Malware Analysis Report

2025-01-18 16:44

Sample ID 221011-yspppaccgp
Target dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9
SHA256 dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9
Tags
isrstealer persistence spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9

Threat Level: Known bad

The file dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9 was found to be: Known bad.

Malicious Activity Summary

isrstealer persistence spyware stealer trojan upx

ISR Stealer

ISR Stealer payload

Nirsoft

NirSoft WebBrowserPassView

UPX packed file

Executes dropped EXE

Modifies Installed Components in the registry

Reads user/profile data of web browsers

Checks computer location settings

Reads data files stored by FTP clients

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-11 20:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-11 20:03

Reported

2022-10-12 03:29

Platform

win7-20220812-en

Max time kernel

146s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe"

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ C:\Users\Admin\AppData\Roaming\Host.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\StubPath = "'C:\\Users\\Admin\\AppData\\Roaming\\Host.exe'" C:\Users\Admin\AppData\Roaming\Host.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ C:\Users\Admin\AppData\Roaming\Host.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Samadbond = "C:\\Users\\Admin\\AppData\\Roaming\\Host.exe" C:\Users\Admin\AppData\Roaming\Host.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 1456 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe
PID 2044 wrote to memory of 584 (9 events) N/A C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe
PID 584 wrote to memory of 536 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe C:\Users\Admin\AppData\Roaming\Host.exe
PID 1456 wrote to memory of 780 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe C:\Users\Admin\AppData\Local\Temp\AUFAV.exe
PID 780 wrote to memory of 1948 (12 events) N/A C:\Users\Admin\AppData\Local\Temp\AUFAV.exe C:\Users\Admin\AppData\Local\Temp\AUFAV.exe
PID 1948 wrote to memory of 1464 (6 events) N/A C:\Users\Admin\AppData\Local\Temp\AUFAV.exe C:\Users\Admin\AppData\Local\Temp\AUFAV.exe
PID 536 wrote to memory of 1504 (8 events) N/A C:\Users\Admin\AppData\Roaming\Host.exe C:\Users\Admin\AppData\Roaming\Host.exe
PID 536 wrote to memory of 1592 (9 events) N/A C:\Users\Admin\AppData\Roaming\Host.exe C:\Users\Admin\AppData\Roaming\Host.exe
PID 1504 wrote to memory of 1396 (4 events) N/A C:\Users\Admin\AppData\Roaming\Host.exe C:\Users\Admin\AppData\Local\Temp\DWHCX.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe

"C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe"

C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe

"C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe"

C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe

"C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe"

C:\Users\Admin\AppData\Roaming\Host.exe

"C:\Users\Admin\AppData\Roaming\Host.exe" C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe

C:\Users\Admin\AppData\Local\Temp\AUFAV.exe

"C:\Users\Admin\AppData\Local\Temp\AUFAV.exe"

C:\Users\Admin\AppData\Local\Temp\AUFAV.exe

"C:\Users\Admin\AppData\Local\Temp\AUFAV.exe"

C:\Users\Admin\AppData\Local\Temp\AUFAV.exe

"C:\Users\Admin\AppData\Local\Temp\AUFAV.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp

C:\Users\Admin\AppData\Roaming\Host.exe

"C:\Users\Admin\AppData\Roaming\Host.exe"

C:\Users\Admin\AppData\Roaming\Host.exe

"C:\Users\Admin\AppData\Roaming\Host.exe"

C:\Users\Admin\AppData\Local\Temp\DWHCX.exe

"C:\Users\Admin\AppData\Local\Temp\DWHCX.exe"

C:\Users\Admin\AppData\Local\Temp\DWHCX.exe

"C:\Users\Admin\AppData\Local\Temp\DWHCX.exe"

C:\Users\Admin\AppData\Local\Temp\DWHCX.exe

"C:\Users\Admin\AppData\Local\Temp\DWHCX.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp

Network

Country Destination Domain Proto Count
CA 67.215.4.78:3360 N/A tcp 6
US 8.8.8.8:53 rapidgens.info udp 1
CA 67.215.4.78:1604 N/A tcp 6

Files

memory/1456-85-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1456-86-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1456-88-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1456-89-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1456-90-0x0000000000456730-mapping.dmp

memory/584-92-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1456-94-0x0000000000400000-0x0000000000459000-memory.dmp

memory/584-93-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1456-97-0x0000000000400000-0x0000000000459000-memory.dmp

memory/584-96-0x0000000000400000-0x0000000000414000-memory.dmp

memory/584-99-0x0000000000400000-0x0000000000414000-memory.dmp

memory/584-100-0x0000000000400000-0x0000000000414000-memory.dmp

memory/584-102-0x0000000000401F7F-mapping.dmp

memory/584-105-0x0000000075F81000-0x0000000075F83000-memory.dmp

memory/1456-106-0x0000000000400000-0x0000000000459000-memory.dmp

memory/584-108-0x0000000000400000-0x0000000000414000-memory.dmp

memory/584-109-0x0000000000400000-0x0000000000414000-memory.dmp

memory/536-112-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\Host.exe

MD5 7b3ff7f2f522779c5bd0cc9862190210
SHA1 efbbee045ba78058f6735a472343fe9748834be8
SHA256 dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9
SHA512 ca3acc3d41a819fb37fd7a37c27fb19250846f5174c4d132e8d4e9f30caaa84aa3405d8c65cafba08328b1c11c445d28136de5bca934aee10156304b43ecf9b6

C:\Users\Admin\AppData\Roaming\Host.exe

MD5 7b3ff7f2f522779c5bd0cc9862190210
SHA1 efbbee045ba78058f6735a472343fe9748834be8
SHA256 dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9
SHA512 ca3acc3d41a819fb37fd7a37c27fb19250846f5174c4d132e8d4e9f30caaa84aa3405d8c65cafba08328b1c11c445d28136de5bca934aee10156304b43ecf9b6

\Users\Admin\AppData\Local\Temp\AUFAV.exe

MD5 ccc2260269cb43ddadda9444e3d112f7
SHA1 ddab46acc12d7c60a15fa363f88030f1dd539fcb
SHA256 8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911
SHA512 787d0b4f5d89b840a4917c78e46f963c8c96a96ec005b45d085222ef307c2a76f074c4a65ca033b038e1b7d1419c7cd3c5c5f3075c3ea24e546c68bdd7643fde

memory/780-121-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\AUFAV.exe

MD5 ccc2260269cb43ddadda9444e3d112f7
SHA1 ddab46acc12d7c60a15fa363f88030f1dd539fcb
SHA256 8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911
SHA512 787d0b4f5d89b840a4917c78e46f963c8c96a96ec005b45d085222ef307c2a76f074c4a65ca033b038e1b7d1419c7cd3c5c5f3075c3ea24e546c68bdd7643fde

memory/1948-127-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1948-128-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1948-130-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1948-131-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1948-132-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1948-133-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1948-134-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1948-136-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1948-137-0x0000000000408DF8-mapping.dmp

memory/1948-139-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1948-140-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1464-142-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1464-144-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1464-145-0x000000000043F420-mapping.dmp

memory/1948-147-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1464-151-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1464-152-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1464-153-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1504-160-0x0000000000456730-mapping.dmp

memory/1592-175-0x0000000000401F7F-mapping.dmp

\Users\Admin\AppData\Local\Temp\DWHCX.exe

MD5 ccc2260269cb43ddadda9444e3d112f7
SHA1 ddab46acc12d7c60a15fa363f88030f1dd539fcb
SHA256 8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911
SHA512 787d0b4f5d89b840a4917c78e46f963c8c96a96ec005b45d085222ef307c2a76f074c4a65ca033b038e1b7d1419c7cd3c5c5f3075c3ea24e546c68bdd7643fde

memory/1396-185-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DWHCX.exe

MD5 ccc2260269cb43ddadda9444e3d112f7
SHA1 ddab46acc12d7c60a15fa363f88030f1dd539fcb
SHA256 8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911
SHA512 787d0b4f5d89b840a4917c78e46f963c8c96a96ec005b45d085222ef307c2a76f074c4a65ca033b038e1b7d1419c7cd3c5c5f3075c3ea24e546c68bdd7643fde

memory/1104-201-0x0000000000408DF8-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\data.dmp

MD5 c10dbeca73f8835240e08e4511284b83
SHA1 0032f8f941cc07768189ca6ba32b1beede6b6917
SHA256 0b6b62094048f0a069b4582f837afcb941db51340d0b16d578e8cbe8603a071e
SHA512 34f7ab8b4ab7b4996b82ffc49198103ef245ee7dd5ccfec793a9ee391b9e9bb30bd3916b4ebeaa9c66a4b5ca42f8572418f16dc83d41073bc94389c19916b967

memory/2024-211-0x000000000043F420-mapping.dmp

memory/1104-214-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2024-217-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1504-218-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1592-219-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1456-220-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1456-221-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1504-222-0x0000000000400000-0x0000000000459000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-11 20:03

Reported

2022-10-12 03:29

Platform

win10v2004-20220812-en

Max time kernel

156s

Max time network

173s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe"

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\ C:\Users\Admin\AppData\Roaming\Host.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\StubPath = "'C:\\Users\\Admin\\AppData\\Roaming\\Host.exe'" C:\Users\Admin\AppData\Roaming\Host.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Host.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ C:\Users\Admin\AppData\Roaming\Host.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Samadbond = "C:\\Users\\Admin\\AppData\\Roaming\\Host.exe" C:\Users\Admin\AppData\Roaming\Host.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4828 wrote to memory of 1292 (8 writes) N/A C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe
PID 4828 wrote to memory of 5088 (9 writes) N/A C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe
PID 1292 wrote to memory of 1104 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe C:\Users\Admin\AppData\Local\Temp\JEOJF.exe
PID 5088 wrote to memory of 316 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe C:\Users\Admin\AppData\Roaming\Host.exe
PID 1104 wrote to memory of 1572 (13 writes) N/A C:\Users\Admin\AppData\Local\Temp\JEOJF.exe C:\Users\Admin\AppData\Local\Temp\JEOJF.exe
PID 1572 wrote to memory of 2760 (5 writes) N/A C:\Users\Admin\AppData\Local\Temp\JEOJF.exe C:\Users\Admin\AppData\Local\Temp\JEOJF.exe
PID 316 wrote to memory of 2372 (8 writes) N/A C:\Users\Admin\AppData\Roaming\Host.exe C:\Users\Admin\AppData\Roaming\Host.exe
PID 316 wrote to memory of 5020 (9 writes) N/A C:\Users\Admin\AppData\Roaming\Host.exe C:\Users\Admin\AppData\Roaming\Host.exe
PID 2372 wrote to memory of 4956 (3 writes) N/A C:\Users\Admin\AppData\Roaming\Host.exe C:\Users\Admin\AppData\Local\Temp\WRCWS.exe
PID 4956 wrote to memory of 2560 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\WRCWS.exe C:\Users\Admin\AppData\Local\Temp\WRCWS.exe

The sample (PID 4828) writes into two further instances of its own image, one of which hands off to the dropped JEOJF.exe and the other to the Host.exe copy; Host.exe (PID 316) then repeats the same sequence with WRCWS.exe in place of JEOJF.exe. Every parent-writes-to-same-image pair here goes together with the Suspicious use of SetThreadContext signature listed in the summary.
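The WriteProcessMemory table above, collapsed into the injection graph it describes. This is an added example and not part of the sandbox report or the vendor's tooling: the table text is rebuilt from the report's rows with the same multiplicities, and the "self-injection" label is this example's own reading of a parent and target that share an image (the pattern that accompanies the report's SetThreadContext signature), not a sandbox verdict.

```python
"""Rebuild the injection graph from a sandbox WriteProcessMemory table."""
import re
from collections import Counter

S = r"C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe"
J = r"C:\Users\Admin\AppData\Local\Temp\JEOJF.exe"
H = r"C:\Users\Admin\AppData\Roaming\Host.exe"
W = r"C:\Users\Admin\AppData\Local\Temp\WRCWS.exe"

# The report's 64 rows, reconstructed with the same per-pair multiplicities.
TABLE = "Description Indicator Process Target\n" + "\n".join(
    [f"PID 4828 wrote to memory of 1292 N/A {S} {S}"] * 8
    + [f"PID 4828 wrote to memory of 5088 N/A {S} {S}"] * 9
    + [f"PID 1292 wrote to memory of 1104 N/A {S} {J}"] * 3
    + [f"PID 5088 wrote to memory of 316 N/A {S} {H}"] * 3
    + [f"PID 1104 wrote to memory of 1572 N/A {J} {J}"] * 13
    + [f"PID 1572 wrote to memory of 2760 N/A {J} {J}"] * 5
    + [f"PID 316 wrote to memory of 2372 N/A {H} {H}"] * 8
    + [f"PID 316 wrote to memory of 5020 N/A {H} {H}"] * 9
    + [f"PID 2372 wrote to memory of 4956 N/A {H} {W}"] * 3
    + [f"PID 4956 wrote to memory of 2560 N/A {W} {W}"] * 3
)

# One table row; the sandbox paths carry no spaces, so \S+ is enough here.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_table(text):
    """Return ({(parent, child): writes}, {pid: image}) from the raw rows."""
    writes = Counter()
    images = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header or blank line
        parent, child, pimg, cimg = m.groups()
        parent, child = int(parent), int(child)
        writes[(parent, child)] += 1
        images[parent] = pimg
        images[child] = cimg
    return writes, images


def label_edges(writes, images):
    """Label each parent->child pair.

    "self-injection": parent and target run the same image. With the
    SetThreadContext signature this is the hollowing pattern: start another
    instance of yourself, overwrite its memory, redirect its thread.
    "inject-into-dropped": the target is a different executable, i.e. the
    handoff to a dropped stage (JEOJF.exe, WRCWS.exe, Host.exe here).
    """
    return {
        (p, c): ("self-injection" if images[p] == images[c] else "inject-into-dropped")
        for (p, c) in writes
    }


def roots(writes):
    """PIDs that write but are never written to: the detonation entry point."""
    parents = {p for p, _ in writes}
    children = {c for _, c in writes}
    return sorted(parents - children)


def render_tree(writes, images, root):
    """Indented process tree, one line per PID, annotated with write counts."""
    labels = label_edges(writes, images)

    def walk(pid, depth, tag):
        name = images[pid].rsplit("\\", 1)[-1]
        lines = [f"{'  ' * depth}{pid} {name}{tag}"]
        for (p, c), n in writes.items():
            if p == pid:
                lines.extend(walk(c, depth + 1, f"  <- {n} writes, {labels[(p, c)]}"))
        return lines

    return walk(root, 0, "")


if __name__ == "__main__":
    w, im = parse_table(TABLE)
    print("\n".join(render_tree(w, im, roots(w)[0])))
```

render_tree starts at PID 4828 and prints the two chains side by side: 1292 and 5088 (self-injection), 1292 to 1104 JEOJF.exe, 5088 to 316 Host.exe, and under 316 the mirror image with 2372, 5020 and WRCWS.exe. PID 4188, which appears in the memory dumps in the Files section, is never a party to a recorded write, so it cannot be placed in this graph from the table alone.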

Processes

C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe

"C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe"

C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe

"C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe"

C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe

"C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe"

C:\Users\Admin\AppData\Local\Temp\JEOJF.exe

"C:\Users\Admin\AppData\Local\Temp\JEOJF.exe"

C:\Users\Admin\AppData\Roaming\Host.exe

"C:\Users\Admin\AppData\Roaming\Host.exe" C:\Users\Admin\AppData\Local\Temp\dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9.exe

C:\Users\Admin\AppData\Local\Temp\JEOJF.exe

"C:\Users\Admin\AppData\Local\Temp\JEOJF.exe"

C:\Users\Admin\AppData\Local\Temp\JEOJF.exe

"C:\Users\Admin\AppData\Local\Temp\JEOJF.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp

C:\Users\Admin\AppData\Roaming\Host.exe

"C:\Users\Admin\AppData\Roaming\Host.exe"

C:\Users\Admin\AppData\Roaming\Host.exe

"C:\Users\Admin\AppData\Roaming\Host.exe"

C:\Users\Admin\AppData\Local\Temp\WRCWS.exe

"C:\Users\Admin\AppData\Local\Temp\WRCWS.exe"

C:\Users\Admin\AppData\Local\Temp\WRCWS.exe

"C:\Users\Admin\AppData\Local\Temp\WRCWS.exe"

C:\Users\Admin\AppData\Local\Temp\WRCWS.exe

"C:\Users\Admin\AppData\Local\Temp\WRCWS.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp

Network

Country Destination Domain Proto Connections
US 72.21.91.29:80 - tcp 1
US 93.184.220.29:80 - tcp 2
NL 104.80.225.205:443 - tcp 1
NL 104.110.191.140:80 - tcp 2
US 8.8.8.8:53 rapidgens.info udp 2
CA 67.215.4.78:3360 - tcp 6
CA 67.215.4.78:1604 - tcp 5

rapidgens.info is the only name resolved during the run. Each of the two lookups is followed by TCP connection attempts to 67.215.4.78, alternating between ports 3360 and 1604 for the remainder of the capture.

Files

Dropped files

C:\Users\Admin\AppData\Roaming\Host.exe (reported 4 times; the hashes are those of the submitted sample, so the persisted binary is a plain copy of itself)

MD5 7b3ff7f2f522779c5bd0cc9862190210
SHA1 efbbee045ba78058f6735a472343fe9748834be8
SHA256 dc5225380dea039e3ce7b5156361fc68bc205cfdba8c9976f77192f4979f14d9
SHA512 ca3acc3d41a819fb37fd7a37c27fb19250846f5174c4d132e8d4e9f30caaa84aa3405d8c65cafba08328b1c11c445d28136de5bca934aee10156304b43ecf9b6

C:\Users\Admin\AppData\Local\Temp\JEOJF.exe (reported 4 times) and C:\Users\Admin\AppData\Local\Temp\WRCWS.exe (reported 4 times): the same binary dropped under two names, one per chain

MD5 ccc2260269cb43ddadda9444e3d112f7
SHA1 ddab46acc12d7c60a15fa363f88030f1dd539fcb
SHA256 8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911
SHA512 787d0b4f5d89b840a4917c78e46f963c8c96a96ec005b45d085222ef307c2a76f074c4a65ca033b038e1b7d1419c7cd3c5c5f3075c3ea24e546c68bdd7643fde

C:\Users\Admin\AppData\Local\Temp\data.dmp (reported once; the output file named in the /scomma command lines of JEOJF.exe and WRCWS.exe in the Processes section, /scomma being the NirSoft save-as-comma-delimited switch; its content depends on the credentials stored on the victim, so this hash is not a reusable indicator)

MD5 c10dbeca73f8835240e08e4511284b83
SHA1 0032f8f941cc07768189ca6ba32b1beede6b6917
SHA256 0b6b62094048f0a069b4582f837afcb941db51340d0b16d578e8cbe8603a071e
SHA512 34f7ab8b4ab7b4996b82ffc49198103ef245ee7dd5ccfec793a9ee391b9e9bb30bd3916b4ebeaa9c66a4b5ca42f8572418f16dc83d41073bc94389c19916b967

Memory dumps, grouped by PID (sequence numbers in braces)

memory/1292-134-0x0000000000000000-mapping.dmp
memory/1292-{135,139,140,145,170}-0x0000000000400000-0x0000000000459000-memory.dmp

memory/5088-137-0x0000000000000000-mapping.dmp
memory/5088-{138,144,146}-0x0000000000400000-0x0000000000414000-memory.dmp

memory/316-147-0x0000000000000000-mapping.dmp

memory/1104-152-0x0000000000000000-mapping.dmp

memory/1572-157-0x0000000000000000-mapping.dmp
memory/1572-{158,160,161,163,167}-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2760-162-0x0000000000000000-mapping.dmp
memory/2760-{164,168,169}-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2372-171-0x0000000000000000-mapping.dmp
memory/2372-{184,204}-0x0000000000400000-0x0000000000459000-memory.dmp

memory/5020-175-0x0000000000000000-mapping.dmp
memory/5020-{185,205}-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4956-186-0x0000000000000000-mapping.dmp

memory/2560-191-0x0000000000000000-mapping.dmp
memory/2560-201-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4188-197-0x0000000000000000-mapping.dmp
memory/4188-{202,203}-0x0000000000400000-0x0000000000454000-memory.dmp

The dumped image regions pair up across the two chains: 1292 and 2372 (0x400000-0x459000), 5088 and 5020 (0x400000-0x414000), 1572 and 2560 (0x400000-0x441000), 2760 and 4188 (0x400000-0x454000), consistent with Host.exe, a byte-for-byte copy of the sample, replaying the same injection sequence. PID 4188 appears only in these dumps and not in the WriteProcessMemory table.