Malware Analysis Report

2025-01-18 16:49

Sample ID: 221003-s4cllsdbf2
Target: 9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016
SHA256: 9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016
Tags: isrstealer spyware stealer trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016
Threat Level: Known bad

The file 9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016 was found to be: Known bad.

Malicious Activity Summary

Tags: isrstealer spyware stealer trojan upx

ISR Stealer payload
ISR Stealer
Executes dropped EXE
UPX packed file
Reads user/profile data of web browsers
Checks computer location settings
Loads dropped DLL
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-10-03 15:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-10-03 15:40
Reported: 2022-10-03 16:19
Platform: win7-20220901-en
Max time kernel: 44s
Max time network: 50s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe"

Signatures

ISR Stealer (trojan stealer isrstealer)

ISR Stealer payload

4 rows, every field N/A: the report records no description, indicator, process or target for these matches.

Executes dropped EXE

Process
C:\Users\Admin\AppData\Local\Temp\1.exe
C:\Users\Admin\AppData\Local\Temp\2.exe
C:\Users\Admin\AppData\Local\Temp\1.exe

UPX packed file (upx)

12 rows, every field N/A: the report does not say which files or memory regions matched.

Reads user/profile data of web browsers (spyware stealer)

Suspicious use of SetThreadContext

Description | Process | Target
PID 1964 set thread context of 664 | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Users\Admin\AppData\Local\Temp\1.exe

Drops file in Windows directory

Description | Indicator | Process
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new | C:\Users\Admin\AppData\Local\Temp\9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new | C:\Users\Admin\AppData\Local\Temp\9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe

Both files are the CLR 2.0 code-access-security policy cache (security.config / enterprisesec.config) being regenerated, a side effect of the parent starting on the .NET Framework 2.0/3.5 runtime. The signature fires because they land under C:\Windows, not because a payload was written there.

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Process
C:\Users\Admin\AppData\Local\Temp\1.exe

Suspicious use of WriteProcessMemory

Description | Process | Target | Rows in original
PID 1368 wrote to memory of 1964 | C:\Users\Admin\AppData\Local\Temp\9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe | C:\Users\Admin\AppData\Local\Temp\1.exe | 4
PID 1368 wrote to memory of 1504 | C:\Users\Admin\AppData\Local\Temp\9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe | C:\Users\Admin\AppData\Local\Temp\2.exe | 7
PID 1964 wrote to memory of 664 | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Users\Admin\AppData\Local\Temp\1.exe | 9

This signature also fires for ordinary process creation, since a parent writes the new child's startup data into its address space, so the two rows from the sample (1368) into the children it starts are not by themselves evidence of injection. The row to examine is 1964 -> 664: 1.exe writes into a second 1.exe instance and, per the SetThreadContext table above, also changes that instance's thread context, which is the write-then-redirect sequence of process hollowing.

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe | "C:\Users\Admin\AppData\Local\Temp\9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe"
C:\Users\Admin\AppData\Local\Temp\1.exe | "C:\Users\Admin\AppData\Local\Temp\1.exe"
C:\Users\Admin\AppData\Local\Temp\2.exe | "C:\Users\Admin\AppData\Local\Temp\2.exe"
C:\Users\Admin\AppData\Local\Temp\1.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"

The list carries no PIDs, but the WriteProcessMemory and SetThreadContext rows above pair two 1.exe instances (1964 -> 664), which matches the second 1.exe entry here. /scomma <file> is the switch NirSoft's password-recovery utilities (WebBrowserPassView, Mail PassView and similar) take to write their results as a comma-delimited file, consistent with the "Reads user/profile data of web browsers" signature. The output file, tmp.ini, is not captured in this run; it is hashed in the behavioral2 Files list.
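Read together, the WriteProcessMemory and SetThreadContext tables give the injection chain. The script below is an added example (the editor's, not part of the sandbox report or of any tool it names): it parses rows in the shape this report prints, rebuilds the parent/child chain, and flags only the pair that shows both cross-process writes and a thread-context change, leaving the ordinary parent-to-child writes of process creation unflagged. The rows are transcribed from the behavioral1 tables above (PIDs and paths as printed); the assumed row shape is "PID <a> wrote to memory of <b> <indicator> <process> <target>" with paths that contain no spaces.

```python
"""Rebuild a process-hollowing chain from sandbox signature rows.

Added example by the editor; not code from the report or from any tool it names.
Assumption: each row reads 'PID <a> wrote to memory of <b> <indicator> <src> <dst>'
or 'PID <a> set thread context of <b> <indicator> <src> <dst>', paths without spaces.
"""
import re
from collections import Counter, defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe"
ONE = TEMP + r"\1.exe"
TWO = TEMP + r"\2.exe"

# Constructed from the behavioral1 tables on this page: one line per table row.
SIGNATURE_ROWS = (
    [f"PID 1368 wrote to memory of 1964 N/A {SAMPLE} {ONE}"] * 4
    + [f"PID 1368 wrote to memory of 1504 N/A {SAMPLE} {TWO}"] * 7
    + [f"PID 1964 wrote to memory of 664 N/A {ONE} {ONE}"] * 9
    + [f"PID 1964 set thread context of 664 N/A {ONE} {ONE}"]
)

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<kind>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"(?P<indicator>\S+) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_rows(rows):
    """Turn report rows into event dicts; reject anything outside the assumed shape."""
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        d = m.groupdict()
        events.append({
            "kind": "write" if d["kind"].startswith("wrote") else "set_ctx",
            "src": int(d["src"]), "dst": int(d["dst"]),
            "src_img": d["src_img"], "dst_img": d["dst_img"],
        })
    return events


def build_chain(events):
    """Return (children, write counts per pair, set-context pairs, pid -> image)."""
    children, writes, ctx, images = defaultdict(set), Counter(), set(), {}
    for e in events:
        images[e["src"]], images[e["dst"]] = e["src_img"], e["dst_img"]
        children[e["src"]].add(e["dst"])
        if e["kind"] == "write":
            writes[(e["src"], e["dst"])] += 1
        else:
            ctx.add((e["src"], e["dst"]))
    return children, writes, ctx, images


def find_hollowing(events):
    """Flag pairs with both cross-process writes and a thread-context change.

    A parent that merely starts a child also writes into it (startup data), so
    writes alone are not reported; the SetThreadContext step is what separates
    hollowing (write payload, redirect the suspended thread, resume) from that.
    """
    children, writes, ctx, images = build_chain(events)
    findings = []
    for src, dst in sorted(ctx):
        if writes[(src, dst)] == 0:
            continue
        findings.append({
            "parent_pid": src, "child_pid": dst, "image": images[dst],
            "writes": writes[(src, dst)],
            "same_image": images[src].lower() == images[dst].lower(),
        })
    return findings


def render_tree(events, root):
    """Indented parent -> child lines starting at root, one per edge."""
    children, writes, ctx, images = build_chain(events)
    lines = []

    def walk(pid, depth):
        for child in sorted(children[pid]):
            tag = " <- SetThreadContext (hollowing candidate)" if (pid, child) in ctx else ""
            lines.append(f"{'  ' * depth}{pid} -> {child} {images[child]} (writes={writes[(pid, child)]}){tag}")
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    evs = parse_rows(SIGNATURE_ROWS)
    print("\n".join(render_tree(evs, 1368)))
    for finding in find_hollowing(evs):
        print(finding)
```

On the rows above this yields a single finding, 1964 -> 664 with nine writes and the same image on both sides; the sample's own writes into 1.exe and 2.exe are kept in the tree but not flagged.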

Network

N/A: no connections were recorded in this run.

Files

Dropped files, one entry per unique SHA256 (the original list repeats 1.exe four times and 2.exe five times, once per event that touched the file):

C:\Users\Admin\AppData\Local\Temp\1.exe  (also recorded as \Users\Admin\AppData\Local\Temp\1.exe)
  MD5    0d52e0a349759ad3c5187c7977c90c29
  SHA1   3dec01284642a30dfd5912c81036de52202862f7
  SHA256 a0117f1b9d67f2201d6967743970e85569b6b8dca62a40f0edc1121b2f8ddfd4
  SHA512 66563dd40d1bd15090a0dd61e359bc41e3b18f0d8d311f82ade8a93a4a45881917ce333f01960f3f7dc4840d23d3c3b8f74325a15e509682932e81f810b14aa3

C:\Users\Admin\AppData\Local\Temp\2.exe  (also recorded as \Users\Admin\AppData\Local\Temp\2.exe)
  MD5    6da200844baa9ce4f9952e48eefced54
  SHA1   d245932e01f8a4d55383c602d06a0116752d5619
  SHA256 a50055146089bdcc1a9756b00b7cdf9c9a5c7d07af88ba1c09b60ea584f38273
  SHA512 d4c7a8fc6e436bf00166540ab45aeed675ca470842b93224cd1d89f56e9f82c052a1aedbb625c40c94690be9a8a8d82a354d78ac6619081f29adb8f8e176be02

\Temp\0VK5IPQA\unpack.dll
  MD5    705aa1dc6f5fb72a2182ffd2c95bfa2e
  SHA1   08de4589e01d3f0f589209baf8b669fae04b5875
  SHA256 ec8361e43f0f83d0da13261718b8791e5517375fce67b4055d390353a5b2ca00
  SHA512 5d00edf396efc5c130e1e7071fe027afaaa35d4d746441a1f0e0736c4828941e55e49f5319f5c1739bd75d2b5e03504d59284b2754430e0053e3f8d5f2702e4d

\Temp\0VK5IPQA\2\plugins\0\CustomUI.dll
  MD5    04eecd03af7eafb84b6581a5b37d275e
  SHA1   3351059d04a2e9f9f0a3719083eeda03dab0f124
  SHA256 39ba967edebb288f921c37348d7c21b05e3af40033e0eb386f35b4be2b04be50
  SHA512 19088141aa48e1bb74202d09751006fa9182568750caa7e3132169c66c9fee4a784cb1139c954b1c940f9578cfa51be7474c09780cc6fda3022e69eeec9c21d9

The 0VK5IPQA directory name is per-run (the behavioral2 run gets 0VK5IQH2 for the same two DLLs, byte-identical by hash), so key detection on the hashes or on the unpack.dll / 2\plugins\0\CustomUI.dll layout, not on the directory name.

Memory dumps, in the order the report lists them (memory/<pid>-<sequence>-<range>):

memory/1368-54-0x000007FEF3BF0000-0x000007FEF4613000-memory.dmp
memory/1368-55-0x000007FEFB641000-0x000007FEFB643000-memory.dmp
memory/1964-56-0x0000000000000000-mapping.dmp
memory/1504-58-0x0000000000000000-mapping.dmp
memory/1504-61-0x0000000074E41000-0x0000000074E43000-memory.dmp
memory/664-66-0x0000000000400000-0x0000000000453000-memory.dmp
memory/664-67-0x00000000004512E0-mapping.dmp
memory/664-75-0x0000000000400000-0x0000000000453000-memory.dmp
memory/664-76-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1504-77-0x0000000000400000-0x0000000000468000-memory.dmp
memory/664-78-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1504-79-0x0000000000240000-0x00000000002A8000-memory.dmp
memory/1504-80-0x0000000000240000-0x00000000002A8000-memory.dmp
memory/1504-82-0x0000000002760000-0x00000000027BC000-memory.dmp
memory/664-83-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1504-84-0x0000000000400000-0x0000000000468000-memory.dmp
memory/1504-85-0x0000000000240000-0x00000000002A8000-memory.dmp
memory/1504-86-0x0000000000240000-0x00000000002A8000-memory.dmp
memory/1504-87-0x0000000000240000-0x00000000002A8000-memory.dmp

PID 664, the SetThreadContext target, is dumped five times over the same 0x400000-0x453000 range; those dumps are where to look for the code that was written into the second 1.exe instance.

Analysis: behavioral2

Detonation Overview

Submitted: 2022-10-03 15:40
Reported: 2022-10-03 16:19
Platform: win10v2004-20220901-en
Max time kernel: 85s
Max time network: 133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe"

Signatures

ISR Stealer (trojan stealer isrstealer)

ISR Stealer payload

3 rows, every field N/A: the report records no description, indicator, process or target for these matches.

Executes dropped EXE

Process
C:\Users\Admin\AppData\Local\Temp\1.exe
C:\Users\Admin\AppData\Local\Temp\2.exe
C:\Users\Admin\AppData\Local\Temp\1.exe

UPX packed file (upx)

8 rows, every field N/A: the report does not say which files or memory regions matched.

Checks computer location settings

Description | Indicator | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe

Geo\Nation holds the user's configured country. The report shows only the read, not what the sample does with the value, so whether it gates execution on location cannot be settled from this page.

Loads dropped DLL

Process
C:\Users\Admin\AppData\Local\Temp\2.exe (3 rows)

The rows do not name the libraries; the dropped DLLs in this run's Files list (unpack.dll and CustomUI.dll under C:\Temp\0VK5IQH2\) are the candidates.

Reads user/profile data of web browsers (spyware stealer)

Suspicious use of SetThreadContext

Description | Process | Target
PID 3344 set thread context of 3748 | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Users\Admin\AppData\Local\Temp\1.exe

Drops file in Windows directory

Description | Indicator | Process
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new | C:\Users\Admin\AppData\Local\Temp\9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new | C:\Users\Admin\AppData\Local\Temp\9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe

As in behavioral1, these are the CLR 2.0 code-access-security policy cache files being regenerated when the parent starts on the .NET Framework 2.0/3.5 runtime, not a payload written under C:\Windows.

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Process
C:\Users\Admin\AppData\Local\Temp\1.exe

Suspicious use of WriteProcessMemory

Description | Process | Target | Rows in original
PID 1292 wrote to memory of 3344 | C:\Users\Admin\AppData\Local\Temp\9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe | C:\Users\Admin\AppData\Local\Temp\1.exe | 3
PID 1292 wrote to memory of 212 | C:\Users\Admin\AppData\Local\Temp\9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe | C:\Users\Admin\AppData\Local\Temp\2.exe | 3
PID 3344 wrote to memory of 3748 | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Users\Admin\AppData\Local\Temp\1.exe | 8

Same structure as the Windows 7 run with different PIDs: the sample (1292) starts 1.exe and 2.exe, and 1.exe (3344) writes into a second 1.exe instance (3748) whose thread context it also changes, the process-hollowing pair.

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe | "C:\Users\Admin\AppData\Local\Temp\9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe"
C:\Users\Admin\AppData\Local\Temp\1.exe | "C:\Users\Admin\AppData\Local\Temp\1.exe"
C:\Users\Admin\AppData\Local\Temp\2.exe | "C:\Users\Admin\AppData\Local\Temp\2.exe"
C:\Users\Admin\AppData\Local\Temp\1.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"

The second 1.exe entry corresponds to the hollowed instance (3344 -> 3748 in the tables above). /scomma <file> is the NirSoft password-recovery utilities' switch for writing results as a comma-delimited file; in this run the resulting tmp.ini was captured and is hashed in the Files list below.

Network

Country | Destination | Domain | Proto
US | 93.184.220.29:80 | - | tcp
US | 93.184.220.29:80 | - | tcp
US | 20.42.73.24:443 | - | tcp
NL | 178.79.208.1:80 | - | tcp
NL | 104.80.225.205:443 | - | tcp

No domain is recorded for any of these flows and none is attributed to a process, and the Windows 7 run (behavioral1) recorded no network activity at all. A Windows 10 guest generates background traffic of its own (certificate, update and telemetry checks), and nothing on this page separates that from sample traffic, so treat these addresses as unconfirmed until a flow is tied to one of the dropped processes.

Files

Dropped files, one entry per unique SHA256 (the original list repeats 1.exe three times and 2.exe and CustomUI.dll twice each):

C:\Users\Admin\AppData\Local\Temp\1.exe
  MD5    0d52e0a349759ad3c5187c7977c90c29
  SHA1   3dec01284642a30dfd5912c81036de52202862f7
  SHA256 a0117f1b9d67f2201d6967743970e85569b6b8dca62a40f0edc1121b2f8ddfd4
  SHA512 66563dd40d1bd15090a0dd61e359bc41e3b18f0d8d311f82ade8a93a4a45881917ce333f01960f3f7dc4840d23d3c3b8f74325a15e509682932e81f810b14aa3

C:\Users\Admin\AppData\Local\Temp\2.exe
  MD5    6da200844baa9ce4f9952e48eefced54
  SHA1   d245932e01f8a4d55383c602d06a0116752d5619
  SHA256 a50055146089bdcc1a9756b00b7cdf9c9a5c7d07af88ba1c09b60ea584f38273
  SHA512 d4c7a8fc6e436bf00166540ab45aeed675ca470842b93224cd1d89f56e9f82c052a1aedbb625c40c94690be9a8a8d82a354d78ac6619081f29adb8f8e176be02

C:\Temp\0VK5IQH2\unpack.dll
  MD5    705aa1dc6f5fb72a2182ffd2c95bfa2e
  SHA1   08de4589e01d3f0f589209baf8b669fae04b5875
  SHA256 ec8361e43f0f83d0da13261718b8791e5517375fce67b4055d390353a5b2ca00
  SHA512 5d00edf396efc5c130e1e7071fe027afaaa35d4d746441a1f0e0736c4828941e55e49f5319f5c1739bd75d2b5e03504d59284b2754430e0053e3f8d5f2702e4d

C:\Temp\0VK5IQH2\2\plugins\0\CustomUI.dll
  MD5    04eecd03af7eafb84b6581a5b37d275e
  SHA1   3351059d04a2e9f9f0a3719083eeda03dab0f124
  SHA256 39ba967edebb288f921c37348d7c21b05e3af40033e0eb386f35b4be2b04be50
  SHA512 19088141aa48e1bb74202d09751006fa9182568750caa7e3132169c66c9fee4a784cb1139c954b1c940f9578cfa51be7474c09780cc6fda3022e69eeec9c21d9

C:\Users\Admin\AppData\Local\Temp\tmp.ini
  MD5    d1ea279fb5559c020a1b4137dc4de237
  SHA1   db6f8988af46b56216a6f0daf95ab8c9bdb57400
  SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
  SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

1.exe, 2.exe, unpack.dll and CustomUI.dll hash identically across the two runs; only the per-run directory name (0VK5IQH2 here, 0VK5IPQA on Windows 7) differs. tmp.ini is the /scomma output of the hollowed 1.exe instance: its content depends on what the guest had to harvest, so its hashes describe this sandbox, not the malware, and have no value as indicators.

Memory dumps, in the order the report lists them (memory/<pid>-<sequence>-<range>):

memory/1292-132-0x00007FFBFD270000-0x00007FFBFDCA6000-memory.dmp
memory/3344-133-0x0000000000000000-mapping.dmp
memory/212-135-0x0000000000000000-mapping.dmp
memory/212-142-0x0000000002300000-0x0000000002327000-memory.dmp
memory/212-143-0x0000000002301000-0x000000000231E000-memory.dmp
memory/3748-144-0x0000000000000000-mapping.dmp
memory/3748-145-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3748-148-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3748-149-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3748-150-0x0000000000400000-0x0000000000453000-memory.dmp
memory/212-151-0x0000000000400000-0x0000000000468000-memory.dmp
memory/212-154-0x0000000002B70000-0x0000000002BCC000-memory.dmp
memory/212-156-0x0000000000400000-0x0000000000468000-memory.dmp

PID 3748, the SetThreadContext target, is dumped four times over 0x400000-0x453000, the same range and size as PID 664 in the Windows 7 run.
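The Files lists of both runs print each dropped file once per event, so the same digests appear up to five times and the memory-dump names encode PID, sequence and address range in one string. The script below is an added example (the editor's, not the report's or any tool's), written for the behavioral1 list as well as this one: it parses the list format used on this page (a path line followed by MD5/SHA1/SHA256/SHA512 lines, plus memory/<pid>-<seq>-<range>-memory.dmp and -mapping.dmp names), checks that each digest has the right length for its algorithm, collapses repeats by SHA256 while refusing to merge entries whose other digests disagree, and turns each dump name into (pid, seq, start, size) so region sizes can be compared across runs. Its input is a subset of the behavioral2 list above, copied verbatim apart from the blank lines between a path and its digests.

```python
"""Collapse a sandbox Files list into unique artifacts plus memory-dump regions.

Added example by the editor; not code from the report or from any tool it names.
Assumed input shape (as printed on this page): a path line, then one line each for
MD5/SHA1/SHA256/SHA512; dump names memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
or memory/<pid>-<seq>-0x<addr>-mapping.dmp.
"""
import re
from collections import OrderedDict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\.+$")  # C:\... or \Users\... without a drive
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-"
    r"(?:0x(?P<end>[0-9A-Fa-f]+)-memory|mapping)\.dmp$"
)

# Constructed input: a subset of the behavioral2 Files list on this page.
FILES_TEXT = r"""
memory/1292-132-0x00007FFBFD270000-0x00007FFBFDCA6000-memory.dmp
memory/3344-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1.exe
MD5 0d52e0a349759ad3c5187c7977c90c29
SHA1 3dec01284642a30dfd5912c81036de52202862f7
SHA256 a0117f1b9d67f2201d6967743970e85569b6b8dca62a40f0edc1121b2f8ddfd4
SHA512 66563dd40d1bd15090a0dd61e359bc41e3b18f0d8d311f82ade8a93a4a45881917ce333f01960f3f7dc4840d23d3c3b8f74325a15e509682932e81f810b14aa3

C:\Users\Admin\AppData\Local\Temp\2.exe
MD5 6da200844baa9ce4f9952e48eefced54
SHA1 d245932e01f8a4d55383c602d06a0116752d5619
SHA256 a50055146089bdcc1a9756b00b7cdf9c9a5c7d07af88ba1c09b60ea584f38273
SHA512 d4c7a8fc6e436bf00166540ab45aeed675ca470842b93224cd1d89f56e9f82c052a1aedbb625c40c94690be9a8a8d82a354d78ac6619081f29adb8f8e176be02

C:\Users\Admin\AppData\Local\Temp\1.exe
MD5 0d52e0a349759ad3c5187c7977c90c29
SHA1 3dec01284642a30dfd5912c81036de52202862f7
SHA256 a0117f1b9d67f2201d6967743970e85569b6b8dca62a40f0edc1121b2f8ddfd4
SHA512 66563dd40d1bd15090a0dd61e359bc41e3b18f0d8d311f82ade8a93a4a45881917ce333f01960f3f7dc4840d23d3c3b8f74325a15e509682932e81f810b14aa3

C:\Temp\0VK5IQH2\unpack.dll
MD5 705aa1dc6f5fb72a2182ffd2c95bfa2e
SHA1 08de4589e01d3f0f589209baf8b669fae04b5875
SHA256 ec8361e43f0f83d0da13261718b8791e5517375fce67b4055d390353a5b2ca00
SHA512 5d00edf396efc5c130e1e7071fe027afaaa35d4d746441a1f0e0736c4828941e55e49f5319f5c1739bd75d2b5e03504d59284b2754430e0053e3f8d5f2702e4d

memory/3748-145-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp.ini
MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3
"""


def parse_files_section(text):
    """Return (records, dumps); records keep list order, one per path entry."""
    records, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            start = int(m.group("start"), 16)
            end = int(m.group("end"), 16) if m.group("end") else None  # mapping dumps carry no range
            dumps.append({"pid": int(m.group("pid")), "seq": int(m.group("seq")),
                          "start": start, "size": None if end is None else end - start})
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"digest before any path: {line!r}")
            if len(digest) != HASH_LEN[algo]:  # catches a truncated or garbled digest
                raise ValueError(f"{algo} of {current['path']} has {len(digest)} hex chars")
            current[algo] = digest
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            records.append(current)
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return records, dumps


def unique_artifacts(records):
    """One row per SHA256 with every path it was seen at.

    Entries sharing a SHA256 but disagreeing on MD5/SHA1/SHA512 are a
    transcription error, not a duplicate, and are reported rather than merged.
    """
    by_sha = OrderedDict()
    for r in records:
        missing = [a for a in HASH_LEN if a not in r]
        if missing:
            raise ValueError(f"{r['path']} lacks {missing}")
        row = by_sha.setdefault(r["SHA256"], {"sha256": r["SHA256"], "md5": r["MD5"],
                                              "sha1": r["SHA1"], "sha512": r["SHA512"], "paths": []})
        if (row["md5"], row["sha1"], row["sha512"]) != (r["MD5"], r["SHA1"], r["SHA512"]):
            raise ValueError(f"conflicting digests for {r['SHA256']}")
        if r["path"] not in row["paths"]:
            row["paths"].append(r["path"])
    return list(by_sha.values())


if __name__ == "__main__":
    recs, dumps = parse_files_section(FILES_TEXT)
    for a in unique_artifacts(recs):
        print(a["sha256"], "seen at", ", ".join(a["paths"]))
    for d in dumps:
        print(f"pid {d['pid']} seq {d['seq']} start 0x{d['start']:X} size {d['size']}")
```

Running it on the behavioral1 list instead (paths without a drive letter are accepted by PATH_RE) gives the same four binaries with the 0VK5IPQA paths, which is the quickest way to confirm that only the directory name, not the content, changed between the two runs.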