Analysis Overview
SHA256
1b9339d0a70cdef37f4827a81100f9e8158a5633dc8b7a2c3b616f070ce49b5d
Threat Level: Known bad
The file 96af9bc7db122e2486c0c1f1b90faacc was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
ZGRat
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
UPX packed file
Suspicious use of SetThreadContext
Drops file in System32 directory
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-12 08:08
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-12 08:08
Reported
2024-02-12 08:11
Platform
win7-20231215-en
Max time kernel
128s
Max time network
123s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ZGRat
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BBLb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BBLb.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BBLb.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2476 set thread context of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe | C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe |
| PID 2808 set thread context of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe | C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe |
| PID 816 set thread context of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\BBLb.exe | C:\Users\Admin\AppData\Local\Temp\BBLb.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BBLb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BBLb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe
"C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe"
C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe
"C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe"
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
"C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe" 0
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
"C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe" 0
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
"C:\Users\Admin\AppData\Local\Temp\BBLb.exe"
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 124
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {28965341-BA25-4A85-9653-A38C99C1CD7A} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:S4U:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hubvera.ac.ug | udp |
| RU | 91.215.85.223:80 | hubvera.ac.ug | tcp |
| US | 8.8.8.8:53 | ddlakava.ac.ug | udp |
| US | 8.8.8.8:53 | bit.do | udp |
| US | 23.21.31.78:80 | bit.do | tcp |
| US | 23.21.31.78:80 | bit.do | tcp |
| US | 8.8.8.8:53 | rebrand.ly | udp |
| US | 15.197.137.111:80 | rebrand.ly | tcp |
| US | 8.8.8.8:53 | fran.ac.ug | udp |
| US | 8.8.8.8:53 | fransceysse.ac.ug | udp |
| US | 8.8.8.8:53 | tinyurl.com | udp |
| US | 104.20.138.65:80 | tinyurl.com | tcp |
| US | 8.8.8.8:53 | kode.ac.ug | udp |
| US | 8.8.8.8:53 | kodekode.ac.ug | udp |
| US | 8.8.8.8:53 | tuekisa.ac.ug | udp |
| US | 8.8.8.8:53 | partadino.ac.ug | udp |
| RU | 91.215.85.223:80 | partadino.ac.ug | tcp |
| US | 8.8.8.8:53 | markinda.top | udp |
| US | 23.21.31.78:80 | bit.do | tcp |
| US | 23.21.31.78:80 | bit.do | tcp |
| US | 8.8.8.8:53 | movescx.top | udp |
| US | 8.8.8.8:53 | cointra.ac.ug | udp |
| US | 8.8.8.8:53 | muylove.ac.ug | udp |
| US | 8.8.8.8:53 | partiad.top | udp |
| US | 8.8.8.8:53 | partiad.xyz | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/2476-0-0x0000000000400000-0x0000000000427000-memory.dmp
memory/2476-3-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2220-4-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2476-5-0x0000000000240000-0x0000000000248000-memory.dmp
memory/2220-8-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2476-9-0x0000000000400000-0x0000000000427000-memory.dmp
memory/2220-13-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2476-7-0x0000000000270000-0x0000000000297000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 9d8f024c162815eca1f4cfad352ab507 |
| SHA1 | 14c45c70f00bd02e0680d6183142608c14941124 |
| SHA256 | bc70994ab3a1b3308eeb8af57f6f62f6c8556d79ea0517336558f2da188ea14c |
| SHA512 | 0383394d8b832d0a28126c6689f93e08f2b2897e63dec9688fb857a2aedbc10b42c46506aac78925a257706a4bd10126c075912779e86cc4a165f871f4b251ea |
\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | d398906e371437d8cb36e820f9ee9fdc |
| SHA1 | 1ee21e725345d9e70d38ea0b2c96a7558c36d161 |
| SHA256 | 4ed07c2a39e19e53b2e85db609bd23e24bcb21a033ccf03d06315e00e4ad433b |
| SHA512 | 986a90cea2ea868daf97dccd0a36841aa501a4cd02d46e556795b1faabb0aa825bf059bee1ddf5aeadfe9c1a605567604ff5f20e7fadd01a4c2ce8ca376e0e5d |
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | a5233ad11d01b0684a4a742aea931a6b |
| SHA1 | a738c48b5cdd62ab0f80780e52d93718bfadf52c |
| SHA256 | 7ac299c93a19a90c352a9112bc5f30e71d9a77929caf0eff903a1ded3d2cd027 |
| SHA512 | 6dbe1583b355cbc17dbb942cec5fa65b1e353961aa6f5e2c19fcc0aa746d1730da9ea9b4c9253e25a5e2ed37a9ead31e7096ce32a35cd83f27b142533f8fd025 |
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 2fed29c76f2a11ec7ae738d030db1d79 |
| SHA1 | 52fde76e90d950f4739f968dd406b2fb257cc97f |
| SHA256 | 6187097a8ad07528c885ee4df96a80848d4b59f2d0024b2527ebe7f9541e318f |
| SHA512 | 34d6ffc0f6db7906b2cad082f8afdefaf350c6686543b4bc21d4f57ec2b4e54b86746d4fdf70d52f7f6230cc4055e4e2b11c4fb208f27a4edba62b8319b4f231 |
memory/2808-25-0x0000000073A80000-0x000000007416E000-memory.dmp
memory/2808-24-0x00000000008D0000-0x0000000000AF8000-memory.dmp
memory/2808-26-0x00000000048A0000-0x0000000004AA8000-memory.dmp
memory/2808-27-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-28-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-32-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-34-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-30-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-36-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-38-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-40-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-42-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-48-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-50-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-46-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-44-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-52-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-56-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-60-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-58-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-54-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2220-62-0x0000000000400000-0x0000000000405000-memory.dmp
memory/2220-64-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2808-65-0x0000000073A80000-0x000000007416E000-memory.dmp
memory/2220-66-0x0000000000400000-0x0000000000405000-memory.dmp
memory/2220-69-0x0000000000400000-0x0000000000405000-memory.dmp
memory/2808-70-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-74-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-78-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-82-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-88-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-86-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-84-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-80-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-76-0x00000000048A0000-0x0000000004AA3000-memory.dmp
memory/2808-72-0x00000000048A0000-0x0000000004AA3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
| MD5 | 84b7642e84d945060d870593b255ffe7 |
| SHA1 | 598e57f7628c4bdd4d55af95c9e17e82e1161edf |
| SHA256 | 2d3b8471b5d04701fe00d925c0c0b52d1d2b0d77a7b8886a133aab849b9f30b2 |
| SHA512 | 58c8dccdf4e75ba5aa1cacde224ebd688a86b33761e03eb0886f15c97d49e92516717e691ef7754709e170d474eb6c7903ca99522b0ba83ee31e9b8116bc991e |
memory/2288-465-0x0000000073A80000-0x000000007416E000-memory.dmp
memory/2288-463-0x0000000000DD0000-0x0000000000FF8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
| MD5 | 50ef7597e47f97e2e6dc1463536fb047 |
| SHA1 | 1b4e4e086e71d98b80080f34d2cc97e7f029c74c |
| SHA256 | c8225e680b373b27fd79aad0dfc907f08b1eea6fa4f6b12f1ed8164d534e84dc |
| SHA512 | d7acf69c40753d466ceccd4afdb141d69a1b5a6f5c21596990220c756f4f23402c80a4f824706c025a249575b0ccbdea69a127c05e38e9510521c4f090ea3983 |
\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
| MD5 | 55a46b19cb826582900c42e24e39d737 |
| SHA1 | 209794e5247c876d56aab1157d7061bee43b4e62 |
| SHA256 | ac0867d88f3b648a4121814e12cc711600e7da77bbff3df266f067e968fb81f1 |
| SHA512 | bf5401e62fa143a0f0bad1c63bda3061aade4cd57f8d2d4c2ddd36fce7d441cab3c8245c07501ffc687a5435013f58572b3fd83ede01a3b00961edeab82c0e15 |
memory/2808-1555-0x0000000002100000-0x0000000002140000-memory.dmp
memory/2808-1567-0x00000000003D0000-0x00000000003D1000-memory.dmp
memory/2808-1870-0x0000000005660000-0x0000000005800000-memory.dmp
memory/2808-1872-0x0000000004E50000-0x0000000004E9C000-memory.dmp
memory/2288-1919-0x0000000004BD0000-0x0000000004C10000-memory.dmp
memory/2288-1920-0x0000000000370000-0x0000000000371000-memory.dmp
memory/2288-1922-0x0000000073A80000-0x000000007416E000-memory.dmp
\Users\Admin\AppData\Local\Temp\BBLb.exe
| MD5 | 443da3a41ece40b2043787032eeccfcf |
| SHA1 | 8a414bd758e3e50de70ee9fad39ab124a43e279b |
| SHA256 | 6c2be637d7af76d6d0380c2661aab3796e972d52d5b44726d2db7f57181deda0 |
| SHA512 | fdf8a2e8ca6ca43c01bc36d96bb565a3a4d0bbeb875f962d091e5ffeb23bed04e26442b1873967e19eb023d7140e3ffd19d1716ab2bf1a0f4f5ddbb0c056c06e |
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
| MD5 | d6d5eae5855383e77c67f6f9b7df8dd7 |
| SHA1 | 0947f88221d255f76517f360d2459c29d700ecb6 |
| SHA256 | 4be4fcd651fb28a4c1b7fd4161221ce2a7e74f5e8ad437d2692e578f90c2be35 |
| SHA512 | c80eb22ec344cee40d916fd3f05e03c26c912ba362b52c2f28875a83cf07fbef30b64d91a9d594e18ecb6a858e46f2d17b1792f86b5d2cc0f905705f81edfb5f |
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
| MD5 | de9bca236cb10c833c24c6591c54d07c |
| SHA1 | 8201dbcbd020df3c26991fc55e9c3013df0b44e8 |
| SHA256 | 26f41925dadd66eb00bb3ffede516f82c5b863508e0cac8e2cc2c2b3bd7fbd56 |
| SHA512 | eca9663434e44c49b3ee292c53f2ff781b41e6b9a2d044fa2dae8955d9374376bc7542c98c6f6ddbc2f4232300c66855a7d2e31c7b0c69c31255823e507c09ab |
memory/816-1930-0x0000000073A80000-0x000000007416E000-memory.dmp
memory/816-1929-0x0000000001030000-0x0000000001170000-memory.dmp
memory/816-1931-0x0000000004920000-0x0000000004960000-memory.dmp
memory/816-1932-0x0000000004C40000-0x0000000004D68000-memory.dmp
memory/816-1933-0x0000000004D70000-0x0000000004E9A000-memory.dmp
\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 51919b0ef17774e9c777ee725da6c4d3 |
| SHA1 | f9b8449253b99a4990772c0d4eb73f7a661918f5 |
| SHA256 | 89e5c64c44b2d2bb3a78e8a012ca218051a786178c5872cc94b0b2b49ca140f0 |
| SHA512 | f9b9614a6809163ff5f399ca8f8cc3be034778f45a1cdbf87ef6b72f9f9dde5861d809a544d27e5cefe94777e9e96890eee4c703e1e3de32e6c6a0c365a058be |
memory/2808-1958-0x0000000073A80000-0x000000007416E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | bd6c337c701f84ad10090c91c5898e90 |
| SHA1 | 0b34cffbb4e4989bd212bfb6893618c7615663da |
| SHA256 | 1928e319e10faefcda78ac6fbf7e718c3c763deb0a8c4698e30a16408a0e3a35 |
| SHA512 | 334fd09c8a00d88b1a4ea8297425a22ed9dc11647b6f2dad391a53736fa866a17280f7085b92b0d612fbaad24508eb2e0da2591c4dd9791e3c01f105f6c67e3a |
\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 9f74bec46233e8ffc6b03ca635f3a2a8 |
| SHA1 | fd8d4598b2e31cb989301d2f67a7689c45b8dd9b |
| SHA256 | 290f4f88a43b4e9e23df7dab7eaca150273a0527a85d1a61281c74eb8aa67ca8 |
| SHA512 | 5e5b2ac7422600f3da361cf8a94d134603c82a689b066879a3cce6c5c94bc56b8bc28cac00009be08d929a7ec5aa6cb0f590fe6a4745da13995cc0c860238aae |
\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | b60184f40ddf5ec7fc61c65b62fc9141 |
| SHA1 | 682bf3d0b76218ff2cdc19e098047cb1c42fd621 |
| SHA256 | 0b7f3500478e07064030f7e1a6f07f0693a9de02bf087dc16e88406ae68e874a |
| SHA512 | 536a6570b0388750d77276603d666e271bf89e92d8cc469f6d82b0c4e6c182cca1efbb1ea32fccbc9009c5810858c333663ca6d11d04fe4d3ebd820def8a6f4e |
\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 9aa45e5cc7338a6ee96a9499f29bc203 |
| SHA1 | 17e924683892829ad9892dd41c49361910ce76b6 |
| SHA256 | 4a958b0ea4334ade568948d58c6af091c4b669fc0012680abc823dd7050f4ea9 |
| SHA512 | bce3105732d37cdda999a96442e6a398011de3317a931b55a5f55e4f9eb5b306ab217e26378934a10d8ddbab61880bb1d3d948cc29c20c154274b3507485e1a9 |
\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 264aec5e8f163adefa07e0b41ec0c2d5 |
| SHA1 | ac4ae6815056b5acd081722899e64920256b2ad0 |
| SHA256 | 681280e76f70d866d12a9ff187527f18ec1b2d4d85e12ff83c432726b9c4742c |
| SHA512 | 5f4688c9305c6a4cbd4cb8693a8b489f4f6ea0364cee83e3f2070929f6b437cc0ba752c6eb60643d8692253439e11d02acd14760505496d4d973b87c7d66fcdc |
\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 84df7195deebf80a244bcef74605b0da |
| SHA1 | 90873f5500dc9cf95f9c6f053dc7ca6295ee4b08 |
| SHA256 | 48880f0748870a2dc80fe97359d0151f85f19c15bc6a4560bd4bc9ea282099cb |
| SHA512 | 3913e970d25601be815fde2505d28dd6a28d3ad21d18852460a2a3bfd57e1c7f143a2b7a352db72f035df1db8ea666ed5cfbb78f899dcba125f79b9b4381c17e |
\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 92bfda8e08553d58db843e802d9fc7d1 |
| SHA1 | 42249be3674af7880596fa8b3df3d5f7f49bf899 |
| SHA256 | 1532f0669c6ad020abf12e0931c96a22a81a97fe16458f74662a26ca6afebc54 |
| SHA512 | ae46050f0d653a8181908ea736db3276049c9d4e665d197cff10fb58867568bdf8638e06d93075b1bb76548dbf631f7262243e2d564036f2dcec4cfa0bb1c16d |
\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 325e180dece8f34a28e7429d3caa0c56 |
| SHA1 | 2925a8d2e51c6423ae9b564bbeccce48708a5452 |
| SHA256 | 509f32082c57fb92bc153d63fe6003c9e7219368c71fba6c66ecea1bc7d7570c |
| SHA512 | 391d00c9149d1f1c6d9f625833e52b21222834d3b982197f28d9019911042dbb52ddf17b440c9c73bd7868e57c894f339f7d5dacf3ee9458d2ef49079a9de5e2 |
memory/816-2890-0x0000000000430000-0x0000000000431000-memory.dmp
memory/816-2891-0x0000000004840000-0x0000000004900000-memory.dmp
\Users\Admin\AppData\Local\Temp\BBLb.exe
| MD5 | 4071afad62bc8c7141c15894b435ba1e |
| SHA1 | 19ee80188d6a57a1ebb8107c4d54e3e3896b5f95 |
| SHA256 | 92b1cd92991780c9716e8aa50a2189853ab3a7518125d93a04268a5820adaba1 |
| SHA512 | beed7807f244a355a46e590f6e964f643192b3b4950cef84fa9c53d51b01d243505ea7e17db5d993fff99899c3dcefafc02ce8dc1ba1a8bd4590524b21d5f7a5 |
memory/816-2906-0x0000000073A80000-0x000000007416E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
| MD5 | b16246fcde6fde7f4ba6ceb8e6a3f146 |
| SHA1 | fe006657d27ddc87cf9b19985693b9949f0f6503 |
| SHA256 | 891b9a420c7a69716c80150fde1dbb4a737cb32843074ba024ca72b18e538c7d |
| SHA512 | 1871c78d027d93b3cefd572fae1acc0a41ce818f5038b4270cc6deed4ffceebf2c246f12c643f0f87287e100e60d3dea0d12c32c3fd98fe12fdc4a2e79cd23bd |
memory/1976-2910-0x0000000000400000-0x000000000049C000-memory.dmp
memory/1976-2912-0x0000000004920000-0x0000000004A08000-memory.dmp
memory/1976-2913-0x00000000048E0000-0x0000000004920000-memory.dmp
memory/1976-2911-0x0000000073A00000-0x00000000740EE000-memory.dmp
memory/1976-5115-0x00000000005D0000-0x0000000000626000-memory.dmp
memory/2220-5119-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1976-5120-0x0000000000D70000-0x0000000000DC4000-memory.dmp
C:\Users\Admin\AppData\Local\TypeId\xutqjisn\AttributeString.exe
| MD5 | 71eb1bc6e6da380c1cb552d78b391b2a |
| SHA1 | df3278e6e26d8c0bc878fe0a8c8a91b28c5a652d |
| SHA256 | cefa92ee6cc2fad86c49dd37d57ff8afcb9b9abef0a110689e6d771394256bd6 |
| SHA512 | d6fab2c469924b8202f7964e864f66d6b6151937c8d134fb40e1f1d3787cf22328892c3f7209786e0b42e1abd5ca71a61f40538ef1e93534d2a98bf6d4448e90 |
memory/1976-5122-0x0000000073A00000-0x00000000740EE000-memory.dmp
memory/3016-5127-0x0000000019DE0000-0x000000001A0C2000-memory.dmp
memory/3016-5128-0x000007FEF5520000-0x000007FEF5EBD000-memory.dmp
memory/3016-5129-0x0000000001020000-0x00000000010A0000-memory.dmp
memory/3016-5131-0x000007FEF5520000-0x000007FEF5EBD000-memory.dmp
memory/3016-5132-0x0000000001020000-0x00000000010A0000-memory.dmp
memory/3016-5130-0x0000000001000000-0x0000000001008000-memory.dmp
memory/3016-5133-0x0000000001020000-0x00000000010A0000-memory.dmp
memory/3016-5134-0x000007FEF5520000-0x000007FEF5EBD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-12 08:08
Reported
2024-02-12 08:11
Platform
win10v2004-20231222-en
Max time kernel
89s
Max time network
149s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3204 created 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe | C:\Windows\system32\sihost.exe |
| PID 3808 created 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe | C:\Windows\system32\sihost.exe |
ZGRat
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BBLb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BBLb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BBLb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BBLb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BBLb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BBLb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\TypeId\eozwg\AttributeString.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\TypeId\eozwg\AttributeString.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BBLb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BBLb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\TypeId\eozwg\AttributeString.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\TypeId\eozwg\AttributeString.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe
"C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe"
C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe
"C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe"
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
"C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe" 0
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
"C:\Users\Admin\AppData\Local\Temp\BBLb.exe"
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3204 -ip 3204
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3204 -ip 3204
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 444
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
"C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe" 0
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
C:\Users\Admin\AppData\Local\TypeId\eozwg\AttributeString.exe
C:\Users\Admin\AppData\Local\TypeId\eozwg\AttributeString.exe
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3808 -ip 3808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3808 -ip 3808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 444
C:\Users\Admin\AppData\Local\TypeId\eozwg\AttributeString.exe
C:\Users\Admin\AppData\Local\TypeId\eozwg\AttributeString.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hubvera.ac.ug | udp |
| RU | 91.215.85.223:80 | hubvera.ac.ug | tcp |
| US | 8.8.8.8:53 | ddlakava.ac.ug | udp |
| US | 8.8.8.8:53 | bit.do | udp |
| US | 23.21.31.78:80 | bit.do | tcp |
| US | 8.8.8.8:53 | 223.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 23.21.31.78:80 | bit.do | tcp |
| US | 8.8.8.8:53 | rebrand.ly | udp |
| US | 15.197.137.111:80 | rebrand.ly | tcp |
| US | 8.8.8.8:53 | fran.ac.ug | udp |
| US | 8.8.8.8:53 | fransceysse.ac.ug | udp |
| US | 8.8.8.8:53 | tinyurl.com | udp |
| US | 104.20.139.65:80 | tinyurl.com | tcp |
| US | 8.8.8.8:53 | kode.ac.ug | udp |
| US | 8.8.8.8:53 | kodekode.ac.ug | udp |
| US | 8.8.8.8:53 | tuekisa.ac.ug | udp |
| US | 8.8.8.8:53 | partadino.ac.ug | udp |
| RU | 91.215.85.223:80 | partadino.ac.ug | tcp |
| US | 8.8.8.8:53 | 111.137.197.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | markinda.xyz | udp |
| US | 8.8.8.8:53 | markinda.top | udp |
| US | 23.21.31.78:80 | bit.do | tcp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 23.21.31.78:80 | bit.do | tcp |
| US | 8.8.8.8:53 | nickshort.ug | udp |
| US | 8.8.8.8:53 | kodedea.ug | udp |
| US | 8.8.8.8:53 | junks.ac.ug | udp |
| US | 8.8.8.8:53 | ugas.ug | udp |
| US | 8.8.8.8:53 | fillah.ac.ug | udp |
| US | 8.8.8.8:53 | nickshort.ug | udp |
| US | 8.8.8.8:53 | kodedea.ug | udp |
| US | 8.8.8.8:53 | junks.ac.ug | udp |
| US | 8.8.8.8:53 | ugas.ug | udp |
| US | 8.8.8.8:53 | fillah.ac.ug | udp |
| US | 8.8.8.8:53 | nickshort.ug | udp |
| US | 8.8.8.8:53 | kodedea.ug | udp |
| US | 8.8.8.8:53 | junks.ac.ug | udp |
| US | 8.8.8.8:53 | movescx.top | udp |
| US | 8.8.8.8:53 | ugas.ug | udp |
| US | 8.8.8.8:53 | cointra.ac.ug | udp |
| US | 8.8.8.8:53 | muylove.ac.ug | udp |
| US | 8.8.8.8:53 | fillah.ac.ug | udp |
| US | 8.8.8.8:53 | partiad.top | udp |
| US | 8.8.8.8:53 | partiad.xyz | udp |
Files
memory/4416-0-0x0000000000400000-0x0000000000427000-memory.dmp
memory/4416-4-0x00000000021D0000-0x00000000021D1000-memory.dmp
memory/4416-3-0x0000000077942000-0x0000000077943000-memory.dmp
memory/4416-5-0x0000000000400000-0x0000000000427000-memory.dmp
memory/3784-6-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3784-8-0x0000000000400000-0x000000000040A000-memory.dmp
memory/4416-9-0x0000000000400000-0x0000000000427000-memory.dmp
memory/3784-12-0x0000000077942000-0x0000000077943000-memory.dmp
memory/4416-10-0x00000000021E0000-0x00000000021E8000-memory.dmp
memory/3784-13-0x0000000000590000-0x0000000000591000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | bb6f1485ca9bb99bf53960b9d1b327c3 |
| SHA1 | d8dbfb7c389d34d5dbc717e123e7ffa33db047fa |
| SHA256 | 53b4a8f6537f5efb5ce99b96a72577e214dfef4e7a6804be88fc38ceaa91e5de |
| SHA512 | c46b65d9c307f39d76743a6d5e392663152823d43cf6f59ac04fad69af30636268a8be0b1e11f684d1c33813ed92a29efb1a97480436330747eded4f2ee566e6 |
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 3fe26e4272ee9079eca25927f8fede41 |
| SHA1 | 08accd9b1eb94f62679adf32dccf9a48f3d65d62 |
| SHA256 | f4354f6ba4d415bbe0a2911b9706000da0ec9619c5a97a0f31b3055f05499c1a |
| SHA512 | 6ea25e86de9fa219dc835d06e7421c33231177df6340af60feafbcf56c032130287f67bb322ff8e3065872cec1a15fc8dad0d8fcea83ccd2fda5326f8d4f7b57 |
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | aecb18a3caeeac76925892c67314fedb |
| SHA1 | 9a883cdaff6a5d33add9bb4ffea78f5faef9b9a8 |
| SHA256 | 2725c0ccb3490383cfde1baac41dec628d2008be21a66066d2d372bcc4280d25 |
| SHA512 | dad6af9f6417f92b896592a083c1e8c41458deba52b8d3a96c717cb73fe0e211b2b7d6ef64a50b13a342a0a7bee4e89b65401ae1fe1b05e8bce323de405bb9fa |
memory/4888-31-0x0000000073280000-0x0000000073A30000-memory.dmp
memory/4888-30-0x0000000000E70000-0x0000000001098000-memory.dmp
memory/4888-32-0x0000000005AA0000-0x0000000005CA8000-memory.dmp
memory/4888-34-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-33-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-36-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-38-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-44-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-46-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-42-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-48-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-52-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-54-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-50-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-40-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-56-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-60-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-66-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-64-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-62-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-58-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-68-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-72-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-70-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-76-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-80-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-82-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-86-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-88-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-90-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-84-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-78-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-74-0x0000000005AA0000-0x0000000005CA3000-memory.dmp
memory/4888-966-0x0000000001A60000-0x0000000001A61000-memory.dmp
memory/4888-965-0x0000000005A90000-0x0000000005AA0000-memory.dmp
memory/4888-968-0x0000000005E50000-0x0000000005E9C000-memory.dmp
memory/4888-967-0x0000000005CB0000-0x0000000005E50000-memory.dmp
memory/4888-981-0x0000000008230000-0x00000000087D4000-memory.dmp
memory/2336-980-0x0000000000B90000-0x0000000000CD0000-memory.dmp
memory/2336-985-0x0000000005530000-0x0000000005540000-memory.dmp
memory/4888-991-0x0000000073280000-0x0000000073A30000-memory.dmp
memory/3204-995-0x0000000000400000-0x0000000000488000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 4268e4dff85cfe28241b316059d4e62d |
| SHA1 | d4485914e31cb7a744219daa4d20da84b5041496 |
| SHA256 | 6875f91d0de394779e082729fd267e458a83d1616ccf8c8f875aaf919d53fa3c |
| SHA512 | 0d6671b7b40b45f7ee770f0e7f5123b3a9e900ad07c2cfe6a88d4651f0c3ec82cd870a345a87b121a67290cb3fcd626cc262115c127ca2aee724dcf2f0e00d8e |
memory/2336-986-0x0000000005670000-0x000000000579A000-memory.dmp
memory/2336-983-0x0000000005540000-0x0000000005668000-memory.dmp
memory/2336-982-0x0000000073280000-0x0000000073A30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
| MD5 | d66266bdd66df1367606c4c1e3af4491 |
| SHA1 | 5ce8e64b2f43ea108282d145dae51f8f0368474d |
| SHA256 | ec42eb54b3f3b0d1f86bde3a25b5f7a50caf6219fd2752dc64a6d0cd5043fcd8 |
| SHA512 | 4542f75de2b86fd00736bef4f072484f325f448e1c2b86c8e128dff188b232f30feb44d8c1d610bbec72a9ff6faef43c722dd9f7be56feb77331e4348b62406e |
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
| MD5 | 9c0962bbea048e2a9de1271b1191745e |
| SHA1 | e3993833b14f3c984078966849460b85aa2593b0 |
| SHA256 | a5e7c49bc2a14562a593bb087ed09f8d9837e889ad2968189cb781a81143cc6f |
| SHA512 | e15775ebc62cc0a347cf1799db35cfa9736c6d5ad29b05847b4d5d5dbbf0fdc5799f9a756347114b437d4ddf0c29f05433ac5197b8b2e6803816d7a6d33feeed |
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
| MD5 | f79239265890f8607aef219a912a8215 |
| SHA1 | 0f38eaee2654f9b666c434081cb2809f4995f4bb |
| SHA256 | 32dc338385f8108aa1c2bc20af93d576f66734f989654d480cc161bb100c7bb3 |
| SHA512 | 7f7a5d11b86bd8b79237bb3bbc0261c06ff0a4a70c60276fc3f05153cd299d61976a6f90694d26521ad8d10f01fcf11c4e3780ea914195774a01ebcf4f5e89a0 |
memory/3204-1291-0x0000000003B00000-0x0000000003F00000-memory.dmp
memory/3204-1295-0x0000000003B00000-0x0000000003F00000-memory.dmp
memory/4588-1310-0x0000000002640000-0x0000000002A40000-memory.dmp
memory/3784-1307-0x0000000000400000-0x000000000040A000-memory.dmp
memory/4588-1338-0x0000000002640000-0x0000000002A40000-memory.dmp
memory/3204-1349-0x0000000003B00000-0x0000000003F00000-memory.dmp
memory/2336-1943-0x0000000005520000-0x0000000005521000-memory.dmp
memory/2336-1944-0x0000000005A00000-0x0000000005AC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
| MD5 | 2b22cd365b89d60afc8d982af0445b0b |
| SHA1 | 460ed7bbffc79263ae170c0c8dde04ea0baf351e |
| SHA256 | 2eec3d71d5b8c8d8631c2c344c7d1707b5a56774a2789cb3b2da02e2b586bed7 |
| SHA512 | 868818de4847bf4fa3f25179341cdfbcb8db5690d95218f9c3d1c92aedb9d40658512ec183be099982f7f4059ada6282298f637cadf7ea1ef8e71d239b0dda52 |
memory/644-1955-0x0000000073280000-0x0000000073A30000-memory.dmp
memory/644-1957-0x00000000059C0000-0x0000000005AA8000-memory.dmp
memory/644-1956-0x00000000059B0000-0x00000000059C0000-memory.dmp
memory/2336-1954-0x0000000073280000-0x0000000073A30000-memory.dmp
memory/644-1953-0x0000000000400000-0x000000000049C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BBLb.exe.log
| MD5 | 4a911455784f74e368a4c2c7876d76f4 |
| SHA1 | a1700a0849ffb4f26671eb76da2489946b821c34 |
| SHA256 | 264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c |
| SHA512 | 4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d |
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
| MD5 | 0c691ee35d3adb7684153fb87c5cafaa |
| SHA1 | 3afb667e74115883949ff75ebc1e04f7160181da |
| SHA256 | 9ec9dc363b99c762a3097d880d5c017a8eaacfe4d82de757f4c73302d00d4b27 |
| SHA512 | f8c469e372fbe90415cfd5f0d5531c1d986d2209d480dcda11a40d6fb68edf851ee281c8a1d7d91697a3b443f450cf0ebaab00f36d1dd933232016bb40834eb5 |
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
| MD5 | 8235de2bd44b82d8c453c0dc6fc1e9ac |
| SHA1 | 99879f32250c63e410f7c0cae1745c6548bacb6d |
| SHA256 | faec7fc8a3850e655ff9d124a8dbd3988b68b366ab3868cd5f754cd872d6e4f8 |
| SHA512 | 46dda443890d43c5af81f098d743a758e1c8e46e02cea5f8c767e03e26a0d0fac9e7eacf1b90614a83488f9fbac6cfac750001ff170f9fecff4a351da0a6fd3e |
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
| MD5 | 4ff4d072e58faa4beb48e1b68f9caaa4 |
| SHA1 | 17ecd265ce7fe2fe700f4e3ea9dcb0523e6544fa |
| SHA256 | 46952fa52b2c831d4e979cc6e768fbf7854de3e54f8242b3ff9e4a61bb28a20f |
| SHA512 | ba18c19af1fd0e91f109da33e2ee16f3b95dfed1a5a8e1f72162b1f31b79b36acaac25d7e44971dbd55186c0509dbc71c038a6999b5880b0d40672370e4944ef |
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
| MD5 | 96ba4df46757c6a1bd023a04b52f0ef3 |
| SHA1 | 8ba9cd04ede4d58b17f2a95ba08d46a38ad260ba |
| SHA256 | 24093264da626aee681a5a77940b0e245f97922e15e894cff35a896fd59b2d9d |
| SHA512 | 135a4c156ca38f20b238a5e1c826b2c9c3a74fc0196b503d6f2f8bce4e8bad03d3b816c7e7e6b04815f0438a223f8f640345a4a02515a482329984ddfa389518 |
memory/644-4159-0x0000000005AB0000-0x0000000005B06000-memory.dmp
memory/644-4160-0x0000000005D00000-0x0000000005D66000-memory.dmp
memory/644-4161-0x0000000006120000-0x0000000006174000-memory.dmp
memory/644-4163-0x0000000073280000-0x0000000073A30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hkwltzdz.jfi.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3196-4176-0x000001CBB1140000-0x000001CBB1150000-memory.dmp
memory/3196-4175-0x000001CBB1140000-0x000001CBB1150000-memory.dmp
memory/3196-4174-0x00007FFCA02A0000-0x00007FFCA0D61000-memory.dmp
memory/3196-4179-0x00007FFCA02A0000-0x00007FFCA0D61000-memory.dmp
memory/3196-4173-0x000001CBCB800000-0x000001CBCB822000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
| MD5 | 1a917a85dcbb1d3df5f4dd02e3a62873 |
| SHA1 | 567f528fec8e7a4787f8c253446d8f1b620dc9d6 |
| SHA256 | 217fbf967c95d1359314fcd53ae8d04489eb3c7bdc1f22110d5a8a476d1fc92e |
| SHA512 | 341acbd43efac1718c7f3e3795549acf29237a2675bdadcb7e52ce18aac6dcc6ae628e1b6edfa2338ed6d9923c148cb4322c75fad86d5c0e6f2327c2270563ec |
memory/2888-4196-0x0000000073280000-0x0000000073A30000-memory.dmp
memory/2888-5130-0x0000000005240000-0x0000000005250000-memory.dmp
memory/2888-5131-0x00000000051F0000-0x00000000051F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
| MD5 | cb5cd0d9238b1f2bc72238039d35896c |
| SHA1 | b700917a6ff05a5209e72363c0e3379a698d5b79 |
| SHA256 | 7f2bf75ee96eb6274bccb57730e7aaa8f3fee6cabb82c177a2bdf632402b7de6 |
| SHA512 | 727d16781c51adc33ef05f628b702e3c4e0eee2b2f3b622d0a7c62f92a9d5080db9c40f98766d3aacd53012af04015e513c9c9573b73bb1487ad173a65c3d813 |
memory/2888-5139-0x0000000073280000-0x0000000073A30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
| MD5 | 4333389969ba377ea0f16257d84a0e73 |
| SHA1 | 18177d88d34be43bb924bdedde7d64d720f4c807 |
| SHA256 | 5170f83f07cc1bc8a3a70742c0094506662ab5885dde11ad443a9d536667d567 |
| SHA512 | 8b97aeb453b12eb944ccf0f2940bde20b50913cf48ca152a65c646f55a5a9d5368ff0fd0bd4bb74bf6e2d2edeae4e348cb75049b85a871f81b16758095cb032d |
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
| MD5 | 3cb95105c6a166aefa82f2903580088a |
| SHA1 | d2fe8a56874248a903a7a11e20ba30ab299e573c |
| SHA256 | 06c4b161fcceb223fa477f2e8c38b3905d347ce10d6b7d8aa674fc8c15df5475 |
| SHA512 | 23e4bd4f260538f84a0b5c8893ed2920edaf7d91a55444ac210f9673e5217f377d8cca1ddd9c9691ade75a05befaaa6956ff2deaa392a03db0d1d5970fa6b5e2 |
C:\Users\Admin\AppData\Local\TypeId\eozwg\AttributeString.exe
| MD5 | 71eb1bc6e6da380c1cb552d78b391b2a |
| SHA1 | df3278e6e26d8c0bc878fe0a8c8a91b28c5a652d |
| SHA256 | cefa92ee6cc2fad86c49dd37d57ff8afcb9b9abef0a110689e6d771394256bd6 |
| SHA512 | d6fab2c469924b8202f7964e864f66d6b6151937c8d134fb40e1f1d3787cf22328892c3f7209786e0b42e1abd5ca71a61f40538ef1e93534d2a98bf6d4448e90 |
C:\Users\Admin\AppData\Local\TypeId\eozwg\AttributeString.exe
| MD5 | 9b7cb2211782921b151970f3a8fa65b4 |
| SHA1 | c467cde438253f34bf43f1d3f5eff8905dd0a4fe |
| SHA256 | 628e02a4973fb578ea9535680b0aed328a6e83b0ec4f9cbf73400249266bb974 |
| SHA512 | 56bde9c7e2aa7a1642c61a723d00114b11ec9a710c709d7f25aee03ebb8396f12316db2f88174fc6c70e391d2559f718b59c8173634859604b93f7ca6f15864d |
memory/3612-5143-0x00000000053E0000-0x00000000053F0000-memory.dmp
memory/3612-5142-0x0000000073280000-0x0000000073A30000-memory.dmp
memory/3808-5371-0x0000000003850000-0x0000000003C50000-memory.dmp
memory/3808-5381-0x0000000003850000-0x0000000003C50000-memory.dmp
memory/4900-5388-0x0000000002230000-0x0000000002630000-memory.dmp
memory/4900-5391-0x0000000002230000-0x0000000002630000-memory.dmp
memory/4900-5397-0x0000000002230000-0x0000000002630000-memory.dmp
memory/3808-5396-0x0000000003850000-0x0000000003C50000-memory.dmp
memory/3612-6093-0x0000000005590000-0x0000000005591000-memory.dmp
memory/3612-6100-0x0000000073280000-0x0000000073A30000-memory.dmp
memory/624-6099-0x00000000055D0000-0x00000000055E0000-memory.dmp
memory/624-6098-0x0000000073280000-0x0000000073A30000-memory.dmp
C:\Users\Admin\AppData\Local\TypeId\eozwg\AttributeString.exe
| MD5 | ae84ef27afc1add4de241467dd7c8fa9 |
| SHA1 | 91187a90f0c9fdc59c325fedcf829bf72414ef37 |
| SHA256 | cd3dea6a694a94800d902f7daf2bac75d7a004f497716943fd0d262bdad28497 |
| SHA512 | 09d5f1a9b417fa6ce9237a04d954e735ed0a319af01a56589de45a71be3548e17e3884c0d7bd0ce4372be62a4d34e4abbd4c2b2a45eb6c216995033ab207edd8 |
memory/2944-8303-0x0000000073280000-0x0000000073A30000-memory.dmp
memory/624-8305-0x0000000073280000-0x0000000073A30000-memory.dmp
memory/2944-8304-0x0000000005490000-0x00000000054A0000-memory.dmp
memory/2944-9238-0x0000000002D70000-0x0000000002D71000-memory.dmp
memory/1256-9242-0x0000000073280000-0x0000000073A30000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |