Malware Analysis Report

2025-01-03 04:59

Sample ID 241127-rt82dstmbj
Target 64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe
SHA256 64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853
Tags
azorult oski raccoon b76017a227a0d879dec7c76613918569d03892fb discovery infostealer spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853

Threat Level: Known bad

The file 64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe was found to be: Known bad.

Malicious Activity Summary

azorult oski raccoon b76017a227a0d879dec7c76613918569d03892fb discovery infostealer spyware stealer trojan

Oski family

Raccoon family

Oski

Azorult family

Raccoon Stealer V1 payload

Raccoon

Azorult

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-27 14:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-27 14:30

Reported

2024-11-27 14:32

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe"

Signatures

Azorult

trojan infostealer azorult

Azorult family

azorult

Oski

infostealer oski

Oski family

oski

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Raccoon family

raccoon

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4452 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe C:\Windows\SysWOW64\WScript.exe 3
PID 4452 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe 9
PID 1408 wrote to memory of 3344 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe 3
PID 3344 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe C:\Windows\SysWOW64\WScript.exe 3
PID 3344 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe 9
PID 4212 wrote to memory of 1392 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe 3
PID 1392 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe 9

Processes

C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe

"C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Njoarrjqwtkcyedoiyokf.vbs"

C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe

C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe

C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe

"C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Cluexwrmdbpntfny.vbs"

C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe

C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe

C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe

"C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe"

C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe

C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1820 -ip 1820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 1300

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 telegka.top udp
US 104.155.138.21:80 telegka.top tcp
US 8.8.8.8:53 21.138.155.104.in-addr.arpa udp
US 104.155.138.21:80 telegka.top tcp
US 104.155.138.21:80 telegka.top tcp
US 8.8.8.8:53 milsom.ac.ug udp
US 8.8.8.8:53 milsom.ac.ug udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 scarsa.ac.ug udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 107.178.223.183:80 telegka.top tcp
US 8.8.8.8:53 183.223.178.107.in-addr.arpa udp
US 104.155.138.21:80 telegka.top tcp
US 107.178.223.183:80 telegka.top tcp
US 104.155.138.21:80 telegka.top tcp
US 107.178.223.183:80 telegka.top tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 104.155.138.21:80 telegka.top tcp
US 8.8.8.8:53 telegin.top udp
US 8.8.8.8:53 telegin.top udp
US 8.8.8.8:53 telegin.top udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp

Files

memory/4452-0-0x0000000074EAE000-0x0000000074EAF000-memory.dmp

memory/4452-1-0x0000000000A40000-0x0000000000B58000-memory.dmp

memory/4452-2-0x0000000074EAE000-0x0000000074EAF000-memory.dmp

memory/4452-3-0x00000000055C0000-0x00000000056CA000-memory.dmp

memory/4452-6-0x0000000074EA0000-0x0000000075650000-memory.dmp

memory/4452-9-0x0000000005790000-0x00000000057EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Njoarrjqwtkcyedoiyokf.vbs

MD5 affb5ef06d9491a7792bb095d79c76de
SHA1 fa1f67d95cd8c6e92175a013dd85e249e07f58cd
SHA256 ba957adcb69f054612b662976cd85a723a281bac10d7d0df0675386916373900
SHA512 75c2b707e7a0afb90a7714516eaba3694b21fe6d036fefcb46c89463e83ee3d8f93769ccefb9498cad5a4911147d91e0d506c2c152dc646a3dcab515bcca7a02

memory/4540-12-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4540-11-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4540-14-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4540-15-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4452-16-0x0000000074EA0000-0x0000000075650000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe

MD5 1597ffd4b1262d1d25f34f0de7aed129
SHA1 936fcc97ca39f39aaa05635b95da5a7698785546
SHA256 f659031b488c5c105016d60cfc9da09ea0a68f43b957e8b264461e75bcbf6f4b
SHA512 29b611766ee35dbf286a71462d845f54897b21c583e24eeb4cbcf5bc387f2468d0ebdb1712f6fc54b3a122d2a1fec122f7c9af7faeda31e6e0625cdff77d9dad

memory/3344-19-0x0000000000150000-0x00000000001EC000-memory.dmp

memory/4540-20-0x0000000000400000-0x0000000000491000-memory.dmp

memory/3344-21-0x0000000004A70000-0x0000000004B00000-memory.dmp

memory/3344-26-0x0000000004980000-0x00000000049A0000-memory.dmp

memory/3296-28-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cluexwrmdbpntfny.vbs

MD5 6b0154ea182640615f31706030f68c68
SHA1 9ffdfde77609c938a2d34483a9d6066f22bc791b
SHA256 78c821ffafd8ccb109314e16cee0e1e4d69d76aaa87aed8e750d15e7816b1043
SHA512 a815ae4b298510b91a9a06cab1068f85326394b9b250484376058ae127b2d5e97d31f31a0d85a6848200f71f4565c7a5f2934427abec52bc245198e171634e28

memory/3296-31-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe

MD5 960586bdf44ca1fcb8e80cd5846a77b6
SHA1 50d76e219c07a9dc6d7fd827c9fe9f3ef050cfcb
SHA256 92e2cc7980fc342c59860a0e6a16c73f10ee3b0caac53530121e89448933d305
SHA512 1e2676c0357d3d1c1177d36816c84c5157956afc2d0ef30aa4fd0ea3aef3150cec31e3a9cdcd31a6d71b8cd2429973e27584e7a9b8003be475c935e31e1a283b

memory/1392-34-0x0000000000300000-0x0000000000354000-memory.dmp

memory/1392-35-0x0000000004BA0000-0x0000000004BE8000-memory.dmp

memory/1392-36-0x00000000025B0000-0x00000000025D8000-memory.dmp

memory/1820-37-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1820-40-0x0000000000400000-0x0000000000434000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-27 14:30

Reported

2024-11-27 14:32

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe"

Signatures

Azorult

trojan infostealer azorult

Azorult family

azorult

Oski

infostealer oski

Oski family

oski

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Raccoon family

raccoon

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1328 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe C:\Windows\SysWOW64\WScript.exe 4
PID 1284 wrote to memory of 2264 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe 4
PID 1328 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe 10
PID 2264 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe C:\Windows\SysWOW64\WScript.exe 4
PID 2264 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe 4
PID 2264 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe 4
PID 2264 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe 10
PID 2632 wrote to memory of 2704 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe 4
PID 2704 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe 10
PID 384 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe C:\Windows\SysWOW64\WerFault.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe

"C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Njoarrjqwtkcyedoiyokf.vbs"

C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe

"C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe"

C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe

C:\Users\Admin\AppData\Local\Temp\64031ca7bd657708a2fa8f313b6efe98e9f8a893db1d7fd025e09bdcb15a8853.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Cluexwrmdbpntfny.vbs"

C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe

C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe

C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe

C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe

C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe

C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe

C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe

"C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe"

C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe

C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 768

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 telegka.top udp 1
US 104.155.138.21:80 telegka.top tcp 4
US 8.8.8.8:53 milsom.ac.ug udp 1
US 104.155.138.21:80 telegka.top tcp 1
US 8.8.8.8:53 milsom.ac.ug udp 1
US 8.8.8.8:53 scarsa.ac.ug udp 1
US 107.178.223.183:80 telegka.top tcp 1
US 104.155.138.21:80 telegka.top tcp 1
US 8.8.8.8:53 telegin.top udp 1
US 8.8.8.8:53 t.me udp 1
NL 149.154.167.99:443 t.me tcp 10
US 8.8.8.8:53 t.me udp 1
NL 149.154.167.99:443 t.me tcp 2

Files

memory/1328-1-0x0000000000B00000-0x0000000000C18000-memory.dmp

memory/1328-0-0x000000007410E000-0x000000007410F000-memory.dmp

memory/1328-2-0x000000007410E000-0x000000007410F000-memory.dmp

memory/1328-3-0x0000000004940000-0x0000000004A4A000-memory.dmp

memory/1328-6-0x0000000074100000-0x00000000747EE000-memory.dmp

memory/1328-10-0x0000000004790000-0x00000000047EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Njoarrjqwtkcyedoiyokf.vbs

MD5 affb5ef06d9491a7792bb095d79c76de
SHA1 fa1f67d95cd8c6e92175a013dd85e249e07f58cd
SHA256 ba957adcb69f054612b662976cd85a723a281bac10d7d0df0675386916373900
SHA512 75c2b707e7a0afb90a7714516eaba3694b21fe6d036fefcb46c89463e83ee3d8f93769ccefb9498cad5a4911147d91e0d506c2c152dc646a3dcab515bcca7a02

C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe

MD5 1597ffd4b1262d1d25f34f0de7aed129
SHA1 936fcc97ca39f39aaa05635b95da5a7698785546
SHA256 f659031b488c5c105016d60cfc9da09ea0a68f43b957e8b264461e75bcbf6f4b
SHA512 29b611766ee35dbf286a71462d845f54897b21c583e24eeb4cbcf5bc387f2468d0ebdb1712f6fc54b3a122d2a1fec122f7c9af7faeda31e6e0625cdff77d9dad

memory/2720-22-0x0000000000400000-0x0000000000491000-memory.dmp

memory/2720-27-0x0000000000400000-0x0000000000491000-memory.dmp

memory/1328-28-0x0000000074100000-0x00000000747EE000-memory.dmp

memory/2264-26-0x00000000002D0000-0x000000000036C000-memory.dmp

memory/2720-25-0x0000000000400000-0x0000000000491000-memory.dmp

memory/2720-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2720-20-0x0000000000400000-0x0000000000491000-memory.dmp

memory/2720-18-0x0000000000400000-0x0000000000491000-memory.dmp

memory/2720-16-0x0000000000400000-0x0000000000491000-memory.dmp

memory/2720-14-0x0000000000400000-0x0000000000491000-memory.dmp

memory/2264-29-0x00000000047E0000-0x0000000004870000-memory.dmp

memory/2264-34-0x0000000000B30000-0x0000000000B50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cluexwrmdbpntfny.vbs

MD5 6b0154ea182640615f31706030f68c68
SHA1 9ffdfde77609c938a2d34483a9d6066f22bc791b
SHA256 78c821ffafd8ccb109314e16cee0e1e4d69d76aaa87aed8e750d15e7816b1043
SHA512 a815ae4b298510b91a9a06cab1068f85326394b9b250484376058ae127b2d5e97d31f31a0d85a6848200f71f4565c7a5f2934427abec52bc245198e171634e28

C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe

MD5 960586bdf44ca1fcb8e80cd5846a77b6
SHA1 50d76e219c07a9dc6d7fd827c9fe9f3ef050cfcb
SHA256 92e2cc7980fc342c59860a0e6a16c73f10ee3b0caac53530121e89448933d305
SHA512 1e2676c0357d3d1c1177d36816c84c5157956afc2d0ef30aa4fd0ea3aef3150cec31e3a9cdcd31a6d71b8cd2429973e27584e7a9b8003be475c935e31e1a283b

memory/2704-58-0x0000000000C50000-0x0000000000CA4000-memory.dmp

memory/2252-54-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2252-52-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2252-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2252-49-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2252-47-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2252-45-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2252-43-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2252-41-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2704-59-0x00000000002D0000-0x0000000000318000-memory.dmp

memory/2704-60-0x0000000000420000-0x0000000000448000-memory.dmp

memory/384-62-0x0000000000400000-0x0000000000434000-memory.dmp

memory/384-73-0x0000000000400000-0x0000000000434000-memory.dmp

memory/384-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/384-70-0x0000000000400000-0x0000000000434000-memory.dmp

memory/384-68-0x0000000000400000-0x0000000000434000-memory.dmp

memory/384-64-0x0000000000400000-0x0000000000434000-memory.dmp

memory/384-66-0x0000000000400000-0x0000000000434000-memory.dmp

memory/384-75-0x0000000000400000-0x0000000000434000-memory.dmp