Malware Analysis Report

2025-01-03 04:58

Sample ID 220411-dg6tlsbca2
Target asdf.EXEkeacgpkh
SHA256 857fc01da428dccc15e996c5e737eda4148df3676c987a4416c5bb0768ce982d
Tags
oski raccoon 125d9f8ed76e486f6563be097a710bd4cba7f7f2 infostealer spyware stealer azorult trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

857fc01da428dccc15e996c5e737eda4148df3676c987a4416c5bb0768ce982d

Threat Level: Known bad

The file asdf.EXEkeacgpkh was found to be: Known bad.

Malicious Activity Summary

oski raccoon 125d9f8ed76e486f6563be097a710bd4cba7f7f2 infostealer spyware stealer azorult trojan

Oski

Raccoon

Azorult

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-11 02:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-11 02:59

Reported

2022-04-11 03:10

Platform

win7-20220310-en

Max time kernel

4294183s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\asdf.exe"

Signatures

Oski

infostealer oski

Raccoon

stealer raccoon

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1920 set thread context of 1644 N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe C:\Users\Admin\AppData\Local\Temp\asdf.exe
PID 2036 set thread context of 1320 N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1920 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
PID 1920 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
PID 1920 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
PID 1920 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
PID 1920 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
PID 1920 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
PID 1920 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
PID 1920 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
PID 1920 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe C:\Users\Admin\AppData\Local\Temp\asdf.exe
PID 1920 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe C:\Users\Admin\AppData\Local\Temp\asdf.exe
PID 1920 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe C:\Users\Admin\AppData\Local\Temp\asdf.exe
PID 1920 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe C:\Users\Admin\AppData\Local\Temp\asdf.exe
PID 1920 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe C:\Users\Admin\AppData\Local\Temp\asdf.exe
PID 2036 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
PID 2036 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
PID 2036 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
PID 2036 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
PID 2036 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
PID 1320 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe C:\Windows\SysWOW64\WerFault.exe
PID 1320 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe C:\Windows\SysWOW64\WerFault.exe
PID 1320 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe C:\Windows\SysWOW64\WerFault.exe
PID 1320 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\asdf.exe

"C:\Users\Admin\AppData\Local\Temp\asdf.exe"

C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

"C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"

C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe

"C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"

C:\Users\Admin\AppData\Local\Temp\asdf.exe

"C:\Users\Admin\AppData\Local\Temp\asdf.exe"

C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

"C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 776

Network

Country Destination Domain Proto
RO 5.252.178.180:80 tcp
RO 5.252.178.180:80 tcp
US 8.8.8.8:53 pretorian.ug udp
SC 185.215.113.77:80 pretorian.ug tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp

Files

memory/1920-56-0x00000000753C1000-0x00000000753C3000-memory.dmp

\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

MD5 3466dbd3779c31dc2fccfe73e6d6a44e
SHA1 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA256 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA512 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3

\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

MD5 3466dbd3779c31dc2fccfe73e6d6a44e
SHA1 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA256 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA512 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3

memory/2036-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

MD5 3466dbd3779c31dc2fccfe73e6d6a44e
SHA1 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA256 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA512 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3

\Users\Admin\AppData\Local\Temp\dfgasdme.exe

MD5 bead6aca8d274c82140361874ca95b59
SHA1 33d6cade432ebc63043170e1a8b049f51b093e59
SHA256 5820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388
SHA512 293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8

\Users\Admin\AppData\Local\Temp\dfgasdme.exe

MD5 bead6aca8d274c82140361874ca95b59
SHA1 33d6cade432ebc63043170e1a8b049f51b093e59
SHA256 5820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388
SHA512 293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8

memory/1136-64-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe

MD5 bead6aca8d274c82140361874ca95b59
SHA1 33d6cade432ebc63043170e1a8b049f51b093e59
SHA256 5820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388
SHA512 293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8

memory/1644-71-0x0000000000440D8F-mapping.dmp

memory/1920-73-0x00000000024D0000-0x00000000024D6000-memory.dmp

\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

MD5 3466dbd3779c31dc2fccfe73e6d6a44e
SHA1 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA256 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA512 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3

memory/1320-76-0x0000000000417A8B-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

MD5 3466dbd3779c31dc2fccfe73e6d6a44e
SHA1 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA256 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA512 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3

C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

MD5 3466dbd3779c31dc2fccfe73e6d6a44e
SHA1 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA256 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA512 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3

memory/1320-79-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1644-80-0x0000000000400000-0x0000000000493000-memory.dmp

memory/1760-81-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

MD5 3466dbd3779c31dc2fccfe73e6d6a44e
SHA1 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA256 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA512 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3

\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

MD5 3466dbd3779c31dc2fccfe73e6d6a44e
SHA1 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA256 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA512 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3

\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

MD5 3466dbd3779c31dc2fccfe73e6d6a44e
SHA1 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA256 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA512 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3

\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

MD5 3466dbd3779c31dc2fccfe73e6d6a44e
SHA1 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA256 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA512 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3

\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

MD5 3466dbd3779c31dc2fccfe73e6d6a44e
SHA1 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA256 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA512 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-11 02:59

Reported

2022-04-11 03:05

Platform

win10v2004-20220331-en

Max time kernel

133s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\asdf.exe"

Signatures

Azorult

trojan infostealer azorult

Oski

infostealer oski

Raccoon

stealer raccoon

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\asdf.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1600 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
PID 1600 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
PID 1600 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
PID 1600 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
PID 1600 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
PID 1600 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
PID 2972 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
PID 2972 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
PID 2972 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
PID 2972 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
PID 1600 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe C:\Users\Admin\AppData\Local\Temp\asdf.exe
PID 1600 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe C:\Users\Admin\AppData\Local\Temp\asdf.exe
PID 1600 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe C:\Users\Admin\AppData\Local\Temp\asdf.exe
PID 1600 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\asdf.exe C:\Users\Admin\AppData\Local\Temp\asdf.exe
PID 1288 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
PID 1288 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
PID 1288 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
PID 1288 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe

Processes

C:\Users\Admin\AppData\Local\Temp\asdf.exe

"C:\Users\Admin\AppData\Local\Temp\asdf.exe"

C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

"C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"

C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe

"C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"

C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

"C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"

C:\Users\Admin\AppData\Local\Temp\asdf.exe

"C:\Users\Admin\AppData\Local\Temp\asdf.exe"

C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe

"C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 920 -ip 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 216 -ip 216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1204

Network

Country Destination Domain Proto
FI 62.115.252.112:80 tcp
NL 52.109.88.35:443 tcp
US 20.189.173.7:443 tcp
US 8.8.8.8:53 pretorian.ug udp
RO 5.252.178.180:80 tcp
US 8.8.8.8:53 underdohag.ac.ug udp
SC 185.215.113.77:80 underdohag.ac.ug tcp
SC 185.215.113.77:80 underdohag.ac.ug tcp
RO 5.252.178.180:80 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 13.107.4.50:80 tcp
US 13.107.4.50:80 tcp
US 13.107.4.50:80 tcp
NL 149.154.167.99:443 t.me tcp
DE 172.104.232.134:80 172.104.232.134 tcp

Files

memory/2972-126-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

MD5 3466dbd3779c31dc2fccfe73e6d6a44e
SHA1 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA256 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA512 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3

C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

MD5 3466dbd3779c31dc2fccfe73e6d6a44e
SHA1 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA256 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA512 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3

memory/1288-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe

MD5 bead6aca8d274c82140361874ca95b59
SHA1 33d6cade432ebc63043170e1a8b049f51b093e59
SHA256 5820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388
SHA512 293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8

C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe

MD5 bead6aca8d274c82140361874ca95b59
SHA1 33d6cade432ebc63043170e1a8b049f51b093e59
SHA256 5820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388
SHA512 293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8

memory/920-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

MD5 3466dbd3779c31dc2fccfe73e6d6a44e
SHA1 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA256 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA512 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3

memory/2972-138-0x0000000002090000-0x0000000002096000-memory.dmp

memory/216-139-0x0000000000000000-mapping.dmp

memory/3736-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe

MD5 bead6aca8d274c82140361874ca95b59
SHA1 33d6cade432ebc63043170e1a8b049f51b093e59
SHA256 5820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388
SHA512 293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8

memory/920-142-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3736-143-0x0000000000400000-0x0000000000420000-memory.dmp

memory/216-144-0x0000000000400000-0x0000000000493000-memory.dmp