azorult | 9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6

Analysis

max time kernel
122s
max time network
132s
platform
windows10_x64
resource
win10-en-20211104
submitted
13-11-2021 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe
Size

1.1MB
MD5

6966182dd20351152ea815d31e735067
SHA1

69a2df785f37d2d7d2d9a5f9120c679870ff3872
SHA256

9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6
SHA512

aa8e0c7ad305ab0b99807f0b579b54d2f99dc3b837d512de8c08681333bff53b7a56eaa93e66261b66b25524e416f20cdac6c0cffaa9c2621b678475f73dfbc7

Score

10^/10

azorult oski raccoon 7632dffeb03da57edca98c8bfb2611868e8eb0a7 discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

7632dffeb03da57edca98c8bfb2611868e8eb0a7

Attributes

url4cnc
http://91.219.236.162/brikitiki
http://185.163.47.176/brikitiki
http://193.38.54.238/brikitiki
http://74.119.192.122/brikitiki
http://91.219.236.240/brikitiki
https://t.me/brikitiki

rc4.plain

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

oski

colonna.ac.ug

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1460 created 4416 1460 WerFault.exe 9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe
Downloads MZ/PE file

description	pid	process	target process
PID 1460 created 4416	1460	WerFault.exe	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe

Executes dropped EXE 7 IoCs

Processes:

Tyjigybwjylnokucizpstzjwazconsoleapp18.exeTyjigybwjylnokucizpstzjwazconsoleapp18.exeTyjigybwjylnokucizpstzjwazconsoleapp18.exeTyjigybwjylnokucizpstzjwazconsoleapp18.exeVcinpeamqerjfxlsvutgosconsoleapp11.exeVcinpeamqerjfxlsvutgosconsoleapp11.exeVcinpeamqerjfxlsvutgosconsoleapp11.exe

pid	process
4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
1500	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
1612	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
3136	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
1804	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
2672	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
2668	Vcinpeamqerjfxlsvutgosconsoleapp11.exe

Loads dropped DLL 3 IoCs

Processes:

Vcinpeamqerjfxlsvutgosconsoleapp11.exe

pid process

2668 Vcinpeamqerjfxlsvutgosconsoleapp11.exe
2668 Vcinpeamqerjfxlsvutgosconsoleapp11.exe
2668 Vcinpeamqerjfxlsvutgosconsoleapp11.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2668	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
2668	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
2668	Vcinpeamqerjfxlsvutgosconsoleapp11.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exeTyjigybwjylnokucizpstzjwazconsoleapp18.exeVcinpeamqerjfxlsvutgosconsoleapp11.exe

description	pid	process	target process
PID 2256 set thread context of 4416	2256	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe
PID 4528 set thread context of 3136	4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
PID 1804 set thread context of 2668	1804	Vcinpeamqerjfxlsvutgosconsoleapp11.exe	Vcinpeamqerjfxlsvutgosconsoleapp11.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1460 4416 WerFault.exe 9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe

pid	pid_target	process	target process
1460	4416	WerFault.exe	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe

Checks processor information in registry 2 TTPs 1 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Vcinpeamqerjfxlsvutgosconsoleapp11.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Vcinpeamqerjfxlsvutgosconsoleapp11.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4176 taskkill.exe

pid	process
4176	taskkill.exe

Modifies registry class 2 IoCs

Processes:

9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exeTyjigybwjylnokucizpstzjwazconsoleapp18.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exeTyjigybwjylnokucizpstzjwazconsoleapp18.exeVcinpeamqerjfxlsvutgosconsoleapp11.exeWerFault.exe

pid	process
2256	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe
2256	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe
4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
1804	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
1804	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
1804	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
1804	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
1804	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
1804	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
1460	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exeTyjigybwjylnokucizpstzjwazconsoleapp18.exeVcinpeamqerjfxlsvutgosconsoleapp11.exetaskkill.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	2256	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe
Token: SeDebugPrivilege	4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
Token: SeDebugPrivilege	1804	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
Token: SeDebugPrivilege	4176	taskkill.exe
Token: SeRestorePrivilege	1460	WerFault.exe
Token: SeBackupPrivilege	1460	WerFault.exe
Token: SeDebugPrivilege	1460	WerFault.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exeWScript.exeTyjigybwjylnokucizpstzjwazconsoleapp18.exeWScript.exeVcinpeamqerjfxlsvutgosconsoleapp11.exeVcinpeamqerjfxlsvutgosconsoleapp11.execmd.exe

C:\Users\Admin\AppData\Local\Temp\9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe
"C:\Users\Admin\AppData\Local\Temp\9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ilzzmljftcwfeldyujdcyqy.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:4444

C:\Users\Admin\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
"C:\Users\Admin\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ksyuxjtrazuidxiqmg.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe
"C:\Users\Admin\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804

C:\Users\Admin\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe
C:\Users\Admin\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe
6⤵
- Executes dropped EXE
PID:2672

C:\Users\Admin\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe
C:\Users\Admin\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 2668 & erase C:\Users\Admin\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe & RD /S /Q C:\\ProgramData\\251337842500102\\* & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 2668
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Users\Admin\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
C:\Users\Admin\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
4⤵
- Executes dropped EXE
PID:1500

C:\Users\Admin\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
C:\Users\Admin\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
4⤵
- Executes dropped EXE
PID:1612

C:\Users\Admin\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
C:\Users\Admin\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
4⤵
- Executes dropped EXE
PID:3136

C:\Users\Admin\AppData\Local\Temp\9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe
C:\Users\Admin\AppData\Local\Temp\9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe
2⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 1152
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ilzzmljftcwfeldyujdcyqy.vbs
MD5
debe463c5bca9eeca3ddcda011fe8bf4

SHA1
e14c0a0a960514fd939c76aebd0d28546f753b30

SHA256
80145f654521d465d9209fb73881b0234bc09dea900c4bedc59faecc997e9d32

SHA512
9863080ddc0c8433cef5616405ac7c7b2dae6db50cf244aa490eb7d96474c931b72525aa3cd6f9b37d795e580d41095bcf69ceb7c339886792c98fbef575525a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ksyuxjtrazuidxiqmg.vbs
MD5
ef4cad82e49042dbc78c55437d760e7e

SHA1
a5d942dc36d213360ae0124dd359e3a1b3ef5ec0

SHA256
4ee70d80282017c724358fadbd5eb7128a1e44da724f527c50e62e66bcb73d03

SHA512
8a4153ae4233c3d7c10dc53e61dd1fe0d010aeecfac72fedfaaf295fe32e11af40b0838e4bec3a5a21e471c03086c594f696aa9ef6ec5449ef15ee54184815c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
MD5
8a1593e3f73a5d753950ae385e6d069f

SHA1
71171b68859bdc504bb7428f6a92562ffbeee5d9

SHA256
1f9ce51663421a302c5627f4a0ed07e23af1424f863308e328227194a2523bfa

SHA512
480b62e431bcd8a8e8e891a48881818c0070217946b3808df92e8028ce4562ffd6f2f6ce62334b2bc835222390b03e1aa128a3f9af199398b6d45bc56a8d0712

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
MD5
8a1593e3f73a5d753950ae385e6d069f

SHA1
71171b68859bdc504bb7428f6a92562ffbeee5d9

SHA256
1f9ce51663421a302c5627f4a0ed07e23af1424f863308e328227194a2523bfa

SHA512
480b62e431bcd8a8e8e891a48881818c0070217946b3808df92e8028ce4562ffd6f2f6ce62334b2bc835222390b03e1aa128a3f9af199398b6d45bc56a8d0712

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
MD5
8a1593e3f73a5d753950ae385e6d069f

SHA1
71171b68859bdc504bb7428f6a92562ffbeee5d9

SHA256
1f9ce51663421a302c5627f4a0ed07e23af1424f863308e328227194a2523bfa

SHA512
480b62e431bcd8a8e8e891a48881818c0070217946b3808df92e8028ce4562ffd6f2f6ce62334b2bc835222390b03e1aa128a3f9af199398b6d45bc56a8d0712

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
MD5
8a1593e3f73a5d753950ae385e6d069f

SHA1
71171b68859bdc504bb7428f6a92562ffbeee5d9

SHA256
1f9ce51663421a302c5627f4a0ed07e23af1424f863308e328227194a2523bfa

SHA512
480b62e431bcd8a8e8e891a48881818c0070217946b3808df92e8028ce4562ffd6f2f6ce62334b2bc835222390b03e1aa128a3f9af199398b6d45bc56a8d0712

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
MD5
8a1593e3f73a5d753950ae385e6d069f

SHA1
71171b68859bdc504bb7428f6a92562ffbeee5d9

SHA256
1f9ce51663421a302c5627f4a0ed07e23af1424f863308e328227194a2523bfa

SHA512
480b62e431bcd8a8e8e891a48881818c0070217946b3808df92e8028ce4562ffd6f2f6ce62334b2bc835222390b03e1aa128a3f9af199398b6d45bc56a8d0712

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe
MD5
99e3b588033258cb52bdd0f56b58a2e7

SHA1
d4f14a37264f21522010bc2cd91cc2d81e7e9297

SHA256
d262fbed9803de908040fb4e7d6bc446786acc95d207db1ba3800e85435d3a62

SHA512
94b3cf1537ba63fea1ad9df9c3c487e570e8bd4d1fc74ce91ae4435e795a63e3ebd4b8ed66a983ebdd23953a232279b8dff2c9967b670b1d7a6ad90fd2f6e127

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe
MD5
99e3b588033258cb52bdd0f56b58a2e7

SHA1
d4f14a37264f21522010bc2cd91cc2d81e7e9297

SHA256
d262fbed9803de908040fb4e7d6bc446786acc95d207db1ba3800e85435d3a62

SHA512
94b3cf1537ba63fea1ad9df9c3c487e570e8bd4d1fc74ce91ae4435e795a63e3ebd4b8ed66a983ebdd23953a232279b8dff2c9967b670b1d7a6ad90fd2f6e127

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe
MD5
99e3b588033258cb52bdd0f56b58a2e7

SHA1
d4f14a37264f21522010bc2cd91cc2d81e7e9297

SHA256
d262fbed9803de908040fb4e7d6bc446786acc95d207db1ba3800e85435d3a62

SHA512
94b3cf1537ba63fea1ad9df9c3c487e570e8bd4d1fc74ce91ae4435e795a63e3ebd4b8ed66a983ebdd23953a232279b8dff2c9967b670b1d7a6ad90fd2f6e127

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vcinpeamqerjfxlsvutgosconsoleapp11.exe
MD5
99e3b588033258cb52bdd0f56b58a2e7

SHA1
d4f14a37264f21522010bc2cd91cc2d81e7e9297

SHA256
d262fbed9803de908040fb4e7d6bc446786acc95d207db1ba3800e85435d3a62

SHA512
94b3cf1537ba63fea1ad9df9c3c487e570e8bd4d1fc74ce91ae4435e795a63e3ebd4b8ed66a983ebdd23953a232279b8dff2c9967b670b1d7a6ad90fd2f6e127

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
memory/1260-139-0x0000000000000000-mapping.dmp

Download
memory/1804-157-0x0000000004F20000-0x0000000004F43000-memory.dmp

Filesize
140KB

Download
memory/1804-154-0x0000000004CA0000-0x0000000004CFE000-memory.dmp

Filesize
376KB

Download
memory/1804-153-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/1804-150-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1804-147-0x0000000000000000-mapping.dmp

Download
memory/2256-118-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/2256-120-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/2256-125-0x0000000005B70000-0x0000000005BC6000-memory.dmp

Filesize
344KB

Download
memory/2256-122-0x0000000005A00000-0x0000000005A01000-memory.dmp

Filesize
4KB

Download
memory/2256-121-0x0000000005880000-0x000000000598E000-memory.dmp

Filesize
1.1MB

Download
memory/2256-123-0x0000000005F70000-0x0000000005F71000-memory.dmp

Filesize
4KB

Download
memory/2556-166-0x0000000000000000-mapping.dmp

Download
memory/2668-160-0x0000000000417A8B-mapping.dmp

Download
memory/2668-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3136-146-0x000000000041A684-mapping.dmp

Download
memory/3136-152-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3136-145-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4176-167-0x0000000000000000-mapping.dmp

Download
memory/4416-132-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4416-127-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4416-128-0x000000000043F176-mapping.dmp

Download
memory/4444-124-0x0000000000000000-mapping.dmp

Download
memory/4528-136-0x00000000054D0000-0x0000000005564000-memory.dmp

Filesize
592KB

Download
memory/4528-141-0x00000000055D0000-0x00000000055EB000-memory.dmp

Filesize
108KB

Download
memory/4528-135-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/4528-133-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/4528-130-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 2256 wrote to memory of 4444	2256	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe	WScript.exe
PID 2256 wrote to memory of 4444	2256	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe	WScript.exe
PID 2256 wrote to memory of 4444	2256	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe	WScript.exe
PID 2256 wrote to memory of 4416	2256	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe
PID 2256 wrote to memory of 4416	2256	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe
PID 2256 wrote to memory of 4416	2256	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe
PID 2256 wrote to memory of 4416	2256	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe
PID 2256 wrote to memory of 4416	2256	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe
PID 2256 wrote to memory of 4416	2256	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe
PID 2256 wrote to memory of 4416	2256	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe
PID 2256 wrote to memory of 4416	2256	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe
PID 2256 wrote to memory of 4416	2256	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe	9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6.exe
PID 4444 wrote to memory of 4528	4444	WScript.exe	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
PID 4444 wrote to memory of 4528	4444	WScript.exe	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
PID 4444 wrote to memory of 4528	4444	WScript.exe	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
PID 4528 wrote to memory of 1260	4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe	WScript.exe
PID 4528 wrote to memory of 1260	4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe	WScript.exe
PID 4528 wrote to memory of 1260	4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe	WScript.exe
PID 4528 wrote to memory of 1500	4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
PID 4528 wrote to memory of 1500	4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
PID 4528 wrote to memory of 1500	4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
PID 4528 wrote to memory of 1612	4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
PID 4528 wrote to memory of 1612	4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
PID 4528 wrote to memory of 1612	4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
PID 4528 wrote to memory of 3136	4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
PID 4528 wrote to memory of 3136	4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
PID 4528 wrote to memory of 3136	4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
PID 4528 wrote to memory of 3136	4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
PID 4528 wrote to memory of 3136	4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
PID 4528 wrote to memory of 3136	4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
PID 4528 wrote to memory of 3136	4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
PID 4528 wrote to memory of 3136	4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
PID 4528 wrote to memory of 3136	4528	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe	Tyjigybwjylnokucizpstzjwazconsoleapp18.exe
PID 1260 wrote to memory of 1804	1260	WScript.exe	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
PID 1260 wrote to memory of 1804	1260	WScript.exe	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
PID 1260 wrote to memory of 1804	1260	WScript.exe	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
PID 1804 wrote to memory of 2672	1804	Vcinpeamqerjfxlsvutgosconsoleapp11.exe	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
PID 1804 wrote to memory of 2672	1804	Vcinpeamqerjfxlsvutgosconsoleapp11.exe	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
PID 1804 wrote to memory of 2672	1804	Vcinpeamqerjfxlsvutgosconsoleapp11.exe	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
PID 1804 wrote to memory of 2668	1804	Vcinpeamqerjfxlsvutgosconsoleapp11.exe	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
PID 1804 wrote to memory of 2668	1804	Vcinpeamqerjfxlsvutgosconsoleapp11.exe	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
PID 1804 wrote to memory of 2668	1804	Vcinpeamqerjfxlsvutgosconsoleapp11.exe	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
PID 1804 wrote to memory of 2668	1804	Vcinpeamqerjfxlsvutgosconsoleapp11.exe	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
PID 1804 wrote to memory of 2668	1804	Vcinpeamqerjfxlsvutgosconsoleapp11.exe	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
PID 1804 wrote to memory of 2668	1804	Vcinpeamqerjfxlsvutgosconsoleapp11.exe	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
PID 1804 wrote to memory of 2668	1804	Vcinpeamqerjfxlsvutgosconsoleapp11.exe	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
PID 1804 wrote to memory of 2668	1804	Vcinpeamqerjfxlsvutgosconsoleapp11.exe	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
PID 1804 wrote to memory of 2668	1804	Vcinpeamqerjfxlsvutgosconsoleapp11.exe	Vcinpeamqerjfxlsvutgosconsoleapp11.exe
PID 2668 wrote to memory of 2556	2668	Vcinpeamqerjfxlsvutgosconsoleapp11.exe	cmd.exe
PID 2668 wrote to memory of 2556	2668	Vcinpeamqerjfxlsvutgosconsoleapp11.exe	cmd.exe
PID 2668 wrote to memory of 2556	2668	Vcinpeamqerjfxlsvutgosconsoleapp11.exe	cmd.exe
PID 2556 wrote to memory of 4176	2556	cmd.exe	taskkill.exe
PID 2556 wrote to memory of 4176	2556	cmd.exe	taskkill.exe
PID 2556 wrote to memory of 4176	2556	cmd.exe	taskkill.exe