Malware Analysis Report

2024-09-22 21:47

Sample ID 240113-3jz7aagabm
Target 59b1a1f58b7ca014b73a2eebda7eae53
SHA256 e8e31ad00eb7d6e4124e0d9dcd2a2e4ca20afa68007c0e655ae8cc5ca4bfdad9
Tags
azorult raccoon zgrat c81fb6015c832710f869f6911e1aec18747e0184 infostealer rat stealer trojan oski spyware
score
10/10

Analysis Overview

score
10/10

SHA256

e8e31ad00eb7d6e4124e0d9dcd2a2e4ca20afa68007c0e655ae8cc5ca4bfdad9

Threat Level: Known bad

The file 59b1a1f58b7ca014b73a2eebda7eae53 was found to be: Known bad.

Malicious Activity Summary

Detect ZGRat V1

Azorult

Raccoon

Raccoon Stealer V1 payload

ZGRat

Oski

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-01-13 23:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-13 23:33

Reported

2024-01-13 23:36

Platform

win7-20231215-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe"

Signatures

Azorult

trojan infostealer azorult

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A (36 identical rows)

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ZGRat

rat zgrat

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe C:\Windows\SysWOW64\WScript.exe (×4)
PID 2204 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe (×4)
PID 2428 wrote to memory of 584 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe (×4)
PID 2204 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe (×6)
PID 584 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe C:\Windows\SysWOW64\WScript.exe (×4)
PID 584 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe (×6)
PID 748 wrote to memory of 1560 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe (×4)
PID 584 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe (×4)
PID 1560 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe (×4)
PID 1560 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe (×4)
PID 1560 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe (×10)
PID 2152 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe C:\Windows\SysWOW64\WerFault.exe (×4)

Processes

C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe

"C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Nrwclnomc.vbs"

C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe

C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe

C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe

"C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Eyyozukgtsxfcpfq.vbs"

C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe

C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

"C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe"

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 112

Network

Country Destination Domain Proto
US 8.8.8.8:53 telete.in udp
DE 185.53.177.54:443 telete.in tcp
US 8.8.8.8:53 gordonas.ac.ug udp
US 8.8.8.8:53 gordonas.ac.ug udp

Files

C:\Users\Admin\AppData\Local\Temp\Nrwclnomc.vbs

MD5 f7b6cda2dca4391f30cf8df1f0605418
SHA1 656a46ae3716bf4e883b1bfb13723b92feb26b84
SHA256 97cb704bd02eb625b99a8cac924c826be3435912f220352bf21ccbcb9370e7ed
SHA512 6be78872227b0a8c328d177b0f7a7670834c7c803aa7eacc77f1ffa7c824541a895ea255b6b4777f9fd7753a4c975eaf50f4b63a51cf8c9164d56ccd86300725

C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe

MD5 4cb2b6e2c86e81a6b2ddd2aca707e66a
SHA1 f13428a8ea50c72c6a24bd552804ab7a11428ec1
SHA256 157e30e05a61154cbc5bb5e36dc43b33e500bd552f8a0624d3a02d9f1249665a
SHA512 156e0c11011753cf46fd4817888c56294ab001c98fc32613e70104d9fd900be874baa30ac3bf5c09e7140eaf336b06f06e85568c7c6a7de0617f06e270048ce7

C:\Users\Admin\AppData\Local\Temp\Eyyozukgtsxfcpfq.vbs

MD5 078aaa3bf115f219f01322a31f475c54
SHA1 e95ad53a3ad196dfb5384824d213f64056fb8155
SHA256 db761125f2f3e644b56284126bdb2ebeec230ddaea1540e41e61188e38a845b4
SHA512 98b4016beda2682652dfdef3f0b25432c1444b52064949e9ecd20d7533b76f17ebaf514b91e5bd967d20ed8025b0d8a8f6e387331806418cfef00ff3e1fd1734

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

MD5 efd30cfcab12aa54745c2145a2ee763f
SHA1 4bfa0e547c820b576bb57fb109e6d95996e981f3
SHA256 1c01c74fd903447e61c5824271ab41ed22f4217ac85f3c9e2a6d0f083897bfc3
SHA512 57ffda0b59997a32df775cbc281a594312d4cccf22c6c86404435cace951765aeff8b702ff362078e403f7f1b3ce37b655bb96bfba84d19f06dd250ad05bcb8c

\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

MD5 28ef291e4e82fe00e58b3e239ecf1ca5
SHA1 164978ae23be1ebbc7c1a265e4b21eb6ce48eab8
SHA256 332550fb3b430ba3430d9518b36948ba92c60cc905959489e57848a01baa131a
SHA512 19d3efd094f70d040041f6eed20827dd21bc124f23a5049930e9e11388ff853bbe41c038e6a4bb450c60276867516762a8334f4a947ac96f1833ed5c387ae711

\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

MD5 acf368d12ace361955ca56cf379b286a
SHA1 58e7e72ac7855bb51ecff68736f7fa4668e74f6b
SHA256 07f36b6c43f6f3928e1b687a225bc81dbfe0e9f1c1293467ae78a19f000f8b7f
SHA512 a4ddfcff5598cd5099676cdf41573820a00c87804ff93cdcd642af87562e5da0e3eb7383412982a6eff5df6ac3dab1ed8cdd9355fc74eeaef4ea1882d4650a84

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-13 23:33

Reported

2024-01-13 23:36

Platform

win10v2004-20231215-en

Max time kernel

152s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe"

Signatures

Azorult

trojan infostealer azorult

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A (36 identical rows)

Oski

infostealer oski

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ZGRat

rat zgrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe N/A (×2)
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe N/A (×6)
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe N/A (×14)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5076 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe C:\Windows\SysWOW64\WScript.exe
PID 5076 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe C:\Windows\SysWOW64\WScript.exe
PID 5076 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe C:\Windows\SysWOW64\WScript.exe
PID 5076 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe
PID 5076 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe
PID 5076 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe
PID 5076 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe
PID 5076 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe
PID 5076 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe
PID 5076 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe
PID 5076 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe
PID 5076 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe
PID 1812 wrote to memory of 1956 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe
PID 1812 wrote to memory of 1956 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe
PID 1812 wrote to memory of 1956 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe
PID 1956 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe C:\Windows\SysWOW64\WScript.exe
PID 1956 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe C:\Windows\SysWOW64\WScript.exe
PID 1956 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe C:\Windows\SysWOW64\WScript.exe
PID 1956 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe
PID 1956 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe
PID 1956 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe
PID 1956 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe
PID 1956 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe
PID 1956 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe
PID 1956 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe
PID 1956 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe
PID 1956 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe
PID 1956 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe
PID 1956 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe
PID 1956 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe
PID 5068 wrote to memory of 4660 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
PID 5068 wrote to memory of 4660 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
PID 5068 wrote to memory of 4660 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
PID 4660 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
PID 4660 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
PID 4660 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
PID 4660 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
PID 4660 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
PID 4660 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
PID 4660 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
PID 4660 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

Processes

C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe

"C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Nrwclnomc.vbs"

C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe

C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe

C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe

"C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Eyyozukgtsxfcpfq.vbs"

C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe

C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe

C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe

C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

"C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe"

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 756 -ip 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1300

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\Nrwclnomc.vbs

MD5 f7b6cda2dca4391f30cf8df1f0605418
SHA1 656a46ae3716bf4e883b1bfb13723b92feb26b84
SHA256 97cb704bd02eb625b99a8cac924c826be3435912f220352bf21ccbcb9370e7ed
SHA512 6be78872227b0a8c328d177b0f7a7670834c7c803aa7eacc77f1ffa7c824541a895ea255b6b4777f9fd7753a4c975eaf50f4b63a51cf8c9164d56ccd86300725

C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe

MD5 4cb2b6e2c86e81a6b2ddd2aca707e66a
SHA1 f13428a8ea50c72c6a24bd552804ab7a11428ec1
SHA256 157e30e05a61154cbc5bb5e36dc43b33e500bd552f8a0624d3a02d9f1249665a
SHA512 156e0c11011753cf46fd4817888c56294ab001c98fc32613e70104d9fd900be874baa30ac3bf5c09e7140eaf336b06f06e85568c7c6a7de0617f06e270048ce7

C:\Users\Admin\AppData\Local\Temp\Eyyozukgtsxfcpfq.vbs

MD5 078aaa3bf115f219f01322a31f475c54
SHA1 e95ad53a3ad196dfb5384824d213f64056fb8155
SHA256 db761125f2f3e644b56284126bdb2ebeec230ddaea1540e41e61188e38a845b4
SHA512 98b4016beda2682652dfdef3f0b25432c1444b52064949e9ecd20d7533b76f17ebaf514b91e5bd967d20ed8025b0d8a8f6e387331806418cfef00ff3e1fd1734

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

MD5 efd30cfcab12aa54745c2145a2ee763f
SHA1 4bfa0e547c820b576bb57fb109e6d95996e981f3
SHA256 1c01c74fd903447e61c5824271ab41ed22f4217ac85f3c9e2a6d0f083897bfc3
SHA512 57ffda0b59997a32df775cbc281a594312d4cccf22c6c86404435cace951765aeff8b702ff362078e403f7f1b3ce37b655bb96bfba84d19f06dd250ad05bcb8c
