Analysis Overview
SHA256
dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9
Threat Level: Known bad
The file dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9 was found to be: Known bad.
Malicious Activity Summary
ISR Stealer
ISR Stealer payload
Nirsoft
NirSoft WebBrowserPassView
UPX packed file
Executes dropped EXE
Modifies Installed Components in the registry
Reads user/profile data of web browsers
Checks computer location settings
Reads data files stored by FTP clients
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-11 20:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-11 20:03
Reported
2022-10-12 03:29
Platform
win7-20220812-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
ISR Stealer
ISR Stealer payload
NirSoft WebBrowserPassView
Nirsoft
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AUFAV.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AUFAV.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AUFAV.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DWHCX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DWHCX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DWHCX.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ | C:\Users\Admin\AppData\Roaming\Host.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\StubPath = "'C:\\Users\\Admin\\AppData\\Roaming\\Host.exe'" | C:\Users\Admin\AppData\Roaming\Host.exe | N/A |
UPX packed file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | C:\Users\Admin\AppData\Roaming\Host.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Samadbond = "C:\\Users\\Admin\\AppData\\Roaming\\Host.exe" | C:\Users\Admin\AppData\Roaming\Host.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AUFAV.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AUFAV.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AUFAV.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AUFAV.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DWHCX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DWHCX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DWHCX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DWHCX.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AUFAV.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DWHCX.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe
"C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe"
C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe
"C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe"
C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe
"C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe"
C:\Users\Admin\AppData\Roaming\Host.exe
"C:\Users\Admin\AppData\Roaming\Host.exe" C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe
C:\Users\Admin\AppData\Local\Temp\AUFAV.exe
"C:\Users\Admin\AppData\Local\Temp\AUFAV.exe"
C:\Users\Admin\AppData\Local\Temp\AUFAV.exe
"C:\Users\Admin\AppData\Local\Temp\AUFAV.exe"
C:\Users\Admin\AppData\Local\Temp\AUFAV.exe
"C:\Users\Admin\AppData\Local\Temp\AUFAV.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
C:\Users\Admin\AppData\Roaming\Host.exe
"C:\Users\Admin\AppData\Roaming\Host.exe"
C:\Users\Admin\AppData\Roaming\Host.exe
"C:\Users\Admin\AppData\Roaming\Host.exe"
C:\Users\Admin\AppData\Local\Temp\DWHCX.exe
"C:\Users\Admin\AppData\Local\Temp\DWHCX.exe"
C:\Users\Admin\AppData\Local\Temp\DWHCX.exe
"C:\Users\Admin\AppData\Local\Temp\DWHCX.exe"
C:\Users\Admin\AppData\Local\Temp\DWHCX.exe
"C:\Users\Admin\AppData\Local\Temp\DWHCX.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
Network
| Country | Destination | Domain | Proto |
| CA | 67.215.4.78:3360 | | tcp |
| US | 8.8.8.8:53 | rapidgens.info | udp |
| CA | 67.215.4.78:1604 | | tcp |
| CA | 67.215.4.78:3360 | | tcp |
| CA | 67.215.4.78:1604 | | tcp |
| CA | 67.215.4.78:3360 | | tcp |
| CA | 67.215.4.78:1604 | | tcp |
| CA | 67.215.4.78:3360 | | tcp |
| CA | 67.215.4.78:1604 | | tcp |
| CA | 67.215.4.78:3360 | | tcp |
| CA | 67.215.4.78:1604 | | tcp |
| CA | 67.215.4.78:3360 | | tcp |
| CA | 67.215.4.78:1604 | | tcp |
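The process tree, registry changes and network table above make up a compact behavioural fingerprint: the sample copies itself to `Host.exe` (same SHA256 as the original), registers that copy both as an Active Setup `StubPath` and as the `Samadbond` Run value, drops a NirSoft password-recovery tool under a random five-letter name (the hash is identical across AUFAV/DWHCX/JEOJF/WRCWS.exe), runs it with `/scomma` to write credentials to `data.dmp`, and talks to 67.215.4.78 on 1604/3360 after resolving rapidgens.info. The Python below is an added example, not part of the report or of any sandbox's own tooling: it turns those observations into hunt rules and runs them over a handful of constructed Sysmon-style events. The event schema (`kind`, `image`, `cmdline`, `sha256`, `op`, `key`, `value`, `dst_ip`, `dst_port`, `query`) is an assumption for the example; the indicator values are taken from the tables above. The behavioural rules are deliberately kept separate from the hash and C2 indicators so they still fire on a rebuild that changes every hash and IP.

```python
"""Hunt rules derived from the behaviour in this report, run over constructed events.

Indicator values (IP, ports, domain, hashes, registry paths, Run value name)
come from the report; the event schema and the sample events are constructed
for this example and are not any sandbox's own format.
"""
import re

# Atomic indicators copied from the report.
C2_ENDPOINTS = {("67.215.4.78", 1604), ("67.215.4.78", 3360)}
C2_DOMAINS = {"rapidgens.info"}
DROPPED_SHA256 = {
    # Host.exe: byte-identical to the original sample (self-copy used for persistence)
    "dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9",
    # AUFAV/DWHCX/JEOJF/WRCWS.exe: one NirSoft binary under random five-letter names
    "8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911",
}

# Behavioural patterns: these survive a rebuild that changes every hash above.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
ACTIVE_SETUP_RE = re.compile(
    r"\\Microsoft\\Active Setup\\Installed Components\\.*StubPath$", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local\\Temp)\\", re.I)
# NirSoft "save report" switches. /scomma is the one in the report; the others are
# the same tool family's other documented output switches (generalisation).
NIRSOFT_SAVE_RE = re.compile(
    r"(?:^|\s)/s(?:comma|text|tab|tabular|html|verhtml|xml)\s+(\S+)", re.I)


def triage(events):
    """Return a list of (tag, detail) findings, one per event that matches a rule."""
    findings = []
    for e in events:
        kind, image = e["kind"], e.get("image", "")
        if kind == "process":
            if e.get("sha256", "").lower() in DROPPED_SHA256:
                findings.append(("hash_ioc", image))
            m = NIRSOFT_SAVE_RE.search(e.get("cmdline", ""))
            # A NirSoft dump switch is only interesting when the tool runs from a
            # user-writable drop location, which is where a loader would stage it.
            if m and USER_WRITABLE_RE.search(image):
                findings.append(("nirsoft_credential_dump", m.group(1)))
        elif kind == "registry" and e.get("op") == "SetValue":
            key, value = e["key"], e["value"].strip("'\" ")  # StubPath value is single-quoted
            if RUN_KEY_RE.search(key) and USER_WRITABLE_RE.search(value):
                findings.append(("run_key_persistence", key))
            if ACTIVE_SETUP_RE.search(key) and USER_WRITABLE_RE.search(value):
                findings.append(("active_setup_persistence", key))
        elif kind == "network":
            if (e["dst_ip"], e["dst_port"]) in C2_ENDPOINTS:
                findings.append(("c2_endpoint", f"{image} -> {e['dst_ip']}:{e['dst_port']}"))
        elif kind == "dns":
            if e["query"].lower().rstrip(".") in C2_DOMAINS:
                findings.append(("c2_domain", e["query"]))
    return findings


def verdict(findings):
    """Collapse findings into a verdict. The full stealer chain is persistence plus a
    credential dump plus C2; a known-bad hash is conclusive on its own; anything
    less is only 'suspicious' (a lone Run key is also what legitimate installers do)."""
    tags = {t for t, _ in findings}
    persistence = bool(tags & {"run_key_persistence", "active_setup_persistence"})
    c2 = bool(tags & {"c2_endpoint", "c2_domain"})
    if "hash_ioc" in tags or (persistence and "nirsoft_credential_dump" in tags and c2):
        return "known_bad"
    return "suspicious" if tags else "clean"


# Constructed sample events modelled on the win7 run above (SID from that run).
SID = "S-1-5-21-999675638-2867687379-27515722-1000"
HOST = r"C:\Users\Admin\AppData\Roaming\Host.exe"
DUMPER = r"C:\Users\Admin\AppData\Local\Temp\AUFAV.exe"
DATA_DMP = r"C:\Users\Admin\AppData\Local\Temp\data.dmp"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"  # benign noise, must not fire
SAMPLE_EVENTS = [
    {"kind": "process", "image": HOST, "cmdline": f'"{HOST}"',
     "sha256": "dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9"},
    {"kind": "registry", "op": "SetValue", "image": HOST,
     "key": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\Samadbond",
     "value": HOST},
    {"kind": "registry", "op": "SetValue", "image": HOST,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\StubPath",
     "value": f"'{HOST}'"},
    {"kind": "process", "image": DUMPER, "cmdline": f'"{DUMPER}" /scomma {DATA_DMP}',
     "sha256": "8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911"},
    {"kind": "dns", "image": HOST, "query": "rapidgens.info"},
    {"kind": "network", "image": HOST, "dst_ip": "67.215.4.78", "dst_port": 1604},
    {"kind": "process", "image": FIREFOX, "cmdline": "firefox.exe", "sha256": "0" * 64},
    {"kind": "network", "image": FIREFOX, "dst_ip": "93.184.220.29", "dst_port": 80},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for tag, detail in found:
        print(f"{tag:28} {detail}")
    print("verdict:", verdict(found))
```

Two points worth carrying into a real deployment: the Active Setup `StubPath` sits under HKLM, so writing it from a user-profile binary is itself abnormal and the rule does not need the `Wow6432Node` prefix to fire on a 64-bit host; and because the dropped NirSoft tool is byte-identical regardless of its random file name, blocking on its SHA256 is effective even though path-based rules on `AUFAV.exe` or `DWHCX.exe` are not.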
Files
memory/1456-85-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1456-86-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1456-88-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1456-89-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1456-90-0x0000000000456730-mapping.dmp
memory/584-92-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1456-94-0x0000000000400000-0x0000000000459000-memory.dmp
memory/584-93-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1456-97-0x0000000000400000-0x0000000000459000-memory.dmp
memory/584-96-0x0000000000400000-0x0000000000414000-memory.dmp
memory/584-99-0x0000000000400000-0x0000000000414000-memory.dmp
memory/584-100-0x0000000000400000-0x0000000000414000-memory.dmp
memory/584-102-0x0000000000401F7F-mapping.dmp
memory/584-105-0x0000000075F81000-0x0000000075F83000-memory.dmp
memory/1456-106-0x0000000000400000-0x0000000000459000-memory.dmp
memory/584-108-0x0000000000400000-0x0000000000414000-memory.dmp
memory/584-109-0x0000000000400000-0x0000000000414000-memory.dmp
memory/536-112-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\Host.exe
| MD5 | 7b3ff7f2f522779c5bd0cc9862190210 |
| SHA1 | efbbee045ba78058f6735a472343fe9748834be8 |
| SHA256 | dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9 |
| SHA512 | ca3acc3d41a819fb37fd7a37c27fb19250846f5174c4d132e8d4e9f30caaa84aa3405d8c65cafba08328b1c11c445d28136de5bca934aee10156304b43ecf9b6 |
C:\Users\Admin\AppData\Roaming\Host.exe
| MD5 | 7b3ff7f2f522779c5bd0cc9862190210 |
| SHA1 | efbbee045ba78058f6735a472343fe9748834be8 |
| SHA256 | dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9 |
| SHA512 | ca3acc3d41a819fb37fd7a37c27fb19250846f5174c4d132e8d4e9f30caaa84aa3405d8c65cafba08328b1c11c445d28136de5bca934aee10156304b43ecf9b6 |
\Users\Admin\AppData\Local\Temp\AUFAV.exe
| MD5 | ccc2260269cb43ddadda9444e3d112f7 |
| SHA1 | ddab46acc12d7c60a15fa363f88030f1dd539fcb |
| SHA256 | 8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911 |
| SHA512 | 787d0b4f5d89b840a4917c78e46f963c8c96a96ec005b45d085222ef307c2a76f074c4a65ca033b038e1b7d1419c7cd3c5c5f3075c3ea24e546c68bdd7643fde |
memory/780-121-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AUFAV.exe
| MD5 | ccc2260269cb43ddadda9444e3d112f7 |
| SHA1 | ddab46acc12d7c60a15fa363f88030f1dd539fcb |
| SHA256 | 8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911 |
| SHA512 | 787d0b4f5d89b840a4917c78e46f963c8c96a96ec005b45d085222ef307c2a76f074c4a65ca033b038e1b7d1419c7cd3c5c5f3075c3ea24e546c68bdd7643fde |
memory/1948-127-0x0000000000400000-0x0000000000441000-memory.dmp
\Users\Admin\AppData\Local\Temp\AUFAV.exe
| MD5 | ccc2260269cb43ddadda9444e3d112f7 |
| SHA1 | ddab46acc12d7c60a15fa363f88030f1dd539fcb |
| SHA256 | 8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911 |
| SHA512 | 787d0b4f5d89b840a4917c78e46f963c8c96a96ec005b45d085222ef307c2a76f074c4a65ca033b038e1b7d1419c7cd3c5c5f3075c3ea24e546c68bdd7643fde |
memory/1948-128-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1948-130-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1948-131-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1948-132-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1948-133-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1948-134-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1948-136-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1948-137-0x0000000000408DF8-mapping.dmp
memory/1948-139-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AUFAV.exe
| MD5 | ccc2260269cb43ddadda9444e3d112f7 |
| SHA1 | ddab46acc12d7c60a15fa363f88030f1dd539fcb |
| SHA256 | 8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911 |
| SHA512 | 787d0b4f5d89b840a4917c78e46f963c8c96a96ec005b45d085222ef307c2a76f074c4a65ca033b038e1b7d1419c7cd3c5c5f3075c3ea24e546c68bdd7643fde |
memory/1948-140-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1464-142-0x0000000000400000-0x0000000000454000-memory.dmp
\Users\Admin\AppData\Local\Temp\AUFAV.exe
| MD5 | ccc2260269cb43ddadda9444e3d112f7 |
| SHA1 | ddab46acc12d7c60a15fa363f88030f1dd539fcb |
| SHA256 | 8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911 |
| SHA512 | 787d0b4f5d89b840a4917c78e46f963c8c96a96ec005b45d085222ef307c2a76f074c4a65ca033b038e1b7d1419c7cd3c5c5f3075c3ea24e546c68bdd7643fde |
memory/1464-144-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1464-145-0x000000000043F420-mapping.dmp
memory/1948-147-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AUFAV.exe
| MD5 | ccc2260269cb43ddadda9444e3d112f7 |
| SHA1 | ddab46acc12d7c60a15fa363f88030f1dd539fcb |
| SHA256 | 8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911 |
| SHA512 | 787d0b4f5d89b840a4917c78e46f963c8c96a96ec005b45d085222ef307c2a76f074c4a65ca033b038e1b7d1419c7cd3c5c5f3075c3ea24e546c68bdd7643fde |
memory/1464-151-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1464-152-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1464-153-0x0000000000400000-0x0000000000454000-memory.dmp
C:\Users\Admin\AppData\Roaming\Host.exe
| MD5 | 7b3ff7f2f522779c5bd0cc9862190210 |
| SHA1 | efbbee045ba78058f6735a472343fe9748834be8 |
| SHA256 | dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9 |
| SHA512 | ca3acc3d41a819fb37fd7a37c27fb19250846f5174c4d132e8d4e9f30caaa84aa3405d8c65cafba08328b1c11c445d28136de5bca934aee10156304b43ecf9b6 |
memory/1504-160-0x0000000000456730-mapping.dmp
C:\Users\Admin\AppData\Roaming\Host.exe
| MD5 | 7b3ff7f2f522779c5bd0cc9862190210 |
| SHA1 | efbbee045ba78058f6735a472343fe9748834be8 |
| SHA256 | dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9 |
| SHA512 | ca3acc3d41a819fb37fd7a37c27fb19250846f5174c4d132e8d4e9f30caaa84aa3405d8c65cafba08328b1c11c445d28136de5bca934aee10156304b43ecf9b6 |
memory/1592-175-0x0000000000401F7F-mapping.dmp
C:\Users\Admin\AppData\Roaming\Host.exe
| MD5 | 7b3ff7f2f522779c5bd0cc9862190210 |
| SHA1 | efbbee045ba78058f6735a472343fe9748834be8 |
| SHA256 | dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9 |
| SHA512 | ca3acc3d41a819fb37fd7a37c27fb19250846f5174c4d132e8d4e9f30caaa84aa3405d8c65cafba08328b1c11c445d28136de5bca934aee10156304b43ecf9b6 |
\Users\Admin\AppData\Local\Temp\DWHCX.exe
| MD5 | ccc2260269cb43ddadda9444e3d112f7 |
| SHA1 | ddab46acc12d7c60a15fa363f88030f1dd539fcb |
| SHA256 | 8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911 |
| SHA512 | 787d0b4f5d89b840a4917c78e46f963c8c96a96ec005b45d085222ef307c2a76f074c4a65ca033b038e1b7d1419c7cd3c5c5f3075c3ea24e546c68bdd7643fde |
memory/1396-185-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DWHCX.exe
| MD5 | ccc2260269cb43ddadda9444e3d112f7 |
| SHA1 | ddab46acc12d7c60a15fa363f88030f1dd539fcb |
| SHA256 | 8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911 |
| SHA512 | 787d0b4f5d89b840a4917c78e46f963c8c96a96ec005b45d085222ef307c2a76f074c4a65ca033b038e1b7d1419c7cd3c5c5f3075c3ea24e546c68bdd7643fde |
\Users\Admin\AppData\Local\Temp\DWHCX.exe
| MD5 | ccc2260269cb43ddadda9444e3d112f7 |
| SHA1 | ddab46acc12d7c60a15fa363f88030f1dd539fcb |
| SHA256 | 8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911 |
| SHA512 | 787d0b4f5d89b840a4917c78e46f963c8c96a96ec005b45d085222ef307c2a76f074c4a65ca033b038e1b7d1419c7cd3c5c5f3075c3ea24e546c68bdd7643fde |
C:\Users\Admin\AppData\Local\Temp\DWHCX.exe
| MD5 | ccc2260269cb43ddadda9444e3d112f7 |
| SHA1 | ddab46acc12d7c60a15fa363f88030f1dd539fcb |
| SHA256 | 8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911 |
| SHA512 | 787d0b4f5d89b840a4917c78e46f963c8c96a96ec005b45d085222ef307c2a76f074c4a65ca033b038e1b7d1419c7cd3c5c5f3075c3ea24e546c68bdd7643fde |
memory/1104-201-0x0000000000408DF8-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\data.dmp
| MD5 | c10dbeca73f8835240e08e4511284b83 |
| SHA1 | 0032f8f941cc07768189ca6ba32b1beede6b6917 |
| SHA256 | 0b6b62094048f0a069b4582f837afcb941db51340d0b16d578e8cbe8603a071e |
| SHA512 | 34f7ab8b4ab7b4996b82ffc49198103ef245ee7dd5ccfec793a9ee391b9e9bb30bd3916b4ebeaa9c66a4b5ca42f8572418f16dc83d41073bc94389c19916b967 |
C:\Users\Admin\AppData\Local\Temp\DWHCX.exe
| MD5 | ccc2260269cb43ddadda9444e3d112f7 |
| SHA1 | ddab46acc12d7c60a15fa363f88030f1dd539fcb |
| SHA256 | 8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911 |
| SHA512 | 787d0b4f5d89b840a4917c78e46f963c8c96a96ec005b45d085222ef307c2a76f074c4a65ca033b038e1b7d1419c7cd3c5c5f3075c3ea24e546c68bdd7643fde |
\Users\Admin\AppData\Local\Temp\DWHCX.exe
| MD5 | ccc2260269cb43ddadda9444e3d112f7 |
| SHA1 | ddab46acc12d7c60a15fa363f88030f1dd539fcb |
| SHA256 | 8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911 |
| SHA512 | 787d0b4f5d89b840a4917c78e46f963c8c96a96ec005b45d085222ef307c2a76f074c4a65ca033b038e1b7d1419c7cd3c5c5f3075c3ea24e546c68bdd7643fde |
memory/2024-211-0x000000000043F420-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DWHCX.exe
| MD5 | ccc2260269cb43ddadda9444e3d112f7 |
| SHA1 | ddab46acc12d7c60a15fa363f88030f1dd539fcb |
| SHA256 | 8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911 |
| SHA512 | 787d0b4f5d89b840a4917c78e46f963c8c96a96ec005b45d085222ef307c2a76f074c4a65ca033b038e1b7d1419c7cd3c5c5f3075c3ea24e546c68bdd7643fde |
memory/1104-214-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2024-217-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1504-218-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1592-219-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1456-220-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1456-221-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1504-222-0x0000000000400000-0x0000000000459000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-11 20:03
Reported
2022-10-12 03:29
Platform
win10v2004-20220812-en
Max time kernel
156s
Max time network
173s
Command Line
Signatures
ISR Stealer
ISR Stealer payload
NirSoft WebBrowserPassView
Nirsoft
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JEOJF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JEOJF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JEOJF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WRCWS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WRCWS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WRCWS.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\ | C:\Users\Admin\AppData\Roaming\Host.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\StubPath = "'C:\\Users\\Admin\\AppData\\Roaming\\Host.exe'" | C:\Users\Admin\AppData\Roaming\Host.exe | N/A |
UPX packed file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Host.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | C:\Users\Admin\AppData\Roaming\Host.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Samadbond = "C:\\Users\\Admin\\AppData\\Roaming\\Host.exe" | C:\Users\Admin\AppData\Roaming\Host.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JEOJF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JEOJF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JEOJF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JEOJF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JEOJF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JEOJF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JEOJF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JEOJF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WRCWS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WRCWS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WRCWS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WRCWS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WRCWS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WRCWS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WRCWS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WRCWS.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JEOJF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WRCWS.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe
"C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe"
C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe
"C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe"
C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe
"C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe"
C:\Users\Admin\AppData\Local\Temp\JEOJF.exe
"C:\Users\Admin\AppData\Local\Temp\JEOJF.exe"
C:\Users\Admin\AppData\Roaming\Host.exe
"C:\Users\Admin\AppData\Roaming\Host.exe" C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe
C:\Users\Admin\AppData\Local\Temp\JEOJF.exe
"C:\Users\Admin\AppData\Local\Temp\JEOJF.exe"
C:\Users\Admin\AppData\Local\Temp\JEOJF.exe
"C:\Users\Admin\AppData\Local\Temp\JEOJF.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
C:\Users\Admin\AppData\Roaming\Host.exe
"C:\Users\Admin\AppData\Roaming\Host.exe"
C:\Users\Admin\AppData\Roaming\Host.exe
"C:\Users\Admin\AppData\Roaming\Host.exe"
C:\Users\Admin\AppData\Local\Temp\WRCWS.exe
"C:\Users\Admin\AppData\Local\Temp\WRCWS.exe"
C:\Users\Admin\AppData\Local\Temp\WRCWS.exe
"C:\Users\Admin\AppData\Local\Temp\WRCWS.exe"
C:\Users\Admin\AppData\Local\Temp\WRCWS.exe
"C:\Users\Admin\AppData\Local\Temp\WRCWS.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
Network
| Country | Destination | Domain | Proto |
| US | 72.21.91.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| NL | 104.80.225.205:443 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| US | 8.8.8.8:53 | rapidgens.info | udp |
| CA | 67.215.4.78:3360 | | tcp |
| US | 8.8.8.8:53 | rapidgens.info | udp |
| CA | 67.215.4.78:1604 | | tcp |
| CA | 67.215.4.78:3360 | | tcp |
| CA | 67.215.4.78:1604 | | tcp |
| CA | 67.215.4.78:3360 | | tcp |
| CA | 67.215.4.78:1604 | | tcp |
| CA | 67.215.4.78:3360 | | tcp |
| CA | 67.215.4.78:1604 | | tcp |
| CA | 67.215.4.78:3360 | | tcp |
| CA | 67.215.4.78:1604 | | tcp |
| CA | 67.215.4.78:3360 | | tcp |
Files
memory/1292-134-0x0000000000000000-mapping.dmp
memory/1292-135-0x0000000000400000-0x0000000000459000-memory.dmp
memory/5088-137-0x0000000000000000-mapping.dmp
memory/5088-138-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1292-140-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1292-139-0x0000000000400000-0x0000000000459000-memory.dmp
memory/5088-144-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1292-145-0x0000000000400000-0x0000000000459000-memory.dmp
memory/5088-146-0x0000000000400000-0x0000000000414000-memory.dmp
memory/316-147-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Host.exe
| MD5 | 7b3ff7f2f522779c5bd0cc9862190210 |
| SHA1 | efbbee045ba78058f6735a472343fe9748834be8 |
| SHA256 | dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9 |
| SHA512 | ca3acc3d41a819fb37fd7a37c27fb19250846f5174c4d132e8d4e9f30caaa84aa3405d8c65cafba08328b1c11c445d28136de5bca934aee10156304b43ecf9b6 |
memory/1104-152-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\JEOJF.exe
| MD5 | ccc2260269cb43ddadda9444e3d112f7 |
| SHA1 | ddab46acc12d7c60a15fa363f88030f1dd539fcb |
| SHA256 | 8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911 |
| SHA512 | 787d0b4f5d89b840a4917c78e46f963c8c96a96ec005b45d085222ef307c2a76f074c4a65ca033b038e1b7d1419c7cd3c5c5f3075c3ea24e546c68bdd7643fde |
memory/1572-157-0x0000000000000000-mapping.dmp
memory/1572-158-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1572-160-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1572-161-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2760-162-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\JEOJF.exe
| MD5 | ccc2260269cb43ddadda9444e3d112f7 |
| SHA1 | ddab46acc12d7c60a15fa363f88030f1dd539fcb |
| SHA256 | 8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911 |
| SHA512 | 787d0b4f5d89b840a4917c78e46f963c8c96a96ec005b45d085222ef307c2a76f074c4a65ca033b038e1b7d1419c7cd3c5c5f3075c3ea24e546c68bdd7643fde |
memory/2760-164-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1572-167-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JEOJF.exe
| MD5 | ccc2260269cb43ddadda9444e3d112f7 |
| SHA1 | ddab46acc12d7c60a15fa363f88030f1dd539fcb |
| SHA256 | 8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911 |
| SHA512 | 787d0b4f5d89b840a4917c78e46f963c8c96a96ec005b45d085222ef307c2a76f074c4a65ca033b038e1b7d1419c7cd3c5c5f3075c3ea24e546c68bdd7643fde |
memory/1572-163-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2760-168-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2760-169-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1292-170-0x0000000000400000-0x0000000000459000-memory.dmp
memory/2372-171-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Host.exe
| MD5 | 7b3ff7f2f522779c5bd0cc9862190210 |
| SHA1 | efbbee045ba78058f6735a472343fe9748834be8 |
| SHA256 | dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9 |
| SHA512 | ca3acc3d41a819fb37fd7a37c27fb19250846f5174c4d132e8d4e9f30caaa84aa3405d8c65cafba08328b1c11c445d28136de5bca934aee10156304b43ecf9b6 |
memory/5020-175-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Host.exe
| MD5 | 7b3ff7f2f522779c5bd0cc9862190210 |
| SHA1 | efbbee045ba78058f6735a472343fe9748834be8 |
| SHA256 | dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9 |
| SHA512 | ca3acc3d41a819fb37fd7a37c27fb19250846f5174c4d132e8d4e9f30caaa84aa3405d8c65cafba08328b1c11c445d28136de5bca934aee10156304b43ecf9b6 |
memory/2372-184-0x0000000000400000-0x0000000000459000-memory.dmp
memory/5020-185-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4956-186-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\WRCWS.exe
| MD5 | ccc2260269cb43ddadda9444e3d112f7 |
| SHA1 | ddab46acc12d7c60a15fa363f88030f1dd539fcb |
| SHA256 | 8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911 |
| SHA512 | 787d0b4f5d89b840a4917c78e46f963c8c96a96ec005b45d085222ef307c2a76f074c4a65ca033b038e1b7d1419c7cd3c5c5f3075c3ea24e546c68bdd7643fde |
memory/2560-191-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\WRCWS.exe
| MD5 | ccc2260269cb43ddadda9444e3d112f7 |
| SHA1 | ddab46acc12d7c60a15fa363f88030f1dd539fcb |
| SHA256 | 8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911 |
| SHA512 | 787d0b4f5d89b840a4917c78e46f963c8c96a96ec005b45d085222ef307c2a76f074c4a65ca033b038e1b7d1419c7cd3c5c5f3075c3ea24e546c68bdd7643fde |
memory/4188-197-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\data.dmp
| MD5 | c10dbeca73f8835240e08e4511284b83 |
| SHA1 | 0032f8f941cc07768189ca6ba32b1beede6b6917 |
| SHA256 | 0b6b62094048f0a069b4582f837afcb941db51340d0b16d578e8cbe8603a071e |
| SHA512 | 34f7ab8b4ab7b4996b82ffc49198103ef245ee7dd5ccfec793a9ee391b9e9bb30bd3916b4ebeaa9c66a4b5ca42f8572418f16dc83d41073bc94389c19916b967 |
C:\Users\Admin\AppData\Local\Temp\WRCWS.exe
| MD5 | ccc2260269cb43ddadda9444e3d112f7 |
| SHA1 | ddab46acc12d7c60a15fa363f88030f1dd539fcb |
| SHA256 | 8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911 |
| SHA512 | 787d0b4f5d89b840a4917c78e46f963c8c96a96ec005b45d085222ef307c2a76f074c4a65ca033b038e1b7d1419c7cd3c5c5f3075c3ea24e546c68bdd7643fde |
memory/2560-201-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4188-202-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4188-203-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2372-204-0x0000000000400000-0x0000000000459000-memory.dmp
memory/5020-205-0x0000000000400000-0x0000000000414000-memory.dmp