Malware Analysis Report

2025-01-18 16:45

Sample ID 220621-ex85cadfg3
Target 3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507
SHA256 3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507
Tags: isrstealer collection spyware stealer suricata trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256

3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507

Threat Level: Known bad

The file 3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507 was found to be: Known bad.

Malicious Activity Summary

isrstealer collection spyware stealer suricata trojan upx

ISR Stealer

ISR Stealer Payload

suricata: ET MALWARE ISRStealer Checkin

Nirsoft

NirSoft MailPassView

UPX packed file

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-21 04:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-21 04:20

Reported

2022-06-21 04:23

Platform

win7-20220414-en

Max time kernel

39s

Max time network

55s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe"

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

suricata: ET MALWARE ISRStealer Checkin

suricata

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Nirsoft

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1664 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 1664 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 1664 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 1664 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 1664 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 1664 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 1664 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 1664 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 1716 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 1716 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 1716 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 1716 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 1716 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 1716 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 1716 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 1716 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 1716 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 1716 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 1716 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 1716 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 1716 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 1716 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 1716 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 1716 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 1716 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 1716 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe

"C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe"

C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe

C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe

C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\STeuSlCJQb.ini"

C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\8TDgKgVOrU.ini"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | dogrusu.net | udp
US | 64.32.8.67:80 | dogrusu.net | tcp
US | 8.8.8.8:53 | ww4.dogrusu.net | udp
US | 199.59.243.220:80 | ww4.dogrusu.net | tcp

Files

memory/1664-56-0x0000000000400000-0x0000000000500000-memory.dmp

memory/1664-57-0x0000000000330000-0x0000000000390000-memory.dmp

memory/1664-58-0x00000000035F0000-0x00000000036F0000-memory.dmp

memory/1664-59-0x00000000035F0000-0x00000000036F0000-memory.dmp

memory/1716-60-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1716-61-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1716-63-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1716-67-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1716-69-0x0000000000401180-mapping.dmp

memory/1664-71-0x0000000000400000-0x0000000000500000-memory.dmp

memory/1664-72-0x0000000000330000-0x0000000000390000-memory.dmp

memory/1720-75-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1720-76-0x00000000004512E0-mapping.dmp

memory/1720-78-0x00000000754A1000-0x00000000754A3000-memory.dmp

memory/1720-79-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1720-80-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1716-81-0x0000000002760000-0x0000000002860000-memory.dmp

memory/1720-82-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1720-83-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\STeuSlCJQb.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

memory/1968-87-0x000000000041C410-mapping.dmp

memory/1968-86-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1968-90-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1968-91-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1968-92-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1716-93-0x00000000033D0000-0x00000000034D0000-memory.dmp

memory/1716-94-0x0000000002760000-0x0000000002860000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-21 04:20

Reported

2022-06-21 04:22

Platform

win10v2004-20220414-en

Max time kernel

90s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe"

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

suricata: ET MALWARE ISRStealer Checkin

suricata

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Nirsoft

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4504 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 4504 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 4504 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 4504 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 4504 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 4504 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 4504 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 4504 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 952 wrote to memory of 1844 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 952 wrote to memory of 1844 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 952 wrote to memory of 1844 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 952 wrote to memory of 1844 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 952 wrote to memory of 1844 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 952 wrote to memory of 1844 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 952 wrote to memory of 1844 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 952 wrote to memory of 1844 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 952 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 952 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 952 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 952 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 952 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 952 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 952 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe
PID 952 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe

"C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe"

C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe

C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe

C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\z8vMLLjxkt.ini"

C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\j8n9Hp98RC.ini"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | dogrusu.net | udp
US | 64.32.8.67:80 | dogrusu.net | tcp
US | 8.8.8.8:53 | ww4.dogrusu.net | udp
US | 199.59.243.220:80 | ww4.dogrusu.net | tcp
BE | 67.27.154.126:80 |  | tcp
US | 20.42.65.89:443 |  | tcp
BE | 67.27.154.126:80 |  | tcp
BE | 67.27.154.126:80 |  | tcp
BE | 67.27.154.126:80 |  | tcp

Files

memory/4504-130-0x0000000000400000-0x0000000000500000-memory.dmp

memory/4504-133-0x00000000022F0000-0x0000000002350000-memory.dmp

memory/4504-134-0x0000000003B30000-0x0000000003C30000-memory.dmp

memory/4504-135-0x0000000003B30000-0x0000000003C30000-memory.dmp

memory/952-136-0x0000000000000000-mapping.dmp

memory/952-137-0x0000000000400000-0x0000000000442000-memory.dmp

memory/952-139-0x0000000000400000-0x0000000000442000-memory.dmp

memory/952-141-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4504-142-0x0000000000400000-0x0000000000500000-memory.dmp

memory/4504-143-0x00000000022F0000-0x0000000002350000-memory.dmp

memory/1844-146-0x0000000000000000-mapping.dmp

memory/1844-147-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1844-149-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1844-150-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1844-151-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\z8vMLLjxkt.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

memory/4552-153-0x0000000000000000-mapping.dmp

memory/4552-154-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4552-156-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4552-157-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4552-158-0x0000000000400000-0x000000000041F000-memory.dmp