Analysis Overview
SHA256
d8eb6d3fe02a890173827c242182acd22aa699e4bbd918fd22b95c00aa3a6445
Threat Level: Known bad
The file c0facaa9561e361afe9d92d38e2793a0 was found to be: Known bad.
Malicious Activity Summary
ZGRat
PureLog Stealer payload
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Detect ZGRat V1
PureLog Stealer
Downloads MZ/PE file
Checks computer location settings
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-11 15:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-11 15:48
Reported
2024-03-11 15:51
Platform
win7-20240221-en
Max time kernel
132s
Max time network
142s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PureLog Stealer
PureLog Stealer payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ZGRat
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1152 set thread context of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe | C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe |
| PID 2308 set thread context of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\vctuacx.exe | C:\Users\Admin\AppData\Local\Temp\vctuacx.exe |
| PID 1612 set thread context of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\BBLb.exe | C:\Users\Admin\AppData\Local\Temp\BBLb.exe |
| PID 2092 set thread context of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe | C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe |
| PID 1204 set thread context of 612 | N/A | C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe | C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe |
| PID 612 set thread context of 1064 | N/A | C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vctuacx.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BBLb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BBLb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vctuacx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vctuacx.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe
"C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe"
C:\Users\Admin\AppData\Local\Temp\vctuacx.exe
"C:\Users\Admin\AppData\Local\Temp\vctuacx.exe"
C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe
"C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe"
C:\Users\Admin\AppData\Local\Temp\vctuacx.exe
"C:\Users\Admin\AppData\Local\Temp\vctuacx.exe"
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
"C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe" 0
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
"C:\Users\Admin\AppData\Local\Temp\BBLb.exe"
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {F9F9DEE9-A1F5-4B36-B2D0-38B672C559E7} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:S4U:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
"C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe" 0
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 124
C:\Windows\system32\taskeng.exe
taskeng.exe {6A780D5A-0870-4CAE-9340-956D20C03FFB} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe
C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe
C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe
C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | hubvera.ac.ug | udp |
| RU | 91.215.85.223:80 | hubvera.ac.ug | tcp |
| US | 8.8.8.8:53 | ddlakava.ac.ug | udp |
| US | 8.8.8.8:53 | bit.do | udp |
| US | 23.21.31.78:80 | bit.do | tcp |
| US | 23.21.31.78:80 | bit.do | tcp |
| US | 8.8.8.8:53 | rebrand.ly | udp |
| US | 15.197.137.111:80 | rebrand.ly | tcp |
| US | 8.8.8.8:53 | fran.ac.ug | udp |
| US | 8.8.8.8:53 | fransceysse.ac.ug | udp |
| US | 8.8.8.8:53 | tinyurl.com | udp |
| US | 104.20.138.65:80 | tinyurl.com | tcp |
| US | 8.8.8.8:53 | kode.ac.ug | udp |
| US | 8.8.8.8:53 | kodekode.ac.ug | udp |
| US | 8.8.8.8:53 | tuekisa.ac.ug | udp |
| US | 8.8.8.8:53 | partadino.ac.ug | udp |
| RU | 91.215.85.223:80 | partadino.ac.ug | tcp |
| US | 8.8.8.8:53 | markinda.xyz | udp |
| US | 8.8.8.8:53 | markinda.top | udp |
| US | 23.21.31.78:80 | bit.do | tcp |
| US | 23.21.31.78:80 | bit.do | tcp |
| US | 15.197.137.111:80 | rebrand.ly | tcp |
| US | 8.8.8.8:53 | movescx.top | udp |
| US | 8.8.8.8:53 | cointra.ac.ug | udp |
| US | 8.8.8.8:53 | muylove.ac.ug | udp |
| US | 8.8.8.8:53 | partiad.top | udp |
| US | 8.8.8.8:53 | partiad.xyz | udp |
Files
memory/1152-2-0x0000000000240000-0x0000000000241000-memory.dmp
\Users\Admin\AppData\Local\Temp\vctuacx.exe
| MD5 | d6bfa5d4d5d67dd73013e5b400cac2e7 |
| SHA1 | 725f7fec0fd1f245c44ab1c228cd349a5e12bd71 |
| SHA256 | fa40dc2c8055f953099d7d354ba97fbf3a5f3aa501ce95cb8cefa810b80ea5d4 |
| SHA512 | e5d58b64de4d398290d0cd79d44a516ca2528bd183566926ea1f3b9211b20fa5c2244bcc8bd3cc1f3b1d470dc257b72b8d3530d682fff00b7b52227c6c3c7808 |
memory/1988-13-0x0000000000400000-0x0000000000667000-memory.dmp
memory/1152-12-0x00000000006C0000-0x00000000006C7000-memory.dmp
memory/1988-16-0x0000000000400000-0x0000000000663000-memory.dmp
memory/1988-15-0x0000000000400000-0x0000000000667000-memory.dmp
memory/2308-19-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/2880-23-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1988-25-0x0000000000400000-0x0000000000667000-memory.dmp
memory/2880-29-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1988-24-0x0000000000400000-0x0000000000667000-memory.dmp
memory/1988-31-0x0000000000030000-0x0000000000031000-memory.dmp
memory/2880-32-0x0000000000270000-0x0000000000271000-memory.dmp
memory/1988-18-0x0000000000400000-0x0000000000667000-memory.dmp
memory/1988-37-0x0000000010000000-0x000000001002F000-memory.dmp
\Users\Admin\AppData\Local\Temp\bassmod.dll
| MD5 | e3a6587ba5a4ee4514ecaa4265dd9b2c |
| SHA1 | b44bb9b5fc3478fa6ea5140603857ee0c2d4c4fd |
| SHA256 | 566934a049ae41fe36e2e122825875e5c02d4db083e744a7a3c94f456cec2f94 |
| SHA512 | 90f4e5ceac00a0815452ef951feb3aa29e6ef408d8d4cda023c3fdd49ba0238e06589cee9cc0be842eddd1b02bd1d448d9ab8bdaed70651b38d6074c9f99d22f |
memory/1988-38-0x0000000000320000-0x0000000000321000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 1a917a85dcbb1d3df5f4dd02e3a62873 |
| SHA1 | 567f528fec8e7a4787f8c253446d8f1b620dc9d6 |
| SHA256 | 217fbf967c95d1359314fcd53ae8d04489eb3c7bdc1f22110d5a8a476d1fc92e |
| SHA512 | 341acbd43efac1718c7f3e3795549acf29237a2675bdadcb7e52ce18aac6dcc6ae628e1b6edfa2338ed6d9923c148cb4322c75fad86d5c0e6f2327c2270563ec |
\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 6dad17a1d628886f2c1d5d73ebfbf744 |
| SHA1 | 272c79fe0abaa326f156e47e8d0ee028b6b4b1bb |
| SHA256 | 23c70c027597b9c028871567652d1cc901f73f03c9600086ec9a9b99df0efda2 |
| SHA512 | 7e108e46f005116a2be1fe86bd7c654c77b9e96b2ce0b5e2693642259c83099022790aa4e456c2c96aad6329eaacb734dccc1a971c15e31c705454d8b6245b98 |
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | a57729fb7bff6062d9aae738e04b264f |
| SHA1 | 152b25d01d4042f9a17ad76a0f4cdd90a90005e7 |
| SHA256 | 541e3a75f3d258e30c211866fe1b75e573dfd00e8488d10d1e6fafa17d0bf145 |
| SHA512 | 059fed22bb1094accd1ce156827aaede68269bc1c6ea8bcce1992117239df9923ddb02c7619d9f55723199dfda6278316b53c74af72e62233ef9dc96cd6c1bf9 |
memory/1988-49-0x0000000000400000-0x0000000000663000-memory.dmp
memory/1148-50-0x00000000003A0000-0x00000000005C8000-memory.dmp
memory/1148-51-0x0000000074430000-0x0000000074B1E000-memory.dmp
memory/1148-52-0x00000000049A0000-0x0000000004BA8000-memory.dmp
memory/1148-53-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-54-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-56-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-58-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-60-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-62-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-64-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-66-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-68-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-70-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-72-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-74-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-76-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-78-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-80-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-84-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-87-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-91-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-93-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-89-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-97-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-95-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-99-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-101-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-105-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-107-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1148-103-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/1988-85-0x0000000000400000-0x0000000000667000-memory.dmp
memory/1148-82-0x00000000049A0000-0x0000000004BA3000-memory.dmp
memory/2880-363-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1988-650-0x0000000010000000-0x000000001002F000-memory.dmp
memory/1988-812-0x0000000000320000-0x0000000000321000-memory.dmp
memory/1148-995-0x0000000001F70000-0x0000000001FB0000-memory.dmp
memory/1148-996-0x0000000000300000-0x0000000000301000-memory.dmp
memory/1148-997-0x0000000004EF0000-0x0000000005090000-memory.dmp
memory/1148-998-0x00000000047D0000-0x000000000481C000-memory.dmp
\Users\Admin\AppData\Local\Temp\BBLb.exe
| MD5 | 71eb1bc6e6da380c1cb552d78b391b2a |
| SHA1 | df3278e6e26d8c0bc878fe0a8c8a91b28c5a652d |
| SHA256 | cefa92ee6cc2fad86c49dd37d57ff8afcb9b9abef0a110689e6d771394256bd6 |
| SHA512 | d6fab2c469924b8202f7964e864f66d6b6151937c8d134fb40e1f1d3787cf22328892c3f7209786e0b42e1abd5ca71a61f40538ef1e93534d2a98bf6d4448e90 |
memory/1612-1007-0x0000000074430000-0x0000000074B1E000-memory.dmp
memory/1612-1006-0x0000000000130000-0x0000000000270000-memory.dmp
memory/1612-1009-0x00000000022D0000-0x0000000002310000-memory.dmp
memory/1148-1008-0x0000000074430000-0x0000000074B1E000-memory.dmp
memory/1612-1010-0x0000000004C70000-0x0000000004D98000-memory.dmp
\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 2a86f6ec50089c5e50a07dcd113ff65b |
| SHA1 | 6e419db1a719a214164ec46d58b5aac4ea9f4ada |
| SHA256 | a502e3afa1a6207c43789ce9b866012041be2241c0c26feeded4ef82bb5eade4 |
| SHA512 | e088d2bd5a5fb6b3f681e37fe68c386f704001fe0b6c8f5dbe25b14cf833d1c27ce0c18a4ad4aed7313b4b8444436fd6a71b6510688920f081fb7f287a2fd1eb |
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 3d9ff8a504031fbbd2d866828ee7a642 |
| SHA1 | bd70d5e1e4e983ab855c19cc5021a193e0f43922 |
| SHA256 | 82774139d6d23804accfc50c556856d472a79811deae8ffd52f0feb65bfeec9e |
| SHA512 | 43404ddd65207b94b80d27b0de35d5a17f7dec268567036f850b106543ef0993c57160e719ef0d9da9682dfc5b05f5dcd4a51751c588136ebead1efd6609f29a |
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | d2c8ab0106d33d9a0b1fd939198f4224 |
| SHA1 | 53ef0dbc5735486a5b8288a16e77fb71a967ba8c |
| SHA256 | 1a0a89b5faf16dac66cf7f64767b41cb6d41bea97b37b8c56b17d79da99390c9 |
| SHA512 | e5707b62186cd62c45951005681065ac87a62fb1400693205e5639dc7f453a09b8b85422320dfa697c36447d8a7b74e812443800bf0c84f038ae42709fdd68c0 |
\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 2b41b95af46b68453332f2a18119c087 |
| SHA1 | 342b41f904d868f88bfb10cff44079ec67039b15 |
| SHA256 | 1f0196686bc4c083e0aad18182707e6e77ac75f566037e586c8fe5aa974eafea |
| SHA512 | 24a16927e93b45b4af7aec10f9b0aaccbadbc152c0a9cc7000c05164691794bbba870669a96b95827c36f382ee0a5a652b492538bbd33a66eefa46227b0e0732 |
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 305145814473e0c4e5c7f29ccdca213a |
| SHA1 | 8579674138f71bbe2339801db6966263d7bac518 |
| SHA256 | e431cea88bd0ba9b80cb47e2705148e473b1076296e501a3d873db7b3a150da7 |
| SHA512 | 0f759a1f8824143489f44c300999db31b576572e28f77b4c8f3589a88717df3e53908d330c932fcb8e3c4264f3912baa1302b29231447365c3f136f3d8761aee |
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 901647add3d61eabca6f4ccd981cd457 |
| SHA1 | 923f4be54c26ff574d5d737d118655e53821c0ba |
| SHA256 | 2b1d616e3c1944126c18bcdf81bca6a65f15bc8cd654b106408c5d34cdb719b7 |
| SHA512 | ae733fa86116c9781586266bc5513b1b32f85f5262c29d4b9fedc4af668e1a6afcff5fe32b7faf7a554fc8b58c71b0e2104fdac7fb0ae3568838cd81e630261b |
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | bf5e6f7ad139d9b44c959fab6126ae48 |
| SHA1 | b511e899b4f47577b11286b6e134dbe0a5659147 |
| SHA256 | 12bf6f4e44962ea92999c3fcc6751b2f0f8d163be9ae7b290cfba8d7dee432e3 |
| SHA512 | f0c4f5c6984d14ee60913c2784cf9ccd7904a254b46f7bca67aa3eb349dfd5956900e66c80dbae1e084b71ae7555d9a7ac56b2d42801c7a990f368daa78fba81 |
memory/1148-1032-0x0000000074430000-0x0000000074B1E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 7cb9f2b9fc46e1d7c81aacf1918b635e |
| SHA1 | 63820b7c3e92e2c3622f95c7246f2405e5a1ec8f |
| SHA256 | 6aef22390f556ce1c6e57e3a482a07c925c85d2fd26969090b06a3ae647bd6a0 |
| SHA512 | aa5e3d485113b046306ad59815d51bc2046f655b02becd7254964c4bd7c3b558e33cdee01b1cd9405ac9db8663641a4c630a347268d7aecd3778d282ed08bcc4 |
\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 9f99821463ee96b48d882e7fe44f30c2 |
| SHA1 | 02dcbe14da05fd90342149b2bef2f93cc1073b40 |
| SHA256 | b58c672da752eb3a20a1bbc2f8b3ba71884998c241cae72da7bb1872a679085c |
| SHA512 | 283ff20a7fe1a74a331c9c3acfbdbf4061858bed17d7d1279a3819b75d45965e4c1b52775ac98ebc6f45ae40ddaf3244235a8bb61c2be2618fd512aa86f25180 |
\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 21d13f88cf023762c741bbb8e3d5e0f1 |
| SHA1 | 2d679ab260b243e5a6d49422fe4406c5eac81f3c |
| SHA256 | c7ee4abe275207aa56e8a519fc92af8c8cbb3b452b7adc2b8aacf20e5587fce2 |
| SHA512 | bfd53d113d5799248adde1beba931cf7bbea5e760f26eb9fd17c4b9d48a8283b9f969cc0b9bdcfd3126cd5da650515d3e117eaea666c1ee2f13dabcf5fd408f2 |
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 77a9af8a6f2aa1d2e088ddc9e4744898 |
| SHA1 | 756bdbae22fe5efb2d5ce857f6b9e350875270ee |
| SHA256 | d67b926f192cab5e8defb5ff22bbf79e3db1461b891c8644cd4e1442c577026d |
| SHA512 | 14dfd6adecf9b9d4f88a15f15cc52c62f9ee2f75d3d494f91061064c9cf543c164083528f211e8a2c273c94386cc5892c051eee64bb88e72700e7e5cb368d7ce |
\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | c84b71ce414bcbcc310ac6ed6316cf19 |
| SHA1 | 3272c21fd9948783694627f05ce65a8cdfa793b2 |
| SHA256 | e0c20b2b6bb4248c295c2c518a7e0efd502850cd5794b6d19f1f070342f378fe |
| SHA512 | ba31cb0046617ef884337b4e57f322f2ad834725762e13f8ce0ba2f89182ca539dcb00d6ce94c301e510768787844142e5375198cd42f6e951179e86f35ee6ed |
\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | d470c5acd68b7528856836ae90a3b395 |
| SHA1 | a3aa63951f1e70cc1a3b2fa36b9373de194244da |
| SHA256 | 23d6df0dd3cab83fd927d6602c5ffdd3b87f3e0ed03d386b2d9eb255c54d131e |
| SHA512 | 46d0494169c56952caad58cd63c9e2064fea60e9ec4ae85a93acc73152690114eab51f65c5b7ad1bb203452e59fbd22e7a5ee2fd6c331ca24a88052f85fe648e |
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | c57b4de6823f4782aaffe1739af664e5 |
| SHA1 | a5bdd27957394b06ed5739c7cfcc4e513a3f36c0 |
| SHA256 | c13dd20cddbff666755cd9fe5e8073c2d97889393d29c0a9b97a010f2828f068 |
| SHA512 | e6e9a70cef18f516e0a3cdd5f64d928c1e248811c6d1be515e073ddc27fc0c57df96f7575089b9d44c534a98cc30970fd8c1303e65c6b5561c711415163a57f3 |
memory/1612-1016-0x0000000004DA0000-0x0000000004ECA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 56bac36092872b5f22da31df51937a45 |
| SHA1 | fc3f340694ff92560bfd4dc1f71f7a405d29ad89 |
| SHA256 | 8637f7717ca9131a408987ca277555edf2b6fdc890f769e892d77300a7f623e9 |
| SHA512 | c1910d8c806306cc36c735e97c495a3f0e8b591c4e0b48eac7ca7c273a7ddfa6d7439a9112a17c19727e95dda0d7cc2b5e7869b17e43d69c3c9572b985a697db |
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 16e2a532137be4ad240133f4aa246c32 |
| SHA1 | ed2342853ae2b4cd5303ee56037501a2d89b515e |
| SHA256 | d30845a4bc7a48cfbdfe6d977c3deac99f5d5f59f6a7c688999676e10608f960 |
| SHA512 | 6c0c4c6495da845496e7ed5783fe199a721ebedc75504d7afc08bb0bfc2797e77331eddd79e2a727a87457b6000f4776cf1c467c32d895908c0eae7c46a2224e |
\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 715b62e332a0b52b690bb724d56a43cc |
| SHA1 | 0855176779c6d75642d64edc682ca8b11756410f |
| SHA256 | 751be823130da932b588761b596984f8a896b0c88da34981945a2d0de8f1ec96 |
| SHA512 | 6dc536b007d12790de713f5eb71d3d29ad395f9bbb8b3ae1452f699e030fac7476752cb0469d846cda0893e5beb615d423ff8e6f4aa0bb8e3b8691610dc77eb5 |
\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | e3037f3e2b965b491948505ea85c3b65 |
| SHA1 | ad6272397cb611bae7141363d050f91d47b99b97 |
| SHA256 | e54c79f902772f59681cadbd5115fe5a6e753eadcaeaa3b69d6dc3bb84a4129b |
| SHA512 | 74fba3e9dd6bd73f54b1fa691713235188d4c69961122eedfae0bd1b12cb401978017bc68516924525267ead97b2794f2f6d2ced4a3ef46ef2b41665a1c6de5a |
\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | befdec4920dc463a48214a64e3a3fc57 |
| SHA1 | 3f2f468d3199e61aeb9805179fee3bf3e69b40e0 |
| SHA256 | 670bed58b303646141f7c6de74e2651293494182335d421a02b40fa33ea66780 |
| SHA512 | e989f5eee83e2e2818620451431aa21b598ef666b71be1f3b01fedf904c1fe5d700cdb003b4a89b348412ed2263f76387b884b63c1428eea04047b11e8e2b370 |
memory/1612-1968-0x0000000000390000-0x0000000000391000-memory.dmp
memory/1612-1969-0x0000000005250000-0x0000000005310000-memory.dmp
\Users\Admin\AppData\Local\Temp\BBLb.exe
| MD5 | c43f9e71adc553cfd066fff8faa951fc |
| SHA1 | b42ed3117d59c78a9aae1f3808239c8396478cd7 |
| SHA256 | 067522f8c4d0832c9c7495fb46638aa41e0387994284fab89e0ac6885f6a76a8 |
| SHA512 | d1822bc87a5bbbd34e2c374cd4eb384f5b965671215e6e70a6f59b07b5fcacbcfcfcd678d8894ffe818861a6694a32b9414d57d45143a5a6908431b77f4b2748 |
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
| MD5 | 2738e6311dfb65c10746a7e823f9c420 |
| SHA1 | dff9f71a4ec25e8bb172629618416bc404a4cd49 |
| SHA256 | 0da7fc29b321a65e7244308f99d4370a67a81c2b9407aedbee4e5a97cfde44e3 |
| SHA512 | 70dbcbdecfe67d2507b09b30906a8760abdf69588287543e8251022347d98697dd051bae0c82dc2918d20f11d508e7b7273ffc68e2661d72ccb47194246d5a60 |
memory/1612-1980-0x0000000074430000-0x0000000074B1E000-memory.dmp
memory/1756-1985-0x00000000743B0000-0x0000000074A9E000-memory.dmp
memory/1756-1984-0x0000000000400000-0x000000000049C000-memory.dmp
memory/1756-1987-0x00000000049A0000-0x00000000049E0000-memory.dmp
memory/1756-1986-0x0000000004870000-0x0000000004958000-memory.dmp
memory/1756-3273-0x00000000743B0000-0x0000000074A9E000-memory.dmp
memory/1756-3609-0x00000000049A0000-0x00000000049E0000-memory.dmp
memory/1756-4196-0x0000000004320000-0x0000000004376000-memory.dmp
memory/1756-4198-0x0000000004450000-0x00000000044A4000-memory.dmp
memory/1756-4200-0x00000000743B0000-0x0000000074A9E000-memory.dmp
memory/2664-4205-0x0000000019E50000-0x000000001A132000-memory.dmp
memory/2664-4206-0x0000000000E70000-0x0000000000E78000-memory.dmp
memory/2664-4207-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp
memory/2664-4210-0x0000000000F50000-0x0000000000FD0000-memory.dmp
memory/2664-4211-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp
memory/2664-4212-0x0000000000F50000-0x0000000000FD0000-memory.dmp
memory/2664-4214-0x0000000000F50000-0x0000000000FD0000-memory.dmp
memory/2664-4215-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp
\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
| MD5 | ad7af059b52c2a4f24bffd563b27bcb3 |
| SHA1 | ce0d642c692f1c23c838c5d4232c9d2261bf5e1c |
| SHA256 | 0bc77bf0a4624a031179c2e502e650f3533e1c62cfdc3f555210317322c98d64 |
| SHA512 | 75a9c7f3b87405d1d56e5c1a81dd8b20394bfb5a50af15c685f63a5651c6607f8152841453ef1403a8b26c3fd8f14de80ab20d3fb261e7655476d3d8cc56acd9 |
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
| MD5 | 6a84fb8031a6073d6f4d9f3dac12f277 |
| SHA1 | 19a5b6e4a107857da24779d92f446729f02825f0 |
| SHA256 | f2633b79deed5997488498e8d3ba0bc51a4eb3a3afcc05d431b15870b1d1cf0e |
| SHA512 | b075312ad68787dfe670a7cee5323d8512f99fc3af6f3dd53f2ba9856a0f133681ed605c81da1a87bc58432c7d9db0a225342b091158c9cd0c1eeabbeb26e1e5 |
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
| MD5 | eb204f6dab7cf388aaab7888ee65d05f |
| SHA1 | db6939b8790fa8bd6389d0677372ac1ca9cf7ce2 |
| SHA256 | 751bc8e153fb220c1f91fb9fbe128cc6e5818b06468f766c75a7154acbb0f37e |
| SHA512 | 57ae37eb1bfc9ef21fbce4568957ddc22988d90d610b9dcb1d0a53e4c35a838119f1ec750cac3a943bf5e58955c223d0a244362e8cf92e9a9fb039d78170077f |
memory/2092-4227-0x0000000001210000-0x0000000001438000-memory.dmp
memory/2092-4226-0x00000000743E0000-0x0000000074ACE000-memory.dmp
memory/2092-5167-0x0000000000200000-0x0000000000201000-memory.dmp
memory/2092-5166-0x0000000000D50000-0x0000000000D90000-memory.dmp
\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
| MD5 | c017ac6363e7d39abbecf8347cd479fd |
| SHA1 | 30cd34b1a7d5e981b6f5653cf478999aa76b7792 |
| SHA256 | 0a04e77d164bf3eb3c96910b0e5b6bc6709d79fa0065a1a7dd9bbbfb414a2fb5 |
| SHA512 | 35253cb41f963b6d1d5f151677d5e62bc2f34f789e56b8730b9fb90fa6384f7c850bd5127113090a863084f8a90de6c824033323fbcd52fe6dcb8734d41dc602 |
memory/2092-5184-0x00000000743E0000-0x0000000074ACE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
| MD5 | d2a7797f65d6b62f3713eddcaf73750c |
| SHA1 | 20f0368240a9f8efd5f0445a2c7f325539b2b32f |
| SHA256 | 096d84ea8e861cbf3b62f9f6761a1d0cb166fda236c296449a9a4cd67da8eab2 |
| SHA512 | 70aa5e1d1aff6f0354c90e03e45d16764c444d0a4b7b4ee3e559ba782be01811030c76b85c53121002fc6c8aacfc1f9bef44e2c7b12f0cffdaff545708766e04 |
\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
| MD5 | e61fe70d671ca6e00aa25f8b815fad9d |
| SHA1 | 2b468f1cb1fb761fc97fadcf40fe20da4507f44e |
| SHA256 | 775d577ee31ec9dc960bae075095e86f4f27c843e8cf55ad7cdce1d67d554f88 |
| SHA512 | a42bf88b9ba7dcd096582d0e81d6edb724c56388074e6f4f02c72b78f5eac2e910a28f407c232d8fe84dbfd7fe6dbb99df21d7996f2fea8c7071296c8808d7f9 |
\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
| MD5 | bf61f338cc128a606e19a45341002853 |
| SHA1 | a34b4b29d7d486b846b862ff90ce8154e2cce612 |
| SHA256 | d5a856e0f918694ab607ae59f12a06bb2451a43747a38fad3cd8683b1f844a08 |
| SHA512 | 76d37bdfff437211bfe9b3f85d24dab44bb8775aa50abaf40a24c279f8ade4e09e49abec4c0d0d789b2b5d576b29bd806bcf6a3c5db64b8a00f4f650c687db02 |
\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
| MD5 | 7aa0db0511abc4d54de27b5ee07934dd |
| SHA1 | 04ed31bae856de6b79b2e0fb9d4cb18a5ef30d74 |
| SHA256 | a39f715893992c0370a7196ab0f78e090c27785ea83ff4fa31288edba32e0c36 |
| SHA512 | 78ca8b8f41c2495b13f837696ffd5c719177db7e19ef4c8b373c6c1ba206eac847c173420add7e31ab9e73114db087ef74b3fa0029438459e22d7405ba90ec58 |
\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
| MD5 | c6afb0c004d21f8fdc5466e5b9570246 |
| SHA1 | da3585ad7f8b9b48c1b4936257881f9dd307d52a |
| SHA256 | ebdbf9249394834c3ea133f8cbfc144a59e427f60c99317cba9ac73d58eb941d |
| SHA512 | 99e7804b085a459c9570174f8af4fc0cb71749422c111380ca0a77f195ea19fd6dd6c6901bd1a9e68b2d74e3478e63c19bfec63c0a53674d82acd946c84dbc37 |
\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
| MD5 | 8185a69623e729994f4919d4559d4f25 |
| SHA1 | 89645e506f85348f56b9efe2b328a2cb79080846 |
| SHA256 | c9f8af665c4d958cd778d72013e667ae8c92312776e7a1795c80ca3822ed1ab0 |
| SHA512 | ccd921fbf5f689fb56c3ad257160a7910d2484629ae9c9241097156142bec3d0bec0bca25c770a5bc2fda02c55af099e3429d2e41f2b32480f8331f2c386acee |
\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
| MD5 | b7a65e28d323e7ccc6727daafae7fede |
| SHA1 | 524e1b10ef8b50e16413a9feb90ca3aa2196c06c |
| SHA256 | e9a73f79b31c109d68ccd29d78589676265f9c0b1fccb18f784f43b1efa36767 |
| SHA512 | 7ec76f0e181841fdfa001179e4160ad713072a787557f8d194dde9b7f8066c50069e5400d2fce6c39bb9f383396b9fe755409bb8f3640a77d106d88cf5aecd71 |
C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe
| MD5 | b0ff12175629c451084af8d40925bab0 |
| SHA1 | adbc6f27fe0094fd2f7788080e817f4cd2cebce8 |
| SHA256 | 8c7089f8b1dc687eb609a76ac6bebf67b3d90168604ea624ddc8c206b19f91c0 |
| SHA512 | 60efb4c9c1c0e4310252392de96dc8762d9e5529ba5e292b98aef7f207e2c4f58b67cb7819060828967a02ffdf352ee624b65e40d807ba5e4cdcfe6498430b62 |
C:\Users\Admin\AppData\Local\TypeId\oubfbwcxu\AttributeString.exe
| MD5 | 926982c446e011078d140355fb07f929 |
| SHA1 | 21615be164d751111bcce74a1e3029e8a830979a |
| SHA256 | 66746a1531182809a7ae7c514b5858840548a715847aca6d5bef0de05dc606d0 |
| SHA512 | 32ce88d80e2a5574f2317f894c2e64128b043be80c7a9580eaf0a0bf229d6390b7ebde3dc0c64fc9a11c9ac6834aea73a50fb87dae3d59f1a0d11e22cac0ec13 |
memory/1204-5194-0x0000000000C90000-0x0000000000DD0000-memory.dmp
memory/1204-5195-0x0000000073A20000-0x000000007410E000-memory.dmp
memory/1204-5196-0x0000000000C20000-0x0000000000C60000-memory.dmp
memory/1204-6132-0x0000000000260000-0x0000000000261000-memory.dmp
memory/1204-6147-0x0000000073A20000-0x000000007410E000-memory.dmp
memory/612-6148-0x0000000000400000-0x000000000049C000-memory.dmp
memory/612-6149-0x0000000073A20000-0x000000007410E000-memory.dmp
memory/612-6150-0x00000000004F0000-0x0000000000530000-memory.dmp
memory/612-7097-0x0000000073A20000-0x000000007410E000-memory.dmp
memory/612-7268-0x00000000004F0000-0x0000000000530000-memory.dmp
memory/612-8359-0x0000000004DF0000-0x0000000004E44000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | a7794532b8bc992e4524df357873026e |
| SHA1 | ce0898e1e07ac2afbbdf0728935283d780a43723 |
| SHA256 | 6191e7e154da4491e85dceca26db9d2b4c9cca88180dea4c71b568a8900ed36c |
| SHA512 | 27eed2b3ee31f2762915ce6772a3e9bdc3ac552cf5296b23f21ec8752b8727824465d01dad6c6f244348632ffedb01b4825aeddf6b9e64326078e2c913bda912 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-11 15:48
Reported
2024-03-11 15:51
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PureLog Stealer
PureLog Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1784 created 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe | C:\Windows\system32\sihost.exe |
| PID 1452 created 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe | C:\Windows\system32\sihost.exe |
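The two rows above record the dropper (Dropakxa.exe, PID 1784, and DropaDkxa.exe, PID 1452) as the creating process while sihost.exe is the parent the new process ends up with, which is what the NtCreateUserProcess attribute PROC_THREAD_ATTRIBUTE_PARENT_PROCESS produces. The following is an added detection example, not part of the sandbox report: it flags any process start whose recorded parent differs from the process that actually issued the create call. The events are constructed; the PID of sihost.exe (2660), the child PIDs and dialer.exe as the spawned image are assumptions, as are the field names (your telemetry source decides those; the kernel create-process callback exposes both ParentProcessId and CreatingThreadId).

```python
"""Flag process creations whose recorded parent is not the creator.

Added example, not part of the sandbox report. Events are constructed to
mirror the two 'NtCreateUserProcessOtherParentProcess' rows: the dropper
creates a child while naming sihost.exe as its parent.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessStart:
    pid: int
    ppid: int          # parent recorded for the new process (what Sysmon/4688 show)
    creator_pid: int   # process whose thread actually called NtCreateUserProcess
    image: str


# Constructed events (assumption: 2660 is sihost.exe, children are dialer.exe).
SAMPLE_EVENTS: List[ProcessStart] = [
    ProcessStart(2660, 1100, 1100, r"C:\Windows\system32\sihost.exe"),
    ProcessStart(4800, 3000, 3000, r"C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe"),
    ProcessStart(1784, 4800, 4800, r"C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe"),
    ProcessStart(1452, 4800, 4800, r"C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe"),
    # spoofed: sihost.exe is the recorded parent, the droppers made the call
    ProcessStart(5100, 2660, 1784, r"C:\Windows\SysWOW64\dialer.exe"),
    ProcessStart(5200, 2660, 1452, r"C:\Windows\SysWOW64\dialer.exe"),
    # ordinary: recorded parent and creator agree
    ProcessStart(5300, 1784, 1784, r"C:\Windows\SysWOW64\WerFault.exe"),
]

Hit = Tuple[ProcessStart, Optional[ProcessStart], Optional[ProcessStart]]


def find_ppid_spoofing(events: List[ProcessStart]) -> List[Hit]:
    """Return (child, recorded_parent, real_creator) for every event whose
    recorded parent PID differs from the PID that issued the create call."""
    by_pid: Dict[int, ProcessStart] = {e.pid: e for e in events}
    return [
        (e, by_pid.get(e.ppid), by_pid.get(e.creator_pid))
        for e in events
        if e.ppid != e.creator_pid
    ]


def describe(hit: Hit) -> str:
    child, parent, creator = hit

    def name(p: Optional[ProcessStart]) -> str:
        return p.image.rsplit("\\", 1)[-1] if p else "?"

    return (
        f"PID {creator.pid if creator else '?'} ({name(creator)}) created "
        f"{child.pid} ({name(child)}) with parent spoofed to PID "
        f"{child.ppid} ({name(parent)})"
    )


if __name__ == "__main__":
    for hit in find_ppid_spoofing(SAMPLE_EVENTS):
        print(describe(hit))
```

Two hits come back, one per dropper. A tree built only from the recorded parent would place dialer.exe under sihost.exe and hide the droppers entirely, which is the point of the technique; keying the check on the creator thread's process is what defeats it.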
ZGRat
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\vctuacx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vctuacx.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vctuacx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vctuacx.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe
"C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe"
C:\Users\Admin\AppData\Local\Temp\vctuacx.exe
"C:\Users\Admin\AppData\Local\Temp\vctuacx.exe"
C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe
"C:\Users\Admin\AppData\Local\Temp\c0facaa9561e361afe9d92d38e2793a0.exe"
C:\Users\Admin\AppData\Local\Temp\vctuacx.exe
"C:\Users\Admin\AppData\Local\Temp\vctuacx.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x518
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
"C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe" 0
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
"C:\Users\Admin\AppData\Local\Temp\BBLb.exe"
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1784 -ip 1784
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1784 -ip 1784
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 480
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe
C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe
C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe
C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe
C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe
C:\Users\Admin\AppData\Local\TypeId\dylawcqb\AttributeString.exe
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
"C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe" 0
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1452 -ip 1452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1452 -ip 1452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 452
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
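The -enc argument on the two powershell.exe command lines above is base64 over UTF-16LE (PowerShell's -EncodedCommand format), not base64 over UTF-8, and it decodes to two Add-MpPreference calls that exclude the drop directory and the dropped AttributeString.exe from Defender. The block below is an added example, not part of the report: it decodes such a command line and lists the exclusions it adds. The command line is copied verbatim from the process list; the parsing helpers are mine, and the set of -Exclusion* switches they look for is limited to Path, Process and Extension.

```python
"""Decode powershell.exe -EncodedCommand and extract Defender exclusions.

Added example, not part of the sandbox report. CMDLINE is copied from the
report's process list; the helpers below are mine.
"""
import base64
import re
from typing import List, Optional, Tuple

CMDLINE = (
    "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc "
    "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAg"
    "AEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEA"
    "ZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBz"
    "AHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA"
)


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script when the command line carries -EncodedCommand
    (or any of the unambiguous prefixes PowerShell accepts: -e, -ec, -enc, ...),
    otherwise None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] not in ("-", "/"):
            continue
        flag = tok[1:].lower()
        # -ExecutionPolicy, -ep etc. are not prefixes of 'encodedcommand'
        if flag and "encodedcommand".startswith(flag):
            raw = base64.b64decode(tokens[i + 1])
            return raw.decode("utf-16-le")  # UTF-16LE, not UTF-8
    return None


_EXCLUSION = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+([^;\r\n]+)", re.I
)


def defender_exclusions(script: str) -> List[Tuple[str, str]]:
    """List (kind, value) for every Add-MpPreference -Exclusion* in the script."""
    return [
        (m.group(1).capitalize(), m.group(2).strip().strip("\"'"))
        for m in _EXCLUSION.finditer(script)
    ]


if __name__ == "__main__":
    script = extract_encoded_command(CMDLINE)
    print(script)
    for kind, value in defender_exclusions(script or ""):
        print(f"Defender exclusion ({kind}): {value}")
```

The decoded script, `Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local; Add-MpPreference -ExclusionProcess AttributeString.exe;`, matches the dropped-file path C:\Users\Admin\AppData\Local\TypeId\...\AttributeString.exe seen in the file lists, so the exclusion is staged before the persistent copy runs. Defender logs the change itself (Microsoft-Windows-Windows Defender/Operational event 5007), which is worth alerting on independently of the command-line decode.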
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hubvera.ac.ug | udp |
| RU | 91.215.85.223:80 | hubvera.ac.ug | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 223.85.215.91.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ddlakava.ac.ug | udp |
| US | 8.8.8.8:53 | bit.do | udp |
| US | 23.21.31.78:80 | bit.do | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 23.21.31.78:80 | bit.do | tcp |
| US | 8.8.8.8:53 | rebrand.ly | udp |
| US | 3.33.143.57:80 | rebrand.ly | tcp |
| US | 8.8.8.8:53 | fran.ac.ug | udp |
| US | 8.8.8.8:53 | fransceysse.ac.ug | udp |
| US | 8.8.8.8:53 | 57.143.33.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tinyurl.com | udp |
| US | 104.20.139.65:80 | tinyurl.com | tcp |
| US | 8.8.8.8:53 | kode.ac.ug | udp |
| US | 8.8.8.8:53 | kodekode.ac.ug | udp |
| US | 8.8.8.8:53 | tuekisa.ac.ug | udp |
| US | 8.8.8.8:53 | partadino.ac.ug | udp |
| US | 8.8.8.8:53 | 65.139.20.104.in-addr.arpa | udp |
| RU | 91.215.85.223:80 | partadino.ac.ug | tcp |
| US | 8.8.8.8:53 | markinda.xyz | udp |
| US | 8.8.8.8:53 | markinda.top | udp |
| US | 23.21.31.78:80 | bit.do | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 23.21.31.78:80 | bit.do | tcp |
| US | 8.8.8.8:53 | nickshort.ug | udp |
| US | 8.8.8.8:53 | kodedea.ug | udp |
| US | 8.8.8.8:53 | junks.ac.ug | udp |
| NL | 94.156.69.145:58001 | junks.ac.ug | tcp |
| US | 8.8.8.8:53 | movescx.top | udp |
| NL | 94.156.69.145:58002 | junks.ac.ug | tcp |
| US | 8.8.8.8:53 | cointra.ac.ug | udp |
| US | 8.8.8.8:53 | muylove.ac.ug | udp |
| US | 8.8.8.8:53 | partiad.top | udp |
| US | 8.8.8.8:53 | partiad.xyz | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 94.156.69.145:58003 | junks.ac.ug | tcp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
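Most of the Network table is reverse-DNS lookups and Microsoft background traffic, with the sample's own contacts mixed in: 91.215.85.223:80 (hubvera.ac.ug, partadino.ac.ug), 94.156.69.145 on the non-standard ports 58001 to 58003 (junks.ac.ug), and a chain of public URL shorteners. The following is an added example, not part of the report: it parses rows in the table's own format and separates resolved contacts from names that were only looked up. The rows embedded are a subset copied from the table above; the noise rules (in-addr.arpa and *.bing.* treated as sandbox/OS background, bit.do/rebrand.ly/tinyurl.com treated as redirectors rather than attacker infrastructure) are assumptions to validate against your own baseline.

```python
"""Turn the sandbox Network table into candidate indicators.

Added example, not part of the sandbox report. NETWORK_TABLE is a subset
of rows copied from the report; the filtering rules are assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

NETWORK_TABLE = """\
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hubvera.ac.ug | udp |
| RU | 91.215.85.223:80 | hubvera.ac.ug | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | ddlakava.ac.ug | udp |
| US | 8.8.8.8:53 | bit.do | udp |
| US | 23.21.31.78:80 | bit.do | tcp |
| US | 3.33.143.57:80 | rebrand.ly | tcp |
| US | 104.20.139.65:80 | tinyurl.com | tcp |
| RU | 91.215.85.223:80 | partadino.ac.ug | tcp |
| US | 8.8.8.8:53 | markinda.xyz | udp |
| NL | 94.156.69.145:58001 | junks.ac.ug | tcp |
| NL | 94.156.69.145:58002 | junks.ac.ug | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 94.156.69.145:58003 | junks.ac.ug | tcp |
"""

# Assumptions: background traffic and public redirectors, not attacker hosts.
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")
SHORTENERS = {"bit.do", "rebrand.ly", "tinyurl.com"}

Row = Tuple[str, str, int, str, str]  # country, host, port, domain, proto


def parse_rows(table: str) -> List[Row]:
    """Parse '| Country | Destination | Domain | Proto |' rows."""
    rows: List[Row] = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        rows.append((country, host, int(port), domain, proto))
    return rows


def classify(rows: List[Row]) -> Tuple[Dict[str, Set[Tuple[str, int, str]]], Set[str]]:
    """Split rows into {domain: {(ip, port, country)}} for real connections and
    the set of domains that were only ever queried via DNS."""
    resolved: Dict[str, Set[Tuple[str, int, str]]] = defaultdict(set)
    dns_only: Set[str] = set()
    for country, host, port, domain, _proto in rows:
        if domain.endswith(NOISE_SUFFIXES):
            continue
        if host == "8.8.8.8" and port == 53:
            dns_only.add(domain)
        else:
            resolved[domain].add((host, port, country))
    dns_only -= set(resolved)  # looked up and then contacted: not DNS-only
    return dict(resolved), dns_only


def candidate_iocs(table: str) -> List[Tuple[str, str, int, str]]:
    """Sorted (domain, ip, port, country) for contacts worth blocking/hunting."""
    resolved, _ = classify(parse_rows(table))
    return sorted(
        (domain, host, port, country)
        for domain, contacts in resolved.items()
        if domain not in SHORTENERS
        for host, port, country in contacts
    )


def unresolved_lookups(table: str) -> List[str]:
    """Domains the sample asked for but never connected to (dead or sinkholed
    fallbacks, still useful as hunting terms)."""
    _, dns_only = classify(parse_rows(table))
    return sorted(dns_only)


if __name__ == "__main__":
    for ioc in candidate_iocs(NETWORK_TABLE):
        print("contact   ", *ioc)
    for name in unresolved_lookups(NETWORK_TABLE):
        print("dns-only  ", name)
```

On the full table the same logic also surfaces the other .ac.ug and .ug names that were queried but never answered with a connection; treat those as fallback C2 candidates rather than discarding them, since the sample rotates through them in sequence.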
Files
memory/4800-2-0x00000000770E2000-0x00000000770E3000-memory.dmp
memory/4800-3-0x00000000006D0000-0x00000000006D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vctuacx.exe
| MD5 | d6bfa5d4d5d67dd73013e5b400cac2e7 |
| SHA1 | 725f7fec0fd1f245c44ab1c228cd349a5e12bd71 |
| SHA256 | fa40dc2c8055f953099d7d354ba97fbf3a5f3aa501ce95cb8cefa810b80ea5d4 |
| SHA512 | e5d58b64de4d398290d0cd79d44a516ca2528bd183566926ea1f3b9211b20fa5c2244bcc8bd3cc1f3b1d470dc257b72b8d3530d682fff00b7b52227c6c3c7808 |
memory/896-17-0x00000000005F0000-0x00000000005F1000-memory.dmp
memory/4800-18-0x0000000003300000-0x0000000003307000-memory.dmp
memory/4424-19-0x0000000000400000-0x0000000000667000-memory.dmp
memory/4424-21-0x0000000000400000-0x0000000000667000-memory.dmp
memory/4424-22-0x0000000000400000-0x0000000000667000-memory.dmp
memory/3964-20-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4424-23-0x0000000000400000-0x0000000000663000-memory.dmp
memory/3964-27-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4424-29-0x0000000000400000-0x0000000000667000-memory.dmp
memory/4424-28-0x00000000770E2000-0x00000000770E3000-memory.dmp
memory/3964-31-0x00000000770E2000-0x00000000770E3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bassmod.dll
| MD5 | e3a6587ba5a4ee4514ecaa4265dd9b2c |
| SHA1 | b44bb9b5fc3478fa6ea5140603857ee0c2d4c4fd |
| SHA256 | 566934a049ae41fe36e2e122825875e5c02d4db083e744a7a3c94f456cec2f94 |
| SHA512 | 90f4e5ceac00a0815452ef951feb3aa29e6ef408d8d4cda023c3fdd49ba0238e06589cee9cc0be842eddd1b02bd1d448d9ab8bdaed70651b38d6074c9f99d22f |
memory/3964-33-0x0000000000580000-0x0000000000581000-memory.dmp
memory/4424-36-0x0000000000030000-0x0000000000031000-memory.dmp
memory/4424-37-0x0000000010000000-0x000000001002F000-memory.dmp
memory/4424-39-0x0000000000F30000-0x0000000000F31000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Dropakxa.exe
| MD5 | 1a917a85dcbb1d3df5f4dd02e3a62873 |
| SHA1 | 567f528fec8e7a4787f8c253446d8f1b620dc9d6 |
| SHA256 | 217fbf967c95d1359314fcd53ae8d04489eb3c7bdc1f22110d5a8a476d1fc92e |
| SHA512 | 341acbd43efac1718c7f3e3795549acf29237a2675bdadcb7e52ce18aac6dcc6ae628e1b6edfa2338ed6d9923c148cb4322c75fad86d5c0e6f2327c2270563ec |
memory/1172-55-0x0000000000FB0000-0x00000000011D8000-memory.dmp
memory/1172-56-0x0000000071F10000-0x00000000726C0000-memory.dmp
memory/1172-57-0x0000000005B70000-0x0000000005D78000-memory.dmp
memory/1172-58-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-59-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-61-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-65-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-69-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-67-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-71-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-73-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-75-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-79-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-81-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-83-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-85-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-87-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-89-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-91-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-95-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-97-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-93-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-99-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-77-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-101-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-103-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-63-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-105-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-107-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-111-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/1172-109-0x0000000005B70000-0x0000000005D73000-memory.dmp
memory/4424-933-0x0000000000400000-0x0000000000663000-memory.dmp
memory/4424-994-0x0000000000400000-0x0000000000667000-memory.dmp
memory/1172-995-0x0000000005B60000-0x0000000005B70000-memory.dmp
memory/1172-996-0x0000000005A00000-0x0000000005A01000-memory.dmp
memory/1172-998-0x0000000005AB0000-0x0000000005AFC000-memory.dmp
memory/1172-997-0x0000000005E80000-0x0000000006020000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
| MD5 | 71eb1bc6e6da380c1cb552d78b391b2a |
| SHA1 | df3278e6e26d8c0bc878fe0a8c8a91b28c5a652d |
| SHA256 | cefa92ee6cc2fad86c49dd37d57ff8afcb9b9abef0a110689e6d771394256bd6 |
| SHA512 | d6fab2c469924b8202f7964e864f66d6b6151937c8d134fb40e1f1d3787cf22328892c3f7209786e0b42e1abd5ca71a61f40538ef1e93534d2a98bf6d4448e90 |
memory/3964-1012-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2024-1020-0x0000000071F10000-0x00000000726C0000-memory.dmp
memory/4424-1022-0x0000000010000000-0x000000001002F000-memory.dmp
memory/2024-1025-0x00000000054A0000-0x00000000054B0000-memory.dmp
memory/1784-1027-0x0000000000400000-0x0000000000488000-memory.dmp
memory/1172-1021-0x0000000071F10000-0x00000000726C0000-memory.dmp
memory/2024-1019-0x0000000005520000-0x000000000564A000-memory.dmp
memory/2024-1013-0x0000000005350000-0x0000000005478000-memory.dmp
memory/1172-1011-0x0000000008280000-0x0000000008824000-memory.dmp
memory/2024-1010-0x0000000000A50000-0x0000000000B90000-memory.dmp
memory/1784-1289-0x0000000003E80000-0x0000000004280000-memory.dmp
memory/1784-1295-0x0000000003E80000-0x0000000004280000-memory.dmp
memory/3224-1313-0x0000000002B90000-0x0000000002F90000-memory.dmp
memory/3224-1317-0x0000000002B90000-0x0000000002F90000-memory.dmp
memory/3224-1341-0x0000000002B90000-0x0000000002F90000-memory.dmp
memory/1784-1338-0x0000000003E80000-0x0000000004280000-memory.dmp
memory/2024-1975-0x0000000005490000-0x0000000005491000-memory.dmp
memory/2024-1976-0x00000000058B0000-0x0000000005970000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BBLb.exe.log
| MD5 | 4a911455784f74e368a4c2c7876d76f4 |
| SHA1 | a1700a0849ffb4f26671eb76da2489946b821c34 |
| SHA256 | 264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c |
| SHA512 | 4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d |
memory/2024-1984-0x0000000071F10000-0x00000000726C0000-memory.dmp
memory/4008-1983-0x0000000000400000-0x000000000049C000-memory.dmp
memory/4008-1988-0x0000000005480000-0x0000000005568000-memory.dmp
memory/4008-1989-0x0000000071F10000-0x00000000726C0000-memory.dmp
memory/4008-1990-0x0000000005640000-0x0000000005650000-memory.dmp
memory/4008-4191-0x00000000056C0000-0x0000000005716000-memory.dmp
memory/4008-4192-0x0000000005940000-0x00000000059A6000-memory.dmp
memory/4008-4193-0x0000000005D60000-0x0000000005DB4000-memory.dmp
memory/4008-4195-0x0000000071F10000-0x00000000726C0000-memory.dmp
memory/3624-4199-0x00007FFF6BFE0000-0x00007FFF6CAA1000-memory.dmp
memory/3624-4200-0x0000021D1AB10000-0x0000021D1AB20000-memory.dmp
memory/3624-4201-0x0000021D1AB10000-0x0000021D1AB20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cvgevfn0.ps1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3624-4207-0x0000021D02510000-0x0000021D02532000-memory.dmp
memory/3624-4214-0x00007FFF6BFE0000-0x00007FFF6CAA1000-memory.dmp
memory/3244-4224-0x00000000052E0000-0x00000000052F0000-memory.dmp
memory/3244-4223-0x0000000071F10000-0x00000000726C0000-memory.dmp
memory/3244-5161-0x0000000002AD0000-0x0000000002AD1000-memory.dmp
memory/3244-5167-0x0000000071F10000-0x00000000726C0000-memory.dmp
memory/1368-5168-0x0000000071F10000-0x00000000726C0000-memory.dmp
memory/1368-5169-0x00000000059F0000-0x0000000005A00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
| MD5 | 20d8bc77b286c2c0de4347d356f8bc0f |
| SHA1 | 10f4664c0361b0dc1f37c6b393f451b9ff836f11 |
| SHA256 | a10a6603774bfd2623aa256882b47fa5480ea216ba3f99a23d8c96bb77e96247 |
| SHA512 | 96d64b2c24e36c1245d4986aa129a78bb13417efa95e712b590f4332853f2f04d1d731dec82d062b39f7b5043da81ccc91de91141dc0ffe0dbd0c4f68a698819 |
C:\Users\Admin\AppData\Local\Temp\DropaDkxa.exe
| MD5 | 7d4777ed6d9818a912c0cefc9f12dcfc |
| SHA1 | 48001b580d7a36f39823fd391411b3a32e39faba |
| SHA256 | 6862447b716d9ebac197fad0eda503fc81576fd86de9871dbfb82586b60751f6 |
| SHA512 | b898461eb44a0dd1958581a0e0cbb18b7d5ba88dcfc652bea73d84361936c1a90c40aacb4c3bf4dbfe424ddf441460c5342a5b5acb5f6605d355cefc62890414 |
memory/1288-6326-0x0000000071F10000-0x00000000726C0000-memory.dmp
memory/1288-7304-0x0000000005090000-0x00000000050A0000-memory.dmp
memory/1288-7305-0x0000000002B30000-0x0000000002B31000-memory.dmp
memory/1288-7352-0x0000000071F10000-0x00000000726C0000-memory.dmp
memory/1452-7767-0x0000000003F90000-0x0000000004390000-memory.dmp
memory/1368-7780-0x0000000071F10000-0x00000000726C0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |