Malware Analysis Report

2024-09-22 21:48

Sample ID 240112-yql6saeeer
Target 575f6a65c28682f88fa808ba8e862d7f
SHA256 5e08ef6445c40ba0c1216c04291b0d9ef48f0983a9aebd25f214e6fc988daa53
Tags
azorult oski raccoon c81fb6015c832710f869f6911e1aec18747e0184 infostealer spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

5e08ef6445c40ba0c1216c04291b0d9ef48f0983a9aebd25f214e6fc988daa53

Threat Level: Known bad

The file 575f6a65c28682f88fa808ba8e862d7f was found to be: Known bad.

Malicious Activity Summary

Tags: azorult oski raccoon c81fb6015c832710f869f6911e1aec18747e0184 infostealer spyware stealer trojan

Azorult
Raccoon
Raccoon Stealer V1 payload
Oski
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-01-12 19:59

Signatures

Unsigned PE: the sample carries no Authenticode signature (static check only; no per-event indicator, process or target is recorded).

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-12 19:59

Reported

2024-01-12 20:02

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe"

Signatures

Azorult

trojan infostealer azorult

Oski

infostealer oski

Raccoon

stealer raccoon

Raccoon Stealer V1 payload (5 matches; the report records no per-match indicator, process or target)

Checks computer location settings

Key value queried: \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation
  process: C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe

Geo\Nation holds the GeoID of the user's configured home location. Many stealer families read it before doing anything else and exit when the value falls in an excluded region, so a detonation in a sandbox configured with such a locale can end here with no further activity.

Executes dropped EXE

C:\ProgramData\Vdgfgjkhsdwr.exe (executed twice)
C:\ProgramData\Dropakcx.exe (executed twice)

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Source PID (image) -> Target PID (image)
4532 (C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe) -> 2516 (same image)
3868 (C:\ProgramData\Dropakcx.exe) -> 4100 (same image)
3300 (C:\ProgramData\Vdgfgjkhsdwr.exe) -> 2200 (same image)

Each of the three executables starts a second copy of itself, writes into it (the WriteProcessMemory rows below) and then resets the child's thread context: the process-hollowing / RunPE sequence. The children (PIDs 2516, 4100 and 2200) are therefore the processes whose 0x400000 regions in the Files section hold the unpacked payloads, and three hollowed children is consistent with the three stealer families detected.

Enumerates physical storage devices

Program crash

C:\Windows\SysWOW64\WerFault.exe handled a crash in C:\ProgramData\Dropakcx.exe; the WerFault command lines under Processes name PID 4100, the Dropakcx.exe child that received the injected code.

Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe
C:\ProgramData\Dropakcx.exe
C:\ProgramData\Vdgfgjkhsdwr.exe

Suspicious use of SetWindowsHookEx

C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe
C:\ProgramData\Vdgfgjkhsdwr.exe
C:\ProgramData\Dropakcx.exe

Suspicious use of WriteProcessMemory

Source PID (image) -> Target PID (image): write events
4532 (C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe) -> 3300 (C:\ProgramData\Vdgfgjkhsdwr.exe): 3
4532 (C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe) -> 3868 (C:\ProgramData\Dropakcx.exe): 3
4532 (C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe) -> 2516 (same image): 4
3868 (C:\ProgramData\Dropakcx.exe) -> 4100 (same image): 4
3300 (C:\ProgramData\Vdgfgjkhsdwr.exe) -> 2200 (same image): 4

Processes

C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe
  "C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe"
C:\ProgramData\Vdgfgjkhsdwr.exe
  "C:\ProgramData\Vdgfgjkhsdwr.exe"
C:\ProgramData\Dropakcx.exe
  "C:\ProgramData\Dropakcx.exe"
C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe (second instance: the hollowed child per the SetThreadContext rows)
  "C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe"
C:\ProgramData\Dropakcx.exe (second instance: hollowed child)
  "C:\ProgramData\Dropakcx.exe"
C:\ProgramData\Vdgfgjkhsdwr.exe (second instance: hollowed child)
  "C:\ProgramData\Vdgfgjkhsdwr.exe"
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4100 -ip 4100
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 1288

Both WerFault invocations carry -p 4100, i.e. the crashing process is the Dropakcx.exe child that received the injected code (3868 -> 4100 in the SetThreadContext table).

Network

Country  Destination            Domain                          Proto
US       138.91.171.81:80       -                               tcp
US       8.8.8.8:53             146.177.190.20.in-addr.arpa     udp
US       8.8.8.8:53             193.178.17.96.in-addr.arpa      udp
US       8.8.8.8:53             95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53             241.154.82.20.in-addr.arpa      udp
US       8.8.8.8:53             158.240.127.40.in-addr.arpa     udp
US       8.8.8.8:53             167.109.18.2.in-addr.arpa       udp
US       8.8.8.8:53             57.110.18.2.in-addr.arpa        udp
US       8.8.8.8:53             183.59.114.20.in-addr.arpa      udp
US       8.8.8.8:53             171.39.242.20.in-addr.arpa      udp
US       8.8.8.8:53             telete.in                       udp
US       8.8.8.8:53             myproskxa.ac.ug                 udp
US       8.8.8.8:53             kullasa.ac.ug                   udp
DE       185.53.177.54:443      telete.in                       tcp
US       8.8.8.8:53             myproskxa.ac.ug                 udp
US       8.8.8.8:53             54.177.53.185.in-addr.arpa      udp
US       8.8.8.8:53             26.35.223.20.in-addr.arpa       udp
US       8.8.8.8:53             134.71.91.104.in-addr.arpa      udp
US       8.8.8.8:53             tse1.mm.bing.net                udp
US       204.79.197.200:443     tse1.mm.bing.net                tcp (4 connections)
US       8.8.8.8:53             2.136.104.51.in-addr.arpa       udp
US       8.8.8.8:53             202.178.17.96.in-addr.arpa      udp
US       8.8.8.8:53             55.36.223.20.in-addr.arpa       udp
US       8.8.8.8:53             48.229.111.52.in-addr.arpa      udp
US       8.8.8.8:53             175.178.17.96.in-addr.arpa      udp
US       8.8.8.8:53             25.73.42.20.in-addr.arpa        udp

Three domains belong to the sample: telete.in (resolved to 185.53.177.54 and contacted over 443; Raccoon Stealer v1 fetched its C2 address through this Telegram web front), and myproskxa.ac.ug and kullasa.ac.ug (queried, with no connection recorded in this run). The in-addr.arpa PTR queries and the tse1.mm.bing.net traffic are ordinary Windows 10 background activity of the sandbox image, and the 138.91.171.81:80 connection carries no domain and is not attributed to a process in this report. The Windows 7 run below shows the same three sample domains and none of the background noise.

Files

memory/4532-2-0x0000000077882000-0x0000000077883000-memory.dmp

memory/4532-3-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

C:\ProgramData\Vdgfgjkhsdwr.exe

MD5 b92b398d4e25a976dc699f2099fa8452
SHA1 900e6fedf9898adbbc5f3dc7185372ffb811c8ad
SHA256 6deb2679783cdd1f005ef86488a11de88fe52443f31f0c6e481b51f307271177
SHA512 5b854a34d489a94d2b193af192cb0d9f224ef1b7d2d0cd50b119a9cd24693c720482e9ddf910b2e9e0ef44e8ad263aa4a69094b503a01ff9a177d8c2cef5f1ed

C:\ProgramData\Dropakcx.exe

MD5 e21551a13085e0ba0fad3e733d807559
SHA1 87aeaaf58c1d8cf23755697489267f289e7c5780
SHA256 abf5833a2ffa007792753f5d49fd21f00a2c8d20e623f57d9e3748c41fb1435a
SHA512 21497f7f742b5c2e61bd5b04e10eb71538d6bafd9c00aa793f9798a7035b9c02ac80bce3baa38d6e97a10239df726246a157b8c7db5ceffc31937187659ac189

memory/3300-29-0x0000000000720000-0x0000000000721000-memory.dmp

memory/3868-31-0x0000000000630000-0x0000000000631000-memory.dmp

memory/2516-35-0x0000000000400000-0x0000000000497000-memory.dmp

memory/4100-34-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4532-33-0x00000000036E0000-0x00000000036E8000-memory.dmp

memory/2516-32-0x0000000000400000-0x0000000000497000-memory.dmp

memory/4100-37-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2516-38-0x0000000000400000-0x0000000000497000-memory.dmp

memory/2516-41-0x0000000077882000-0x0000000077883000-memory.dmp

memory/2200-44-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2516-43-0x0000000000610000-0x0000000000611000-memory.dmp

memory/4100-45-0x0000000077882000-0x0000000077883000-memory.dmp

memory/4100-48-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4100-50-0x00000000005B0000-0x00000000005B1000-memory.dmp

memory/2200-49-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2200-53-0x0000000077882000-0x0000000077883000-memory.dmp

memory/2200-52-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2200-54-0x0000000002040000-0x0000000002041000-memory.dmp

memory/4100-39-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2200-55-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2200-57-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2516-60-0x0000000000400000-0x0000000000492000-memory.dmp

memory/4100-61-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4100-63-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4100-62-0x0000000000440000-0x0000000000509000-memory.dmp

memory/2516-65-0x0000000000400000-0x0000000000497000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-12 19:59

Reported

2024-01-12 20:02

Platform

win7-20231215-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe"

Signatures

Azorult

trojan infostealer azorult

Oski

infostealer oski

Raccoon

stealer raccoon

Raccoon Stealer V1 payload (5 matches; the report records no per-match indicator, process or target)

Executes dropped EXE

C:\ProgramData\Vdgfgjkhsdwr.exe (executed twice)
C:\ProgramData\Dropakcx.exe (executed twice)

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Source PID (image) -> Target PID (image)
2748 (C:\ProgramData\Dropakcx.exe) -> 2756 (same image)
2784 (C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe) -> 2948 (same image)
2848 (C:\ProgramData\Vdgfgjkhsdwr.exe) -> 2632 (same image)

The same self-hollowing pattern as in the Windows 10 run: each image spawns a copy of itself, writes into it and resets the child's thread context; the children here are PIDs 2756, 2948 and 2632.

Enumerates physical storage devices

Program crash

C:\Windows\SysWOW64\WerFault.exe handled a crash in C:\ProgramData\Dropakcx.exe; the WerFault command line under Processes names PID 2756, the hollowed Dropakcx.exe child.

Modifies system certificate store

evasion spyware trojan

Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
  process: C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe
Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data not included in this report]
  process: C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe

CABD2A79A1076A31F21D253635CB039D4329A5E8 is the SHA-1 fingerprint of ISRG Root X1, the Let's Encrypt root. A Windows 7 image does not ship it, and CryptoAPI fetches missing public roots in the calling process during the first TLS handshake that needs one (here the connection to telete.in:443), so this signature is consistent with the OS root auto-update rather than a malicious trust anchor; it fires only in the Windows 7 run, not in the Windows 10 run. Confirm by decoding the Blob value. An unrecognised thumbprint written to the LocalMachine ROOT store would be the finding to escalate.
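Certificate-store writes are easy to misjudge from a single sandbox row. The following Python is an added example, not part of the sandbox report or its tooling: it parses registry rows in the report's own layout, separates a LocalMachine ROOT-store write (a trust anchor for every user on the machine) from a per-user store write, and checks the thumbprint against a baseline of public roots the OS is expected to install by itself. The baseline set and the third input row (a per-user write by Dropakcx.exe with a made-up thumbprint, included only to exercise that branch) are assumptions, not data from the report.

```python
"""Triage sandbox registry rows that touch the Windows certificate stores.

Added example for this report, not the sandbox's own code. Rows of the form
'<description> \REGISTRY\...\SystemCertificates\<store>\Certificates\<sha1>... <process> <target>'
are grouped per thumbprint and given a verdict.
"""
import re

# \REGISTRY\MACHINE\... is HKLM (all users); \REGISTRY\USER\<SID>\... is one user's hive.
# Store names differ in case between hives (ROOT vs Root), so match case-insensitively.
CERT_KEY = re.compile(
    r"\\REGISTRY\\(?P<hive>MACHINE|USER\\S-[0-9-]+)\\SOFTWARE\\Microsoft\\"
    r"SystemCertificates\\(?P<store>[^\\]+)\\Certificates\\(?P<thumb>[0-9A-Fa-f]{40})",
    re.IGNORECASE,
)

# Assumption: SHA-1 thumbprints of public roots your golden image is expected to
# pick up through the OS root auto-update. Only the one seen in this report is
# listed; extend it from your own baseline rather than trusting it blindly.
KNOWN_PUBLIC_ROOTS = {
    "CABD2A79A1076A31F21D253635CB039D4329A5E8": "ISRG Root X1",
}

# Constructed sample input: the two rows from the signature table above, plus one
# hypothetical per-user write with a made-up thumbprint (not from the report).
REG_EVENTS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [omitted] C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\0123456789ABCDEF0123456789ABCDEF01234567 C:\ProgramData\Dropakcx.exe N/A
"""


def parse_cert_events(text):
    """Yield (location, store, thumbprint, process) for every row that touches a cert store."""
    for line in text.strip().splitlines():
        m = CERT_KEY.search(line)
        if not m:
            continue
        tokens = line.split()
        process = tokens[-2]  # row layout ends with '<process> <target>'; target is N/A here
        location = "LocalMachine" if m.group("hive").upper() == "MACHINE" else "CurrentUser"
        yield location, m.group("store").upper(), m.group("thumb").upper(), process


def triage_cert_events(text):
    """Collapse the rows for one thumbprint (Key created + Blob write) into a single finding."""
    findings = {}
    for location, store, thumb, process in parse_cert_events(text):
        f = findings.setdefault((location, store, thumb), {
            "location": location, "store": store, "thumbprint": thumb,
            "processes": set(), "events": 0,
        })
        f["processes"].add(process)
        f["events"] += 1
    for f in findings.values():
        if f["thumbprint"] in KNOWN_PUBLIC_ROOTS:
            f["verdict"] = ("known public root %s: consistent with the OS root auto-update; "
                            "confirm by decoding the Blob" % KNOWN_PUBLIC_ROOTS[f["thumbprint"]])
        elif f["store"] == "ROOT":
            f["verdict"] = "unknown root added to %s store: investigate" % f["location"]
        else:
            f["verdict"] = "non-root store change"
    return list(findings.values())


if __name__ == "__main__":
    for f in triage_cert_events(REG_EVENTS):
        print(f["location"], f["store"], f["thumbprint"], sorted(f["processes"]), "->", f["verdict"])
```

The verdict for a known root is deliberately "consistent with", not "benign": the thumbprint check only tells you the certificate is a public one, so the Blob still has to be decoded to rule out a lookalike stored under a familiar key name.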

Suspicious behavior: MapViewOfSection

C:\ProgramData\Dropakcx.exe
C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe
C:\ProgramData\Vdgfgjkhsdwr.exe

Suspicious use of SetWindowsHookEx

C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe
C:\ProgramData\Dropakcx.exe
C:\ProgramData\Vdgfgjkhsdwr.exe

Suspicious use of WriteProcessMemory

Source PID (image) -> Target PID (image): write events
2784 (C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe) -> 2848 (C:\ProgramData\Vdgfgjkhsdwr.exe): 4
2784 (C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe) -> 2748 (C:\ProgramData\Dropakcx.exe): 4
2784 (C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe) -> 2948 (same image): 5
2748 (C:\ProgramData\Dropakcx.exe) -> 2756 (same image): 5
2848 (C:\ProgramData\Vdgfgjkhsdwr.exe) -> 2632 (same image): 5
2756 (C:\ProgramData\Dropakcx.exe) -> 1524 (C:\Windows\SysWOW64\WerFault.exe): 4 (occurs while WerFault.exe handles the crash of 2756; no SetThreadContext follows, so this is not an injection)
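The WriteProcessMemory and SetThreadContext rows above (and the matching ones in the behavioral2 run) only become meaningful when paired per source/target PID. The following Python is an added example, not part of the sandbox report or its tooling: it parses rows in the report's own layout, counts writes per (source, target) pair, and flags a pair as a hollowing candidate only when the same source also set the target's thread context. The input is constructed from the behavioral1 rows above and includes the writes from PID 2756 into WerFault.exe, which must not be flagged because no SetThreadContext follows them.

```python
"""Correlate sandbox 'wrote to memory' / 'set thread context' rows into
process-injection chains.

Added example for this report, not the sandbox's own code. A (source PID,
target PID) pair is a hollowing candidate when the source both wrote into the
target and reset its thread context; writes alone (e.g. into WerFault.exe)
are reported separately as unmatched.
"""
import re
from collections import Counter

# One row per line, in the report's 'Description Indicator Process Target' layout.
ROW = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Constructed sample input: the behavioral1 rows above, copied verbatim.
EVENTS = r"""
PID 2748 set thread context of 2756 N/A C:\ProgramData\Dropakcx.exe C:\ProgramData\Dropakcx.exe
PID 2784 set thread context of 2948 N/A C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe
PID 2848 set thread context of 2632 N/A C:\ProgramData\Vdgfgjkhsdwr.exe C:\ProgramData\Vdgfgjkhsdwr.exe
PID 2784 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe C:\ProgramData\Vdgfgjkhsdwr.exe
PID 2784 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe C:\ProgramData\Vdgfgjkhsdwr.exe
PID 2784 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe C:\ProgramData\Vdgfgjkhsdwr.exe
PID 2784 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe C:\ProgramData\Vdgfgjkhsdwr.exe
PID 2784 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe C:\ProgramData\Dropakcx.exe
PID 2784 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe C:\ProgramData\Dropakcx.exe
PID 2784 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe C:\ProgramData\Dropakcx.exe
PID 2784 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe C:\ProgramData\Dropakcx.exe
PID 2784 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe
PID 2784 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe
PID 2784 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe
PID 2784 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe
PID 2748 wrote to memory of 2756 N/A C:\ProgramData\Dropakcx.exe C:\ProgramData\Dropakcx.exe
PID 2748 wrote to memory of 2756 N/A C:\ProgramData\Dropakcx.exe C:\ProgramData\Dropakcx.exe
PID 2748 wrote to memory of 2756 N/A C:\ProgramData\Dropakcx.exe C:\ProgramData\Dropakcx.exe
PID 2748 wrote to memory of 2756 N/A C:\ProgramData\Dropakcx.exe C:\ProgramData\Dropakcx.exe
PID 2748 wrote to memory of 2756 N/A C:\ProgramData\Dropakcx.exe C:\ProgramData\Dropakcx.exe
PID 2848 wrote to memory of 2632 N/A C:\ProgramData\Vdgfgjkhsdwr.exe C:\ProgramData\Vdgfgjkhsdwr.exe
PID 2848 wrote to memory of 2632 N/A C:\ProgramData\Vdgfgjkhsdwr.exe C:\ProgramData\Vdgfgjkhsdwr.exe
PID 2848 wrote to memory of 2632 N/A C:\ProgramData\Vdgfgjkhsdwr.exe C:\ProgramData\Vdgfgjkhsdwr.exe
PID 2848 wrote to memory of 2632 N/A C:\ProgramData\Vdgfgjkhsdwr.exe C:\ProgramData\Vdgfgjkhsdwr.exe
PID 2784 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe
PID 2848 wrote to memory of 2632 N/A C:\ProgramData\Vdgfgjkhsdwr.exe C:\ProgramData\Vdgfgjkhsdwr.exe
PID 2756 wrote to memory of 1524 N/A C:\ProgramData\Dropakcx.exe C:\Windows\SysWOW64\WerFault.exe
PID 2756 wrote to memory of 1524 N/A C:\ProgramData\Dropakcx.exe C:\Windows\SysWOW64\WerFault.exe
PID 2756 wrote to memory of 1524 N/A C:\ProgramData\Dropakcx.exe C:\Windows\SysWOW64\WerFault.exe
PID 2756 wrote to memory of 1524 N/A C:\ProgramData\Dropakcx.exe C:\Windows\SysWOW64\WerFault.exe
"""


def parse_events(text):
    """Return (src_pid, action, dst_pid, src_image, dst_image) tuples; non-matching lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            events.append((int(m["src"]), m["action"], int(m["dst"]), m["src_img"], m["dst_img"]))
    return events


def correlate(events):
    """Split (source, target) pairs into hollowing candidates and write-only (unmatched) pairs."""
    writes, context_set, images = Counter(), set(), {}
    for src, action, dst, src_img, dst_img in events:
        images[(src, dst)] = (src_img, dst_img)
        if action == "wrote to memory of":
            writes[(src, dst)] += 1
        else:
            context_set.add((src, dst))
    hollowing, unmatched = [], []
    # Iterate every pair seen in either event type so a context reset without a
    # recorded write (possible if the sandbox missed the write) is still reported.
    for (src, dst) in sorted(set(writes) | context_set):
        src_img, dst_img = images[(src, dst)]
        record = {
            "source_pid": src, "target_pid": dst,
            "source_image": src_img, "target_image": dst_img,
            "writes": writes[(src, dst)],
            # a parent injecting into a fresh copy of its own image is the classic self-hollow
            "same_image": src_img.lower() == dst_img.lower(),
        }
        (hollowing if (src, dst) in context_set else unmatched).append(record)
    return hollowing, unmatched


if __name__ == "__main__":
    found, leftover = correlate(parse_events(EVENTS))
    for r in found:
        print("HOLLOWING %d -> %d (%d writes, same image: %s)"
              % (r["source_pid"], r["target_pid"], r["writes"], r["same_image"]))
    for r in leftover:
        print("write-only %d -> %d into %s" % (r["source_pid"], r["target_pid"], r["target_image"]))
```

Run against the rows above this yields three hollowing candidates (2748 -> 2756, 2784 -> 2948, 2848 -> 2632, all into a copy of the writer's own image) and three write-only pairs, including 2756 -> 1524 into WerFault.exe; the loader's writes into the two dropped executables (2784 -> 2848 and 2784 -> 2748) also land in the write-only list, which is what you would expect when a parent patches a child it has just launched without replacing its entry point.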

Processes

C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe
  "C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe"
C:\ProgramData\Vdgfgjkhsdwr.exe
  "C:\ProgramData\Vdgfgjkhsdwr.exe"
C:\ProgramData\Dropakcx.exe
  "C:\ProgramData\Dropakcx.exe"
C:\ProgramData\Dropakcx.exe (second instance: hollowed child)
  "C:\ProgramData\Dropakcx.exe"
C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe (second instance: hollowed child)
  "C:\Users\Admin\AppData\Local\Temp\575f6a65c28682f88fa808ba8e862d7f.exe"
C:\ProgramData\Vdgfgjkhsdwr.exe (second instance: hollowed child)
  "C:\ProgramData\Vdgfgjkhsdwr.exe"
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 760

The WerFault invocation carries -p 2756, i.e. the crashing process is the Dropakcx.exe child that received the injected code (2748 -> 2756 in the SetThreadContext table), the same component that crashed in the Windows 10 run.

Network

Country  Destination            Domain             Proto
US       8.8.8.8:53             telete.in          udp
US       8.8.8.8:53             myproskxa.ac.ug    udp
US       8.8.8.8:53             kullasa.ac.ug      udp
DE       185.53.177.54:443      telete.in          tcp
US       8.8.8.8:53             myproskxa.ac.ug    udp

Files

memory/2784-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

\ProgramData\Vdgfgjkhsdwr.exe

MD5 b92b398d4e25a976dc699f2099fa8452
SHA1 900e6fedf9898adbbc5f3dc7185372ffb811c8ad
SHA256 6deb2679783cdd1f005ef86488a11de88fe52443f31f0c6e481b51f307271177
SHA512 5b854a34d489a94d2b193af192cb0d9f224ef1b7d2d0cd50b119a9cd24693c720482e9ddf910b2e9e0ef44e8ad263aa4a69094b503a01ff9a177d8c2cef5f1ed

C:\ProgramData\Dropakcx.exe

MD5 e21551a13085e0ba0fad3e733d807559
SHA1 87aeaaf58c1d8cf23755697489267f289e7c5780
SHA256 abf5833a2ffa007792753f5d49fd21f00a2c8d20e623f57d9e3748c41fb1435a
SHA512 21497f7f742b5c2e61bd5b04e10eb71538d6bafd9c00aa793f9798a7035b9c02ac80bce3baa38d6e97a10239df726246a157b8c7db5ceffc31937187659ac189

memory/2784-21-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

memory/2632-33-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2948-32-0x0000000000400000-0x0000000000497000-memory.dmp

memory/2756-29-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2748-28-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2632-39-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2756-41-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2756-43-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2948-44-0x0000000000400000-0x0000000000497000-memory.dmp

memory/2948-46-0x0000000000400000-0x0000000000497000-memory.dmp

memory/2632-47-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2632-48-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2632-50-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2948-51-0x0000000000400000-0x0000000000492000-memory.dmp

memory/2756-52-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2756-53-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2948-59-0x0000000000400000-0x0000000000497000-memory.dmp

memory/2756-62-0x0000000000400000-0x0000000000434000-memory.dmp