Malware Analysis Report

2025-01-18 16:43

Sample ID 221011-yp3r5scac5
Target 7b6570a85ef1600456266810593fd5e2de186f34ed7868ace12148ec14f8812e
SHA256 7b6570a85ef1600456266810593fd5e2de186f34ed7868ace12148ec14f8812e
Tags
isrstealer collection evasion persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7b6570a85ef1600456266810593fd5e2de186f34ed7868ace12148ec14f8812e

Threat Level: Known bad

The file 7b6570a85ef1600456266810593fd5e2de186f34ed7868ace12148ec14f8812e was found to be: Known bad.

Malicious Activity Summary

isrstealer collection evasion persistence stealer trojan upx

ISR Stealer

Modifies visibility of hidden/system files in Explorer

ISR Stealer payload

Nirsoft

NirSoft MailPassView

UPX packed file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-11 19:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-11 19:58

Reported

2022-10-12 05:50

Platform

win7-20220901-en

Max time kernel

148s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b6570a85ef1600456266810593fd5e2de186f34ed7868ace12148ec14f8812e.exe"

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer payload

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AcrbRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AcrbRd32.exe N/A

NirSoft MailPassView

Nirsoft

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A

UPX packed file

upx

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AcrbRd32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\4zo2p4375w9716n = "C:\\Users\\Admin\\4zo2p4375w9716n\\79711.vbs" C:\Users\Admin\AcrbRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AcrbRd32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\4zo2p4375w9716n = "C:\\Users\\Admin\\4zo2p4375w9716n\\79711.vbs" C:\Users\Admin\AcrbRd32.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AcrbRd32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AcrbRd32.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A (56 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AcrbRd32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AcrbRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1376 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\7b6570a85ef1600456266810593fd5e2de186f34ed7868ace12148ec14f8812e.exe C:\Users\Admin\AcrbRd32.exe (7 identical rows)
PID 1316 wrote to memory of 1412 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (9 identical rows)
PID 1412 wrote to memory of 2032 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (12 identical rows)
PID 1412 wrote to memory of 1980 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (12 identical rows)
PID 1316 wrote to memory of 368 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\SysWOW64\WScript.exe (7 identical rows)
PID 368 wrote to memory of 1164 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AcrbRd32.exe (7 identical rows)
PID 1164 wrote to memory of 560 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (9 identical rows)
PID 560 wrote to memory of 2044 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7b6570a85ef1600456266810593fd5e2de186f34ed7868ace12148ec14f8812e.exe

"C:\Users\Admin\AppData\Local\Temp\7b6570a85ef1600456266810593fd5e2de186f34ed7868ace12148ec14f8812e.exe"

C:\Users\Admin\AcrbRd32.exe

"C:\Users\Admin\AcrbRd32.exe" qVyh.BVI

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\6ZHHUCInfu.ini"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\iRGkZeVYnL.ini"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\run.vbs"

C:\Users\Admin\AcrbRd32.exe

"C:\Users\Admin\AcrbRd32.exe" qVyh.BVI

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\DeoMJeE96z.ini"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\ddkzjdAoNY.ini"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\run.vbs"

C:\Users\Admin\AcrbRd32.exe

"C:\Users\Admin\AcrbRd32.exe" qVyh.BVI

Network

Country Destination Domain Proto
US 8.8.8.8:53 easy.greyhatservices.com udp

Files

\Users\Admin\AcrbRd32.exe

MD5 e01ced5c12390ff5256694eda890b33a
SHA1 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

C:\Users\Admin\AcrbRd32.exe

MD5 e01ced5c12390ff5256694eda890b33a
SHA1 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

C:\Users\Admin\qVyh.BVI

MD5 9e013adda1d29031a077de6f7d5f4611
SHA1 30af3e0fd8de2a3a80ca8e00784724bb50ca572e
SHA256 653506def41220c523a49df251f861a84507174ff1e7bf0e5a2c4e662d30f8f0
SHA512 0e33d6670e88047509bf28c0e3c64327bf35d397908367b15404ac858e8f0506f38e2705f19aec32c74f49f7ba1dfc6fafa92ea0c8b285102990fbdd1f43c76d

C:\Users\Admin\fqNvzVucd.WFW

MD5 1228f4d84a443e3d51b75f8eb64c1512
SHA1 b50c2d7b56347eff07caaa9cb5a4e03e21efd17f
SHA256 5fb2f55f742ac03bd5a3abe456d0d20759d7edfe28019d7c1e537207371b51e1
SHA512 eb31a83149d55af2693e4658217dbbc510b0972be26ade4d9141f9a7693fff41d0cac68c94f5a7c4025acf77f0bce9ecf184345f6a125c1f8144b5922e9469be

C:\Users\Admin\hfOIwMh.IYB

MD5 ed3eca3289c83b6d3c968b39c7c5b62a
SHA1 2c61640cc67926638e7584a4045e7d29cb95b0ba
SHA256 2242aee6f8ecb743d05f06dddd20545d833bf1b11362b9f8cead0b2791eb8ecc
SHA512 ebb5ad68773bf5566ae7c2f93a667224a3060b18bbbf1638eb59c0a49475c3fc9d797ed77ed0895dcf5fdf1e6d37706dc0965db54828f496c6b92868206fdb36

C:\Users\Admin\AppData\Local\Temp\6ZHHUCInfu.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

C:\Users\Admin\run.vbs

MD5 a12b2136ef3b5697cff8528aafc904fe
SHA1 d911834b5f8b0c7b71f4f8e2258d510c1e42e9e9
SHA256 0738ae023c1220e39d62a54db1f19f8eab832c1e8787b0858574056bf2cfc43c
SHA512 99d58123ce2dbcc8a702da42c6bf8a2d2f1ee0bd5e4eba8f43da0ee757ca074fb3c57546ee103b4976109fdb7d7a0ad59cf2da75f4becde22055db315d8bdb47

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\start.lnk

MD5 c04372dac2a74e3235d151d993f30861
SHA1 542f13d91b84d19a3f406dfbcfd7a034068f8456
SHA256 f16f1a42ef06ce47370687db860ce5bf5e22bac80975c1f952f55cb30dadd84d
SHA512 577f83dd572515b9ac887ef4fda4844793f68c151e1c6c8687d429bd1a958f79ce967f7c75973291bb03f11e02e33e3446ee36236696b3c7fd5f58b3c118044a

C:\Users\Admin\AppData\Local\Temp\DeoMJeE96z.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-11 19:58

Reported

2022-10-12 05:53

Platform

win10v2004-20220812-en

Max time kernel

170s

Max time network

206s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b6570a85ef1600456266810593fd5e2de186f34ed7868ace12148ec14f8812e.exe"

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer payload

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AcrbRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AcrbRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AcrbRd32.exe N/A

NirSoft MailPassView

Nirsoft

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A

UPX packed file

upx

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AcrbRd32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AcrbRd32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7b6570a85ef1600456266810593fd5e2de186f34ed7868ace12148ec14f8812e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AcrbRd32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\4zo2p4375w9716n = "C:\\Users\\Admin\\4zo2p4375w9716n\\79711.vbs" C:\Users\Admin\AcrbRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AcrbRd32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\4zo2p4375w9716n = "C:\\Users\\Admin\\4zo2p4375w9716n\\79711.vbs" C:\Users\Admin\AcrbRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AcrbRd32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\4zo2p4375w9716n = "C:\\Users\\Admin\\4zo2p4375w9716n\\79711.vbs" C:\Users\Admin\AcrbRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AcrbRd32.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AcrbRd32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AcrbRd32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AcrbRd32.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings C:\Users\Admin\AcrbRd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings C:\Users\Admin\AcrbRd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings C:\Users\Admin\AcrbRd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\WScript.exe N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AcrbRd32.exe | N/A | 64

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AcrbRd32.exe | N/A | 2

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A | 2

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 4180 wrote to memory of 3908 | N/A | C:\Users\Admin\AppData\Local\Temp\7b6570a85ef1600456266810593fd5e2de186f34ed7868ace12148ec14f8812e.exe | C:\Users\Admin\AcrbRd32.exe | 3
PID 3908 wrote to memory of 2448 | N/A | C:\Users\Admin\AcrbRd32.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | 5
PID 2448 wrote to memory of 4272 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | 8
PID 2448 wrote to memory of 4780 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | 8
PID 3908 wrote to memory of 5048 | N/A | C:\Users\Admin\AcrbRd32.exe | C:\Windows\SysWOW64\WScript.exe | 3
PID 3908 wrote to memory of 2392 | N/A | C:\Users\Admin\AcrbRd32.exe | C:\Windows\SysWOW64\WScript.exe | 3
PID 5048 wrote to memory of 4892 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Users\Admin\AcrbRd32.exe | 3
PID 2392 wrote to memory of 1588 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Users\Admin\AcrbRd32.exe | 3
PID 1588 wrote to memory of 4676 | N/A | C:\Users\Admin\AcrbRd32.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | 5
PID 4676 wrote to memory of 4856 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | 8
PID 4892 wrote to memory of 4940 | N/A | C:\Users\Admin\AcrbRd32.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | 3
PID 4676 wrote to memory of 4056 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | 8
PID 4892 wrote to memory of 2308 | N/A | C:\Users\Admin\AcrbRd32.exe | C:\Windows\SysWOW64\WScript.exe | 3
PID 1588 wrote to memory of 3484 | N/A | C:\Users\Admin\AcrbRd32.exe | C:\Windows\SysWOW64\WScript.exe | 1

Rows are collapsed by writer/target pair; Count is the number of identical rows in the raw log (64 in total). Read as a tree: the sample (4180) writes into the dropped AcrbRd32.exe (3908); 3908 writes into RegSvcs.exe (2448) and two WScript.exe instances (5048, 2392); 2448 writes into two further RegSvcs.exe children (4272, 4780), the same PIDs that WerFault.exe later names as crashed in the Processes list; each WScript.exe relaunches AcrbRd32.exe (4892, 1588), which repeats the pattern into RegSvcs.exe (4940; 4676 -> 4856, 4056) and WScript.exe (2308, 3484). Every target other than AcrbRd32.exe itself is a signed Microsoft binary, and the 0x400000 regions dumped from the RegSvcs.exe PIDs under Files are consistent with process hollowing into those hosts.

Processes

Each entry is the image path followed by the recorded command line. WScript.exe is requested as C:\Windows\System32\WScript.exe but runs from SysWOW64 because the 32-bit parent is subject to WOW64 file-system redirection. /scomma is the comma-delimited export switch of the NirSoft recovery tools, not a RegSvcs.exe option; each RegSvcs.exe instance carrying it writes its output to a .ini file under the user's Temp directory. The WerFault.exe lines name PIDs 4272 and 4780 as the crashed processes; both are RegSvcs.exe children written into by PID 2448 in the WriteProcessMemory table.

C:\Users\Admin\AppData\Local\Temp\7b6570a85ef1600456266810593fd5e2de186f34ed7868ace12148ec14f8812e.exe

"C:\Users\Admin\AppData\Local\Temp\7b6570a85ef1600456266810593fd5e2de186f34ed7868ace12148ec14f8812e.exe"

C:\Users\Admin\AcrbRd32.exe

"C:\Users\Admin\AcrbRd32.exe" qVyh.BVI

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\4BwpM4AeZf.ini"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4272 -ip 4272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 80

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\EHXa50i5iy.ini"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4780 -ip 4780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 80

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\run.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\run.vbs"

C:\Users\Admin\AcrbRd32.exe

"C:\Users\Admin\AcrbRd32.exe" qVyh.BVI

C:\Users\Admin\AcrbRd32.exe

"C:\Users\Admin\AcrbRd32.exe" qVyh.BVI

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\4U9sBeIi8m.ini"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\EgB1fegXEo.ini"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\run.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\run.vbs"

C:\Users\Admin\AcrbRd32.exe

"C:\Users\Admin\AcrbRd32.exe" qVyh.BVI

C:\Users\Admin\AcrbRd32.exe

"C:\Users\Admin\AcrbRd32.exe" qVyh.BVI

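The following is an added triage script, not part of the sandbox report and not code from the sample: it parses the WriteProcessMemory rows and the Processes entries above (copied in as constructed input) into a writer/target tree, flags every write whose target is one of the signed host images this run abuses (RegSvcs.exe and WScript.exe, an analyst's choice), and applies three command-line rules: RegSvcs.exe carrying the NirSoft /scomma switch, WScript.exe running a .vbs out of a user profile, and WerFault.exe naming the crashed PID, which it cross-checks against the write targets. Function and rule names are the author's own.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: one row per distinct writer/target pair from the
# WriteProcessMemory table above. The report repeats each row 3 to 8 times;
# the parser counts repeats, so the full raw table can be pasted in unchanged.
WRITE_LOG = r"""
PID 4180 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\7b6570a85ef1600456266810593fd5e2de186f34ed7868ace12148ec14f8812e.exe C:\Users\Admin\AcrbRd32.exe
PID 3908 wrote to memory of 2448 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2448 wrote to memory of 4272 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2448 wrote to memory of 4780 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 3908 wrote to memory of 5048 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\SysWOW64\WScript.exe
PID 3908 wrote to memory of 2392 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\SysWOW64\WScript.exe
PID 5048 wrote to memory of 4892 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AcrbRd32.exe
PID 2392 wrote to memory of 1588 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AcrbRd32.exe
PID 1588 wrote to memory of 4676 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4676 wrote to memory of 4856 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4892 wrote to memory of 4940 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4676 wrote to memory of 4056 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4892 wrote to memory of 2308 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\SysWOW64\WScript.exe
PID 1588 wrote to memory of 3484 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\SysWOW64\WScript.exe
"""

# Constructed input: (image, command line) pairs from the Processes section.
# The report does not tie command lines to PIDs, so they are checked on their own.
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
PROCESSES = [
    (r"C:\Users\Admin\AcrbRd32.exe", r'"C:\Users\Admin\AcrbRd32.exe" qVyh.BVI'),
    (REGSVCS, '"' + REGSVCS + '"'),
    (REGSVCS, r'/scomma "C:\Users\Admin\AppData\Local\Temp\4BwpM4AeZf.ini"'),
    (WERFAULT, WERFAULT + " -pss -s 428 -p 4272 -ip 4272"),
    (REGSVCS, r'/scomma "C:\Users\Admin\AppData\Local\Temp\EHXa50i5iy.ini"'),
    (WERFAULT, WERFAULT + " -u -p 4780 -s 80"),
    (r"C:\Windows\SysWOW64\WScript.exe", r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\run.vbs"'),
    (REGSVCS, r'/scomma "C:\Users\Admin\AppData\Local\Temp\4U9sBeIi8m.ini"'),
    (REGSVCS, r'/scomma "C:\Users\Admin\AppData\Local\Temp\EgB1fegXEo.ini"'),
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
WERFAULT_PID = re.compile(r"\s-p (\d+)\b")
# Signed Microsoft images this sample writes code into (analyst's choice, not from the report).
ABUSED_HOSTS = {"regsvcs.exe", "wscript.exe"}


def basename(path):
    return PureWindowsPath(path).name.lower()


def parse_write_events(text):
    """{(src_pid, dst_pid): (src_image, dst_image, repeats)} from raw report rows."""
    events = {}
    for line in text.strip().splitlines():
        if m := ROW_RE.match(line.strip()):
            key = (int(m[1]), int(m[2]))
            prev = events.get(key)
            events[key] = (m[3], m[4], prev[2] + 1 if prev else 1)
    return events


def roots(events):
    """PIDs that wrote into others but were never written into: the chain origin."""
    return {s for s, _ in events} - {d for _, d in events}


def max_depth(events, pid):
    """Longest writer-to-target chain below pid (0 for a leaf)."""
    kids = [d for s, d in events if s == pid]
    return 1 + max(max_depth(events, k) for k in kids) if kids else 0


def render_tree(events, pid, depth=0):
    """Indented 'pid image' lines for the write chain rooted at pid."""
    images = {p: img for (s, d), (si, di, _) in events.items() for p, img in ((s, si), (d, di))}
    lines = [f"{'  ' * depth}{pid} {basename(images[pid])}"]
    for s, d in sorted(events):
        if s == pid:
            lines += render_tree(events, d, depth + 1)
    return lines


def injection_edges(events):
    """Writes whose target is a signed host image: the process-hollowing candidates."""
    return [(s, d, basename(di)) for (s, d), (_, di, _) in sorted(events.items())
            if basename(di) in ABUSED_HOSTS]


def flag_commandlines(procs):
    """Three command-line rules for the Processes section; returns (findings, crashed PIDs)."""
    findings, crashed = [], set()
    for image, cmdline in procs:
        name = basename(image)
        if name == "regsvcs.exe" and "/scomma" in cmdline.lower():
            # /scomma is the NirSoft tools' comma-delimited export switch; RegSvcs.exe has none.
            findings.append(("nirsoft /scomma export from RegSvcs.exe", cmdline))
        elif name == "wscript.exe" and re.search(r'"C:\\Users\\[^"]+\.vbs"', cmdline, re.I):
            findings.append(("script host running .vbs from a user profile", cmdline))
        elif name == "werfault.exe" and (m := WERFAULT_PID.search(cmdline)):
            crashed.add(int(m[1]))  # the faulting process, from -p <pid>
    return findings, crashed
```

Run against the rows above, `roots()` returns only 4180, `max_depth()` is 5 (sample -> AcrbRd32.exe -> WScript.exe -> AcrbRd32.exe -> RegSvcs.exe -> RegSvcs.exe), 11 of the 14 writer/target pairs land in RegSvcs.exe or WScript.exe, and the two PIDs WerFault.exe reports (4272, 4780) are both write targets, which ties the crashes to the hollowed RegSvcs.exe children rather than to the launcher.
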
Network

Country | Destination | Domain | Proto
US | 209.197.3.8:80 | | tcp
US | 209.197.3.8:80 | | tcp
NL | 104.80.225.205:443 | | tcp
US | 52.182.143.208:443 | | tcp
US | 209.197.3.8:80 | | tcp
US | 209.197.3.8:80 | | tcp
US | 209.197.3.8:80 | | tcp
US | 93.184.220.29:80 | | tcp
US | 40.125.122.151:443 | | tcp
US | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp
US | 13.107.21.200:443 | | tcp

Rows are in capture order. 209.197.3.8:80 is the only destination contacted more than once (five times); every other host was contacted once, and the single DNS query is a reverse (PTR) lookup of 20.54.89.15. The table does not attribute connections to a process, so it does not separate traffic started by the sample from the guest's own background connections; confirm a destination against the process tree before treating it as command-and-control.

Files

memory/3908-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AcrbRd32.exe

MD5 e01ced5c12390ff5256694eda890b33a
SHA1 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d
Written six times during this detonation, with identical hashes on every write.

C:\Users\Admin\qVyh.BVI

MD5 9e013adda1d29031a077de6f7d5f4611
SHA1 30af3e0fd8de2a3a80ca8e00784724bb50ca572e
SHA256 653506def41220c523a49df251f861a84507174ff1e7bf0e5a2c4e662d30f8f0
SHA512 0e33d6670e88047509bf28c0e3c64327bf35d397908367b15404ac858e8f0506f38e2705f19aec32c74f49f7ba1dfc6fafa92ea0c8b285102990fbdd1f43c76d

C:\Users\Admin\fqNvzVucd.WFW

MD5 1228f4d84a443e3d51b75f8eb64c1512
SHA1 b50c2d7b56347eff07caaa9cb5a4e03e21efd17f
SHA256 5fb2f55f742ac03bd5a3abe456d0d20759d7edfe28019d7c1e537207371b51e1
SHA512 eb31a83149d55af2693e4658217dbbc510b0972be26ade4d9141f9a7693fff41d0cac68c94f5a7c4025acf77f0bce9ecf184345f6a125c1f8144b5922e9469be

C:\Users\Admin\hfOIwMh.IYB

MD5 ed3eca3289c83b6d3c968b39c7c5b62a
SHA1 2c61640cc67926638e7584a4045e7d29cb95b0ba
SHA256 2242aee6f8ecb743d05f06dddd20545d833bf1b11362b9f8cead0b2791eb8ecc
SHA512 ebb5ad68773bf5566ae7c2f93a667224a3060b18bbbf1638eb59c0a49475c3fc9d797ed77ed0895dcf5fdf1e6d37706dc0965db54828f496c6b92868206fdb36

memory/2448-139-0x0000000000000000-mapping.dmp

memory/2448-140-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2448-142-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4272-145-0x0000000000000000-mapping.dmp

memory/2448-147-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4780-148-0x0000000000000000-mapping.dmp

memory/2448-150-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2448-151-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5048-152-0x0000000000000000-mapping.dmp

C:\Users\Admin\run.vbs

MD5 a12b2136ef3b5697cff8528aafc904fe
SHA1 d911834b5f8b0c7b71f4f8e2258d510c1e42e9e9
SHA256 0738ae023c1220e39d62a54db1f19f8eab832c1e8787b0858574056bf2cfc43c
SHA512 99d58123ce2dbcc8a702da42c6bf8a2d2f1ee0bd5e4eba8f43da0ee757ca074fb3c57546ee103b4976109fdb7d7a0ad59cf2da75f4becde22055db315d8bdb47

memory/2392-154-0x0000000000000000-mapping.dmp

memory/1588-156-0x0000000000000000-mapping.dmp

memory/4892-155-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\start.lnk

MD5 19e1277ec84cdcd8ccead517dcb2ba13
SHA1 4ad38d0c833494aa6fc51b11fc7742fb98020d56
SHA256 bf3a373d0908870cbbab3933aef651e4208634072469b2b47297faeded9af708
SHA512 26b8842ff830a35d86d4a8db69eab4b58d32e6eea22133ca3c05863091d15e1c99c6085f45969d7257d00a78a4babbf89fcf1bc6cea272baaee49a7d283045f9

memory/4676-160-0x0000000000000000-mapping.dmp

memory/4676-163-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4856-166-0x0000000000000000-mapping.dmp

memory/4856-167-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4940-168-0x0000000000000000-mapping.dmp

memory/4856-170-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4676-171-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4856-172-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4856-173-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4056-174-0x0000000000000000-mapping.dmp

memory/4056-175-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4056-177-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4056-178-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4856-179-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4056-180-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4056-181-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4676-182-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2308-183-0x0000000000000000-mapping.dmp

memory/3484-184-0x0000000000000000-mapping.dmp

memory/1988-185-0x0000000000000000-mapping.dmp

memory/1664-187-0x0000000000000000-mapping.dmp

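The following is an added consolidation script, not part of the sandbox report and not code from the sample. It folds the Files and Network sections above into a deduplicated IOC view: writes per dropped path with a check that the hash never changed between writes, the (base, size) of every region the sandbox dumped per PID so that the injected images inside the RegSvcs.exe instances can be told apart, and contact counts per destination. The input is copied from this page as constructed text (only the SHA256 lines of each hash block are kept; the other labels parse identically); function names are the author's own.

```python
import re
from collections import Counter

# Constructed input copied from the Files and Network sections above, in the
# report's order: a path line followed by hash lines (only SHA256 kept here;
# MD5/SHA1/SHA512 lines parse the same way) interleaved with memory dump names.
FILES_TEXT = r"""
C:\Users\Admin\AcrbRd32.exe
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
C:\Users\Admin\AcrbRd32.exe
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
C:\Users\Admin\qVyh.BVI
SHA256 653506def41220c523a49df251f861a84507174ff1e7bf0e5a2c4e662d30f8f0
C:\Users\Admin\fqNvzVucd.WFW
SHA256 5fb2f55f742ac03bd5a3abe456d0d20759d7edfe28019d7c1e537207371b51e1
C:\Users\Admin\hfOIwMh.IYB
SHA256 2242aee6f8ecb743d05f06dddd20545d833bf1b11362b9f8cead0b2791eb8ecc
memory/2448-139-0x0000000000000000-mapping.dmp
memory/2448-140-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Users\Admin\run.vbs
SHA256 0738ae023c1220e39d62a54db1f19f8eab832c1e8787b0858574056bf2cfc43c
C:\Users\Admin\AcrbRd32.exe
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
C:\Users\Admin\AcrbRd32.exe
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\start.lnk
SHA256 bf3a373d0908870cbbab3933aef651e4208634072469b2b47297faeded9af708
memory/4676-163-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4856-167-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4056-175-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1988-185-0x0000000000000000-mapping.dmp
C:\Users\Admin\AcrbRd32.exe
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
C:\Users\Admin\AcrbRd32.exe
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
"""

# Constructed input: the Network table above, one connection per line.
NETWORK_TEXT = """
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
NL 104.80.225.205:443 tcp
US 52.182.143.208:443 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 93.184.220.29:80 tcp
US 40.125.122.151:443 tcp
US 8.8.8.8:53 15.89.54.20.in-addr.arpa udp
US 13.107.21.200:443 tcp
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(?:mapping|memory)\.dmp$")
NET_RE = re.compile(r"^([A-Z]{2}) (\S+:\d+)(?: (\S+))? (tcp|udp)$")


def parse_files(text):
    """drops: {path: {"count", "hashes": {label: hex}, "conflicts"}}; regions: {pid: {(base, size)}}.

    conflicts counts writes whose hash differs from the first write of the same path.
    Only *-memory.dmp names carry an address range; *-mapping.dmp names do not.
    """
    drops, regions, current = {}, {}, None
    for line in text.strip().splitlines():
        if m := DUMP_RE.match(line):
            if m[3] is not None:
                base = int(m[2], 16)
                regions.setdefault(int(m[1]), set()).add((base, int(m[3], 16) - base))
            current = None
        elif (h := HASH_RE.match(line)) and current is not None:
            rec = drops[current]
            if rec["hashes"].setdefault(h[1], h[2]) != h[2]:
                rec["conflicts"] += 1
        else:
            current = line
            drops.setdefault(current, {"count": 0, "hashes": {}, "conflicts": 0})["count"] += 1
    return drops, regions


def payload_regions(regions):
    """Group PIDs by the (base, size) they hold: one entry per distinct injected image."""
    by_region = {}
    for pid, regs in regions.items():
        for reg in regs:
            by_region.setdefault(reg, set()).add(pid)
    return by_region


def parse_network(text):
    """Counter of (destination, proto, domain): repeated contacts stand out from one-off lookups."""
    hits = Counter()
    for line in text.strip().splitlines():
        if m := NET_RE.match(line):
            hits[(m[2], m[4], m[3] or "")] += 1
    return hits
```

On the rows above this yields six unique dropped files from eleven write events, with AcrbRd32.exe accounting for six writes and an unchanged hash each time; three distinct images at base 0x400000 inside RegSvcs.exe processes (0x42000 bytes in PIDs 2448 and 4676, 0x53000 in 4856, 0x1F000 in 4056), which is the quickest way to see that the hollowed hosts do not all carry the same payload; and 209.197.3.8:80 as the only destination with more than one contact.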