Malware Analysis Report

2024-09-22 21:55

Sample ID 240129-m9y4xahhbj
Target 7fb10b8ea68c1e0064730018fca3cb39
SHA256 29cf2aec62c3504b1914484feff17ae470b51229b1df06f1a30334a08b6db12a
Tags
azorult oski raccoon fe25b858c52ebb889260990dc343e5dbcf4a96e4 infostealer spyware stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 7fb10b8ea68c1e0064730018fca3cb39 was found to be: Known bad.

Malicious Activity Summary

Raccoon Stealer V1 payload

Azorult

Raccoon

Oski

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-01-29 11:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-29 11:10

Reported

2024-01-29 11:13

Platform

win10v2004-20231215-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe"

Signatures

Azorult

trojan infostealer azorult

Oski

infostealer oski

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
N/A N/A C:\ProgramData\GFDyrtucbvfdg.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
N/A N/A C:\ProgramData\GFDyrtucbvfdg.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 960 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 960 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 3708 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 960 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe
PID 1456 wrote to memory of 3040 N/A C:\ProgramData\GFDyrtucbvfdg.exe C:\ProgramData\GFDyrtucbvfdg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe

"C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe"

C:\ProgramData\GFDyrtucbvfdg.exe

"C:\ProgramData\GFDyrtucbvfdg.exe"

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

"C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"

C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe

"C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe"

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

"C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"

C:\ProgramData\GFDyrtucbvfdg.exe

"C:\ProgramData\GFDyrtucbvfdg.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3312 -ip 3312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 1300

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 danielmax.ac.ug udp
US 8.8.8.8:53 telete.in udp
DE 185.53.177.54:443 telete.in tcp
US 8.8.8.8:53 danielmi.ac.ug udp
US 8.8.8.8:53 54.177.53.185.in-addr.arpa udp
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/960-2-0x00000000776A2000-0x00000000776A3000-memory.dmp

memory/960-3-0x00000000006C0000-0x00000000006C1000-memory.dmp

C:\ProgramData\GFDyrtucbvfdg.exe

MD5 701f6f95d5e205b53b3a74403d46981a
SHA1 3e614af86675b0de761adb5d2fa271bfb3142b95
SHA256 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459
SHA512 a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

MD5 93fffc6736b1dd95a4f4e88734e9d540
SHA1 509a9acffd9b9123fff2a3df9a860b829210f80a
SHA256 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0
SHA512 d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed

memory/1456-28-0x0000000000600000-0x0000000000601000-memory.dmp

memory/3708-31-0x0000000000710000-0x0000000000711000-memory.dmp

memory/3708-32-0x0000000000720000-0x0000000000728000-memory.dmp

memory/3312-33-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3312-37-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2568-39-0x0000000000400000-0x000000000049A000-memory.dmp

memory/3312-42-0x00000000776A2000-0x00000000776A3000-memory.dmp

memory/3312-46-0x0000000002050000-0x0000000002051000-memory.dmp

memory/3040-47-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3040-50-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2568-45-0x0000000000610000-0x0000000000611000-memory.dmp

memory/3040-52-0x00000000776A2000-0x00000000776A3000-memory.dmp

memory/2568-44-0x00000000776A2000-0x00000000776A3000-memory.dmp

memory/2568-43-0x0000000000400000-0x000000000049A000-memory.dmp

memory/3312-38-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2568-35-0x0000000000400000-0x000000000049A000-memory.dmp

memory/2568-34-0x0000000000400000-0x000000000049A000-memory.dmp

memory/3040-54-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3040-53-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3312-58-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3312-59-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2568-60-0x0000000000400000-0x0000000000495000-memory.dmp

memory/2568-61-0x0000000000400000-0x000000000049A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-29 11:10

Reported

2024-01-29 11:13

Platform

win7-20231215-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe"

Signatures

Azorult

trojan infostealer azorult

Oski

infostealer oski

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\ProgramData\GFDyrtucbvfdg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
N/A N/A C:\ProgramData\GFDyrtucbvfdg.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2080 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 1208 wrote to memory of 2664 N/A C:\ProgramData\GFDyrtucbvfdg.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 2080 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 2080 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe
PID 2852 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 2676 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe

"C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe"

C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe

"C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe"

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

"C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

"C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"

C:\ProgramData\GFDyrtucbvfdg.exe

"C:\ProgramData\GFDyrtucbvfdg.exe"

C:\ProgramData\GFDyrtucbvfdg.exe

"C:\ProgramData\GFDyrtucbvfdg.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 772

Network

Country Destination Domain Proto
US 8.8.8.8:53 telete.in udp
US 8.8.8.8:53 danielmi.ac.ug udp
US 8.8.8.8:53 danielmax.ac.ug udp
DE 185.53.177.54:443 telete.in tcp

Files

C:\ProgramData\GFDyrtucbvfdg.exe

MD5 701f6f95d5e205b53b3a74403d46981a
SHA1 3e614af86675b0de761adb5d2fa271bfb3142b95
SHA256 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459
SHA512 a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15

\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

MD5 93fffc6736b1dd95a4f4e88734e9d540
SHA1 509a9acffd9b9123fff2a3df9a860b829210f80a
SHA256 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0
SHA512 d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed

memory/2664-40-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2676-47-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2676-45-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2692-44-0x0000000000400000-0x000000000049A000-memory.dmp

memory/2676-39-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2692-38-0x0000000000400000-0x000000000049A000-memory.dmp

memory/2852-35-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2692-30-0x0000000000400000-0x000000000049A000-memory.dmp

memory/2664-22-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2664-18-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1208-15-0x0000000000280000-0x0000000000288000-memory.dmp

memory/2080-2-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2664-49-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2664-48-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2692-50-0x0000000000400000-0x0000000000495000-memory.dmp

memory/2676-51-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2692-58-0x0000000000400000-0x000000000049A000-memory.dmp

memory/2676-60-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2676-61-0x0000000000400000-0x0000000000439000-memory.dmp