Malware Analysis Report

2025-01-18 16:47

Sample ID 220530-tcfpmaeghm
Target 0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5
SHA256 0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5
Tags
isrstealer collection spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5

Threat Level: Known bad

The file 0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5 was found to be: Known bad.

Malicious Activity Summary

isrstealer collection spyware stealer trojan upx

ISR Stealer Payload

ISR Stealer

Nirsoft

NirSoft MailPassView

UPX packed file

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Drops desktop.ini file(s)

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

NTFS ADS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-30 15:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-30 15:54

Reported

2022-05-30 16:12

Platform

win7-20220414-en

Max time kernel

46s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe"

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer Payload

N/A

NirSoft MailPassView

N/A

Nirsoft

N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

UPX packed file

upx
N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1588 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe C:\Windows\SysWOW64\cmd.exe
PID 1588 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe C:\Windows\SysWOW64\cmd.exe
PID 1588 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe C:\Windows\SysWOW64\cmd.exe
PID 1588 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1260 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1260 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1260 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1588 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1588 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1588 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1588 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1588 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1588 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1588 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1588 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1240 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1240 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1240 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1240 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1240 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1240 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1240 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1240 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1240 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1240 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1240 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1240 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1240 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1240 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1240 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1240 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1240 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1240 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe

"C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\jg2ltS7XmW.ini"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\3vBlCnzPP3.ini"

Network

N/A

Files

memory/1588-54-0x0000000076191000-0x0000000076193000-memory.dmp

memory/1260-55-0x0000000000000000-mapping.dmp

memory/1468-56-0x0000000000000000-mapping.dmp

memory/1588-57-0x0000000074580000-0x0000000074B2B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

MD5 066d70aad37e93ff30dfea3cd49ccc79
SHA1 0de81c392d9eaa47c2a42e2ea8e0cc33519448b8
SHA256 0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5
SHA512 8d53f0c36c0207ac1cfffee70d6070a24d47bf5e7f5c93d1d21eb6a2f931b08c6680ecb78c4e3c47d5e35737d35363837942c9f42321693059dce84a0008e587

\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 32827e69b293b99013bbbe37d029245d
SHA1 bc9f80a38f09354d71467a05b0c5a82c3f7dac53
SHA256 9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f
SHA512 58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

memory/1240-62-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1588-61-0x0000000072CC0000-0x00000000737B8000-memory.dmp

memory/1240-63-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1240-65-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1240-67-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1240-68-0x0000000000401180-mapping.dmp

memory/1588-71-0x0000000073C50000-0x00000000743EC000-memory.dmp

memory/1588-78-0x0000000073AC0000-0x0000000073C48000-memory.dmp

memory/564-79-0x00000000004512E0-mapping.dmp

memory/564-77-0x0000000000400000-0x0000000000453000-memory.dmp

memory/564-83-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1588-85-0x0000000074580000-0x0000000074B2B000-memory.dmp

memory/564-84-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1588-86-0x0000000072CC0000-0x00000000737B8000-memory.dmp

memory/1588-87-0x0000000073C50000-0x00000000743EC000-memory.dmp

memory/1588-88-0x0000000071F40000-0x00000000720DB000-memory.dmp

memory/1588-89-0x00000000720E0000-0x0000000072CBE000-memory.dmp

memory/1584-91-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1584-92-0x000000000041C410-mapping.dmp

memory/1584-96-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1584-97-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1240-99-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1584-98-0x0000000000400000-0x000000000041F000-memory.dmp

memory/564-100-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1240-101-0x0000000000400000-0x0000000000442000-memory.dmp

memory/564-102-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1584-103-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1588-104-0x00000000720E0000-0x0000000072CBE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-30 15:54

Reported

2022-05-30 16:10

Platform

win10v2004-20220414-en

Max time kernel

91s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe"

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer Payload

N/A

NirSoft MailPassView

N/A

Nirsoft

N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

UPX packed file

upx
N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4668 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe C:\Windows\SysWOW64\cmd.exe
PID 4668 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe C:\Windows\SysWOW64\cmd.exe
PID 4668 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe C:\Windows\SysWOW64\cmd.exe
PID 4636 wrote to memory of 456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4636 wrote to memory of 456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4636 wrote to memory of 456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4668 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4668 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4668 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4668 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4668 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4668 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4668 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1948 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1948 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1948 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1948 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1948 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1948 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1948 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1948 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1948 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1948 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1948 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1948 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1948 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1948 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1948 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1948 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe

"C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\lJwfLZJKJA.ini"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\xyu2yhbVAT.ini"

Network

Country Destination Domain Proto
US 8.8.8.8:53 cf23112.tmweb.ru udp
NL 104.110.191.133:80 N/A tcp
US 20.189.173.13:443 N/A tcp
NL 104.110.191.133:80 N/A tcp
NL 104.110.191.133:80 N/A tcp
NL 95.101.78.209:80 N/A tcp

Files

memory/4668-130-0x0000000075360000-0x0000000075911000-memory.dmp

memory/4636-131-0x0000000000000000-mapping.dmp

memory/456-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

MD5 066d70aad37e93ff30dfea3cd49ccc79
SHA1 0de81c392d9eaa47c2a42e2ea8e0cc33519448b8
SHA256 0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5
SHA512 8d53f0c36c0207ac1cfffee70d6070a24d47bf5e7f5c93d1d21eb6a2f931b08c6680ecb78c4e3c47d5e35737d35363837942c9f42321693059dce84a0008e587

memory/4668-134-0x0000000074160000-0x0000000074C60000-memory.dmp

memory/1948-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 1c9ff7df71493896054a91bee0322ebf
SHA1 38f1c85965d58b910d8e8381b6b1099d5dfcbfe4
SHA256 e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa
SHA512 aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

memory/1948-136-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1948-140-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4668-142-0x00000000738D0000-0x0000000074078000-memory.dmp

memory/2828-144-0x0000000000000000-mapping.dmp

memory/2828-145-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2828-148-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2828-149-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2828-150-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1948-151-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lJwfLZJKJA.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

memory/3424-153-0x0000000000000000-mapping.dmp

memory/3424-154-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3424-157-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3424-158-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3424-159-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3424-160-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4668-161-0x0000000075360000-0x0000000075911000-memory.dmp

memory/4668-162-0x00000000738D0000-0x0000000074078000-memory.dmp

memory/4668-163-0x0000000074160000-0x0000000074C60000-memory.dmp

memory/4668-164-0x0000000075360000-0x0000000075911000-memory.dmp

memory/1948-165-0x0000000000400000-0x0000000000442000-memory.dmp