Analysis Overview
SHA256
819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4
Threat Level: Known bad
The file 819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe was found to be: Known bad.
Malicious Activity Summary
Azorult
Oski family
Oski
Azorult family
Raccoon
Raccoon family
Raccoon Stealer V1 payload
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-27 09:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-27 09:24
Reported
2024-11-27 09:26
Platform
win7-20240903-en
Max time kernel
117s
Max time network
117s
Command Line
Signatures
Azorult
Azorult family
Oski
Oski family
Raccoon
Raccoon Stealer V1 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Raccoon family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2644 set thread context of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe | C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe |
| PID 2568 set thread context of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe |
| PID 1580 set thread context of 536 | N/A | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe | "C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Njoarrjqwtkcyedoiyokf.vbs" |
| C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe | C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe |
| C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | "C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Cluexwrmdbpntfny.vbs" |
| C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe |
| C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | "C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe" |
| C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 756 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | telegka.top | udp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | milsom.ac.ug | udp |
| US | 8.8.8.8:53 | milsom.ac.ug | udp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | scarsa.ac.ug | udp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | telegin.top | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
Files
memory/2644-0-0x0000000074E1E000-0x0000000074E1F000-memory.dmp
memory/2644-1-0x00000000009C0000-0x0000000000AD8000-memory.dmp
memory/2644-2-0x0000000074E1E000-0x0000000074E1F000-memory.dmp
memory/2644-3-0x0000000004E10000-0x0000000004F1A000-memory.dmp
memory/2644-6-0x0000000074E10000-0x00000000754FE000-memory.dmp
memory/2644-10-0x0000000002190000-0x00000000021EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Njoarrjqwtkcyedoiyokf.vbs
| MD5 | affb5ef06d9491a7792bb095d79c76de |
| SHA1 | fa1f67d95cd8c6e92175a013dd85e249e07f58cd |
| SHA256 | ba957adcb69f054612b662976cd85a723a281bac10d7d0df0675386916373900 |
| SHA512 | 75c2b707e7a0afb90a7714516eaba3694b21fe6d036fefcb46c89463e83ee3d8f93769ccefb9498cad5a4911147d91e0d506c2c152dc646a3dcab515bcca7a02 |
memory/2136-11-0x0000000000400000-0x0000000000491000-memory.dmp
memory/2136-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2136-13-0x0000000000400000-0x0000000000491000-memory.dmp
memory/2136-27-0x0000000000400000-0x0000000000491000-memory.dmp
memory/2136-25-0x0000000000400000-0x0000000000491000-memory.dmp
memory/2136-23-0x0000000000400000-0x0000000000491000-memory.dmp
memory/2136-19-0x0000000000400000-0x0000000000491000-memory.dmp
memory/2136-17-0x0000000000400000-0x0000000000491000-memory.dmp
memory/2136-15-0x0000000000400000-0x0000000000491000-memory.dmp
memory/2568-31-0x0000000000810000-0x00000000008AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe
| MD5 | 1597ffd4b1262d1d25f34f0de7aed129 |
| SHA1 | 936fcc97ca39f39aaa05635b95da5a7698785546 |
| SHA256 | f659031b488c5c105016d60cfc9da09ea0a68f43b957e8b264461e75bcbf6f4b |
| SHA512 | 29b611766ee35dbf286a71462d845f54897b21c583e24eeb4cbcf5bc387f2468d0ebdb1712f6fc54b3a122d2a1fec122f7c9af7faeda31e6e0625cdff77d9dad |
memory/2644-28-0x0000000074E10000-0x00000000754FE000-memory.dmp
memory/2568-32-0x0000000004620000-0x00000000046B0000-memory.dmp
memory/2136-33-0x0000000000400000-0x0000000000491000-memory.dmp
memory/2568-38-0x00000000041C0000-0x00000000041E0000-memory.dmp
memory/2396-48-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2396-51-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2396-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2396-54-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cluexwrmdbpntfny.vbs
| MD5 | 6b0154ea182640615f31706030f68c68 |
| SHA1 | 9ffdfde77609c938a2d34483a9d6066f22bc791b |
| SHA256 | 78c821ffafd8ccb109314e16cee0e1e4d69d76aaa87aed8e750d15e7816b1043 |
| SHA512 | a815ae4b298510b91a9a06cab1068f85326394b9b250484376058ae127b2d5e97d31f31a0d85a6848200f71f4565c7a5f2934427abec52bc245198e171634e28 |
memory/2396-46-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe
| MD5 | 960586bdf44ca1fcb8e80cd5846a77b6 |
| SHA1 | 50d76e219c07a9dc6d7fd827c9fe9f3ef050cfcb |
| SHA256 | 92e2cc7980fc342c59860a0e6a16c73f10ee3b0caac53530121e89448933d305 |
| SHA512 | 1e2676c0357d3d1c1177d36816c84c5157956afc2d0ef30aa4fd0ea3aef3150cec31e3a9cdcd31a6d71b8cd2429973e27584e7a9b8003be475c935e31e1a283b |
memory/1580-58-0x0000000000870000-0x00000000008C4000-memory.dmp
memory/2396-44-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2396-42-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2396-40-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1580-59-0x00000000001E0000-0x0000000000228000-memory.dmp
memory/1580-60-0x0000000000490000-0x00000000004B8000-memory.dmp
memory/536-75-0x0000000000400000-0x0000000000434000-memory.dmp
memory/536-73-0x0000000000400000-0x0000000000434000-memory.dmp
memory/536-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/536-70-0x0000000000400000-0x0000000000434000-memory.dmp
memory/536-68-0x0000000000400000-0x0000000000434000-memory.dmp
memory/536-66-0x0000000000400000-0x0000000000434000-memory.dmp
memory/536-64-0x0000000000400000-0x0000000000434000-memory.dmp
memory/536-62-0x0000000000400000-0x0000000000434000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-27 09:24
Reported
2024-11-27 09:26
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
94s
Command Line
Signatures
Azorult
Azorult family
Oski
Oski family
Raccoon
Raccoon Stealer V1 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Raccoon family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4004 set thread context of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe | C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe |
| PID 4780 set thread context of 3676 | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe |
| PID 1780 set thread context of 4476 | N/A | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe | "C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Njoarrjqwtkcyedoiyokf.vbs" |
| C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe | C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe |
| C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe | C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe |
| C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | "C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Cluexwrmdbpntfny.vbs" |
| C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe |
| C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | "C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe" |
| C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4476 -ip 4476 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1324 |
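Both runs show the same chain: each stage spawns a second copy of its own image and calls SetThreadContext on it ("PID 2644 set thread context of 2136", "PID 4780 set thread context of 3676", and so on), while a WScript.exe child executes a .vbs dropped in the user's Temp directory. The following detection logic is an added example and is not part of the sandbox report. The Event schema is an assumption (it is not any EDR product's format), and the EVENTS list is constructed from the behavioral1 run: PIDs 2644/2136, 2568/2396 and 1580/536, the image paths and the WScript and WerFault command lines are taken from the report, whereas the parent of the first sample, the parent of each dropped EXE, and the WScript and WerFault PIDs are assumed because the report does not state them.

```python
"""Detect the parent->same-image-child SetThreadContext pattern and the
Temp-resident .vbs script-host launch seen in this report.

Added example, not part of the sandbox report. Event schema is assumed;
EVENTS is constructed from the behavioral1 run (see the lead-in for which
fields are taken from the report and which are assumptions).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Event:
    kind: str                         # "process_create" or "set_thread_context"
    pid: int
    image: str
    parent_pid: Optional[int] = None
    cmdline: str = ""
    target_pid: Optional[int] = None  # set_thread_context only


TEMP_DIR = r"c:\users\admin\appdata\local\temp"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
VBS_ARG = re.compile(r'"([^"]+\.vbs)"', re.IGNORECASE)


def image_name(path: str) -> str:
    """Case-folded file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Tuple]:
    """Run two rules over a stream of process events.

    self_hollowing: a process calls SetThreadContext on a child it created
    whose image is the same file as its own (the report's
    "PID 2644 set thread context of 2136" rows). A debugger attaching to a
    different image, or a parent that merely spawns itself, does not fire.
    script_host_vbs_from_temp: wscript/cscript launched with a .vbs whose
    path lies under the user's Temp directory.
    """
    procs = {e.pid: e for e in events if e.kind == "process_create"}
    findings = []
    for e in events:
        if e.kind == "process_create" and image_name(e.image) in SCRIPT_HOSTS:
            m = VBS_ARG.search(e.cmdline)
            if m and m.group(1).lower().startswith(TEMP_DIR):
                findings.append(("script_host_vbs_from_temp", e.pid, m.group(1)))
        elif e.kind == "set_thread_context":
            src, tgt = procs.get(e.pid), procs.get(e.target_pid)
            if (src and tgt and tgt.parent_pid == e.pid
                    and image_name(src.image) == image_name(tgt.image)):
                findings.append(("self_hollowing", e.pid, e.target_pid))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\819b1ae66729ce9fd537de21b5d85ef5710886f7fc9c475904b0dd0aaf14abe4N.exe"
DROP17 = r"C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe"
DROP4 = r"C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe"
WSCRIPT = r"C:\Windows\SysWOW64\WScript.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed event stream mirroring behavioral1. PIDs marked "assumed" are
# not in the report; the rest are.
EVENTS = [
    Event("process_create", 2644, SAMPLE, parent_pid=1000),            # parent 1000 assumed
    Event("process_create", 2700, WSCRIPT, parent_pid=2644,             # PID 2700 assumed
          cmdline=r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Njoarrjqwtkcyedoiyokf.vbs"'),
    Event("process_create", 2136, SAMPLE, parent_pid=2644),
    Event("set_thread_context", 2644, SAMPLE, target_pid=2136),
    Event("process_create", 2568, DROP17, parent_pid=2136),             # parent assumed
    Event("process_create", 2720, WSCRIPT, parent_pid=2568,             # PID 2720 assumed
          cmdline=r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Cluexwrmdbpntfny.vbs"'),
    Event("process_create", 2396, DROP17, parent_pid=2568),
    Event("set_thread_context", 2568, DROP17, target_pid=2396),
    Event("process_create", 1580, DROP4, parent_pid=2396),              # parent assumed
    Event("process_create", 536, DROP4, parent_pid=1580),
    Event("set_thread_context", 1580, DROP4, target_pid=536),
    Event("process_create", 2800, WERFAULT, parent_pid=536,             # PID 2800 assumed
          cmdline=r"C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 756"),
]

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Requiring the target to be a child of the caller and to share the caller's image keeps the rule narrow: the report's three parent/child pairs fire, while a debugger setting thread context on an unrelated image does not. The crash handled by WerFault.exe at the end of the chain (child 536 here, 4476 in the Win10 run) is a useful secondary signal that the injected payload faulted, but it is not part of the rule.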
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | telegka.top | udp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | 21.138.155.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | milsom.ac.ug | udp |
| US | 8.8.8.8:53 | milsom.ac.ug | udp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | scarsa.ac.ug | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | telegin.top | udp |
| US | 8.8.8.8:53 | 183.223.178.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | telegin.top | udp |
| US | 8.8.8.8:53 | telegin.top | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
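The network tables of both runs mix attacker-chosen names (telegka.top, telegin.top, milsom.ac.ug, scarsa.ac.ug), sandbox noise (reverse lookups under in-addr.arpa, the 8.8.8.8 resolver) and shared infrastructure (t.me). The following triage helper is an added example and not part of the sandbox report: it parses rows in the report's own table layout into a short IOC list, and separates names that were only resolved from names that received a TCP connection, since a resolved-but-never-contacted domain usually means the lookup failed or the sample fell through a C2 list. The NETWORK_TABLE rows are copied from the two tables above (deduplicated); the RESOLVERS and SHARED sets are analyst assumptions, not something the report states.

```python
"""Turn the report's Network table rows into a deduplicated IOC summary.

Added example, not part of the sandbox report. NETWORK_TABLE rows are
copied from the behavioral1 and behavioral2 tables; RESOLVERS and SHARED
are analyst assumptions about what is not attacker-controlled.
"""
import re
from collections import defaultdict
from typing import Dict, Iterator, List

# Rows copied from the report's two Network tables (duplicates dropped).
NETWORK_TABLE = """\
| US | 8.8.8.8:53 | telegka.top | udp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | milsom.ac.ug | udp |
| US | 8.8.8.8:53 | scarsa.ac.ug | udp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | telegin.top | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
"""

ROW = re.compile(
    r"^\|\s*(\w{2})\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|]+?)\s*\|\s*(tcp|udp)\s*\|$"
)
RESOLVERS = {"8.8.8.8"}   # assumption: the sandbox's DNS resolver, not an IOC
SHARED = {"t.me"}         # assumption: Telegram front end; report it, don't block it as C2


def parse_rows(text: str) -> Iterator[Dict]:
    """Yield one dict per well-formed "| CC | ip:port | domain | proto |" row."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield {"country": m[1], "ip": m[2], "port": int(m[3]),
                   "domain": m[4], "proto": m[5]}


def extract_iocs(text: str) -> Dict[str, object]:
    """Split rows into connected C2 candidates, resolved-only names and shared infra."""
    lookups = set()
    connections: Dict[str, set] = defaultdict(set)
    for r in parse_rows(text):
        if r["domain"].endswith(".in-addr.arpa"):
            continue  # sandbox reverse lookups of peers it already talked to
        if r["ip"] in RESOLVERS and r["port"] == 53:
            lookups.add(r["domain"])
        else:
            connections[r["domain"]].add(f'{r["ip"]}:{r["port"]}')
    return {
        "connected": {d: sorted(v) for d, v in connections.items() if d not in SHARED},
        "resolved_only": sorted(d for d in lookups if d not in connections),
        "shared": sorted(d for d in connections if d in SHARED),
    }


def as_blocklist(iocs: Dict[str, object]) -> List[str]:
    """Flat list of domains and ip:port pairs worth blocking outright."""
    out: List[str] = []
    for domain, endpoints in sorted(iocs["connected"].items()):
        out.append(domain)
        out.extend(endpoints)
    out.extend(iocs["resolved_only"])
    return out


if __name__ == "__main__":
    summary = extract_iocs(NETWORK_TABLE)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("blocklist:", as_blocklist(summary))
```

On the rows above the only domain that received connections is telegka.top, on two different IPs in the two runs (107.178.223.183 and 104.155.138.21), so the domain is the durable indicator and the IPs are secondary. t.me ends up in the shared bucket: blocking it by IP would hit legitimate users, so the Telegram page fetch is better caught by the process that made it (an unsigned Temp-resident EXE) than by the destination.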
Files
memory/4004-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp
memory/4004-1-0x0000000000510000-0x0000000000628000-memory.dmp
memory/4004-2-0x0000000074BDE000-0x0000000074BDF000-memory.dmp
memory/4004-3-0x0000000004EF0000-0x0000000004FFA000-memory.dmp
memory/4004-6-0x0000000074BD0000-0x0000000075380000-memory.dmp
memory/4004-9-0x0000000005000000-0x000000000505A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Njoarrjqwtkcyedoiyokf.vbs
| MD5 | affb5ef06d9491a7792bb095d79c76de |
| SHA1 | fa1f67d95cd8c6e92175a013dd85e249e07f58cd |
| SHA256 | ba957adcb69f054612b662976cd85a723a281bac10d7d0df0675386916373900 |
| SHA512 | 75c2b707e7a0afb90a7714516eaba3694b21fe6d036fefcb46c89463e83ee3d8f93769ccefb9498cad5a4911147d91e0d506c2c152dc646a3dcab515bcca7a02 |
memory/1932-11-0x0000000000400000-0x0000000000491000-memory.dmp
memory/1932-12-0x0000000000400000-0x0000000000491000-memory.dmp
memory/1932-14-0x0000000000400000-0x0000000000491000-memory.dmp
memory/4004-15-0x0000000074BD0000-0x0000000075380000-memory.dmp
memory/1932-16-0x0000000000400000-0x0000000000491000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe
| MD5 | 1597ffd4b1262d1d25f34f0de7aed129 |
| SHA1 | 936fcc97ca39f39aaa05635b95da5a7698785546 |
| SHA256 | f659031b488c5c105016d60cfc9da09ea0a68f43b957e8b264461e75bcbf6f4b |
| SHA512 | 29b611766ee35dbf286a71462d845f54897b21c583e24eeb4cbcf5bc387f2468d0ebdb1712f6fc54b3a122d2a1fec122f7c9af7faeda31e6e0625cdff77d9dad |
memory/4780-19-0x0000000000050000-0x00000000000EC000-memory.dmp
memory/1932-20-0x0000000000400000-0x0000000000491000-memory.dmp
memory/4780-21-0x0000000004870000-0x0000000004900000-memory.dmp
memory/4780-26-0x0000000004910000-0x0000000004930000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cluexwrmdbpntfny.vbs
| MD5 | 6b0154ea182640615f31706030f68c68 |
| SHA1 | 9ffdfde77609c938a2d34483a9d6066f22bc791b |
| SHA256 | 78c821ffafd8ccb109314e16cee0e1e4d69d76aaa87aed8e750d15e7816b1043 |
| SHA512 | a815ae4b298510b91a9a06cab1068f85326394b9b250484376058ae127b2d5e97d31f31a0d85a6848200f71f4565c7a5f2934427abec52bc245198e171634e28 |
memory/3676-30-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3676-28-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe
| MD5 | 960586bdf44ca1fcb8e80cd5846a77b6 |
| SHA1 | 50d76e219c07a9dc6d7fd827c9fe9f3ef050cfcb |
| SHA256 | 92e2cc7980fc342c59860a0e6a16c73f10ee3b0caac53530121e89448933d305 |
| SHA512 | 1e2676c0357d3d1c1177d36816c84c5157956afc2d0ef30aa4fd0ea3aef3150cec31e3a9cdcd31a6d71b8cd2429973e27584e7a9b8003be475c935e31e1a283b |
memory/1780-34-0x0000000000060000-0x00000000000B4000-memory.dmp
memory/3676-35-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1780-36-0x0000000004A60000-0x0000000004AA8000-memory.dmp
memory/1780-37-0x0000000004860000-0x0000000004888000-memory.dmp
memory/4476-38-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4476-41-0x0000000000400000-0x0000000000434000-memory.dmp