isrstealer | d265fcb40a443162e0da3274ca4a0c81418c12756b929b29f34688abddae01b5

Analysis

max time kernel
75s
max time network
74s
platform
windows10_x64
resource
win10v20201028
submitted
15-11-2020 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d265fcb40a443162e0da3274ca4a0c81418c12756b929b29f34688abddae01b5.exe
Size

1.2MB
MD5

e9fea729bae2bd3a20d61829dc12c806
SHA1

d89fe8744aae2fa5164163045d6f91540cd49213
SHA256

d265fcb40a443162e0da3274ca4a0c81418c12756b929b29f34688abddae01b5
SHA512

9d60873b85bb2128e35258789b7c40d3d29a8ff476272759844bb8f74fd665fb82dcbe9672e9311b0c7537d6ab1f8662ac43abe8bc7aa4b63519b03d0fb45ab3

Score

10^/10

isrstealer evasion persistence stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer Payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/852-6-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/852-7-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral2/memory/852-8-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/736-23-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral2/memory/684-95-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral2/memory/200-324-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral2/memory/2792-510-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral2/memory/3760-528-0x0000000000401180-mapping.dmp	family_isrstealer

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/2504-17-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/2236-33-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/900-267-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2504-17-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/2236-33-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/900-267-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 6 IoCs

Processes:

eYmFqcBd.exeeYmFqcBd.exeeYmFqcBd.exeeYmFqcBd.exeeYmFqcBd.exeeYmFqcBd.exe

pid process

936 eYmFqcBd.exe
188 eYmFqcBd.exe
204 eYmFqcBd.exe
2632 eYmFqcBd.exe
1516 eYmFqcBd.exe
2484 eYmFqcBd.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2504-14-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2504-16-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2504-17-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2236-32-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2236-33-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2084-108-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2084-112-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2084-114-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/900-266-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/900-267-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/492-516-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/492-517-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

eYmFqcBd.exeeYmFqcBd.exeeYmFqcBd.exeeYmFqcBd.exeeYmFqcBd.exeeYmFqcBd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	eYmFqcBd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\e9h2a4n = "C:\\Users\\Admin\\e9h2a4n\\66321.vbs"	eYmFqcBd.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	eYmFqcBd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\e9h2a4n = "C:\\Users\\Admin\\e9h2a4n\\66321.vbs"	eYmFqcBd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\e9h2a4n = "C:\\Users\\Admin\\e9h2a4n\\66321.vbs"	eYmFqcBd.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	eYmFqcBd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\e9h2a4n = "C:\\Users\\Admin\\e9h2a4n\\66321.vbs"	eYmFqcBd.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	eYmFqcBd.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	eYmFqcBd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\e9h2a4n = "C:\\Users\\Admin\\e9h2a4n\\66321.vbs"	eYmFqcBd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\e9h2a4n = "C:\\Users\\Admin\\e9h2a4n\\66321.vbs"	eYmFqcBd.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	eYmFqcBd.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

eYmFqcBd.exeeYmFqcBd.exeeYmFqcBd.exeeYmFqcBd.exeeYmFqcBd.exeeYmFqcBd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eYmFqcBd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eYmFqcBd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eYmFqcBd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eYmFqcBd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eYmFqcBd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eYmFqcBd.exe

Suspicious use of SetThreadContext 18 IoCs

Processes:

eYmFqcBd.exeRegSvcs.exeeYmFqcBd.exeRegSvcs.exeeYmFqcBd.exeRegSvcs.exeeYmFqcBd.exeRegSvcs.exeeYmFqcBd.exeRegSvcs.exeeYmFqcBd.exeRegSvcs.exe

description	pid	process	target process
PID 936 set thread context of 852	936	eYmFqcBd.exe	RegSvcs.exe
PID 852 set thread context of 952	852	RegSvcs.exe	RegSvcs.exe
PID 852 set thread context of 2504	852	RegSvcs.exe	RegSvcs.exe
PID 188 set thread context of 736	188	eYmFqcBd.exe	RegSvcs.exe
PID 736 set thread context of 2180	736	RegSvcs.exe	RegSvcs.exe
PID 736 set thread context of 2236	736	RegSvcs.exe	RegSvcs.exe
PID 204 set thread context of 684	204	eYmFqcBd.exe	RegSvcs.exe
PID 684 set thread context of 2084	684	RegSvcs.exe	RegSvcs.exe
PID 684 set thread context of 900	684	RegSvcs.exe	RegSvcs.exe
PID 2632 set thread context of 200	2632	eYmFqcBd.exe	RegSvcs.exe
PID 200 set thread context of 3496	200	RegSvcs.exe	RegSvcs.exe
PID 200 set thread context of 2240	200	RegSvcs.exe	RegSvcs.exe
PID 1516 set thread context of 2792	1516	eYmFqcBd.exe	RegSvcs.exe
PID 2792 set thread context of 492	2792	RegSvcs.exe	RegSvcs.exe
PID 2792 set thread context of 768	2792	RegSvcs.exe	RegSvcs.exe
PID 2484 set thread context of 3760	2484	eYmFqcBd.exe	RegSvcs.exe
PID 3760 set thread context of 2728	3760	RegSvcs.exe	RegSvcs.exe
PID 3760 set thread context of 2156	3760	RegSvcs.exe	RegSvcs.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1744	952	WerFault.exe	RegSvcs.exe
1900	2180	WerFault.exe	RegSvcs.exe
812	2240	WerFault.exe	RegSvcs.exe
2668	768	WerFault.exe	RegSvcs.exe
3480	2156	WerFault.exe	RegSvcs.exe

Modifies registry class 11 IoCs

Processes:

eYmFqcBd.exeWScript.exeeYmFqcBd.exeeYmFqcBd.exeWScript.exeeYmFqcBd.exeWScript.exeWScript.exeeYmFqcBd.exeeYmFqcBd.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	eYmFqcBd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	eYmFqcBd.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	eYmFqcBd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	eYmFqcBd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	eYmFqcBd.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	eYmFqcBd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	WScript.exe

Suspicious behavior: EnumeratesProcesses 612 IoCs

Processes:

eYmFqcBd.exe

pid	process
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe

Suspicious use of AdjustPrivilegeToken 138 IoCs

Processes:

eYmFqcBd.exeeYmFqcBd.exeeYmFqcBd.exe

description	pid	process
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

RegSvcs.exeRegSvcs.exeRegSvcs.exeRegSvcs.exeRegSvcs.exeRegSvcs.exe

pid process

852 RegSvcs.exe
736 RegSvcs.exe
684 RegSvcs.exe
200 RegSvcs.exe
2792 RegSvcs.exe
3760 RegSvcs.exe

pid	process
852	RegSvcs.exe
736	RegSvcs.exe
684	RegSvcs.exe
200	RegSvcs.exe
2792	RegSvcs.exe
3760	RegSvcs.exe

Suspicious use of WriteProcessMemory 162 IoCs

Processes:

d265fcb40a443162e0da3274ca4a0c81418c12756b929b29f34688abddae01b5.exeeYmFqcBd.exeRegSvcs.exeWScript.exeeYmFqcBd.exeRegSvcs.exeWScript.exeeYmFqcBd.exeRegSvcs.exe

description	pid	process	target process
PID 1148 wrote to memory of 936	1148	d265fcb40a443162e0da3274ca4a0c81418c12756b929b29f34688abddae01b5.exe	eYmFqcBd.exe
PID 1148 wrote to memory of 936	1148	d265fcb40a443162e0da3274ca4a0c81418c12756b929b29f34688abddae01b5.exe	eYmFqcBd.exe
PID 1148 wrote to memory of 936	1148	d265fcb40a443162e0da3274ca4a0c81418c12756b929b29f34688abddae01b5.exe	eYmFqcBd.exe
PID 936 wrote to memory of 852	936	eYmFqcBd.exe	RegSvcs.exe
PID 936 wrote to memory of 852	936	eYmFqcBd.exe	RegSvcs.exe
PID 936 wrote to memory of 852	936	eYmFqcBd.exe	RegSvcs.exe
PID 936 wrote to memory of 852	936	eYmFqcBd.exe	RegSvcs.exe
PID 936 wrote to memory of 852	936	eYmFqcBd.exe	RegSvcs.exe
PID 852 wrote to memory of 952	852	RegSvcs.exe	RegSvcs.exe
PID 852 wrote to memory of 952	852	RegSvcs.exe	RegSvcs.exe
PID 852 wrote to memory of 952	852	RegSvcs.exe	RegSvcs.exe
PID 852 wrote to memory of 952	852	RegSvcs.exe	RegSvcs.exe
PID 852 wrote to memory of 952	852	RegSvcs.exe	RegSvcs.exe
PID 852 wrote to memory of 952	852	RegSvcs.exe	RegSvcs.exe
PID 852 wrote to memory of 952	852	RegSvcs.exe	RegSvcs.exe
PID 852 wrote to memory of 952	852	RegSvcs.exe	RegSvcs.exe
PID 852 wrote to memory of 2504	852	RegSvcs.exe	RegSvcs.exe
PID 852 wrote to memory of 2504	852	RegSvcs.exe	RegSvcs.exe
PID 852 wrote to memory of 2504	852	RegSvcs.exe	RegSvcs.exe
PID 852 wrote to memory of 2504	852	RegSvcs.exe	RegSvcs.exe
PID 852 wrote to memory of 2504	852	RegSvcs.exe	RegSvcs.exe
PID 852 wrote to memory of 2504	852	RegSvcs.exe	RegSvcs.exe
PID 852 wrote to memory of 2504	852	RegSvcs.exe	RegSvcs.exe
PID 852 wrote to memory of 2504	852	RegSvcs.exe	RegSvcs.exe
PID 936 wrote to memory of 2324	936	eYmFqcBd.exe	WScript.exe
PID 936 wrote to memory of 2324	936	eYmFqcBd.exe	WScript.exe
PID 936 wrote to memory of 2324	936	eYmFqcBd.exe	WScript.exe
PID 2324 wrote to memory of 188	2324	WScript.exe	eYmFqcBd.exe
PID 2324 wrote to memory of 188	2324	WScript.exe	eYmFqcBd.exe
PID 2324 wrote to memory of 188	2324	WScript.exe	eYmFqcBd.exe
PID 188 wrote to memory of 736	188	eYmFqcBd.exe	RegSvcs.exe
PID 188 wrote to memory of 736	188	eYmFqcBd.exe	RegSvcs.exe
PID 188 wrote to memory of 736	188	eYmFqcBd.exe	RegSvcs.exe
PID 188 wrote to memory of 736	188	eYmFqcBd.exe	RegSvcs.exe
PID 188 wrote to memory of 736	188	eYmFqcBd.exe	RegSvcs.exe
PID 736 wrote to memory of 2180	736	RegSvcs.exe	RegSvcs.exe
PID 736 wrote to memory of 2180	736	RegSvcs.exe	RegSvcs.exe
PID 736 wrote to memory of 2180	736	RegSvcs.exe	RegSvcs.exe
PID 736 wrote to memory of 2180	736	RegSvcs.exe	RegSvcs.exe
PID 736 wrote to memory of 2180	736	RegSvcs.exe	RegSvcs.exe
PID 736 wrote to memory of 2180	736	RegSvcs.exe	RegSvcs.exe
PID 736 wrote to memory of 2180	736	RegSvcs.exe	RegSvcs.exe
PID 736 wrote to memory of 2180	736	RegSvcs.exe	RegSvcs.exe
PID 736 wrote to memory of 2236	736	RegSvcs.exe	RegSvcs.exe
PID 736 wrote to memory of 2236	736	RegSvcs.exe	RegSvcs.exe
PID 736 wrote to memory of 2236	736	RegSvcs.exe	RegSvcs.exe
PID 736 wrote to memory of 2236	736	RegSvcs.exe	RegSvcs.exe
PID 736 wrote to memory of 2236	736	RegSvcs.exe	RegSvcs.exe
PID 736 wrote to memory of 2236	736	RegSvcs.exe	RegSvcs.exe
PID 736 wrote to memory of 2236	736	RegSvcs.exe	RegSvcs.exe
PID 736 wrote to memory of 2236	736	RegSvcs.exe	RegSvcs.exe
PID 188 wrote to memory of 2648	188	eYmFqcBd.exe	WScript.exe
PID 188 wrote to memory of 2648	188	eYmFqcBd.exe	WScript.exe
PID 188 wrote to memory of 2648	188	eYmFqcBd.exe	WScript.exe
PID 2648 wrote to memory of 204	2648	WScript.exe	eYmFqcBd.exe
PID 2648 wrote to memory of 204	2648	WScript.exe	eYmFqcBd.exe
PID 2648 wrote to memory of 204	2648	WScript.exe	eYmFqcBd.exe
PID 204 wrote to memory of 684	204	eYmFqcBd.exe	RegSvcs.exe
PID 204 wrote to memory of 684	204	eYmFqcBd.exe	RegSvcs.exe
PID 204 wrote to memory of 684	204	eYmFqcBd.exe	RegSvcs.exe
PID 204 wrote to memory of 684	204	eYmFqcBd.exe	RegSvcs.exe
PID 204 wrote to memory of 684	204	eYmFqcBd.exe	RegSvcs.exe
PID 684 wrote to memory of 2084	684	RegSvcs.exe	RegSvcs.exe
PID 684 wrote to memory of 2084	684	RegSvcs.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\d265fcb40a443162e0da3274ca4a0c81418c12756b929b29f34688abddae01b5.exe
"C:\Users\Admin\AppData\Local\Temp\d265fcb40a443162e0da3274ca4a0c81418c12756b929b29f34688abddae01b5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
"C:\Users\Admin\e9h2a4n\eYmFqcBd.exe" CTHiXWASNE.ELH
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\ofRUoQ49WU.ini"
4⤵
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 96
5⤵
- Program crash
PID:1744

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\nYnW8KNIRm.ini"
4⤵
PID:2504

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\e9h2a4n\run.vbs"
3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2324

C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
"C:\Users\Admin\e9h2a4n\eYmFqcBd.exe" CTHiXWASNE.ELH
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:188

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\uMMmxyOATf.ini"
6⤵
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 88
7⤵
- Program crash
PID:1900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\GBqVlhSSmI.ini"
6⤵
PID:2236

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\e9h2a4n\run.vbs"
5⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648

C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
"C:\Users\Admin\e9h2a4n\eYmFqcBd.exe" CTHiXWASNE.ELH
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:204

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\cz8UktnVqM.ini"
8⤵
PID:2084

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\7zEqC2V4fW.ini"
8⤵
PID:900

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\e9h2a4n\run.vbs"
7⤵
- Checks computer location settings
- Modifies registry class
PID:2404

C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
"C:\Users\Admin\e9h2a4n\eYmFqcBd.exe" CTHiXWASNE.ELH
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Modifies registry class
PID:2632

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:200

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\PrpMEBl4kp.ini"
10⤵
PID:3496

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\TYoUF0KRz9.ini"
10⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 24
11⤵
- Program crash
PID:812

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\e9h2a4n\run.vbs"
9⤵
- Checks computer location settings
- Modifies registry class
PID:3616

C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
"C:\Users\Admin\e9h2a4n\eYmFqcBd.exe" CTHiXWASNE.ELH
10⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Modifies registry class
PID:1516

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2792

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\mJljVBJszD.ini"
12⤵
PID:492

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\5hLs4VqvXU.ini"
12⤵
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 88
13⤵
- Program crash
PID:2668

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\e9h2a4n\run.vbs"
11⤵
- Checks computer location settings
- Modifies registry class
PID:1732

C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
"C:\Users\Admin\e9h2a4n\eYmFqcBd.exe" CTHiXWASNE.ELH
12⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Modifies registry class
PID:2484

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\vr6kRLoNTj.ini"
14⤵
PID:2728

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\FDnVD61O8h.ini"
14⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 88
15⤵
- Program crash
PID:3480

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\e9h2a4n\run.vbs"
13⤵
PID:2696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1BB09BEEC155258835C193A7AA85AA5B_3845DF03166CA2D5DB57F5E3A5A9D74C
MD5
219c21a027bbafa812fd4db6af683e1d

SHA1
68e0d95256ed31f16f2542fbce6136e1bc4b6b7a

SHA256
21ce70e9baddc1498cfe64fb1eed585983367a9f416522ef5acf8c8ab5656b26

SHA512
3fa914f9358974fb513aaadafafd6dca28327d6c0979a2dae618d71bc4520fedabd6b598a36d0bb5e5bd30dca0d2ab2cbf9d7b5c55bb024e9e081afdf5c9ad8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220
MD5
777593edab076fc433a6d653fd6a0ea2

SHA1
cc9c41ce8081841ad90a201f39fdad51142c1a61

SHA256
ffd150b84a3a1649cb98da4eee7cdce2deab31d2557af2837d7371ca407cc5a3

SHA512
699b4f3b29d21b41fdb6bba6517aaad5ae180a8fc4468fb6ef36eec1dbaabf421e71e5c2465dac5dcf21c2cdb2580fa685f830bf24582433c623fac53609d1e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
MD5
6b04fcb2133ddcc5d5611152ba03d804

SHA1
a43fd79838b9b1012dae67ed4f7c523736c5e94c

SHA256
309f80c9df767632dc4baa4dfd00bc716fce56c63a78b267c7c22df89f03aeee

SHA512
46a09be04f30e972023ae1e690caaeee416dcc577e30a2c39a50cc5f7176d9cd115fd1d70688c26c6b2703e1af8d93a13821cf80bddd8deff665b93ebc193d2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1BB09BEEC155258835C193A7AA85AA5B_3845DF03166CA2D5DB57F5E3A5A9D74C
MD5
2bd1b1fef69a981c93e12b5d4926322f

SHA1
3a0cc2df4e2279118b3e63e8eb2d2af0bcd8c95f

SHA256
1febec58f95086a8f88d29bb32587c6fbacc0f540fa30d1c0269f8a5e8c081c4

SHA512
6bde5db14477c0c001cb423687a5cff2882afcfb634c7abf83ddee3aa808e37d52505f54f03c094fd988f95bdafa317593652a2ee524167dbea50d265cd6cb70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220
MD5
32991b16ee0758a70a3305f39cd6681e

SHA1
d16a6e2bbb1601d5e5c0ede94fe27cfd3ab6603f

SHA256
fe81114862977cdb2b292c60336dabe349b4ce93d64763aaeb95b1de5e57736f

SHA512
f20e516d7182ba1da43cdba7ec1cda6d28fd26dba2ebeea1d834e7b050571f0ceb1237970cc25ea1667f19760b688a6bbc0d80f6c3f87077f56ca20a78c7d2c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
MD5
2f028bbc6b5a33d3b354df4e876c1d8a

SHA1
11b73c57a0a13cc793c7dd721665c0e1dea858ae

SHA256
cb88d64cdab4c4cf2474380e8cfa47b45807242b6b77382033a9c1b68759689c

SHA512
0ef0cf122381397f5556a0e58471b87e862a7eec2837e451996c60cd1186e8f7b3a0c5c423277754e531eff9a89fbb98926a44a52bdf25a47553c449ccc00457

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JGAO043J\index[1].htm
MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S7PGJ114\index[1].htm
MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S7PGJ114\index[1].htm
MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\ODCP24MO.cookie
MD5
bfbc02104e24490954a6d9e0204c2365

SHA1
c858820c77ca0d0f92758573a5868084fbb029c7

SHA256
14e90dc88d7e05820c7dfc666a48ad670e97b7a379c9d799eac6e89bf3b3bd43

SHA512
14182ad4b39b0fca3e455c44142fb0ad983688ec735ae9cec2cddcdbb1c0ef6852a07eb9426a28df65c56481acc6765fa81dc249d606e36e15a22878ff6b2214

Download Submit
C:\Users\Admin\AppData\Local\Temp\PrpMEBl4kp.ini
MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cz8UktnVqM.ini
MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mJljVBJszD.ini
MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vr6kRLoNTj.ini
MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\e9h2a4n\CTHiXWASNE.ELH
MD5
14ba8e475ed28ce69ef4d6d940d9443a

SHA1
2c8f0a2241471120aeef5c8522edf9969a80a151

SHA256
0fdccd810af0baa1283c94252773869acb72ff0fae0c0c2c05255fce696fb1c3

SHA512
40729caabf109de887e7c7ab027fddcc913f85486da47d12f7705f1506c17dc26d82750259014a977dd92d07bcccceace6cca583e6d33c55e479d522e7481188

Download Submit
C:\Users\Admin\e9h2a4n\MQGHDY~1.DNU
MD5
ef43ac1c8fffb96c9656a1a443740413

SHA1
33cc563ec129531afd95b170f60ab2ee155ef2ed

SHA256
2b55fd145b23d874eb72c15ebe167f95ea124998b4266ee8c2011dee77f27e63

SHA512
b34c28502a5141080bf08313797940a13d3de7a60d60dd4f713cfdfacaa35679177f99927012cb0769e4af979ca8d4804223cf4b4fc7ab6dea198722ec34b01c

Download Submit
C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
MD5
6cf9a0d989715773d49d5ff3ad601db3

SHA1
ecd328e049e23c9a826505335c0e2b9f64e7ec5e

SHA256
0984d3bc6ce07e701241aa785fa057e8bba7eb2503a5bef726a06a8bd2d2f349

SHA512
6043c05fb23cda3c831db65e080eea4f0e680eab5cd47c13d32cee777e3e877e1223d2b71d713db37d9b6c9111407cbb615fcec5fc3d63d14e82cec10ae83343

Download Submit
C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
MD5
6cf9a0d989715773d49d5ff3ad601db3

SHA1
ecd328e049e23c9a826505335c0e2b9f64e7ec5e

SHA256
0984d3bc6ce07e701241aa785fa057e8bba7eb2503a5bef726a06a8bd2d2f349

SHA512
6043c05fb23cda3c831db65e080eea4f0e680eab5cd47c13d32cee777e3e877e1223d2b71d713db37d9b6c9111407cbb615fcec5fc3d63d14e82cec10ae83343

Download Submit
C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
MD5
6cf9a0d989715773d49d5ff3ad601db3

SHA1
ecd328e049e23c9a826505335c0e2b9f64e7ec5e

SHA256
0984d3bc6ce07e701241aa785fa057e8bba7eb2503a5bef726a06a8bd2d2f349

SHA512
6043c05fb23cda3c831db65e080eea4f0e680eab5cd47c13d32cee777e3e877e1223d2b71d713db37d9b6c9111407cbb615fcec5fc3d63d14e82cec10ae83343

Download Submit
C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
MD5
6cf9a0d989715773d49d5ff3ad601db3

SHA1
ecd328e049e23c9a826505335c0e2b9f64e7ec5e

SHA256
0984d3bc6ce07e701241aa785fa057e8bba7eb2503a5bef726a06a8bd2d2f349

SHA512
6043c05fb23cda3c831db65e080eea4f0e680eab5cd47c13d32cee777e3e877e1223d2b71d713db37d9b6c9111407cbb615fcec5fc3d63d14e82cec10ae83343

Download Submit
C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
MD5
6cf9a0d989715773d49d5ff3ad601db3

SHA1
ecd328e049e23c9a826505335c0e2b9f64e7ec5e

SHA256
0984d3bc6ce07e701241aa785fa057e8bba7eb2503a5bef726a06a8bd2d2f349

SHA512
6043c05fb23cda3c831db65e080eea4f0e680eab5cd47c13d32cee777e3e877e1223d2b71d713db37d9b6c9111407cbb615fcec5fc3d63d14e82cec10ae83343

Download Submit
C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
MD5
6cf9a0d989715773d49d5ff3ad601db3

SHA1
ecd328e049e23c9a826505335c0e2b9f64e7ec5e

SHA256
0984d3bc6ce07e701241aa785fa057e8bba7eb2503a5bef726a06a8bd2d2f349

SHA512
6043c05fb23cda3c831db65e080eea4f0e680eab5cd47c13d32cee777e3e877e1223d2b71d713db37d9b6c9111407cbb615fcec5fc3d63d14e82cec10ae83343

Download Submit
C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
MD5
6cf9a0d989715773d49d5ff3ad601db3

SHA1
ecd328e049e23c9a826505335c0e2b9f64e7ec5e

SHA256
0984d3bc6ce07e701241aa785fa057e8bba7eb2503a5bef726a06a8bd2d2f349

SHA512
6043c05fb23cda3c831db65e080eea4f0e680eab5cd47c13d32cee777e3e877e1223d2b71d713db37d9b6c9111407cbb615fcec5fc3d63d14e82cec10ae83343

Download Submit
C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
MD5
6cf9a0d989715773d49d5ff3ad601db3

SHA1
ecd328e049e23c9a826505335c0e2b9f64e7ec5e

SHA256
0984d3bc6ce07e701241aa785fa057e8bba7eb2503a5bef726a06a8bd2d2f349

SHA512
6043c05fb23cda3c831db65e080eea4f0e680eab5cd47c13d32cee777e3e877e1223d2b71d713db37d9b6c9111407cbb615fcec5fc3d63d14e82cec10ae83343

Download Submit
C:\Users\Admin\e9h2a4n\run.vbs
MD5
da0e01692a845978e83c09cf515c5272

SHA1
09ecb39cac01fac85a547edae95ffd3455ef40c5

SHA256
e2c648e694a3705227be467dc6489643fd6f9f3a4c73e22391a004f3000f9ca6

SHA512
9b53cb6f53fcf55afa4727d4278dc5535b071736a54476cbcc5c0214b813535c02ccc6ee4eccfd2949ad5094dcbcf78da6bfb23763ff1522524137ae0fb12e56

Download Submit
C:\Users\Admin\e9h2a4n\tFIqlT.PUS
MD5
5e9812186011e7fc7c178bf6adb7b455

SHA1
670fad7414b7d8df2ef3b2dfc0a76512ef134efe

SHA256
48065461902c964380e29bff2172285e2b01f8b4d5f2f803169b84acdba08557

SHA512
44eb7958a5a59efc06794f8dc8b17d0a2347857d0cb1bdba631d17b20cd99f0f54d58610fc47ff60e46dd88bc203173772a8836b2bb7656e7eaee4064005cfc4

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/188-20-0x0000000000000000-mapping.dmp

Download
memory/200-324-0x0000000000401180-mapping.dmp

Download
memory/204-74-0x0000000000000000-mapping.dmp

Download
memory/492-516-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/492-517-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/492-515-0x00000000004512E0-mapping.dmp

Download
memory/684-95-0x0000000000401180-mapping.dmp

Download
memory/736-23-0x0000000000401180-mapping.dmp

Download
memory/768-521-0x000000000041C410-mapping.dmp

Download
memory/812-505-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/852-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/852-6-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/852-7-0x0000000000401180-mapping.dmp

Download
memory/900-265-0x000000000041C410-mapping.dmp

Download
memory/900-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/900-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/936-0-0x0000000000000000-mapping.dmp

Download
memory/952-12-0x00000000004512E0-mapping.dmp

Download
memory/1352-831-0x0000000000000000-mapping.dmp

Download
memory/1516-507-0x0000000000000000-mapping.dmp

Download
memory/1732-523-0x0000000000000000-mapping.dmp

Download
memory/1744-13-0x0000000004240000-0x0000000004241000-memory.dmp

Filesize
4KB

Download
memory/1900-29-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/2084-114-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2084-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2084-109-0x00000000004512E0-mapping.dmp

Download
memory/2084-108-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2156-539-0x000000000041C410-mapping.dmp

Download
memory/2180-28-0x00000000004512E0-mapping.dmp

Download
memory/2236-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2236-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2236-31-0x000000000041C410-mapping.dmp

Download
memory/2240-504-0x000000000041C410-mapping.dmp

Download
memory/2324-18-0x0000000000000000-mapping.dmp

Download
memory/2404-268-0x0000000000000000-mapping.dmp

Download
memory/2484-525-0x0000000000000000-mapping.dmp

Download
memory/2504-15-0x000000000041C410-mapping.dmp

Download
memory/2504-14-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2504-16-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2504-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2632-302-0x0000000000000000-mapping.dmp

Download
memory/2648-34-0x0000000000000000-mapping.dmp

Download
memory/2668-522-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download
memory/2696-541-0x0000000000000000-mapping.dmp

Download
memory/2728-533-0x00000000004512E0-mapping.dmp

Download
memory/2792-510-0x0000000000401180-mapping.dmp

Download
memory/3024-583-0x0000000000000000-mapping.dmp

Download
memory/3480-540-0x00000000041B0000-0x00000000041B1000-memory.dmp

Filesize
4KB

Download
memory/3496-338-0x00000000004512E0-mapping.dmp

Download
memory/3616-506-0x0000000000000000-mapping.dmp

Download
memory/3760-528-0x0000000000401180-mapping.dmp

Download