Malware Analysis Report

2025-01-03 04:59

Sample ID 241127-lc75waxnew
Target 819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe
SHA256 819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4
Tags
azorult oski raccoon b76017a227a0d879dec7c76613918569d03892fb discovery infostealer spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4

Threat Level: Known bad

The file 819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe was found to be: Known bad.

Malicious Activity Summary

Azorult

Oski family

Oski

Azorult family

Raccoon

Raccoon family

Raccoon Stealer V1 payload

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-27 09:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-27 09:24

Reported

2024-11-27 09:26

Platform

win7-20240903-en

Max time kernel

117s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe"

Signatures

Azorult

trojan infostealer azorult

Azorult family

azorult

Oski

infostealer oski

Oski family

oski

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A

Raccoon family

raccoon

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2644 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe C:\Windows\SysWOW64\WScript.exe
PID 2644 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe
PID 2676 wrote to memory of 2568 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe
PID 2568 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe C:\Windows\SysWOW64\WScript.exe
PID 2568 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe
PID 2216 wrote to memory of 1580 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe
PID 1580 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe
PID 536 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe

"C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Njoarrjqwtkcyedoiyokf.vbs"

C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe

C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe

C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe

"C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Cluexwrmdbpntfny.vbs"

C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe

C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe

C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe

"C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe"

C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe

C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 756

Network


Files

C:\Users\Admin\AppData\Local\Temp\Njoarrjqwtkcyedoiyokf.vbs

MD5 affb5ef06d9491a7792bb095d79c76de
SHA1 fa1f67d95cd8c6e92175a013dd85e249e07f58cd
SHA256 ba957adcb69f054612b662976cd85a723a281bac10d7d0df0675386916373900
SHA512 75c2b707e7a0afb90a7714516eaba3694b21fe6d036fefcb46c89463e83ee3d8f93769ccefb9498cad5a4911147d91e0d506c2c152dc646a3dcab515bcca7a02

C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe

MD5 1597ffd4b1262d1d25f34f0de7aed129
SHA1 936fcc97ca39f39aaa05635b95da5a7698785546
SHA256 f659031b488c5c105016d60cfc9da09ea0a68f43b957e8b264461e75bcbf6f4b
SHA512 29b611766ee35dbf286a71462d845f54897b21c583e24eeb4cbcf5bc387f2468d0ebdb1712f6fc54b3a122d2a1fec122f7c9af7faeda31e6e0625cdff77d9dad

C:\Users\Admin\AppData\Local\Temp\Cluexwrmdbpntfny.vbs

MD5 6b0154ea182640615f31706030f68c68
SHA1 9ffdfde77609c938a2d34483a9d6066f22bc791b
SHA256 78c821ffafd8ccb109314e16cee0e1e4d69d76aaa87aed8e750d15e7816b1043
SHA512 a815ae4b298510b91a9a06cab1068f85326394b9b250484376058ae127b2d5e97d31f31a0d85a6848200f71f4565c7a5f2934427abec52bc245198e171634e28

C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe

MD5 960586bdf44ca1fcb8e80cd5846a77b6
SHA1 50d76e219c07a9dc6d7fd827c9fe9f3ef050cfcb
SHA256 92e2cc7980fc342c59860a0e6a16c73f10ee3b0caac53530121e89448933d305
SHA512 1e2676c0357d3d1c1177d36816c84c5157956afc2d0ef30aa4fd0ea3aef3150cec31e3a9cdcd31a6d71b8cd2429973e27584e7a9b8003be475c935e31e1a283b

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-27 09:24

Reported

2024-11-27 09:26

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe"

Signatures

Azorult

trojan infostealer azorult

Azorult family

azorult

Oski

infostealer oski

Oski family

oski

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A

Raccoon family

raccoon

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4004 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe C:\Windows\SysWOW64\WScript.exe
PID 4004 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe
PID 4004 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe
PID 1456 wrote to memory of 4780 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe
PID 4780 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe C:\Windows\SysWOW64\WScript.exe
PID 4780 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe
PID 1512 wrote to memory of 1780 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe
PID 1780 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe

Processes

C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe

"C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Njoarrjqwtkcyedoiyokf.vbs"

C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe

C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe

C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe

C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe

C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe

"C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Cluexwrmdbpntfny.vbs"

C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe

C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe

C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe

"C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe"

C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe

C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4476 -ip 4476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1324

Network

Files

C:\Users\Admin\AppData\Local\Temp\Njoarrjqwtkcyedoiyokf.vbs

MD5 affb5ef06d9491a7792bb095d79c76de
SHA1 fa1f67d95cd8c6e92175a013dd85e249e07f58cd
SHA256 ba957adcb69f054612b662976cd85a723a281bac10d7d0df0675386916373900
SHA512 75c2b707e7a0afb90a7714516eaba3694b21fe6d036fefcb46c89463e83ee3d8f93769ccefb9498cad5a4911147d91e0d506c2c152dc646a3dcab515bcca7a02

C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe

MD5 1597ffd4b1262d1d25f34f0de7aed129
SHA1 936fcc97ca39f39aaa05635b95da5a7698785546
SHA256 f659031b488c5c105016d60cfc9da09ea0a68f43b957e8b264461e75bcbf6f4b
SHA512 29b611766ee35dbf286a71462d845f54897b21c583e24eeb4cbcf5bc387f2468d0ebdb1712f6fc54b3a122d2a1fec122f7c9af7faeda31e6e0625cdff77d9dad

C:\Users\Admin\AppData\Local\Temp\Cluexwrmdbpntfny.vbs

MD5 6b0154ea182640615f31706030f68c68
SHA1 9ffdfde77609c938a2d34483a9d6066f22bc791b
SHA256 78c821ffafd8ccb109314e16cee0e1e4d69d76aaa87aed8e750d15e7816b1043
SHA512 a815ae4b298510b91a9a06cab1068f85326394b9b250484376058ae127b2d5e97d31f31a0d85a6848200f71f4565c7a5f2934427abec52bc245198e171634e28

C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe

MD5 960586bdf44ca1fcb8e80cd5846a77b6
SHA1 50d76e219c07a9dc6d7fd827c9fe9f3ef050cfcb
SHA256 92e2cc7980fc342c59860a0e6a16c73f10ee3b0caac53530121e89448933d305
SHA512 1e2676c0357d3d1c1177d36816c84c5157956afc2d0ef30aa4fd0ea3aef3150cec31e3a9cdcd31a6d71b8cd2429973e27584e7a9b8003be475c935e31e1a283b
