azorult | d0b7a458e09fd14ae8476200bd5acf2fc93ea0e2fea357079a88df80e720c23d

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

020824e5aa9ecb744b1b94bd855a8f3a.exe
Size

1.2MB
MD5

020824e5aa9ecb744b1b94bd855a8f3a
SHA1

d6082fcfcfa6e7f1d719c2c02a3e761e46d48004
SHA256

d0b7a458e09fd14ae8476200bd5acf2fc93ea0e2fea357079a88df80e720c23d
SHA512

d30c70279155b33f0c46e11ca4c591f00caf1574a0a02a7875226f0fea0b09327685ab2b6a52fa216d01032c362b2f119bea8aa4cbae0717e687a43eacbe8a33
SSDEEP

24576:o8oQcipzX0UCT88jNiyBHBhwCU2RUclLlsHD6tn4883JJRYI+fS3La:o8oQcipzX0UL8xHrhlUEUclLCD6tn4d9

Score

10^/10

azorult oski raccoon zgrat c81fb6015c832710f869f6911e1aec18747e0184 infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

c81fb6015c832710f869f6911e1aec18747e0184

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

oski

hsagoi.ac.ug

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Detect ZGRat V1 36 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1192-9-0x0000000007500000-0x000000000761E000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-10-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-11-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-13-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-15-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-17-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-21-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-23-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-19-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-27-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-25-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-29-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-31-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-33-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-39-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-41-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-43-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-45-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-37-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-35-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-49-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-47-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-51-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-53-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-57-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-59-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-61-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-55-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-71-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-73-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-69-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-67-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-65-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/1192-63-0x0000000007500000-0x0000000007619000-memory.dmp	family_zgrat_v1
behavioral2/memory/2848-2341-0x0000000006C70000-0x0000000006D34000-memory.dmp	family_zgrat_v1
behavioral2/memory/4348-4333-0x0000000006B90000-0x0000000006C08000-memory.dmp	family_zgrat_v1

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/716-2335-0x0000000000400000-0x0000000000492000-memory.dmp	family_raccoon_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe020824e5aa9ecb744b1b94bd855a8f3a.exeWScript.exeLeoiinwzyjvulnfehmmmztvbaconsoleapp13.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	020824e5aa9ecb744b1b94bd855a8f3a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe

Executes dropped EXE 5 IoCs

Processes:

Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exeLeoiinwzyjvulnfehmmmztvbaconsoleapp13.exeZhmvsxlfcxwvbtywomhtfconsoleapp18.exeZhmvsxlfcxwvbtywomhtfconsoleapp18.exeZhmvsxlfcxwvbtywomhtfconsoleapp18.exe

pid	process
2848	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe
1356	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe
4348	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
1392	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
1372	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 3 IoCs

Processes:

020824e5aa9ecb744b1b94bd855a8f3a.exeLeoiinwzyjvulnfehmmmztvbaconsoleapp13.exeZhmvsxlfcxwvbtywomhtfconsoleapp18.exe

description	pid	process	target process
PID 1192 set thread context of 716	1192	020824e5aa9ecb744b1b94bd855a8f3a.exe	020824e5aa9ecb744b1b94bd855a8f3a.exe
PID 2848 set thread context of 1356	2848	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe
PID 4348 set thread context of 1372	4348	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

632 1372 WerFault.exe Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe

pid	pid_target	process	target process
632	1372	WerFault.exe	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe

Modifies registry class 2 IoCs

Processes:

020824e5aa9ecb744b1b94bd855a8f3a.exeLeoiinwzyjvulnfehmmmztvbaconsoleapp13.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	020824e5aa9ecb744b1b94bd855a8f3a.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

020824e5aa9ecb744b1b94bd855a8f3a.exeLeoiinwzyjvulnfehmmmztvbaconsoleapp13.exeZhmvsxlfcxwvbtywomhtfconsoleapp18.exe

pid	process
1192	020824e5aa9ecb744b1b94bd855a8f3a.exe
1192	020824e5aa9ecb744b1b94bd855a8f3a.exe
2848	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe
2848	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe
4348	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
4348	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
4348	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
4348	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
4348	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
4348	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

020824e5aa9ecb744b1b94bd855a8f3a.exeLeoiinwzyjvulnfehmmmztvbaconsoleapp13.exeZhmvsxlfcxwvbtywomhtfconsoleapp18.exe

description	pid	process
Token: SeDebugPrivilege	1192	020824e5aa9ecb744b1b94bd855a8f3a.exe
Token: SeDebugPrivilege	2848	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe
Token: SeDebugPrivilege	4348	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

020824e5aa9ecb744b1b94bd855a8f3a.exeWScript.exeLeoiinwzyjvulnfehmmmztvbaconsoleapp13.exeWScript.exeZhmvsxlfcxwvbtywomhtfconsoleapp18.exe

C:\Users\Admin\AppData\Local\Temp\020824e5aa9ecb744b1b94bd855a8f3a.exe
"C:\Users\Admin\AppData\Local\Temp\020824e5aa9ecb744b1b94bd855a8f3a.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fnpgaloxjuodppdmbufkms.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Users\Admin\AppData\Local\Temp\Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe
    "C:\Users\Admin\AppData\Local\Temp\Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fyxzojheuxzdxbqlgokhton.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3712
    - - C:\Users\Admin\AppData\Local\Temp\Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4348
      - C:\Users\Admin\AppData\Local\Temp\Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
        
        C:\Users\Admin\AppData\Local\Temp\Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
        6⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 1268
        7⤵
        Program crash
        
        PID:632
      - C:\Users\Admin\AppData\Local\Temp\Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
        
        C:\Users\Admin\AppData\Local\Temp\Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
        6⤵
        Executes dropped EXE
        
        PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe
      C:\Users\Admin\AppData\Local\Temp\Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe
      4⤵
      Executes dropped EXE
      PID:1356
- C:\Users\Admin\AppData\Local\Temp\020824e5aa9ecb744b1b94bd855a8f3a.exe
  C:\Users\Admin\AppData\Local\Temp\020824e5aa9ecb744b1b94bd855a8f3a.exe
  2⤵
  PID:716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1372 -ip 1372
1⤵
PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Fnpgaloxjuodppdmbufkms.vbs

Filesize
125B

MD5
ebc62dbe9191ecc89ba49b5f4f19f330

SHA1
07eebeea732df224f28287402e5f41d676d58d50

SHA256
cf50773404b420b9a2df26ef0a56c6b90d1d7c6538aa222bef920c039d203df3

SHA512
e68cd06b6a86f66e8033899c42afaac38ea01d5c11d42ffbc12f2998b665886aad9065ee5bbb313d01a475e8bf5893c95c4e9c46f16233866a990a8d77b4d76c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fyxzojheuxzdxbqlgokhton.vbs

Filesize
121B

MD5
57d2e626d7a3f6ec32a9cedf0792c5b9

SHA1
f460923c6d4e57cbba8716027df4caa6d41f7f1f

SHA256
14920ae1c88247e4e2b9910be2cd5c465e0295962b5687057c368711a39f802f

SHA512
a2efcb2576f11801779c052fd858260e9110a5120b5cb4d4d3b7f0f1e22f7fb4ad80132f3da70c5ed51c400b3132fee7c63171d6b2ef76503551fa94ca1f4011

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe

Filesize
15KB

MD5
7483980869f03055b032dd370afdddb1

SHA1
d46d0326407c50d5cd41a72ea198b544364ff980

SHA256
7c9ae69a226d47ce1d2bb09ee38b9d337151f7dddb7e52c004917fe5e92997ea

SHA512
b10e9a5d4a689df531b43dde404e6b43f2bd257a8f0bb4fc34e912c5868567c3977f65d217091ed7be609d444959a43218d80d843a2aa06b8d7d80d638c256e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe

Filesize
75KB

MD5
e4d7c2e8fc9227b646abb53875de4e9e

SHA1
8792afa690e9349ba3ea3ef8914d60b52bc32a5f

SHA256
7d582cf6855198700906b06573d98654482c5b3eeffc22be7d00fdc7e776b996

SHA512
ca9294a54d204a6bb95a113113f7546d7c824dc17872f359b668365dcc48d187455965f2b88a1f08d5011b4d4cd0550c8d2260b1ecedf2c48e8ba76e18c88460

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe

Filesize
704KB

MD5
011ea7874d4283dd836277fa880e228b

SHA1
990de8c5104409e38bc9c33d246db07003c96dd0

SHA256
dec6b08ad93d22660e040ff56d4a6523428243741af91d0980efd00dc2521951

SHA512
06eda2f49680311c9d70015adfc0f05c3fadb92cde9d984a6852b088aafc1f39694e46dd97ecca19e97e42c22590d92b1e9a359d246227459350156d7feb7cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe

Filesize
397KB

MD5
f5e11b62f485aa1e95073c665a147cd2

SHA1
d71acedc812f72756b756e23fbc5c756d163ad48

SHA256
1b466bd2985862702ab9fb242e0c79e27dd2c4b4c676d9ba44d6bef3e93b1534

SHA512
df152055bb196822c638cf0a824907884076ebb65200535362d545a1d5c78e29631c8cef2651c1a944e43ac74b554ec4156efe36acf3465824a96f37e28fed96

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe

Filesize
352KB

MD5
86dcf9b46b27b304899b02b3b2c213a1

SHA1
aeb50752aec8a53ee1180c956092ce9dfda920b6

SHA256
c205a7144119f2947803479a43d9a2d1844660b49cd50ac6b151afedab6c1d8a

SHA512
c4d404c2a1e8391e60b2328de79bc2713b6ce8715ebaff2115f7049b938350f8459a193a632e4bfed1b421521f301e1eb0680c2093ef3572bf2e53164876ab2e

Download Submit
memory/716-2335-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/1192-51-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-23-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-5-0x00000000057E0000-0x00000000057EA000-memory.dmp

Filesize
40KB

Download
memory/1192-6-0x00000000071D0000-0x0000000007246000-memory.dmp

Filesize
472KB

Download
memory/1192-7-0x0000000007250000-0x000000000738A000-memory.dmp

Filesize
1.2MB

Download
memory/1192-8-0x0000000006490000-0x00000000064AE000-memory.dmp

Filesize
120KB

Download
memory/1192-9-0x0000000007500000-0x000000000761E000-memory.dmp

Filesize
1.1MB

Download
memory/1192-10-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-11-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-13-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-15-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-17-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-21-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-55-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-19-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-27-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-25-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-29-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-31-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-33-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-39-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-41-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-43-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-45-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-37-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-35-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-49-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-47-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-3-0x0000000005720000-0x00000000057B2000-memory.dmp

Filesize
584KB

Download
memory/1192-53-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-71-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-59-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-67-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-4-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/1192-57-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-73-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-69-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-61-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-80-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/1192-65-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-63-0x0000000007500000-0x0000000007619000-memory.dmp

Filesize
1.1MB

Download
memory/1192-624-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/1192-2333-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/1192-1-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/1192-0-0x0000000000BE0000-0x0000000000D26000-memory.dmp

Filesize
1.3MB

Download
memory/1192-2-0x0000000005DE0000-0x0000000006384000-memory.dmp

Filesize
5.6MB

Download
memory/1356-4325-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1356-4331-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1372-6716-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1372-6713-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-2339-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/2848-2640-0x0000000074110000-0x00000000748C0000-memory.dmp

Filesize
7.7MB

Download
memory/2848-3481-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/2848-2338-0x0000000074110000-0x00000000748C0000-memory.dmp

Filesize
7.7MB

Download
memory/2848-2337-0x00000000004B0000-0x0000000000566000-memory.dmp

Filesize
728KB

Download
memory/2848-2341-0x0000000006C70000-0x0000000006D34000-memory.dmp

Filesize
784KB

Download
memory/2848-2340-0x00000000068B0000-0x000000000695A000-memory.dmp

Filesize
680KB

Download
memory/2848-4324-0x0000000074110000-0x00000000748C0000-memory.dmp

Filesize
7.7MB

Download
memory/4348-4328-0x00000000005B0000-0x000000000061A000-memory.dmp

Filesize
424KB

Download
memory/4348-4332-0x0000000005BF0000-0x0000000005C4E000-memory.dmp

Filesize
376KB

Download
memory/4348-4333-0x0000000006B90000-0x0000000006C08000-memory.dmp

Filesize
480KB

Download
memory/4348-4727-0x0000000073910000-0x00000000740C0000-memory.dmp

Filesize
7.7MB

Download
memory/4348-5917-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4348-6712-0x0000000073910000-0x00000000740C0000-memory.dmp

Filesize
7.7MB

Download
memory/4348-4330-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4348-4329-0x0000000073910000-0x00000000740C0000-memory.dmp

Filesize
7.7MB

Download

description	pid	process	target process
PID 1192 wrote to memory of 3832	1192	020824e5aa9ecb744b1b94bd855a8f3a.exe	WScript.exe
PID 1192 wrote to memory of 3832	1192	020824e5aa9ecb744b1b94bd855a8f3a.exe	WScript.exe
PID 1192 wrote to memory of 3832	1192	020824e5aa9ecb744b1b94bd855a8f3a.exe	WScript.exe
PID 1192 wrote to memory of 716	1192	020824e5aa9ecb744b1b94bd855a8f3a.exe	020824e5aa9ecb744b1b94bd855a8f3a.exe
PID 1192 wrote to memory of 716	1192	020824e5aa9ecb744b1b94bd855a8f3a.exe	020824e5aa9ecb744b1b94bd855a8f3a.exe
PID 1192 wrote to memory of 716	1192	020824e5aa9ecb744b1b94bd855a8f3a.exe	020824e5aa9ecb744b1b94bd855a8f3a.exe
PID 1192 wrote to memory of 716	1192	020824e5aa9ecb744b1b94bd855a8f3a.exe	020824e5aa9ecb744b1b94bd855a8f3a.exe
PID 1192 wrote to memory of 716	1192	020824e5aa9ecb744b1b94bd855a8f3a.exe	020824e5aa9ecb744b1b94bd855a8f3a.exe
PID 1192 wrote to memory of 716	1192	020824e5aa9ecb744b1b94bd855a8f3a.exe	020824e5aa9ecb744b1b94bd855a8f3a.exe
PID 1192 wrote to memory of 716	1192	020824e5aa9ecb744b1b94bd855a8f3a.exe	020824e5aa9ecb744b1b94bd855a8f3a.exe
PID 1192 wrote to memory of 716	1192	020824e5aa9ecb744b1b94bd855a8f3a.exe	020824e5aa9ecb744b1b94bd855a8f3a.exe
PID 1192 wrote to memory of 716	1192	020824e5aa9ecb744b1b94bd855a8f3a.exe	020824e5aa9ecb744b1b94bd855a8f3a.exe
PID 3832 wrote to memory of 2848	3832	WScript.exe	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe
PID 3832 wrote to memory of 2848	3832	WScript.exe	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe
PID 3832 wrote to memory of 2848	3832	WScript.exe	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe
PID 2848 wrote to memory of 3712	2848	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe	WScript.exe
PID 2848 wrote to memory of 3712	2848	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe	WScript.exe
PID 2848 wrote to memory of 3712	2848	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe	WScript.exe
PID 2848 wrote to memory of 1356	2848	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe
PID 2848 wrote to memory of 1356	2848	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe
PID 2848 wrote to memory of 1356	2848	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe
PID 2848 wrote to memory of 1356	2848	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe
PID 2848 wrote to memory of 1356	2848	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe
PID 2848 wrote to memory of 1356	2848	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe
PID 2848 wrote to memory of 1356	2848	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe
PID 2848 wrote to memory of 1356	2848	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe
PID 2848 wrote to memory of 1356	2848	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe	Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe
PID 3712 wrote to memory of 4348	3712	WScript.exe	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
PID 3712 wrote to memory of 4348	3712	WScript.exe	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
PID 3712 wrote to memory of 4348	3712	WScript.exe	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
PID 4348 wrote to memory of 1392	4348	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
PID 4348 wrote to memory of 1392	4348	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
PID 4348 wrote to memory of 1392	4348	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
PID 4348 wrote to memory of 1372	4348	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
PID 4348 wrote to memory of 1372	4348	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
PID 4348 wrote to memory of 1372	4348	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
PID 4348 wrote to memory of 1372	4348	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
PID 4348 wrote to memory of 1372	4348	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
PID 4348 wrote to memory of 1372	4348	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
PID 4348 wrote to memory of 1372	4348	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
PID 4348 wrote to memory of 1372	4348	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
PID 4348 wrote to memory of 1372	4348	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe