Malware Analysis Report

2025-01-18 16:49

Sample ID 221002-2zrdmsfgfn
Target f842d68c4fc549af6ee798769fc0e2eaf3f50f2207d7aadd86b11c1826ef31d6
SHA256 f842d68c4fc549af6ee798769fc0e2eaf3f50f2207d7aadd86b11c1826ef31d6
Tags
isrstealer collection spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

f842d68c4fc549af6ee798769fc0e2eaf3f50f2207d7aadd86b11c1826ef31d6

Threat Level: Known bad

The file f842d68c4fc549af6ee798769fc0e2eaf3f50f2207d7aadd86b11c1826ef31d6 was found to be: Known bad.

Malicious Activity Summary

isrstealer collection spyware stealer trojan upx

ISR Stealer payload

ISR Stealer

NirSoft MailPassView

Nirsoft

Executes dropped EXE

UPX packed file

Reads user/profile data of web browsers

Loads dropped DLL

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-02 23:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-02 23:01

Reported

2022-10-03 03:26

Platform

win7-20220812-en

Max time kernel

50s

Max time network

54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f842d68c4fc549af6ee798769fc0e2eaf3f50f2207d7aadd86b11c1826ef31d6.exe"

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows collapsed; no details recorded)

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows collapsed; no details recorded)

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows collapsed; no details recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\QLUQL.exe N/A (3 identical rows collapsed)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (16 identical rows collapsed; no details recorded)

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\QLUQL.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\QLUQL.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <blob data elided> C:\Users\Admin\AppData\Local\Temp\QLUQL.exe N/A (2 identical rows collapsed)

Suspicious use of WriteProcessMemory

Description Indicator Process Target Rows (identical entries collapsed)
PID 560 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\f842d68c4fc549af6ee798769fc0e2eaf3f50f2207d7aadd86b11c1826ef31d6.exe C:\Users\Admin\AppData\Local\Temp\f842d68c4fc549af6ee798769fc0e2eaf3f50f2207d7aadd86b11c1826ef31d6.exe 8
PID 560 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\f842d68c4fc549af6ee798769fc0e2eaf3f50f2207d7aadd86b11c1826ef31d6.exe C:\Users\Admin\AppData\Local\Temp\f842d68c4fc549af6ee798769fc0e2eaf3f50f2207d7aadd86b11c1826ef31d6.exe 11
PID 952 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\f842d68c4fc549af6ee798769fc0e2eaf3f50f2207d7aadd86b11c1826ef31d6.exe C:\Users\Admin\AppData\Local\Temp\QLUQL.exe 4
PID 672 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\QLUQL.exe C:\Users\Admin\AppData\Local\Temp\QLUQL.exe 9
PID 672 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\QLUQL.exe C:\Users\Admin\AppData\Local\Temp\QLUQL.exe 9

Processes

Image Command line
C:\Users\Admin\AppData\Local\Temp\f842d68c4fc549af6ee798769fc0e2eaf3f50f2207d7aadd86b11c1826ef31d6.exe "C:\Users\Admin\AppData\Local\Temp\f842d68c4fc549af6ee798769fc0e2eaf3f50f2207d7aadd86b11c1826ef31d6.exe"
C:\Users\Admin\AppData\Local\Temp\f842d68c4fc549af6ee798769fc0e2eaf3f50f2207d7aadd86b11c1826ef31d6.exe "C:\Users\Admin\AppData\Local\Temp\f842d68c4fc549af6ee798769fc0e2eaf3f50f2207d7aadd86b11c1826ef31d6.exe"
C:\Users\Admin\AppData\Local\Temp\f842d68c4fc549af6ee798769fc0e2eaf3f50f2207d7aadd86b11c1826ef31d6.exe "C:\Users\Admin\AppData\Local\Temp\f842d68c4fc549af6ee798769fc0e2eaf3f50f2207d7aadd86b11c1826ef31d6.exe"
C:\Users\Admin\AppData\Local\Temp\QLUQL.exe "C:\Users\Admin\AppData\Local\Temp\QLUQL.exe"
C:\Users\Admin\AppData\Local\Temp\QLUQL.exe /scomma "C:\Users\Admin\AppData\Local\Temp\izGbnYURxF.ini"
C:\Users\Admin\AppData\Local\Temp\QLUQL.exe /scomma "C:\Users\Admin\AppData\Local\Temp\g8PeqvOjiC.ini"

Network

Country Destination Domain Proto
US 8.8.8.8:53 skajyneos.hostzi.com udp
US 153.92.0.100:80 skajyneos.hostzi.com tcp
US 8.8.8.8:53 www.000webhost.com udp
US 104.19.184.120:443 www.000webhost.com tcp

Files

Memory dumps (PID-event-address range):

memory/560-57-0x00000000005C0000-0x00000000005C4000-memory.dmp
memory/560-56-0x00000000005C0000-0x00000000005C4000-memory.dmp
memory/560-58-0x00000000005C0000-0x00000000005C4000-memory.dmp
memory/560-59-0x00000000024F0000-0x00000000025AA000-memory.dmp
memory/952-63-0x0000000000400000-0x0000000000449000-memory.dmp
memory/952-64-0x0000000000400000-0x0000000000449000-memory.dmp
memory/952-66-0x0000000000400000-0x0000000000449000-memory.dmp
memory/952-67-0x0000000000400000-0x0000000000449000-memory.dmp
memory/952-68-0x00000000004472A0-mapping.dmp
memory/1368-72-0x0000000000400000-0x0000000000417000-memory.dmp
memory/952-74-0x0000000000400000-0x0000000000449000-memory.dmp
memory/1368-77-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1368-75-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1368-73-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1368-79-0x0000000000400000-0x0000000000417000-memory.dmp
memory/952-71-0x0000000000400000-0x0000000000449000-memory.dmp
memory/1368-70-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1368-80-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1368-81-0x000000000040102B-mapping.dmp
memory/1368-84-0x0000000000400000-0x0000000000417000-memory.dmp
memory/952-85-0x0000000076041000-0x0000000076043000-memory.dmp
memory/952-86-0x0000000000400000-0x0000000000449000-memory.dmp
memory/1368-87-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1368-90-0x00000000747D0000-0x00000000747F6000-memory.dmp
memory/672-96-0x0000000000000000-mapping.dmp
memory/640-102-0x0000000000400000-0x0000000000453000-memory.dmp
memory/640-103-0x00000000004512E0-mapping.dmp
memory/640-107-0x0000000000400000-0x0000000000453000-memory.dmp
memory/640-108-0x0000000000400000-0x0000000000453000-memory.dmp
memory/640-109-0x0000000000400000-0x0000000000453000-memory.dmp
memory/640-110-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1124-114-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1124-115-0x000000000041C410-mapping.dmp
memory/1124-119-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1124-120-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1124-121-0x0000000000400000-0x000000000041F000-memory.dmp
memory/952-122-0x0000000000400000-0x0000000000449000-memory.dmp

Dropped files (identical entries collapsed):

\Users\Admin\AppData\Local\Temp\dup2patcher.dll

MD5 43bcd632e19ac3fdc43e7958465ce835
SHA1 30454241e95b78ddb125a4c784f160609589ee5f
SHA256 7694627600115240b503f214cbfb9106415802c345e982c3bf9c8d05910a1a7c
SHA512 ffe7507bcc2413a5b846ec62b9edd3ec94d79a2fd3ecaf4ce2ddb96a7d42facdfa9aabd84d06e15ab644ae478715c566a91e9bb8ba12fc9ff9a3b8390ca6d886

C:\Users\Admin\AppData\Local\Temp\QLUQL.exe (also listed as \Users\Admin\AppData\Local\Temp\QLUQL.exe; 11 identical entries collapsed)

MD5 82ce6a2616f9b8e7c9037df683083524
SHA1 bcdef4e3b26634d84f5c02148a7b720a3c434407
SHA256 5f178dd7febe66cf37bb293133a99315fc3b8b3b903655381a7404e79a969b42
SHA512 10d326f05eaa5e16b7d087fb54ce59a772e67f00b33b82356b47d73ad775fff74588d4bcee3760430c5de49d9220ca4f1e1eeacf87caad11d55e4fc5be133a4c

C:\Users\Admin\AppData\Local\Temp\izGbnYURxF.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-02 23:01

Reported

2022-10-03 03:26

Platform

win10v2004-20220901-en

Max time kernel

134s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f842d68c4fc549af6ee798769fc0e2eaf3f50f2207d7aadd86b11c1826ef31d6.exe"

Signatures

Processes

Image Command line
C:\Users\Admin\AppData\Local\Temp\f842d68c4fc549af6ee798769fc0e2eaf3f50f2207d7aadd86b11c1826ef31d6.exe "C:\Users\Admin\AppData\Local\Temp\f842d68c4fc549af6ee798769fc0e2eaf3f50f2207d7aadd86b11c1826ef31d6.exe"
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3036 -ip 3036
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 468

Network

Country Destination Domain Proto
US 20.42.73.24:443 N/A tcp
FR 2.18.109.224:443 N/A tcp
US 8.8.8.8:53 96.108.152.52.in-addr.arpa udp
NL 88.221.25.155:80 N/A tcp
US 8.8.8.8:53 14.110.152.52.in-addr.arpa udp
NL 87.248.202.1:80 N/A tcp

Files

N/A