Malware Analysis Report

2025-01-18 16:44

Sample ID 221011-yp5lqscac8
Target 60e92b87dd2db1de04ae1da0e43063b2277785fa853dcc867f33d7c1affd0428
SHA256 60e92b87dd2db1de04ae1da0e43063b2277785fa853dcc867f33d7c1affd0428
Tags
isrstealer collection evasion persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

60e92b87dd2db1de04ae1da0e43063b2277785fa853dcc867f33d7c1affd0428

Threat Level: Known bad

The file 60e92b87dd2db1de04ae1da0e43063b2277785fa853dcc867f33d7c1affd0428 was found to be: Known bad.

Malicious Activity Summary

isrstealer collection evasion persistence stealer trojan upx

ISR Stealer payload

Modifies visibility of hidden/system files in Explorer

ISR Stealer

NirSoft MailPassView

Nirsoft

Executes dropped EXE

UPX packed file

Loads dropped DLL

Checks computer location settings

Accesses Microsoft Outlook accounts

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-11 19:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-11 19:58

Reported

2022-10-12 05:53

Platform

win7-20220812-en

Max time kernel

170s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe"

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AcrbRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AcrbRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AcrbRd32.exe N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\4zo2p4375w9716n = "C:\\Users\\Admin\\4zo2p4375w9716n\\79711.vbs" C:\Users\Admin\AcrbRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AcrbRd32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\4zo2p4375w9716n = "C:\\Users\\Admin\\4zo2p4375w9716n\\79711.vbs" C:\Users\Admin\AcrbRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AcrbRd32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\4zo2p4375w9716n = "C:\\Users\\Admin\\4zo2p4375w9716n\\79711.vbs" C:\Users\Admin\AcrbRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AcrbRd32.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AcrbRd32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AcrbRd32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AcrbRd32.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AcrbRd32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AcrbRd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 968 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe C:\Users\Admin\AcrbRd32.exe
PID 968 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe C:\Users\Admin\AcrbRd32.exe
PID 968 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe C:\Users\Admin\AcrbRd32.exe
PID 968 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe C:\Users\Admin\AcrbRd32.exe
PID 968 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe C:\Users\Admin\AcrbRd32.exe
PID 968 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe C:\Users\Admin\AcrbRd32.exe
PID 968 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe C:\Users\Admin\AcrbRd32.exe
PID 1860 wrote to memory of 1496 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1860 wrote to memory of 1496 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1860 wrote to memory of 1496 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1860 wrote to memory of 1496 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1860 wrote to memory of 1496 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1860 wrote to memory of 1496 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1860 wrote to memory of 1496 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1860 wrote to memory of 1496 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1860 wrote to memory of 1496 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1496 wrote to memory of 1696 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1496 wrote to memory of 1696 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1496 wrote to memory of 1696 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1496 wrote to memory of 1696 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1496 wrote to memory of 1696 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1496 wrote to memory of 1696 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1496 wrote to memory of 1696 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1496 wrote to memory of 1696 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1496 wrote to memory of 1696 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1496 wrote to memory of 1696 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1496 wrote to memory of 1696 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1496 wrote to memory of 1696 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1496 wrote to memory of 1268 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1496 wrote to memory of 1268 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1496 wrote to memory of 1268 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1496 wrote to memory of 1268 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1496 wrote to memory of 1268 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1496 wrote to memory of 1268 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1496 wrote to memory of 1268 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1496 wrote to memory of 1268 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1496 wrote to memory of 1268 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1496 wrote to memory of 1268 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1496 wrote to memory of 1268 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1496 wrote to memory of 1268 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1860 wrote to memory of 1068 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\SysWOW64\WScript.exe
PID 1860 wrote to memory of 1068 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\SysWOW64\WScript.exe
PID 1860 wrote to memory of 1068 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\SysWOW64\WScript.exe
PID 1860 wrote to memory of 1068 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\SysWOW64\WScript.exe
PID 1860 wrote to memory of 1068 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\SysWOW64\WScript.exe
PID 1860 wrote to memory of 1068 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\SysWOW64\WScript.exe
PID 1860 wrote to memory of 1068 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\SysWOW64\WScript.exe
PID 1860 wrote to memory of 588 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\SysWOW64\WScript.exe
PID 1860 wrote to memory of 588 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\SysWOW64\WScript.exe
PID 1860 wrote to memory of 588 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\SysWOW64\WScript.exe
PID 1860 wrote to memory of 588 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\SysWOW64\WScript.exe
PID 1860 wrote to memory of 588 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\SysWOW64\WScript.exe
PID 1860 wrote to memory of 588 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\SysWOW64\WScript.exe
PID 1860 wrote to memory of 588 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\SysWOW64\WScript.exe
PID 1068 wrote to memory of 1608 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AcrbRd32.exe
PID 1068 wrote to memory of 1608 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AcrbRd32.exe
PID 1068 wrote to memory of 1608 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AcrbRd32.exe
PID 1068 wrote to memory of 1608 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AcrbRd32.exe
PID 1068 wrote to memory of 1608 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AcrbRd32.exe
PID 1068 wrote to memory of 1608 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AcrbRd32.exe
PID 1068 wrote to memory of 1608 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AcrbRd32.exe
PID 588 wrote to memory of 1748 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AcrbRd32.exe
PID 588 wrote to memory of 1748 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AcrbRd32.exe
PID 588 wrote to memory of 1748 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AcrbRd32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe

"C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe"

C:\Users\Admin\AcrbRd32.exe

"C:\Users\Admin\AcrbRd32.exe" qVyh.BVI

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\pMztWaijAM.ini"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\o8A2iDpZkV.ini"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\run.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\run.vbs"

C:\Users\Admin\AcrbRd32.exe

"C:\Users\Admin\AcrbRd32.exe" qVyh.BVI

C:\Users\Admin\AcrbRd32.exe

"C:\Users\Admin\AcrbRd32.exe" qVyh.BVI

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\Ti2RrbYe8G.ini"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\PGPHVGo5Dq.ini"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\xSzBTPl72s.ini"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\ACbqwf6uMl.ini"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\run.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\run.vbs"

C:\Users\Admin\AcrbRd32.exe

"C:\Users\Admin\AcrbRd32.exe" qVyh.BVI

C:\Users\Admin\AcrbRd32.exe

"C:\Users\Admin\AcrbRd32.exe" qVyh.BVI

Network

Country Destination Domain Proto
US 8.8.8.8:53 easy.greyhatservices.com udp

Files

memory/968-54-0x0000000076091000-0x0000000076093000-memory.dmp

\Users\Admin\AcrbRd32.exe

MD5 e01ced5c12390ff5256694eda890b33a
SHA1 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

\Users\Admin\AcrbRd32.exe

MD5 e01ced5c12390ff5256694eda890b33a
SHA1 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

\Users\Admin\AcrbRd32.exe

MD5 e01ced5c12390ff5256694eda890b33a
SHA1 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

\Users\Admin\AcrbRd32.exe

MD5 e01ced5c12390ff5256694eda890b33a
SHA1 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

memory/1860-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AcrbRd32.exe

MD5 e01ced5c12390ff5256694eda890b33a
SHA1 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

C:\Users\Admin\qVyh.BVI

MD5 9e013adda1d29031a077de6f7d5f4611
SHA1 30af3e0fd8de2a3a80ca8e00784724bb50ca572e
SHA256 653506def41220c523a49df251f861a84507174ff1e7bf0e5a2c4e662d30f8f0
SHA512 0e33d6670e88047509bf28c0e3c64327bf35d397908367b15404ac858e8f0506f38e2705f19aec32c74f49f7ba1dfc6fafa92ea0c8b285102990fbdd1f43c76d

C:\Users\Admin\fqNvzVucd.WFW

MD5 1228f4d84a443e3d51b75f8eb64c1512
SHA1 b50c2d7b56347eff07caaa9cb5a4e03e21efd17f
SHA256 5fb2f55f742ac03bd5a3abe456d0d20759d7edfe28019d7c1e537207371b51e1
SHA512 eb31a83149d55af2693e4658217dbbc510b0972be26ade4d9141f9a7693fff41d0cac68c94f5a7c4025acf77f0bce9ecf184345f6a125c1f8144b5922e9469be

C:\Users\Admin\hfOIwMh.IYB

MD5 ed3eca3289c83b6d3c968b39c7c5b62a
SHA1 2c61640cc67926638e7584a4045e7d29cb95b0ba
SHA256 2242aee6f8ecb743d05f06dddd20545d833bf1b11362b9f8cead0b2791eb8ecc
SHA512 ebb5ad68773bf5566ae7c2f93a667224a3060b18bbbf1638eb59c0a49475c3fc9d797ed77ed0895dcf5fdf1e6d37706dc0965db54828f496c6b92868206fdb36

memory/1496-65-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1496-67-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1496-68-0x0000000000401180-mapping.dmp

memory/1696-74-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1696-75-0x00000000004512E0-mapping.dmp

memory/1696-78-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1696-80-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1696-81-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1496-82-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1696-83-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1696-84-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pMztWaijAM.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

memory/1496-86-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1268-87-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1268-88-0x000000000041C410-mapping.dmp

memory/1268-91-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1268-93-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1268-94-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1268-95-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1268-96-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1496-97-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1068-98-0x0000000000000000-mapping.dmp

memory/588-100-0x0000000000000000-mapping.dmp

C:\Users\Admin\run.vbs

MD5 a12b2136ef3b5697cff8528aafc904fe
SHA1 d911834b5f8b0c7b71f4f8e2258d510c1e42e9e9
SHA256 0738ae023c1220e39d62a54db1f19f8eab832c1e8787b0858574056bf2cfc43c
SHA512 99d58123ce2dbcc8a702da42c6bf8a2d2f1ee0bd5e4eba8f43da0ee757ca074fb3c57546ee103b4976109fdb7d7a0ad59cf2da75f4becde22055db315d8bdb47

C:\Users\Admin\AcrbRd32.exe

MD5 e01ced5c12390ff5256694eda890b33a
SHA1 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

\Users\Admin\AcrbRd32.exe

MD5 e01ced5c12390ff5256694eda890b33a
SHA1 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

memory/1608-105-0x0000000000000000-mapping.dmp

memory/1748-107-0x0000000000000000-mapping.dmp

\Users\Admin\AcrbRd32.exe

MD5 e01ced5c12390ff5256694eda890b33a
SHA1 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

C:\Users\Admin\AcrbRd32.exe

MD5 e01ced5c12390ff5256694eda890b33a
SHA1 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

C:\Users\Admin\AcrbRd32.exe

MD5 e01ced5c12390ff5256694eda890b33a
SHA1 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\start.lnk

MD5 a51a6246fedcfc84eb642358f8e93e6c
SHA1 5bb027d88b95888c38b11ed24e1865e5b25ee068
SHA256 4bc639a8de709ef5bc1ad49bd44d0e85c26f3ac076f066489b934afd406686a3
SHA512 3c45baa580060507215ff8707ef43301775664a5285cbe3415d2aa8998e62f1a0e0f0f2169ba2c91739f87a57ffa2f5a9faa9520bfa2b25af4cda3ef7eaa01c9

memory/1652-116-0x0000000000401180-mapping.dmp

memory/680-123-0x00000000004512E0-mapping.dmp

memory/532-127-0x0000000000401180-mapping.dmp

memory/1664-134-0x00000000004512E0-mapping.dmp

memory/1652-135-0x0000000000400000-0x0000000000442000-memory.dmp

memory/532-136-0x0000000000400000-0x0000000000442000-memory.dmp

memory/860-138-0x000000000041C410-mapping.dmp

memory/860-141-0x0000000000400000-0x000000000041F000-memory.dmp

memory/860-143-0x0000000000400000-0x000000000041F000-memory.dmp

memory/860-144-0x0000000000400000-0x000000000041F000-memory.dmp

memory/860-145-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1560-147-0x000000000041C410-mapping.dmp

memory/532-149-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1652-148-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1496-150-0x0000000000000000-mapping.dmp

memory/1396-152-0x0000000000000000-mapping.dmp

memory/1152-155-0x0000000000000000-mapping.dmp

\Users\Admin\AcrbRd32.exe

MD5 e01ced5c12390ff5256694eda890b33a
SHA1 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

C:\Users\Admin\AcrbRd32.exe

MD5 e01ced5c12390ff5256694eda890b33a
SHA1 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

memory/1068-159-0x0000000000000000-mapping.dmp

\Users\Admin\AcrbRd32.exe

MD5 e01ced5c12390ff5256694eda890b33a
SHA1 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

C:\Users\Admin\AcrbRd32.exe

MD5 e01ced5c12390ff5256694eda890b33a
SHA1 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-11 19:58

Reported

2022-10-12 05:53

Platform

win10v2004-20220901-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe"

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AcrbRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AcrbRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AcrbRd32.exe N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AcrbRd32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AcrbRd32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AcrbRd32.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target Count
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AcrbRd32.exe N/A 3
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\4zo2p4375w9716n = "C:\\Users\\Admin\\4zo2p4375w9716n\\79711.vbs" C:\Users\Admin\AcrbRd32.exe N/A 3

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target Count
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AcrbRd32.exe N/A 3
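The RunOnce rows and the EnableLUA reads above are the report's persistence and UAC-probing evidence: a binary running from the root of the user's profile registers a .vbs under that same profile in HKU\...\RunOnce, then reads the machine-wide EnableLUA policy. The Python below is an added example, not code from the report or from the sandbox. It transcribes those rows as sample events, adds one constructed benign control row (a hypothetical updater under Program Files, so that an ordinary Run value yields no finding), and flags autorun values that name a script or a user-writable path, autorun writes made by a process that itself lives in a user-writable directory, and EnableLUA reads by such a process. The rule names, the extension list and the path heuristics are the example's own; the executable extraction takes the first token that ends in a known extension, a simplification of how Windows resolves an unquoted Run value.

```python
"""Triage sandbox registry rows for user-level autorun persistence and UAC probing.

Added example, not code from the report or from any sandbox. SAMPLE_EVENTS
transcribes the report's RunOnce and EnableLUA rows and adds one constructed
benign control row (a hypothetical vendor updater); the rule names, extension
list and path heuristics are this example's own."""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

SID = "S-1-5-21-929662420-1054238289-2961194603-1000"
USER_HIVE = r"\REGISTRY\USER" + "\\" + SID

# (description, indicator, process) exactly as the report lays its rows out
SAMPLE_EVENTS = [
    ("Key created", USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     r"C:\Users\Admin\AcrbRd32.exe"),
    ("Set value (str)", USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\4zo2p4375w9716n"
     + r' = "C:\\Users\\Admin\\4zo2p4375w9716n\\79711.vbs"', r"C:\Users\Admin\AcrbRd32.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     r"C:\Users\Admin\AcrbRd32.exe"),
    # constructed benign control: a hypothetical updater under Program Files registering itself
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate"
     + r' = "C:\\Program Files\\Vendor\\Updater.exe /background"', r"C:\Program Files\Vendor\Updater.exe"),
]

AUTORUN_RE = re.compile(
    r"^\\REGISTRY\\(?:USER\\(?P<sid>S-1-5-[\d-]+)|MACHINE)"
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(?P<key>RunOnceEx|RunOnce|Run)"
    r"(?:\\(?P<name>[^\\=]+?))?\s*(?:=\s*\"(?P<data>.*)\")?$",
    re.IGNORECASE)
UAC_RE = re.compile(r"\\Policies\\System\\EnableLUA$", re.IGNORECASE)
# first token of a value that ends in an executable or script extension (simplified;
# Windows itself tries successive space-separated prefixes of an unquoted path)
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|scr|vbs|vbe|js|jse|wsf|wsh|hta|ps1|bat|cmd))"?(?:\s|$)',
                    re.IGNORECASE)
SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd"}
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\(users|programdata)\\", re.IGNORECASE)


@dataclass
class Autorun:
    hive: str
    sid: Optional[str]
    key: str
    name: Optional[str]
    target: Optional[str]  # value data with the report's doubled backslashes undone


def parse_autorun(indicator):
    """Autorun for a Run/RunOnce key or value indicator, None for anything else."""
    m = AUTORUN_RE.match(indicator)
    if not m:
        return None
    data = m.group("data")
    return Autorun(hive="HKU" if m.group("sid") else "HKLM", sid=m.group("sid"),
                   key=m.group("key"), name=m.group("name"),
                   target=data.replace("\\\\", "\\") if data else None)


def launched_file(target):
    """The file a Run value would start, ignoring any arguments after it."""
    m = EXE_RE.match(target)
    return m.group("exe") if m else target


def triage(events):
    """Return (rule, process, detail) triples for the suspicious rows."""
    findings = []
    for desc, indicator, process in events:
        run = parse_autorun(indicator)
        if run:
            # the writer itself runs from a user-writable directory
            if USER_WRITABLE_RE.match(process):
                findings.append(("autorun-by-user-writable-process", process, f"{desc} {run.key}"))
            if run.target:
                exe = launched_file(run.target)
                if ntpath.splitext(exe)[1].lower() in SCRIPT_EXT:
                    findings.append(("autorun-script", process, f"{run.key}\\{run.name} -> {exe}"))
                if USER_WRITABLE_RE.match(exe):
                    findings.append(("autorun-user-writable", process, f"{run.key}\\{run.name} -> {exe}"))
        elif desc.startswith("Key value queried") and UAC_RE.search(indicator) and USER_WRITABLE_RE.match(process):
            findings.append(("uac-probe", process, indicator))
    return findings


if __name__ == "__main__":
    for rule, process, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {process}: {detail}")
```

Run as-is it prints five findings, all against C:\Users\Admin\AcrbRd32.exe, and nothing for the control row; feed it the rows of another report in the same three-column shape to reuse it.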

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target Count
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Users\Admin\AcrbRd32.exe N/A 3
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\WScript.exe N/A 3

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AcrbRd32.exe N/A 64

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AcrbRd32.exe N/A 3

Suspicious use of SetWindowsHookEx

Description Indicator Process Target Count
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A 2

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 3532 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe C:\Users\Admin\AcrbRd32.exe 3
PID 340 wrote to memory of 1140 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 5
PID 1140 wrote to memory of 528 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 8
PID 1140 wrote to memory of 3204 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 8
PID 340 wrote to memory of 4884 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\SysWOW64\WScript.exe 3
PID 4884 wrote to memory of 1672 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AcrbRd32.exe 3
PID 1672 wrote to memory of 5092 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 3
PID 1672 wrote to memory of 3624 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\SysWOW64\WScript.exe 3
PID 3624 wrote to memory of 4792 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AcrbRd32.exe 3
PID 4792 wrote to memory of 2760 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 5
PID 2760 wrote to memory of 4224 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 8
PID 2760 wrote to memory of 396 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 8
PID 4792 wrote to memory of 4236 N/A C:\Users\Admin\AcrbRd32.exe C:\Windows\SysWOW64\WScript.exe 3
PID 4236 wrote to memory of 3844 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AcrbRd32.exe 1

Processes

C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe

"C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe"

C:\Users\Admin\AcrbRd32.exe

"C:\Users\Admin\AcrbRd32.exe" qVyh.BVI

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\rtdIILBBIa.ini"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\vU4OXBevH3.ini"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\run.vbs"

C:\Users\Admin\AcrbRd32.exe

"C:\Users\Admin\AcrbRd32.exe" qVyh.BVI

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\run.vbs"

C:\Users\Admin\AcrbRd32.exe

"C:\Users\Admin\AcrbRd32.exe" qVyh.BVI

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\ir3xVzKPbi.ini"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\OlGq0AQNXT.ini"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\run.vbs"

C:\Users\Admin\AcrbRd32.exe

"C:\Users\Admin\AcrbRd32.exe" qVyh.BVI

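Read together, the WriteProcessMemory rows and the Processes list above give the chain: DOCUMENT.exe (PID 3532) writes into the dropped AcrbRd32.exe (340), which writes into a RegSvcs.exe it started (1140); that RegSvcs.exe instance starts two further RegSvcs.exe instances (528, 3204), each with a command line of the form /scomma "<temp .ini>" and no argv[0]. /scomma is the NirSoft export-to-CSV switch and not a RegSvcs.exe option, which together with the NirSoft MailPassView signature in this report is consistent with NirSoft recovery tools running inside a RegSvcs.exe image that has been replaced in memory. AcrbRd32.exe then runs run.vbs through WScript.exe, and the script relaunches AcrbRd32.exe, so the same sequence repeats (1672, 4792, 3844). The System32\WScript.exe path in the command line against the SysWOW64 image on disk is WoW64 file-system redirection from a 32-bit parent, not a discrepancy in the report.

The Python below is an added example, not code from the report or from the sandbox. It transcribes the table as one edge per source/target pair with its row count and the Processes list as (image, command line) pairs, rebuilds the tree, and applies the checks just described. The .NET host and script-host lists, the rule names and the treatment of a memory write as a parent/child edge are the example's own assumptions; the report gives no PIDs for the command lines, so those checks run per listed line rather than per PID.

```python
"""Rebuild the process chain from the WriteProcessMemory rows of a sandbox
report and flag the hollowing / relaunch pattern in it.

Added example, not code from the report or from any sandbox. WRITE_EVENTS and
PROCESS_CMDLINES are transcribed from the report's tables; the host lists,
rule names and the write-equals-parent assumption are this example's own."""
import ntpath
import re
from collections import defaultdict

DOCUMENT = r"C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe"
ACRB = r"C:\Users\Admin\AcrbRd32.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
WSCRIPT = r"C:\Windows\SysWOW64\WScript.exe"

# (source pid, target pid, source image, target image, rows in the report)
WRITE_EVENTS = [
    (3532, 340, DOCUMENT, ACRB, 3),
    (340, 1140, ACRB, REGSVCS, 5),
    (1140, 528, REGSVCS, REGSVCS, 8),
    (1140, 3204, REGSVCS, REGSVCS, 8),
    (340, 4884, ACRB, WSCRIPT, 3),
    (4884, 1672, WSCRIPT, ACRB, 3),
    (1672, 5092, ACRB, REGSVCS, 3),
    (1672, 3624, ACRB, WSCRIPT, 3),
    (3624, 4792, WSCRIPT, ACRB, 3),
    (4792, 2760, ACRB, REGSVCS, 5),
    (2760, 4224, REGSVCS, REGSVCS, 8),
    (2760, 396, REGSVCS, REGSVCS, 8),
    (4792, 4236, ACRB, WSCRIPT, 3),
    (4236, 3844, WSCRIPT, ACRB, 1),
]
# (image, command line) as listed under Processes; the report gives no PIDs there
PROCESS_CMDLINES = [
    (DOCUMENT, r'"C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe"'),
    (ACRB, r'"C:\Users\Admin\AcrbRd32.exe" qVyh.BVI'),
    (REGSVCS, r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"'),
    (REGSVCS, r'/scomma "C:\Users\Admin\AppData\Local\Temp\rtdIILBBIa.ini"'),
    (REGSVCS, r'/scomma "C:\Users\Admin\AppData\Local\Temp\vU4OXBevH3.ini"'),
    (WSCRIPT, r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\run.vbs"'),
]

# signed .NET utilities often used as hollowing hosts, and the script hosts (example's own lists)
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# NirSoft export switches (/scomma = save as CSV); RegSvcs.exe has none of these
NIRSOFT_EXPORT = {"/stext", "/stab", "/scomma", "/stabular", "/shtml", "/sverhtml", "/sxml"}
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\(users|programdata)\\", re.IGNORECASE)


def basename(path):
    return ntpath.basename(path).lower()


def build_tree(events):
    """children/image maps; a write from A into B is taken as A having started B."""
    children, image = defaultdict(list), {}
    for src, dst, src_img, dst_img, _ in events:
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
        if dst not in children[src]:
            children[src].append(dst)
    return children, image


def render_tree(events):
    """Indented 'pid image' lines, one root per PID nobody wrote into."""
    children, image = build_tree(events)
    written_into = {d for kids in children.values() for d in kids}
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{pid} {basename(image[pid])}")
        for kid in children[pid]:
            walk(kid, depth + 1)

    for root in [p for p in image if p not in written_into]:
        walk(root, 0)
    return "\n".join(lines)


def detect(events, cmdlines):
    """Return (rule, subject, detail) triples for the chain's suspicious traits."""
    findings = []
    for src, dst, src_img, dst_img, n in events:
        s, d = basename(src_img), basename(dst_img)
        # a .NET utility written into by a non-Windows binary, or by a copy of itself
        if d in DOTNET_HOSTS and (not WINDIR_RE.match(src_img) or s == d):
            findings.append(("hollowing-candidate", dst, f"{s} (pid {src}) wrote {n}x into {d}"))
        # a script host starting a binary out of a user-writable directory
        if s in SCRIPT_HOSTS and USER_WRITABLE_RE.match(dst_img):
            findings.append(("script-host-relaunch", dst, f"{s} (pid {src}) started {dst_img}"))
    for img, cmdline in cmdlines:
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
        first = tokens[0] if tokens else ""
        switches = {t.lower() for t in tokens} & NIRSOFT_EXPORT
        if switches and basename(img) in DOTNET_HOSTS:
            findings.append(("foreign-export-switch", img, f"{sorted(switches)} in: {cmdline}"))
        # command line built by the injector: no argv[0], the first token is already a switch
        if not first.lower().endswith(".exe"):
            findings.append(("argv0-missing", img, cmdline))
        # System32 in the command line but SysWOW64 on disk: file-system redirection, 32-bit parent
        if re.search(r"\\syswow64\\", img, re.I) and re.search(r"\\system32\\", first, re.I):
            findings.append(("wow64-redirect", img, first))
    return findings


if __name__ == "__main__":
    print(render_tree(WRITE_EVENTS))
    for rule, subject, detail in detect(WRITE_EVENTS, PROCESS_CMDLINES):
        print(f"[{rule}] {subject}: {detail}")
```

On this report's data the tree has fifteen nodes under 3532, seven RegSvcs.exe instances are flagged as hollowing candidates, three WScript.exe relaunches of AcrbRd32.exe are counted, and both /scomma lines trip the foreign-switch and missing-argv[0] rules.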
Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
NL 104.80.225.205:443 tcp
GB 51.132.193.104:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 easy.greyhatservices.com udp
US 204.79.197.200:443 tcp
US 8.8.8.8:53 easy.greyhatservices.com udp

Files

memory/340-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AcrbRd32.exe

MD5 e01ced5c12390ff5256694eda890b33a
SHA1 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

C:\Users\Admin\AcrbRd32.exe

MD5 e01ced5c12390ff5256694eda890b33a
SHA1 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

C:\Users\Admin\qVyh.BVI

MD5 9e013adda1d29031a077de6f7d5f4611
SHA1 30af3e0fd8de2a3a80ca8e00784724bb50ca572e
SHA256 653506def41220c523a49df251f861a84507174ff1e7bf0e5a2c4e662d30f8f0
SHA512 0e33d6670e88047509bf28c0e3c64327bf35d397908367b15404ac858e8f0506f38e2705f19aec32c74f49f7ba1dfc6fafa92ea0c8b285102990fbdd1f43c76d

C:\Users\Admin\fqNvzVucd.WFW

MD5 1228f4d84a443e3d51b75f8eb64c1512
SHA1 b50c2d7b56347eff07caaa9cb5a4e03e21efd17f
SHA256 5fb2f55f742ac03bd5a3abe456d0d20759d7edfe28019d7c1e537207371b51e1
SHA512 eb31a83149d55af2693e4658217dbbc510b0972be26ade4d9141f9a7693fff41d0cac68c94f5a7c4025acf77f0bce9ecf184345f6a125c1f8144b5922e9469be

C:\Users\Admin\hfOIwMh.IYB

MD5 ed3eca3289c83b6d3c968b39c7c5b62a
SHA1 2c61640cc67926638e7584a4045e7d29cb95b0ba
SHA256 2242aee6f8ecb743d05f06dddd20545d833bf1b11362b9f8cead0b2791eb8ecc
SHA512 ebb5ad68773bf5566ae7c2f93a667224a3060b18bbbf1638eb59c0a49475c3fc9d797ed77ed0895dcf5fdf1e6d37706dc0965db54828f496c6b92868206fdb36

memory/1140-141-0x0000000000000000-mapping.dmp

memory/1140-142-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1140-144-0x0000000000400000-0x0000000000442000-memory.dmp

memory/528-147-0x0000000000000000-mapping.dmp

memory/528-148-0x0000000000400000-0x0000000000453000-memory.dmp

memory/528-150-0x0000000000400000-0x0000000000453000-memory.dmp

memory/528-151-0x0000000000400000-0x0000000000453000-memory.dmp

memory/528-152-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1140-153-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rtdIILBBIa.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

memory/3204-155-0x0000000000000000-mapping.dmp

memory/3204-156-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3204-158-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3204-159-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3204-160-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3204-161-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1140-162-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4884-163-0x0000000000000000-mapping.dmp

C:\Users\Admin\run.vbs

MD5 a12b2136ef3b5697cff8528aafc904fe
SHA1 d911834b5f8b0c7b71f4f8e2258d510c1e42e9e9
SHA256 0738ae023c1220e39d62a54db1f19f8eab832c1e8787b0858574056bf2cfc43c
SHA512 99d58123ce2dbcc8a702da42c6bf8a2d2f1ee0bd5e4eba8f43da0ee757ca074fb3c57546ee103b4976109fdb7d7a0ad59cf2da75f4becde22055db315d8bdb47

memory/1672-165-0x0000000000000000-mapping.dmp

C:\Users\Admin\AcrbRd32.exe

MD5 e01ced5c12390ff5256694eda890b33a
SHA1 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\start.lnk

MD5 09c9384728d33a4479e269feef2348ba
SHA1 fda8ea0f701f6adf4d50db35a3b17dd624dc2a1f
SHA256 50b7adf210f7f5bae90b7e3453cc41bbc2e9a829a0ed81af175feca7c4dba6db
SHA512 50550ef3e63631c18789f69a6de73b7ade1a31866510f6ac0f1a249ac4540bc395d19802ac2cc7143865c4ea214c9b373ee9d613eb063afc8d458645dbcaa253

memory/5092-168-0x0000000000000000-mapping.dmp

memory/3624-169-0x0000000000000000-mapping.dmp

memory/4792-170-0x0000000000000000-mapping.dmp

C:\Users\Admin\AcrbRd32.exe

MD5 e01ced5c12390ff5256694eda890b33a
SHA1 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

memory/2760-172-0x0000000000000000-mapping.dmp

memory/2760-175-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4224-178-0x0000000000000000-mapping.dmp

memory/4224-181-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4224-182-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4224-183-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2760-184-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ir3xVzKPbi.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

memory/396-186-0x0000000000000000-mapping.dmp

memory/396-189-0x0000000000400000-0x000000000041F000-memory.dmp

memory/396-190-0x0000000000400000-0x000000000041F000-memory.dmp

memory/396-191-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2760-192-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4236-193-0x0000000000000000-mapping.dmp

memory/3844-194-0x0000000000000000-mapping.dmp

C:\Users\Admin\AcrbRd32.exe

MD5 e01ced5c12390ff5256694eda890b33a
SHA1 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d
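Two things in the Files list above are worth checking mechanically. First, every region dump for a RegSvcs.exe PID sits at base 0x400000 but with three different sizes: 0x42000 (PIDs 1140, 2760), 0x53000 (528, 4224) and 0x1F000 (3204, 396). One PE maps to one SizeOfImage, so three sizes under a single on-disk path mean three different images were mapped in place of RegSvcs.exe, and the pairing across the two relaunch rounds shows the same three payloads each time. Second, the same content recurs under different names: AcrbRd32.exe is written five times with one hash, and rtdIILBBIa.ini and ir3xVzKPbi.ini share a hash, so the export produced in each round is identical. The Python below is an added example, not code from the report or from the sandbox: it parses the dump names, groups region sizes by on-disk image using the PID-to-image mapping from the WriteProcessMemory table, and groups the listed files by hash. The dump list is a transcribed subset (one region dump per PID, two for 1140 to show that repeats collapse) and the file list is transcribed from the section above; the grouping logic is the example's own.

```python
"""Check the Files section of a sandbox report for hollowing evidence (one
on-disk image mapped with several sizes) and for artefacts re-dropped under
new names.

Added example, not code from the report or from any sandbox. DUMPS, PID_IMAGE
and FILES are transcribed from the report's Files and WriteProcessMemory
tables; the grouping logic is this example's own."""
import re
from collections import Counter, defaultdict

REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
ACRB = r"C:\Users\Admin\AcrbRd32.exe"
WSCRIPT = r"C:\Windows\SysWOW64\WScript.exe"

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, or a -mapping.dmp stub with no end
DUMP_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)"
                     r"(?:-0x(?P<end>[0-9a-f]+)-memory|-mapping)\.dmp$", re.IGNORECASE)

DUMPS = [
    "memory/340-135-0x0000000000000000-mapping.dmp",
    "memory/1140-142-0x0000000000400000-0x0000000000442000-memory.dmp",
    "memory/1140-153-0x0000000000400000-0x0000000000442000-memory.dmp",
    "memory/528-148-0x0000000000400000-0x0000000000453000-memory.dmp",
    "memory/3204-156-0x0000000000400000-0x000000000041F000-memory.dmp",
    "memory/4884-163-0x0000000000000000-mapping.dmp",
    "memory/2760-175-0x0000000000400000-0x0000000000442000-memory.dmp",
    "memory/4224-181-0x0000000000400000-0x0000000000453000-memory.dmp",
    "memory/396-189-0x0000000000400000-0x000000000041F000-memory.dmp",
]
PID_IMAGE = {340: ACRB, 1140: REGSVCS, 528: REGSVCS, 3204: REGSVCS, 4884: WSCRIPT,
             2760: REGSVCS, 4224: REGSVCS, 396: REGSVCS}

ACRB_SHA256 = "66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba"
INI_SHA256 = "fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba"
# (path, sha256): AcrbRd32.exe is listed five times with one hash; both .ini exports share a hash
FILES = [(ACRB, ACRB_SHA256)] * 5 + [
    (r"C:\Users\Admin\qVyh.BVI", "653506def41220c523a49df251f861a84507174ff1e7bf0e5a2c4e662d30f8f0"),
    (r"C:\Users\Admin\run.vbs", "0738ae023c1220e39d62a54db1f19f8eab832c1e8787b0858574056bf2cfc43c"),
    (r"C:\Users\Admin\AppData\Local\Temp\rtdIILBBIa.ini", INI_SHA256),
    (r"C:\Users\Admin\AppData\Local\Temp\ir3xVzKPbi.ini", INI_SHA256),
]


def parse_dump(name):
    """Fields of a dump name, or None if it is not one; size is None for mapping stubs."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start = int(m.group("start"), 16)
    end = int(m.group("end"), 16) if m.group("end") else None
    return {"pid": int(m.group("pid")), "seq": int(m.group("seq")), "start": start,
            "end": end, "size": None if end is None else end - start}


def mapped_regions(dumps):
    """pid -> {base: size}; -mapping.dmp stubs carry no region and are skipped."""
    regions = defaultdict(dict)
    for d in filter(None, map(parse_dump, dumps)):
        if d["end"] is not None:
            regions[d["pid"]][d["start"]] = d["size"]
    return regions


def image_size_conflicts(dumps, pid_image):
    """(image, base) -> {size: [pids]} where one on-disk image shows more than one
    region size at the same base. One PE maps to one SizeOfImage, so several
    sizes under a single path mean the mapped image was replaced in memory."""
    by_image = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for pid, bases in mapped_regions(dumps).items():
        for base, size in bases.items():
            by_image[pid_image[pid]][base][size].append(pid)
    return {(img, base): dict(sizes) for img, bases in by_image.items()
            for base, sizes in bases.items() if len(sizes) > 1}


def redrop_counts(files):
    """path -> number of times identical content was written to that path."""
    return {path: n for (path, _), n in Counter(files).items() if n > 1}


def shared_content(files):
    """sha256 -> distinct paths, for content written under more than one name."""
    paths = defaultdict(set)
    for path, digest in files:
        paths[digest].add(path)
    return {h: sorted(p) for h, p in paths.items() if len(p) > 1}


if __name__ == "__main__":
    for (img, base), sizes in image_size_conflicts(DUMPS, PID_IMAGE).items():
        print(f"{img} @ {base:#x}: " + ", ".join(f"{s:#x} in {p}" for s, p in sizes.items()))
    print(redrop_counts(FILES))
    print(shared_content(FILES))
```

The size grouping only says that different images were mapped, not which payload each one is; matching a size to a family still needs the dump contents.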