Malware Analysis Report

2025-01-03 04:57

Sample ID 220411-d72btacdh6
Target zxcvb.exeqpaaijwv
SHA256 857fc01da428dccc15e996c5e737eda4148df3676c987a4416c5bb0768ce982d
Tags
azorult oski raccoon 125d9f8ed76e486f6563be097a710bd4cba7f7f2 infostealer spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

857fc01da428dccc15e996c5e737eda4148df3676c987a4416c5bb0768ce982d

Threat Level: Known bad

The file zxcvb.exeqpaaijwv was found to be: Known bad.

Malicious Activity Summary

Raccoon

Oski

Azorult

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-11 03:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-11 03:39

Reported

2022-04-11 04:58

Platform

win7-20220331-en

Max time kernel

43s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\zxcvb.exe"

Signatures

Azorult

trojan infostealer azorult

Oski

infostealer oski

Raccoon

stealer raccoon

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zxcvb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zxcvb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1360 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\zxcvb.exe C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
PID 1360 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\zxcvb.exe C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
PID 1360 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\zxcvb.exe C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
PID 1632 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
PID 824 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
PID 1724 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\zxcvb.exe

"C:\Users\Admin\AppData\Local\Temp\zxcvb.exe"

C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

"C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"

C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe

"C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"

C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

"C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"

C:\Users\Admin\AppData\Local\Temp\zxcvb.exe

"C:\Users\Admin\AppData\Local\Temp\zxcvb.exe"

C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe

"C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 772

Network

Country Destination Domain Proto
RO 5.252.178.180:80 tcp
US 8.8.8.8:53 pretorian.ug udp
US 8.8.8.8:53 underdohag.ac.ug udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
SC 185.215.113.77:80 underdohag.ac.ug tcp

Files

memory/1360-56-0x00000000754A1000-0x00000000754A3000-memory.dmp

\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

MD5 3466dbd3779c31dc2fccfe73e6d6a44e
SHA1 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA256 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA512 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3

memory/1632-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

MD5 3466dbd3779c31dc2fccfe73e6d6a44e
SHA1 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA256 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA512 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3

\Users\Admin\AppData\Local\Temp\dfgasdme.exe

MD5 bead6aca8d274c82140361874ca95b59
SHA1 33d6cade432ebc63043170e1a8b049f51b093e59
SHA256 5820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388
SHA512 293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8

memory/824-65-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe

MD5 bead6aca8d274c82140361874ca95b59
SHA1 33d6cade432ebc63043170e1a8b049f51b093e59
SHA256 5820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388
SHA512 293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8

memory/1724-73-0x0000000000417A8B-mapping.dmp

memory/1216-74-0x0000000000440D8F-mapping.dmp

memory/2036-79-0x000000000041A684-mapping.dmp

memory/1632-80-0x0000000000260000-0x0000000000266000-memory.dmp

memory/1216-86-0x0000000000400000-0x0000000000493000-memory.dmp

memory/2036-85-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1724-84-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1708-87-0x0000000000000000-mapping.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2022-04-11 03:39

Reported

2022-04-11 04:59

Platform

win10v2004-20220331-en

Max time kernel

124s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\zxcvb.exe"

Signatures

Azorult

trojan infostealer azorult

Oski

infostealer oski

Raccoon

stealer raccoon

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\zxcvb.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4700 set thread context of 2952 N/A C:\Users\Admin\AppData\Local\Temp\zxcvb.exe C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
PID 1032 set thread context of 4824 N/A C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
PID 4928 set thread context of 4136 N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zxcvb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zxcvb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4700 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\zxcvb.exe C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
PID 4700 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\zxcvb.exe C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
PID 1032 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
PID 4700 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\zxcvb.exe C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
PID 4928 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

Processes

C:\Users\Admin\AppData\Local\Temp\zxcvb.exe

"C:\Users\Admin\AppData\Local\Temp\zxcvb.exe"

C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

"C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"

C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe

"C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"

C:\Users\Admin\AppData\Local\Temp\zxcvb.exe

"C:\Users\Admin\AppData\Local\Temp\zxcvb.exe"

C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe

"C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"

C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

"C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2952 -ip 2952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4136 -ip 4136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1340

Network

Country Destination Domain Proto
RU 23.196.236.146:80 tcp
NL 20.50.201.200:443 tcp
RO 5.252.178.180:80 tcp
US 8.8.8.8:53 underdohag.ac.ug udp
SC 185.215.113.77:80 underdohag.ac.ug tcp
US 8.8.8.8:53 pretorian.ug udp
SC 185.215.113.77:80 pretorian.ug tcp
FI 62.115.252.112:80 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 172.104.232.134:80 172.104.232.134 tcp
US 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
US 8.8.8.8:53 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa udp

Files

memory/4928-126-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

MD5 3466dbd3779c31dc2fccfe73e6d6a44e
SHA1 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA256 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA512 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3

memory/1032-129-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe

MD5 bead6aca8d274c82140361874ca95b59
SHA1 33d6cade432ebc63043170e1a8b049f51b093e59
SHA256 5820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388
SHA512 293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8

memory/2952-136-0x0000000000000000-mapping.dmp

memory/4824-137-0x0000000000000000-mapping.dmp

memory/1032-138-0x00000000006E0000-0x00000000006E6000-memory.dmp

memory/2952-140-0x0000000000400000-0x0000000000493000-memory.dmp

memory/4824-141-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4136-142-0x0000000000000000-mapping.dmp

memory/4136-144-0x0000000000400000-0x0000000000434000-memory.dmp