Malware Analysis Report

2025-01-18 16:49

Sample ID 221011-khj5kaeefj
Target 201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e
SHA256 201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e
Tags
isrstealer collection evasion persistence stealer trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e

Threat Level: Known bad

The file 201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e was found to be: Known bad.

Malicious Activity Summary

isrstealer collection evasion persistence stealer trojan upx

ISR Stealer payload

ISR Stealer

Nirsoft

NirSoft MailPassView

UPX packed file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Accesses Microsoft Outlook accounts

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-11 08:36

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-11 08:36

Reported

2022-10-11 11:05

Platform

win10v2004-20220812-en

Max time kernel

53s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e.exe"

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A (5 matches)

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A (2 matches)

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A (2 matches)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (8 matches)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\c794iancyy78 = "C:\\Users\\Admin\\c794iancyy78\\57076.vbs" C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe N/A (64 matches)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe N/A (25 matches)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5048 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e.exe C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe (3 matches)
PID 4464 wrote to memory of 4388 N/A C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (5 matches)
PID 4388 wrote to memory of 1888 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (8 matches)
PID 4388 wrote to memory of 4192 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (8 matches)
PID 4464 wrote to memory of 3316 N/A C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe C:\Windows\SysWOW64\WScript.exe (3 matches)

Processes

C:\Users\Admin\AppData\Local\Temp\201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e.exe

"C:\Users\Admin\AppData\Local\Temp\201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e.exe"

C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe

"C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe" mtxFlv.DIN

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\lewalvXr7Z.ini"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\DlmeWsa0J7.ini"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\C794IA~1\run.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\C794IA~1\run.vbs"

Network

Country Destination Domain Proto
IE 13.69.239.72:443 tcp
US 8.8.8.8:53 rightctrewsreouad.net23.net udp
US 153.92.0.100:80 rightctrewsreouad.net23.net tcp
US 8.8.8.8:53 www.000webhost.com udp
US 104.19.185.120:443 www.000webhost.com tcp

Files

memory/4464-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe

MD5 e01ced5c12390ff5256694eda890b33a
SHA1 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

C:\Users\Admin\c794iancyy78\mtxFlv.DIN

MD5 509beeb65de89099db6d1e8c01da920a
SHA1 b8cb9b4afe15abf52221f4024e6aef925d7752f1
SHA256 475a6827e54a04b4e38f929e4fd01ca95015949a3ca64ab12db2e5fe471c5d10
SHA512 c47efc14e990ec15d13ef3ab2c10fc89fc24e5051abd802b517d623fee5604b8c76e223d30d7b84ff647ce5ceb50921b5b3f1fb9ab52a32220ab7117356c55a5

C:\Users\Admin\C794IA~1\hztwzQgTDNh.BNB

MD5 8073adab69cdd3df4c6507b7abc36da0
SHA1 daf374b7ef1fd2099f1cd3bd34b445947be36bd2
SHA256 7abeaf9caa0d821556de8a7eccedf0779cbe84fb6c4f9b2042abde42ee152ab2
SHA512 457dd38ecd277e717423bcce11129b0fbcacd2d5baa4e0d0cf7b7a090b6360027c90657b120f790680d10de931efce9c61f63573984bc854b41fe9c9dd46ad37

C:\Users\Admin\C794IA~1\NCEyjI.FUL

MD5 38da5a8f4795f1773e399a47d2a4f5f0
SHA1 db243b8afeeb1a8e917e882179bbbb8fd38c2cd1
SHA256 51fde7624aacae5d06a01127c17a83095b82c514d80ef332c1b7ac0ed282536f
SHA512 58b0cbaa4047d4a9ae91c8fb3d1a9b9c48192e75c95248a9f0320fdab69896548a03349c238d6191bd19d6a176778c13c542db2ee1bf66d6320e93eb452c8219

memory/4388-138-0x0000000000000000-mapping.dmp

memory/4388-139-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4388-141-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1888-144-0x0000000000000000-mapping.dmp

memory/1888-145-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1888-147-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1888-148-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1888-149-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4388-150-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lewalvXr7Z.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

memory/4192-152-0x0000000000000000-mapping.dmp

memory/4192-153-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4192-155-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4192-156-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4192-157-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4388-158-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4388-159-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3316-160-0x0000000000000000-mapping.dmp

C:\Users\Admin\C794IA~1\run.vbs

MD5 82ba923c8e5bc5c33edbdfde4d0906ff
SHA1 5cf7b2e9f48d5d6a6b927c1972037cce7f20f1c1
SHA256 1848f5da2d881bba471623052e7e1f1aeac1b4f0d29d8e8124440def4d97231d
SHA512 15ac03b84f06a2f0c35e2d75ea027a11371ae1c2bbef761998f9381080b7b0858c500db8d32239a691f6490745206cf6a2dd3cb345030684e3152145ac425f96

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-11 08:36

Reported

2022-10-11 11:05

Platform

win7-20220812-en

Max time kernel

151s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e.exe"

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A (9 matches)

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A (5 matches)

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A (5 matches)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe N/A (3 matches)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (24 matches)

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A (3 matches)

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe N/A (3 matches)
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\c794iancyy78 = "C:\\Users\\Admin\\c794iancyy78\\57076.vbs" C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe N/A (3 matches)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe N/A (3 matches)

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe N/A (64 matches)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe N/A (64 matches)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1280 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e.exe C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe
PID 1456 wrote to memory of 1952 N/A C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1952 wrote to memory of 472 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1952 wrote to memory of 1900 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1456 wrote to memory of 316 N/A C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe C:\Windows\SysWOW64\WScript.exe
PID 316 wrote to memory of 804 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe
PID 804 wrote to memory of 1492 N/A C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1492 wrote to memory of 1348 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e.exe

"C:\Users\Admin\AppData\Local\Temp\201d2ae7d7de9c5df15b1690808e85d6eb87dc695bfbbd4140b5e6186b8fb81e.exe"

C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe

"C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe" mtxFlv.DIN

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\8vw8Z9vTzr.ini"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\LW6wqIAnOV.ini"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\C794IA~1\run.vbs"

C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe

"C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe" mtxFlv.DIN

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\7k29Zy1S4R.ini"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\cR7UMEvs4j.ini"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\C794IA~1\run.vbs"

C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe

"C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe" mtxFlv.DIN

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\njCMlq1gjP.ini"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\Mf4sZavbm5.ini"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rightctrewsreouad.net23.net udp
US 153.92.0.100:80 rightctrewsreouad.net23.net tcp
US 8.8.8.8:53 www.000webhost.com udp
US 104.19.184.120:443 www.000webhost.com tcp
US 8.8.8.8:53 www.microsoft.com udp

Files

memory/1280-54-0x0000000075811000-0x0000000075813000-memory.dmp

\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe

MD5 e01ced5c12390ff5256694eda890b33a
SHA1 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

memory/1456-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\c794iancyy78\JMpbiEfXrrXD.exe

MD5 e01ced5c12390ff5256694eda890b33a
SHA1 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

C:\Users\Admin\c794iancyy78\mtxFlv.DIN

MD5 509beeb65de89099db6d1e8c01da920a
SHA1 b8cb9b4afe15abf52221f4024e6aef925d7752f1
SHA256 475a6827e54a04b4e38f929e4fd01ca95015949a3ca64ab12db2e5fe471c5d10
SHA512 c47efc14e990ec15d13ef3ab2c10fc89fc24e5051abd802b517d623fee5604b8c76e223d30d7b84ff647ce5ceb50921b5b3f1fb9ab52a32220ab7117356c55a5

C:\Users\Admin\C794IA~1\hztwzQgTDNh.BNB

MD5 8073adab69cdd3df4c6507b7abc36da0
SHA1 daf374b7ef1fd2099f1cd3bd34b445947be36bd2
SHA256 7abeaf9caa0d821556de8a7eccedf0779cbe84fb6c4f9b2042abde42ee152ab2
SHA512 457dd38ecd277e717423bcce11129b0fbcacd2d5baa4e0d0cf7b7a090b6360027c90657b120f790680d10de931efce9c61f63573984bc854b41fe9c9dd46ad37

C:\Users\Admin\C794IA~1\NCEyjI.FUL

MD5 38da5a8f4795f1773e399a47d2a4f5f0
SHA1 db243b8afeeb1a8e917e882179bbbb8fd38c2cd1
SHA256 51fde7624aacae5d06a01127c17a83095b82c514d80ef332c1b7ac0ed282536f
SHA512 58b0cbaa4047d4a9ae91c8fb3d1a9b9c48192e75c95248a9f0320fdab69896548a03349c238d6191bd19d6a176778c13c542db2ee1bf66d6320e93eb452c8219

memory/1952-65-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1952-67-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1952-68-0x0000000000401180-mapping.dmp

memory/472-74-0x0000000000400000-0x0000000000453000-memory.dmp

memory/472-75-0x00000000004512E0-mapping.dmp

memory/472-78-0x0000000000400000-0x0000000000453000-memory.dmp

memory/472-80-0x0000000000400000-0x0000000000453000-memory.dmp

memory/472-81-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1952-82-0x0000000000400000-0x0000000000442000-memory.dmp

memory/472-83-0x0000000000400000-0x0000000000453000-memory.dmp

memory/472-84-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8vw8Z9vTzr.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

memory/1900-87-0x000000000041C410-mapping.dmp

memory/1900-86-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1900-90-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1900-92-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1900-93-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1900-94-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1952-95-0x0000000000400000-0x0000000000442000-memory.dmp

memory/316-96-0x0000000000000000-mapping.dmp

C:\Users\Admin\C794IA~1\run.vbs

MD5 82ba923c8e5bc5c33edbdfde4d0906ff
SHA1 5cf7b2e9f48d5d6a6b927c1972037cce7f20f1c1
SHA256 1848f5da2d881bba471623052e7e1f1aeac1b4f0d29d8e8124440def4d97231d
SHA512 15ac03b84f06a2f0c35e2d75ea027a11371ae1c2bbef761998f9381080b7b0858c500db8d32239a691f6490745206cf6a2dd3cb345030684e3152145ac425f96

memory/804-101-0x0000000000000000-mapping.dmp

memory/1492-107-0x0000000000401180-mapping.dmp

memory/1348-114-0x00000000004512E0-mapping.dmp

memory/1348-117-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1348-119-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1348-120-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1348-121-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1492-122-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7k29Zy1S4R.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

memory/1576-125-0x000000000041C410-mapping.dmp

memory/1576-128-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1576-130-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1576-131-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1576-132-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1492-133-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1820-134-0x0000000000000000-mapping.dmp

memory/1592-137-0x0000000000000000-mapping.dmp

memory/1952-143-0x0000000000401180-mapping.dmp

memory/1892-150-0x00000000004512E0-mapping.dmp

memory/1892-153-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1892-155-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1892-156-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1952-157-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1892-158-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\njCMlq1gjP.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XB6YKGN8\index[1].htm

MD5 4f8e702cc244ec5d4de32740c0ecbd97
SHA1 3adb1f02d5b6054de0046e367c1d687b6cdf7aff
SHA256 9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a
SHA512 21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 0698dbc93ba7b6bef73ba316695f8317
SHA1 a444078ff1eb7c88f52cb4e324365926b491ed47
SHA256 263292040d77903899257c1d21201dc64d6f8d6b5a1d945cd5b28d0124d7906c
SHA512 ebacaa7009aebb88199cd70fd0bb3afe69ed300318cb633edd1c0404e42aef829617f589bcbad6cb7ab4bd0a8ae87f7df1435c786184ecc5de61c8fc6950a900

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 fb420faf1a8060e26787c59802035b4e
SHA1 1f522ff9cb2a5f78e1321e0b888127184b585114
SHA256 7ff1d04af52b1251b58e4d018ddcacb0a1621b2c41e6f2f24b6105fbb5fa4ae6
SHA512 8a2404f6396e7b4125e1bf6da5f094c6960d7b2143bc450a2c3f70fbf25e4966dee3b858132cc9604628bfeaa93aec723f516dcfaa9a9c39ea797ad18722e0af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 6f59ed058aa06aaf5ec6213b955aabd4
SHA1 baf7b828a563b8fb6111e4ce35e0055575ad80b4
SHA256 2d82e2629fa2e08f28b43b15da43dff56c7f4b23b39d66109c7c61998e35b4d5
SHA512 6b0f041dafb98b9eaf70ac0d20a98c56e1c42231c4a4ae6e11582b20d20bf8f96dfd7747739a10d77368994441adb0e181b356f8569697b1f22ab4fe931170ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 952173ff1855723f2f4e5c282844b5e5
SHA1 6b1d0ccf8cc2c1e39ce78ed7ad8e531a14be50d2
SHA256 c577344517d26b9aeda2b9f547de6aac7e8373e37791f2c640755429c3a8356c
SHA512 11eea3173f221d19d5d05eaa0f3e3aacfba5a7806df0475ec9c95ebc8bd6658db4eb2eea0022e2767bd07a941de698ba4ac73346308b74b4ea17b0afa596620d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 d15aaa7c9be910a9898260767e2490e1
SHA1 2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388
SHA256 f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e
SHA512 7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 85735e5f1bf0aac778861db816de4248
SHA1 6c7908563c40f9676fb1312e753f0dbb7869fe46
SHA256 ab0ac690956356bcdd0e58a3099ddeee7b93ce3cdb66362025518be456774dfb
SHA512 be239460ded5dd02ef397143c25ce069182004993f2d864369c483da0cf396bbd9d09f9c2c7ccae91e5d4546081b2b7bbf1fea49ce65c4eec7eb643ca32fe144

memory/1100-168-0x000000000041C410-mapping.dmp

memory/1100-175-0x0000000000400000-0x000000000041F000-memory.dmp