • memory/3968-166-0x00000000061E0000-0x00000000061EA000-memory.dmp

      Filesize

      40KB

    • memory/3980-55-0x0000000000400000-0x0000000000AB3000-memory.dmp

      Filesize

      6.7MB

    • memory/3988-62-0x00000000054F0000-0x000000000553C000-memory.dmp

      Filesize

      304KB

    • memory/3988-61-0x0000000005580000-0x0000000005612000-memory.dmp

      Filesize

      584KB

    • memory/3988-131-0x00000000062D0000-0x00000000062E8000-memory.dmp

      Filesize

      96KB

    • memory/3988-130-0x0000000006270000-0x00000000062BE000-memory.dmp

      Filesize

      312KB

    • memory/3988-72-0x0000000005570000-0x0000000005578000-memory.dmp

      Filesize

      32KB

    • memory/3988-73-0x0000000005C40000-0x0000000005C62000-memory.dmp

      Filesize

      136KB

    • memory/3988-76-0x0000000005640000-0x000000000564C000-memory.dmp

      Filesize

      48KB

    • memory/3988-157-0x0000000073B30000-0x00000000742E0000-memory.dmp

      Filesize

      7.7MB

    • memory/3988-60-0x0000000005690000-0x0000000005C34000-memory.dmp

      Filesize

      5.6MB

    • memory/3988-51-0x0000000073B30000-0x00000000742E0000-memory.dmp

      Filesize

      7.7MB

    • memory/3988-56-0x0000000000780000-0x0000000000858000-memory.dmp

      Filesize

      864KB

    • memory/3988-58-0x0000000002AB0000-0x0000000002ABA000-memory.dmp

      Filesize

      40KB

    • memory/4904-235-0x000000001BFE0000-0x000000001BFF2000-memory.dmp

      Filesize

      72KB

    • memory/4904-234-0x000000001D400000-0x000000001D456000-memory.dmp

      Filesize

      344KB