Analysis Overview
SHA256
64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853
Threat Level: Known bad
The file 64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe was found to be: Known bad.
Malicious Activity Summary
Oski family
Raccoon family
Oski
Azorult family
Raccoon Stealer V1 payload
Raccoon
Azorult
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-27 14:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-27 14:30
Reported
2024-11-27 14:32
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Azorult
Azorult family
Oski
Oski family
Raccoon
Raccoon Stealer V1 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Raccoon family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4452 set thread context of 4540 | N/A | C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe | C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe |
| PID 3344 set thread context of 3296 | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe |
| PID 1392 set thread context of 1820 | N/A | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe
"C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Njoarrjqwtkcyedoiyokf.vbs"
C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe
C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe
C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe
"C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Cluexwrmdbpntfny.vbs"
C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe
C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe
C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe
"C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe"
C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe
C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1820 -ip 1820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 1300
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | telegka.top | udp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | 21.138.155.104.in-addr.arpa | udp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | milsom.ac.ug | udp |
| US | 8.8.8.8:53 | milsom.ac.ug | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | scarsa.ac.ug | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | 183.223.178.107.in-addr.arpa | udp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | telegin.top | udp |
| US | 8.8.8.8:53 | telegin.top | udp |
| US | 8.8.8.8:53 | telegin.top | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
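Reading the Network table above takes some filtering: the many `*.in-addr.arpa` queries are the sandbox's own reverse lookups of addresses it has just seen (21.138.155.104.in-addr.arpa is the PTR name for 104.155.138.21), three domains (milsom.ac.ug, scarsa.ac.ug, telegin.top) are queried but never connected to, and t.me is Telegram's public site rather than attacker-owned infrastructure. Raccoon Stealer V1 is widely documented to fetch its gate address from a Telegram channel page, which is consistent with the t.me fetch, but the report shows no HTTP content, so which payload used which host cannot be confirmed from this page. The Python below is an added example, not part of the sandbox output; it parses a constructed subset of the rows, separates resolver noise from contacted hosts, and emits an indicator list that keeps shared services out of the block set. The resolver address and the shared-service allowlist are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the behavioral2 Network rows shown above.
NETWORK_ROWS = """
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | telegka.top | udp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | 21.138.155.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | milsom.ac.ug | udp |
| US | 8.8.8.8:53 | scarsa.ac.ug | udp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | 183.223.178.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | telegin.top | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
"""

ROW = re.compile(r"\|\s*([A-Z]{2})\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(tcp|udp)\s*\|")
RESOLVERS = {"8.8.8.8"}        # assumption: the sandbox's DNS server, taken from the rows
SHARED_SERVICES = {"t.me"}     # assumption: legitimate services an attacker abuses but we must not block


def ptr_to_ip(name):
    """'21.138.155.104.in-addr.arpa' -> '104.155.138.21' (PTR names carry the octets reversed)."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def triage(rows):
    queried, connected, ptr_lookups = set(), defaultdict(set), set()
    for m in ROW.finditer(rows):
        _country, ip, port, domain, proto = m.groups()
        if domain.endswith(".in-addr.arpa"):
            ptr_lookups.add(ptr_to_ip(domain))                 # reverse lookup, not a contact
        elif proto == "udp" and port == "53" and ip in RESOLVERS:
            queried.add(domain)                                # forward lookup only
        else:
            connected[domain].add((ip, int(port), proto))      # an actual connection
    contacted_ips = {ip for peers in connected.values() for ip, _, _ in peers}
    return {
        "contacted": {d: sorted(v) for d, v in connected.items()},
        # queried but never connected: failed resolution, sinkhole or dead C2; still worth hunting
        "resolved_only": sorted(queried - set(connected)),
        # PTR lookups of IPs the sample talked to are the sandbox resolving its own connections
        "ptr_of_contacted": sorted(ptr_lookups & contacted_ips),
        "ptr_unexplained": sorted(ptr_lookups - contacted_ips),
        "shared_services": sorted(d for d in connected if d in SHARED_SERVICES),
    }


def indicators(rows):
    """Flat blocklist: attacker domains (contacted or merely resolved) and contacted IPs,
    with shared services left out so the list can be applied without collateral damage."""
    t = triage(rows)
    domains = [d for d in sorted(t["contacted"]) if d not in SHARED_SERVICES] + t["resolved_only"]
    ips = sorted({ip for d, peers in t["contacted"].items() if d not in SHARED_SERVICES
                  for ip, _, _ in peers})
    return [f"domain:{d}" for d in domains] + [f"ip:{ip}" for ip in ips]


if __name__ == "__main__":
    for k, v in triage(NETWORK_ROWS).items():
        print(f"{k}: {v}")
    print(indicators(NETWORK_ROWS))
```

The `ptr_unexplained` bucket (here 20.49.150.241, looked up but never contacted in the sampled rows) is where to look for connections the table does not show, for example traffic by a process the sandbox did not attribute; it is not evidence on its own.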
Files
memory/4452-0-0x0000000074EAE000-0x0000000074EAF000-memory.dmp
memory/4452-1-0x0000000000A40000-0x0000000000B58000-memory.dmp
memory/4452-2-0x0000000074EAE000-0x0000000074EAF000-memory.dmp
memory/4452-3-0x00000000055C0000-0x00000000056CA000-memory.dmp
memory/4452-6-0x0000000074EA0000-0x0000000075650000-memory.dmp
memory/4452-9-0x0000000005790000-0x00000000057EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Njoarrjqwtkcyedoiyokf.vbs
| MD5 | affb5ef06d9491a7792bb095d79c76de |
| SHA1 | fa1f67d95cd8c6e92175a013dd85e249e07f58cd |
| SHA256 | ba957adcb69f054612b662976cd85a723a281bac10d7d0df0675386916373900 |
| SHA512 | 75c2b707e7a0afb90a7714516eaba3694b21fe6d036fefcb46c89463e83ee3d8f93769ccefb9498cad5a4911147d91e0d506c2c152dc646a3dcab515bcca7a02 |
memory/4540-12-0x0000000000400000-0x0000000000491000-memory.dmp
memory/4540-11-0x0000000000400000-0x0000000000491000-memory.dmp
memory/4540-14-0x0000000000400000-0x0000000000491000-memory.dmp
memory/4540-15-0x0000000000400000-0x0000000000491000-memory.dmp
memory/4452-16-0x0000000074EA0000-0x0000000075650000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe
| MD5 | 1597ffd4b1262d1d25f34f0de7aed129 |
| SHA1 | 936fcc97ca39f39aaa05635b95da5a7698785546 |
| SHA256 | f659031b488c5c105016d60cfc9da09ea0a68f43b957e8b264461e75bcbf6f4b |
| SHA512 | 29b611766ee35dbf286a71462d845f54897b21c583e24eeb4cbcf5bc387f2468d0ebdb1712f6fc54b3a122d2a1fec122f7c9af7faeda31e6e0625cdff77d9dad |
memory/3344-19-0x0000000000150000-0x00000000001EC000-memory.dmp
memory/4540-20-0x0000000000400000-0x0000000000491000-memory.dmp
memory/3344-21-0x0000000004A70000-0x0000000004B00000-memory.dmp
memory/3344-26-0x0000000004980000-0x00000000049A0000-memory.dmp
memory/3296-28-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cluexwrmdbpntfny.vbs
| MD5 | 6b0154ea182640615f31706030f68c68 |
| SHA1 | 9ffdfde77609c938a2d34483a9d6066f22bc791b |
| SHA256 | 78c821ffafd8ccb109314e16cee0e1e4d69d76aaa87aed8e750d15e7816b1043 |
| SHA512 | a815ae4b298510b91a9a06cab1068f85326394b9b250484376058ae127b2d5e97d31f31a0d85a6848200f71f4565c7a5f2934427abec52bc245198e171634e28 |
memory/3296-31-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe
| MD5 | 960586bdf44ca1fcb8e80cd5846a77b6 |
| SHA1 | 50d76e219c07a9dc6d7fd827c9fe9f3ef050cfcb |
| SHA256 | 92e2cc7980fc342c59860a0e6a16c73f10ee3b0caac53530121e89448933d305 |
| SHA512 | 1e2676c0357d3d1c1177d36816c84c5157956afc2d0ef30aa4fd0ea3aef3150cec31e3a9cdcd31a6d71b8cd2429973e27584e7a9b8003be475c935e31e1a283b |
memory/1392-34-0x0000000000300000-0x0000000000354000-memory.dmp
memory/1392-35-0x0000000004BA0000-0x0000000004BE8000-memory.dmp
memory/1392-36-0x00000000025B0000-0x00000000025D8000-memory.dmp
memory/1820-37-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1820-40-0x0000000000400000-0x0000000000434000-memory.dmp
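The "Suspicious use of SetThreadContext" rows, the WerFault command lines in the process list and the memory dump names above describe one pattern three times: each dropper launches a second copy of its own image (source and target image are identical), writes a payload into it and redirects its thread with SetThreadContext, which is the classic process-hollowing sequence. The dumps for the three child PIDs (4540, 3296, 1820) all start at 0x400000 and have three different sizes (0x91000, 0x20000, 0x34000), so three distinct payloads were written, and WerFault's `-p 1820` shows that the third hollowed child is the one that crashed. The Python below is an added example, not part of the sandbox output; it parses constructed copies of those rows and filenames to produce, per hollowed child, its parent, the injected region to carve from the dump and whether it crashed. Which payload belongs to which of the three flagged families is not claimed; the report does not say.

```python
import re
from collections import defaultdict

# Constructed sample input, copied from the behavioral2 (win10) section above.
SET_THREAD_CONTEXT_ROWS = r"""
| PID 4452 set thread context of 4540 | N/A | C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe | C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe |
| PID 3344 set thread context of 3296 | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe |
| PID 1392 set thread context of 1820 | N/A | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe |
"""

MEMORY_DUMPS = """
memory/4452-1-0x0000000000A40000-0x0000000000B58000-memory.dmp
memory/4540-12-0x0000000000400000-0x0000000000491000-memory.dmp
memory/4540-11-0x0000000000400000-0x0000000000491000-memory.dmp
memory/3344-19-0x0000000000150000-0x00000000001EC000-memory.dmp
memory/3296-28-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3296-31-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1392-34-0x0000000000300000-0x0000000000354000-memory.dmp
memory/1820-37-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1820-40-0x0000000000400000-0x0000000000434000-memory.dmp
"""

WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1820 -ip 1820",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 1300",
]

ROW_RE = re.compile(
    r"\|\s*PID (\d+) set thread context of (\d+)\s*\|[^|]*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
WERFAULT_PID_RE = re.compile(r"WerFault\.exe\b.*?\s-p\s+(\d+)")   # '-pss' does not match '-p '


def parse_injections(rows):
    """One record per SetThreadContext row; self_hollow is True when source and target image agree."""
    out = []
    for m in ROW_RE.finditer(rows):
        src, dst, src_img, dst_img = m.groups()
        out.append({"parent": int(src), "child": int(dst),
                    "parent_image": src_img, "child_image": dst_img,
                    "self_hollow": src_img.lower() == dst_img.lower()})
    return out


def parse_dumps(listing):
    """pid -> set of (start, end) regions the sandbox dumped for that process."""
    regions = defaultdict(set)
    for m in DUMP_RE.finditer(listing):
        pid, lo, hi = m.groups()
        regions[int(pid)].add((int(lo, 16), int(hi, 16)))
    return regions


def crashed_pids(cmdlines):
    """PIDs WerFault was invoked for (the -p argument)."""
    return {int(m.group(1)) for c in cmdlines if (m := WERFAULT_PID_RE.search(c))}


def hollowed_children(rows, listing, cmdlines):
    regions, crashed, result = parse_dumps(listing), crashed_pids(cmdlines), {}
    for inj in parse_injections(rows):
        child = inj["child"]
        # every snapshot of a child covers the same region; take the largest to be safe
        lo, hi = max(regions.get(child, {(0, 0)}), key=lambda r: r[1] - r[0])
        result[child] = {
            "parent": inj["parent"],
            "image": inj["child_image"].rsplit("\\", 1)[-1],
            "self_hollow": inj["self_hollow"],
            "payload_base": lo,
            "payload_size": hi - lo,
            "crashed": child in crashed,
        }
    return result


if __name__ == "__main__":
    for pid, info in hollowed_children(SET_THREAD_CONTEXT_ROWS, MEMORY_DUMPS, WERFAULT_CMDLINES).items():
        print(pid, info["image"], hex(info["payload_base"]), hex(info["payload_size"]),
              "crashed" if info["crashed"] else "ran")
```

The regions this reports (base and size per child) are the ones to extract from the corresponding `memory/<pid>-*.dmp` files for static triage of the unpacked payloads; the parent processes' dumps at other bases are the droppers themselves.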
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-27 14:30
Reported
2024-11-27 14:32
Platform
win7-20240903-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Azorult
Azorult family
Oski
Oski family
Raccoon
Raccoon Stealer V1 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Raccoon family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1328 set thread context of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe | C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe |
| PID 2264 set thread context of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe |
| PID 2704 set thread context of 384 | N/A | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe
"C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Njoarrjqwtkcyedoiyokf.vbs"
C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe
"C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe"
C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe
C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Cluexwrmdbpntfny.vbs"
C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe
C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe
C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe
C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe
C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe
C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe
C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe
"C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe"
C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe
C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 768
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | telegka.top | udp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | milsom.ac.ug | udp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | milsom.ac.ug | udp |
| US | 8.8.8.8:53 | scarsa.ac.ug | udp |
| US | 107.178.223.183:80 | telegka.top | tcp |
| US | 104.155.138.21:80 | telegka.top | tcp |
| US | 8.8.8.8:53 | telegin.top | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
Files
memory/1328-1-0x0000000000B00000-0x0000000000C18000-memory.dmp
memory/1328-0-0x000000007410E000-0x000000007410F000-memory.dmp
memory/1328-2-0x000000007410E000-0x000000007410F000-memory.dmp
memory/1328-3-0x0000000004940000-0x0000000004A4A000-memory.dmp
memory/1328-6-0x0000000074100000-0x00000000747EE000-memory.dmp
memory/1328-10-0x0000000004790000-0x00000000047EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Njoarrjqwtkcyedoiyokf.vbs
| MD5 | affb5ef06d9491a7792bb095d79c76de |
| SHA1 | fa1f67d95cd8c6e92175a013dd85e249e07f58cd |
| SHA256 | ba957adcb69f054612b662976cd85a723a281bac10d7d0df0675386916373900 |
| SHA512 | 75c2b707e7a0afb90a7714516eaba3694b21fe6d036fefcb46c89463e83ee3d8f93769ccefb9498cad5a4911147d91e0d506c2c152dc646a3dcab515bcca7a02 |
C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe
| MD5 | 1597ffd4b1262d1d25f34f0de7aed129 |
| SHA1 | 936fcc97ca39f39aaa05635b95da5a7698785546 |
| SHA256 | f659031b488c5c105016d60cfc9da09ea0a68f43b957e8b264461e75bcbf6f4b |
| SHA512 | 29b611766ee35dbf286a71462d845f54897b21c583e24eeb4cbcf5bc387f2468d0ebdb1712f6fc54b3a122d2a1fec122f7c9af7faeda31e6e0625cdff77d9dad |
memory/2720-22-0x0000000000400000-0x0000000000491000-memory.dmp
memory/2720-27-0x0000000000400000-0x0000000000491000-memory.dmp
memory/1328-28-0x0000000074100000-0x00000000747EE000-memory.dmp
memory/2264-26-0x00000000002D0000-0x000000000036C000-memory.dmp
memory/2720-25-0x0000000000400000-0x0000000000491000-memory.dmp
memory/2720-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2720-20-0x0000000000400000-0x0000000000491000-memory.dmp
memory/2720-18-0x0000000000400000-0x0000000000491000-memory.dmp
memory/2720-16-0x0000000000400000-0x0000000000491000-memory.dmp
memory/2720-14-0x0000000000400000-0x0000000000491000-memory.dmp
memory/2264-29-0x00000000047E0000-0x0000000004870000-memory.dmp
memory/2264-34-0x0000000000B30000-0x0000000000B50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cluexwrmdbpntfny.vbs
| MD5 | 6b0154ea182640615f31706030f68c68 |
| SHA1 | 9ffdfde77609c938a2d34483a9d6066f22bc791b |
| SHA256 | 78c821ffafd8ccb109314e16cee0e1e4d69d76aaa87aed8e750d15e7816b1043 |
| SHA512 | a815ae4b298510b91a9a06cab1068f85326394b9b250484376058ae127b2d5e97d31f31a0d85a6848200f71f4565c7a5f2934427abec52bc245198e171634e28 |
C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe
| MD5 | 960586bdf44ca1fcb8e80cd5846a77b6 |
| SHA1 | 50d76e219c07a9dc6d7fd827c9fe9f3ef050cfcb |
| SHA256 | 92e2cc7980fc342c59860a0e6a16c73f10ee3b0caac53530121e89448933d305 |
| SHA512 | 1e2676c0357d3d1c1177d36816c84c5157956afc2d0ef30aa4fd0ea3aef3150cec31e3a9cdcd31a6d71b8cd2429973e27584e7a9b8003be475c935e31e1a283b |
memory/2704-58-0x0000000000C50000-0x0000000000CA4000-memory.dmp
memory/2252-54-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2252-52-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2252-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2252-49-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2252-47-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2252-45-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2252-43-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2252-41-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2704-59-0x00000000002D0000-0x0000000000318000-memory.dmp
memory/2704-60-0x0000000000420000-0x0000000000448000-memory.dmp
memory/384-62-0x0000000000400000-0x0000000000434000-memory.dmp
memory/384-73-0x0000000000400000-0x0000000000434000-memory.dmp
memory/384-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/384-70-0x0000000000400000-0x0000000000434000-memory.dmp
memory/384-68-0x0000000000400000-0x0000000000434000-memory.dmp
memory/384-64-0x0000000000400000-0x0000000000434000-memory.dmp
memory/384-66-0x0000000000400000-0x0000000000434000-memory.dmp
memory/384-75-0x0000000000400000-0x0000000000434000-memory.dmp