Malware Analysis Report

2025-01-18 16:49

Sample ID 221011-ksggesfafj
Target 9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b
SHA256 9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b
Tags isrstealer collection spyware stealer trojan upx
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b

Threat Level: Known bad

The file 9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b was found to be: Known bad.

Malicious Activity Summary

isrstealer collection spyware stealer trojan upx

ISR Stealer

ISR Stealer payload

Nirsoft

NirSoft MailPassView

UPX packed file

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-10-11 08:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-10-11 08:51
Reported 2022-10-11 11:37
Platform win7-20220812-en
Max time kernel 55s
Max time network 41s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe"

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer payload


NirSoft MailPassView


Nirsoft


UPX packed file

upx

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 784 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe C:\Windows\SysWOW64\WScript.exe 4
PID 784 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe 9
PID 940 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe 9
PID 940 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe 9

Processes

C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe

"C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc.vbs"

C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe

C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe

C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\YXOwgCYCpE.ini"

C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\uMy62lgWP0.ini"

Network

N/A

Files

memory/784-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

memory/784-55-0x0000000074200000-0x00000000747AB000-memory.dmp

memory/784-56-0x0000000074200000-0x00000000747AB000-memory.dmp

memory/1268-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\cc.vbs

MD5 f5ec4fc2583140af38d881b70f9f04c3
SHA1 b559eb4886d7964cb06aa98da909af2ac33080ba
SHA256 ac0d8a6cc319a857d66b734232f8a02888f093b2994c972f64c4f743d078cfe6
SHA512 076d81bf7af57e8871682e4d59d3d5348b4c552671335e86a39e485d2a4b1cd3138aada8d4dbeb2fccbe612d49797f30bf0a70ee298d62ab83ed64fa107f6f5e

memory/940-61-0x0000000000401180-mapping.dmp

memory/940-60-0x0000000000400000-0x0000000000442000-memory.dmp

memory/784-66-0x0000000074200000-0x00000000747AB000-memory.dmp

memory/784-67-0x0000000000C76000-0x0000000000C87000-memory.dmp

memory/1704-69-0x00000000004512E0-mapping.dmp

memory/1704-68-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1704-72-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1704-73-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1704-74-0x0000000000400000-0x0000000000453000-memory.dmp

memory/940-75-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1704-76-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YXOwgCYCpE.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

memory/1536-78-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1536-79-0x000000000041C410-mapping.dmp

memory/1536-82-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1536-83-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1536-84-0x0000000000400000-0x000000000041F000-memory.dmp

memory/940-85-0x0000000000400000-0x0000000000442000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2022-10-11 08:51
Reported 2022-10-11 11:38
Platform win10v2004-20220812-en
Max time kernel 162s
Max time network 182s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 4916 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe C:\Windows\SysWOW64\WScript.exe 3
PID 4916 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe 8

Processes

C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe

"C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc.vbs"

C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe

C:\Users\Admin\AppData\Local\Temp\9c3c1faa29b96b6e6841a7c8699c06b3474ddbbd2f29dac518455eca19aaeb2b.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4616 -ip 4616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 80

Network

Country Destination Domain Proto Connections
NL 95.101.78.106:80 N/A tcp 1
US 8.238.20.126:80 N/A tcp 2
US 93.184.220.29:80 N/A tcp 1
US 20.44.10.122:443 N/A tcp 1
NL 104.110.191.133:80 N/A tcp 3
US 8.8.8.8:53 164.2.77.40.in-addr.arpa udp 1
NL 96.16.53.133:80 N/A tcp 2

Files

memory/4916-132-0x0000000074660000-0x0000000074C11000-memory.dmp

memory/4288-133-0x0000000000000000-mapping.dmp

memory/4616-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\cc.vbs

MD5 f5ec4fc2583140af38d881b70f9f04c3
SHA1 b559eb4886d7964cb06aa98da909af2ac33080ba
SHA256 ac0d8a6cc319a857d66b734232f8a02888f093b2994c972f64c4f743d078cfe6
SHA512 076d81bf7af57e8871682e4d59d3d5348b4c552671335e86a39e485d2a4b1cd3138aada8d4dbeb2fccbe612d49797f30bf0a70ee298d62ab83ed64fa107f6f5e

memory/4916-136-0x0000000074660000-0x0000000074C11000-memory.dmp

memory/4916-138-0x0000000074660000-0x0000000074C11000-memory.dmp