Analysis

  • max time kernel
    132s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-03-2024 15:48

General

  • Target

    c0facaa9561e361afe9d92d38e2793a0.exe

  • Size

    1.1MB

  • MD5

    c0facaa9561e361afe9d92d38e2793a0

  • SHA1

    135c63fbf3659951888c74dde12df75575664eca

  • SHA256

    d8eb6d3fe02a890173827c242182acd22aa699e4bbd918fd22b95c00aa3a6445

  • SHA512

    50f1dcda7ad25017241ba8f46494653e4f64e35a6af57a64ec149802f4e25124ff5d3adbdf81a4137bedb122e688987fa6f36ebfa45a9e0638803f9388965abb

  • SSDEEP

    24576:nqqPzCBX6k4NCC0pOVXPbhH4DZ0XscH93EyLvWvfwi4Zm3:nqqGkRkCNFhH4DZ08cH93EyzwolZi

Malware Config

Signatures

  • Detect ZGRat V1 31 IoCs
  • PureLog Stealer

    PureLog Stealer is an infostealer written in C#.

  • PureLog Stealer payload 7 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Downloads MZ/PE file
  • Executes dropped EXE 19 IoCs
  • Loads dropped DLL 26 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe
    "C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Users\Admin\AppData\Local\Temp\vctuacx.exe
      "C:\Users\Admin\AppData\Local\Temp\vctuacx.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Users\Admin\AppData\Local\Temp\vctuacx.exe
        "C:\Users\Admin\AppData\Local\Temp\vctuacx.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2880
        • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
          "C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe" 0
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1148
          • C:\Users\Admin\AppData\Local\Temp\BBLb.exe
            "C:\Users\Admin\AppData\Local\Temp\BBLb.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1612
            • C:\Users\Admin\AppData\Local\Temp\BBLb.exe
              C:\Users\Admin\AppData\Local\Temp\BBLb.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1756
          • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
            C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
            5⤵
            • Executes dropped EXE
            PID:2832
          • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
            C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
            5⤵
            • Executes dropped EXE
            PID:1992
          • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
            C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
            5⤵
            • Executes dropped EXE
            PID:2172
          • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
            C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
            5⤵
            • Executes dropped EXE
            PID:2888
          • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
            C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
            5⤵
            • Executes dropped EXE
            PID:1744
          • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
            C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
            5⤵
            • Executes dropped EXE
            PID:2276
          • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
            C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
            5⤵
            • Executes dropped EXE
            PID:2464
          • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
            C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
            5⤵
            • Executes dropped EXE
            PID:2576
          • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
            C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
            5⤵
            • Executes dropped EXE
            PID:2816
          • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
            C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
            5⤵
            • Executes dropped EXE
            PID:2564
        • C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
          "C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe" 0
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          PID:2092
          • C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
            C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
            5⤵
            • Executes dropped EXE
            PID:3032
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 124
              6⤵
              • Loads dropped DLL
              • Program crash
              PID:2128
    • C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe
      "C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe"
      2⤵
      • Loads dropped DLL
      PID:1988
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {F9F9DEE9-A1F5-4B36-B2D0-38B672C559E7} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:S4U:
    1⤵
      PID:2708
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
        2⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2664
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
        2⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1732
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {6A780D5A-0870-4CAE-9340-956D20C03FFB} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
      1⤵
        PID:960
        • C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe
          C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          PID:1204
          • C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe
            C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:612
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1064

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\BBLb.exe

        Filesize

        510KB

        MD5

        2738e6311dfb65c10746a7e823f9c420

        SHA1

        dff9f71a4ec25e8bb172629618416bc404a4cd49

        SHA256

        0da7fc29b321a65e7244308f99d4370a67a81c2b9407aedbee4e5a97cfde44e3

        SHA512

        70dbcbdecfe67d2507b09b30906a8760abdf69588287543e8251022347d98697dd051bae0c82dc2918d20f11d508e7b7273ffc68e2661d72ccb47194246d5a60

      • C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

        Filesize

        1.2MB

        MD5

        6a84fb8031a6073d6f4d9f3dac12f277

        SHA1

        19a5b6e4a107857da24779d92f446729f02825f0

        SHA256

        f2633b79deed5997488498e8d3ba0bc51a4eb3a3afcc05d431b15870b1d1cf0e

        SHA512

        b075312ad68787dfe670a7cee5323d8512f99fc3af6f3dd53f2ba9856a0f133681ed605c81da1a87bc58432c7d9db0a225342b091158c9cd0c1eeabbeb26e1e5

      • C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

        Filesize

        1.2MB

        MD5

        eb204f6dab7cf388aaab7888ee65d05f

        SHA1

        db6939b8790fa8bd6389d0677372ac1ca9cf7ce2

        SHA256

        751bc8e153fb220c1f91fb9fbe128cc6e5818b06468f766c75a7154acbb0f37e

        SHA512

        57ae37eb1bfc9ef21fbce4568957ddc22988d90d610b9dcb1d0a53e4c35a838119f1ec750cac3a943bf5e58955c223d0a244362e8cf92e9a9fb039d78170077f

      • C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

        Filesize

        1.1MB

        MD5

        d2a7797f65d6b62f3713eddcaf73750c

        SHA1

        20f0368240a9f8efd5f0445a2c7f325539b2b32f

        SHA256

        096d84ea8e861cbf3b62f9f6761a1d0cb166fda236c296449a9a4cd67da8eab2

        SHA512

        70aa5e1d1aff6f0354c90e03e45d16764c444d0a4b7b4ee3e559ba782be01811030c76b85c53121002fc6c8aacfc1f9bef44e2c7b12f0cffdaff545708766e04

      • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

        Filesize

        1.2MB

        MD5

        16e2a532137be4ad240133f4aa246c32

        SHA1

        ed2342853ae2b4cd5303ee56037501a2d89b515e

        SHA256

        d30845a4bc7a48cfbdfe6d977c3deac99f5d5f59f6a7c688999676e10608f960

        SHA512

        6c0c4c6495da845496e7ed5783fe199a721ebedc75504d7afc08bb0bfc2797e77331eddd79e2a727a87457b6000f4776cf1c467c32d895908c0eae7c46a2224e

      • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

        Filesize

        1.4MB

        MD5

        56bac36092872b5f22da31df51937a45

        SHA1

        fc3f340694ff92560bfd4dc1f71f7a405d29ad89

        SHA256

        8637f7717ca9131a408987ca277555edf2b6fdc890f769e892d77300a7f623e9

        SHA512

        c1910d8c806306cc36c735e97c495a3f0e8b591c4e0b48eac7ca7c273a7ddfa6d7439a9112a17c19727e95dda0d7cc2b5e7869b17e43d69c3c9572b985a697db

      • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

        Filesize

        1.3MB

        MD5

        c57b4de6823f4782aaffe1739af664e5

        SHA1

        a5bdd27957394b06ed5739c7cfcc4e513a3f36c0

        SHA256

        c13dd20cddbff666755cd9fe5e8073c2d97889393d29c0a9b97a010f2828f068

        SHA512

        e6e9a70cef18f516e0a3cdd5f64d928c1e248811c6d1be515e073ddc27fc0c57df96f7575089b9d44c534a98cc30970fd8c1303e65c6b5561c711415163a57f3

      • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

        Filesize

        128KB

        MD5

        3d9ff8a504031fbbd2d866828ee7a642

        SHA1

        bd70d5e1e4e983ab855c19cc5021a193e0f43922

        SHA256

        82774139d6d23804accfc50c556856d472a79811deae8ffd52f0feb65bfeec9e

        SHA512

        43404ddd65207b94b80d27b0de35d5a17f7dec268567036f850b106543ef0993c57160e719ef0d9da9682dfc5b05f5dcd4a51751c588136ebead1efd6609f29a

      • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

        Filesize

        1.0MB

        MD5

        77a9af8a6f2aa1d2e088ddc9e4744898

        SHA1

        756bdbae22fe5efb2d5ce857f6b9e350875270ee

        SHA256

        d67b926f192cab5e8defb5ff22bbf79e3db1461b891c8644cd4e1442c577026d

        SHA512

        14dfd6adecf9b9d4f88a15f15cc52c62f9ee2f75d3d494f91061064c9cf543c164083528f211e8a2c273c94386cc5892c051eee64bb88e72700e7e5cb368d7ce

      • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

        Filesize

        64KB

        MD5

        d2c8ab0106d33d9a0b1fd939198f4224

        SHA1

        53ef0dbc5735486a5b8288a16e77fb71a967ba8c

        SHA256

        1a0a89b5faf16dac66cf7f64767b41cb6d41bea97b37b8c56b17d79da99390c9

        SHA512

        e5707b62186cd62c45951005681065ac87a62fb1400693205e5639dc7f453a09b8b85422320dfa697c36447d8a7b74e812443800bf0c84f038ae42709fdd68c0

      • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

        Filesize

        979KB

        MD5

        7cb9f2b9fc46e1d7c81aacf1918b635e

        SHA1

        63820b7c3e92e2c3622f95c7246f2405e5a1ec8f

        SHA256

        6aef22390f556ce1c6e57e3a482a07c925c85d2fd26969090b06a3ae647bd6a0

        SHA512

        aa5e3d485113b046306ad59815d51bc2046f655b02becd7254964c4bd7c3b558e33cdee01b1cd9405ac9db8663641a4c630a347268d7aecd3778d282ed08bcc4

      • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

        Filesize

        804KB

        MD5

        901647add3d61eabca6f4ccd981cd457

        SHA1

        923f4be54c26ff574d5d737d118655e53821c0ba

        SHA256

        2b1d616e3c1944126c18bcdf81bca6a65f15bc8cd654b106408c5d34cdb719b7

        SHA512

        ae733fa86116c9781586266bc5513b1b32f85f5262c29d4b9fedc4af668e1a6afcff5fe32b7faf7a554fc8b58c71b0e2104fdac7fb0ae3568838cd81e630261b

      • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

        Filesize

        942KB

        MD5

        bf5e6f7ad139d9b44c959fab6126ae48

        SHA1

        b511e899b4f47577b11286b6e134dbe0a5659147

        SHA256

        12bf6f4e44962ea92999c3fcc6751b2f0f8d163be9ae7b290cfba8d7dee432e3

        SHA512

        f0c4f5c6984d14ee60913c2784cf9ccd7904a254b46f7bca67aa3eb349dfd5956900e66c80dbae1e084b71ae7555d9a7ac56b2d42801c7a990f368daa78fba81

      • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

        Filesize

        2.1MB

        MD5

        1a917a85dcbb1d3df5f4dd02e3a62873

        SHA1

        567f528fec8e7a4787f8c253446d8f1b620dc9d6

        SHA256

        217fbf967c95d1359314fcd53ae8d04489eb3c7bdc1f22110d5a8a476d1fc92e

        SHA512

        341acbd43efac1718c7f3e3795549acf29237a2675bdadcb7e52ce18aac6dcc6ae628e1b6edfa2338ed6d9923c148cb4322c75fad86d5c0e6f2327c2270563ec

      • C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

        Filesize

        1.8MB

        MD5

        a57729fb7bff6062d9aae738e04b264f

        SHA1

        152b25d01d4042f9a17ad76a0f4cdd90a90005e7

        SHA256

        541e3a75f3d258e30c211866fe1b75e573dfd00e8488d10d1e6fafa17d0bf145

        SHA512

        059fed22bb1094accd1ce156827aaede68269bc1c6ea8bcce1992117239df9923ddb02c7619d9f55723199dfda6278316b53c74af72e62233ef9dc96cd6c1bf9

      • C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe

        Filesize

        508KB

        MD5

        b0ff12175629c451084af8d40925bab0

        SHA1

        adbc6f27fe0094fd2f7788080e817f4cd2cebce8

        SHA256

        8c7089f8b1dc687eb609a76ac6bebf67b3d90168604ea624ddc8c206b19f91c0

        SHA512

        60efb4c9c1c0e4310252392de96dc8762d9e5529ba5e292b98aef7f207e2c4f58b67cb7819060828967a02ffdf352ee624b65e40d807ba5e4cdcfe6498430b62

      • C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe

        Filesize

        494KB

        MD5

        926982c446e011078d140355fb07f929

        SHA1

        21615be164d751111bcce74a1e3029e8a830979a

        SHA256

        66746a1531182809a7ae7c514b5858840548a715847aca6d5bef0de05dc606d0

        SHA512

        32ce88d80e2a5574f2317f894c2e64128b043be80c7a9580eaf0a0bf229d6390b7ebde3dc0c64fc9a11c9ac6834aea73a50fb87dae3d59f1a0d11e22cac0ec13

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

        Filesize

        7KB

        MD5

        a7794532b8bc992e4524df357873026e

        SHA1

        ce0898e1e07ac2afbbdf0728935283d780a43723

        SHA256

        6191e7e154da4491e85dceca26db9d2b4c9cca88180dea4c71b568a8900ed36c

        SHA512

        27eed2b3ee31f2762915ce6772a3e9bdc3ac552cf5296b23f21ec8752b8727824465d01dad6c6f244348632ffedb01b4825aeddf6b9e64326078e2c913bda912

      • \Users\Admin\AppData\Local\Temp\BBLb.exe

        Filesize

        1.2MB

        MD5

        71eb1bc6e6da380c1cb552d78b391b2a

        SHA1

        df3278e6e26d8c0bc878fe0a8c8a91b28c5a652d

        SHA256

        cefa92ee6cc2fad86c49dd37d57ff8afcb9b9abef0a110689e6d771394256bd6

        SHA512

        d6fab2c469924b8202f7964e864f66d6b6151937c8d134fb40e1f1d3787cf22328892c3f7209786e0b42e1abd5ca71a61f40538ef1e93534d2a98bf6d4448e90

      • \Users\Admin\AppData\Local\Temp\BBLb.exe

        Filesize

        1.1MB

        MD5

        c43f9e71adc553cfd066fff8faa951fc

        SHA1

        b42ed3117d59c78a9aae1f3808239c8396478cd7

        SHA256

        067522f8c4d0832c9c7495fb46638aa41e0387994284fab89e0ac6885f6a76a8

        SHA512

        d1822bc87a5bbbd34e2c374cd4eb384f5b965671215e6e70a6f59b07b5fcacbcfcfcd678d8894ffe818861a6694a32b9414d57d45143a5a6908431b77f4b2748

      • \Users\Admin\AppData\Local\Temp\DropaDkxa.exe

        Filesize

        1.8MB

        MD5

        ad7af059b52c2a4f24bffd563b27bcb3

        SHA1

        ce0d642c692f1c23c838c5d4232c9d2261bf5e1c

        SHA256

        0bc77bf0a4624a031179c2e502e650f3533e1c62cfdc3f555210317322c98d64

        SHA512

        75a9c7f3b87405d1d56e5c1a81dd8b20394bfb5a50af15c685f63a5651c6607f8152841453ef1403a8b26c3fd8f14de80ab20d3fb261e7655476d3d8cc56acd9

      • \Users\Admin\AppData\Local\Temp\DropaDkxa.exe

        Filesize

        1.4MB

        MD5

        c017ac6363e7d39abbecf8347cd479fd

        SHA1

        30cd34b1a7d5e981b6f5653cf478999aa76b7792

        SHA256

        0a04e77d164bf3eb3c96910b0e5b6bc6709d79fa0065a1a7dd9bbbfb414a2fb5

        SHA512

        35253cb41f963b6d1d5f151677d5e62bc2f34f789e56b8730b9fb90fa6384f7c850bd5127113090a863084f8a90de6c824033323fbcd52fe6dcb8734d41dc602

      • \Users\Admin\AppData\Local\Temp\DropaDkxa.exe

        Filesize

        81KB

        MD5

        b7a65e28d323e7ccc6727daafae7fede

        SHA1

        524e1b10ef8b50e16413a9feb90ca3aa2196c06c

        SHA256

        e9a73f79b31c109d68ccd29d78589676265f9c0b1fccb18f784f43b1efa36767

        SHA512

        7ec76f0e181841fdfa001179e4160ad713072a787557f8d194dde9b7f8066c50069e5400d2fce6c39bb9f383396b9fe755409bb8f3640a77d106d88cf5aecd71

      • \Users\Admin\AppData\Local\Temp\DropaDkxa.exe

        Filesize

        115KB

        MD5

        8185a69623e729994f4919d4559d4f25

        SHA1

        89645e506f85348f56b9efe2b328a2cb79080846

        SHA256

        c9f8af665c4d958cd778d72013e667ae8c92312776e7a1795c80ca3822ed1ab0

        SHA512

        ccd921fbf5f689fb56c3ad257160a7910d2484629ae9c9241097156142bec3d0bec0bca25c770a5bc2fda02c55af099e3429d2e41f2b32480f8331f2c386acee

      • \Users\Admin\AppData\Local\Temp\DropaDkxa.exe

        Filesize

        44KB

        MD5

        c6afb0c004d21f8fdc5466e5b9570246

        SHA1

        da3585ad7f8b9b48c1b4936257881f9dd307d52a

        SHA256

        ebdbf9249394834c3ea133f8cbfc144a59e427f60c99317cba9ac73d58eb941d

        SHA512

        99e7804b085a459c9570174f8af4fc0cb71749422c111380ca0a77f195ea19fd6dd6c6901bd1a9e68b2d74e3478e63c19bfec63c0a53674d82acd946c84dbc37

      • \Users\Admin\AppData\Local\Temp\DropaDkxa.exe

        Filesize

        61KB

        MD5

        7aa0db0511abc4d54de27b5ee07934dd

        SHA1

        04ed31bae856de6b79b2e0fb9d4cb18a5ef30d74

        SHA256

        a39f715893992c0370a7196ab0f78e090c27785ea83ff4fa31288edba32e0c36

        SHA512

        78ca8b8f41c2495b13f837696ffd5c719177db7e19ef4c8b373c6c1ba206eac847c173420add7e31ab9e73114db087ef74b3fa0029438459e22d7405ba90ec58

      • \Users\Admin\AppData\Local\Temp\DropaDkxa.exe

        Filesize

        90KB

        MD5

        bf61f338cc128a606e19a45341002853

        SHA1

        a34b4b29d7d486b846b862ff90ce8154e2cce612

        SHA256

        d5a856e0f918694ab607ae59f12a06bb2451a43747a38fad3cd8683b1f844a08

        SHA512

        76d37bdfff437211bfe9b3f85d24dab44bb8775aa50abaf40a24c279f8ade4e09e49abec4c0d0d789b2b5d576b29bd806bcf6a3c5db64b8a00f4f650c687db02

      • \Users\Admin\AppData\Local\Temp\DropaDkxa.exe

        Filesize

        52KB

        MD5

        e61fe70d671ca6e00aa25f8b815fad9d

        SHA1

        2b468f1cb1fb761fc97fadcf40fe20da4507f44e

        SHA256

        775d577ee31ec9dc960bae075095e86f4f27c843e8cf55ad7cdce1d67d554f88

        SHA512

        a42bf88b9ba7dcd096582d0e81d6edb724c56388074e6f4f02c72b78f5eac2e910a28f407c232d8fe84dbfd7fe6dbb99df21d7996f2fea8c7071296c8808d7f9

      • \Users\Admin\AppData\Local\Temp\Dropakxa.exe

        Filesize

        1.6MB

        MD5

        befdec4920dc463a48214a64e3a3fc57

        SHA1

        3f2f468d3199e61aeb9805179fee3bf3e69b40e0

        SHA256

        670bed58b303646141f7c6de74e2651293494182335d421a02b40fa33ea66780

        SHA512

        e989f5eee83e2e2818620451431aa21b598ef666b71be1f3b01fedf904c1fe5d700cdb003b4a89b348412ed2263f76387b884b63c1428eea04047b11e8e2b370

      • \Users\Admin\AppData\Local\Temp\Dropakxa.exe

        Filesize

        954KB

        MD5

        e3037f3e2b965b491948505ea85c3b65

        SHA1

        ad6272397cb611bae7141363d050f91d47b99b97

        SHA256

        e54c79f902772f59681cadbd5115fe5a6e753eadcaeaa3b69d6dc3bb84a4129b

        SHA512

        74fba3e9dd6bd73f54b1fa691713235188d4c69961122eedfae0bd1b12cb401978017bc68516924525267ead97b2794f2f6d2ced4a3ef46ef2b41665a1c6de5a

      • \Users\Admin\AppData\Local\Temp\Dropakxa.exe

        Filesize

        1.7MB

        MD5

        715b62e332a0b52b690bb724d56a43cc

        SHA1

        0855176779c6d75642d64edc682ca8b11756410f

        SHA256

        751be823130da932b588761b596984f8a896b0c88da34981945a2d0de8f1ec96

        SHA512

        6dc536b007d12790de713f5eb71d3d29ad395f9bbb8b3ae1452f699e030fac7476752cb0469d846cda0893e5beb615d423ff8e6f4aa0bb8e3b8691610dc77eb5

      • \Users\Admin\AppData\Local\Temp\Dropakxa.exe

        Filesize

        1.0MB

        MD5

        d470c5acd68b7528856836ae90a3b395

        SHA1

        a3aa63951f1e70cc1a3b2fa36b9373de194244da

        SHA256

        23d6df0dd3cab83fd927d6602c5ffdd3b87f3e0ed03d386b2d9eb255c54d131e

        SHA512

        46d0494169c56952caad58cd63c9e2064fea60e9ec4ae85a93acc73152690114eab51f65c5b7ad1bb203452e59fbd22e7a5ee2fd6c331ca24a88052f85fe648e

      • \Users\Admin\AppData\Local\Temp\Dropakxa.exe

        Filesize

        192KB

        MD5

        2a86f6ec50089c5e50a07dcd113ff65b

        SHA1

        6e419db1a719a214164ec46d58b5aac4ea9f4ada

        SHA256

        a502e3afa1a6207c43789ce9b866012041be2241c0c26feeded4ef82bb5eade4

        SHA512

        e088d2bd5a5fb6b3f681e37fe68c386f704001fe0b6c8f5dbe25b14cf833d1c27ce0c18a4ad4aed7313b4b8444436fd6a71b6510688920f081fb7f287a2fd1eb

      • \Users\Admin\AppData\Local\Temp\Dropakxa.exe

        Filesize

        941KB

        MD5

        c84b71ce414bcbcc310ac6ed6316cf19

        SHA1

        3272c21fd9948783694627f05ce65a8cdfa793b2

        SHA256

        e0c20b2b6bb4248c295c2c518a7e0efd502850cd5794b6d19f1f070342f378fe

        SHA512

        ba31cb0046617ef884337b4e57f322f2ad834725762e13f8ce0ba2f89182ca539dcb00d6ce94c301e510768787844142e5375198cd42f6e951179e86f35ee6ed

      • \Users\Admin\AppData\Local\Temp\Dropakxa.exe

        Filesize

        1.0MB

        MD5

        21d13f88cf023762c741bbb8e3d5e0f1

        SHA1

        2d679ab260b243e5a6d49422fe4406c5eac81f3c

        SHA256

        c7ee4abe275207aa56e8a519fc92af8c8cbb3b452b7adc2b8aacf20e5587fce2

        SHA512

        bfd53d113d5799248adde1beba931cf7bbea5e760f26eb9fd17c4b9d48a8283b9f969cc0b9bdcfd3126cd5da650515d3e117eaea666c1ee2f13dabcf5fd408f2

      • \Users\Admin\AppData\Local\Temp\Dropakxa.exe

        Filesize

        786KB

        MD5

        9f99821463ee96b48d882e7fe44f30c2

        SHA1

        02dcbe14da05fd90342149b2bef2f93cc1073b40

        SHA256

        b58c672da752eb3a20a1bbc2f8b3ba71884998c241cae72da7bb1872a679085c

        SHA512

        283ff20a7fe1a74a331c9c3acfbdbf4061858bed17d7d1279a3819b75d45965e4c1b52775ac98ebc6f45ae40ddaf3244235a8bb61c2be2618fd512aa86f25180

      • \Users\Admin\AppData\Local\Temp\Dropakxa.exe

        Filesize

        19KB

        MD5

        2b41b95af46b68453332f2a18119c087

        SHA1

        342b41f904d868f88bfb10cff44079ec67039b15

        SHA256

        1f0196686bc4c083e0aad18182707e6e77ac75f566037e586c8fe5aa974eafea

        SHA512

        24a16927e93b45b4af7aec10f9b0aaccbadbc152c0a9cc7000c05164691794bbba870669a96b95827c36f382ee0a5a652b492538bbd33a66eefa46227b0e0732

      • \Users\Admin\AppData\Local\Temp\Dropakxa.exe

        Filesize

        761KB

        MD5

        305145814473e0c4e5c7f29ccdca213a

        SHA1

        8579674138f71bbe2339801db6966263d7bac518

        SHA256

        e431cea88bd0ba9b80cb47e2705148e473b1076296e501a3d873db7b3a150da7

        SHA512

        0f759a1f8824143489f44c300999db31b576572e28f77b4c8f3589a88717df3e53908d330c932fcb8e3c4264f3912baa1302b29231447365c3f136f3d8761aee

      • \Users\Admin\AppData\Local\Temp\Dropakxa.exe

        Filesize

        2.0MB

        MD5

        6dad17a1d628886f2c1d5d73ebfbf744

        SHA1

        272c79fe0abaa326f156e47e8d0ee028b6b4b1bb

        SHA256

        23c70c027597b9c028871567652d1cc901f73f03c9600086ec9a9b99df0efda2

        SHA512

        7e108e46f005116a2be1fe86bd7c654c77b9e96b2ce0b5e2693642259c83099022790aa4e456c2c96aad6329eaacb734dccc1a971c15e31c705454d8b6245b98

      • \Users\Admin\AppData\Local\Temp\bassmod.dll

        Filesize

        35KB

        MD5

        e3a6587ba5a4ee4514ecaa4265dd9b2c

        SHA1

        b44bb9b5fc3478fa6ea5140603857ee0c2d4c4fd

        SHA256

        566934a049ae41fe36e2e122825875e5c02d4db083e744a7a3c94f456cec2f94

        SHA512

        90f4e5ceac00a0815452ef951feb3aa29e6ef408d8d4cda023c3fdd49ba0238e06589cee9cc0be842eddd1b02bd1d448d9ab8bdaed70651b38d6074c9f99d22f

      • \Users\Admin\AppData\Local\Temp\vctuacx.exe

        Filesize

        140KB

        MD5

        d6bfa5d4d5d67dd73013e5b400cac2e7

        SHA1

        725f7fec0fd1f245c44ab1c228cd349a5e12bd71

        SHA256

        fa40dc2c8055f953099d7d354ba97fbf3a5f3aa501ce95cb8cefa810b80ea5d4

        SHA512

        e5d58b64de4d398290d0cd79d44a516ca2528bd183566926ea1f3b9211b20fa5c2244bcc8bd3cc1f3b1d470dc257b72b8d3530d682fff00b7b52227c6c3c7808

      • memory/612-6148-0x0000000000400000-0x000000000049C000-memory.dmp

        Filesize

        624KB

      • memory/612-8359-0x0000000004DF0000-0x0000000004E44000-memory.dmp

        Filesize

        336KB

      • memory/612-7268-0x00000000004F0000-0x0000000000530000-memory.dmp

        Filesize

        256KB

      • memory/612-7097-0x0000000073A20000-0x000000007410E000-memory.dmp

        Filesize

        6.9MB

      • memory/612-6150-0x00000000004F0000-0x0000000000530000-memory.dmp

        Filesize

        256KB

      • memory/612-6149-0x0000000073A20000-0x000000007410E000-memory.dmp

        Filesize

        6.9MB

      • memory/1148-74-0x00000000049A0000-0x0000000004BA3000-memory.dmp

        Filesize

        2.0MB

      • memory/1148-64-0x00000000049A0000-0x0000000004BA3000-memory.dmp

        Filesize

        2.0MB

      • memory/1148-103-0x00000000049A0000-0x0000000004BA3000-memory.dmp

        Filesize

        2.0MB

      • memory/1148-53-0x00000000049A0000-0x0000000004BA3000-memory.dmp

        Filesize

        2.0MB

      • memory/1148-82-0x00000000049A0000-0x0000000004BA3000-memory.dmp

        Filesize

        2.0MB

      • memory/1148-52-0x00000000049A0000-0x0000000004BA8000-memory.dmp

        Filesize

        2.0MB

      • memory/1148-51-0x0000000074430000-0x0000000074B1E000-memory.dmp

        Filesize

        6.9MB

      • memory/1148-50-0x00000000003A0000-0x00000000005C8000-memory.dmp

        Filesize

        2.2MB

      • memory/1148-995-0x0000000001F70000-0x0000000001FB0000-memory.dmp

        Filesize

        256KB

      • memory/1148-996-0x0000000000300000-0x0000000000301000-memory.dmp

        Filesize

        4KB

      • memory/1148-997-0x0000000004EF0000-0x0000000005090000-memory.dmp

        Filesize

        1.6MB
