bazarbackdoor | hxxp://194[.]62[.]42[.]235/bmdff/qNM1ENwTaWf9b4TnsxWFa/D2mDljTIpH84VoWGt9/8/0x9A/l1sosKkxIzLLPRec1sHp0HDv0qZ5JZgepepwL/50CHuQXhQwlBJJ88gIaR0bMf4lOf2VCl193vBJqbSTCn/34690/lilu6?page=hBivV6h9LXV&cid=kbQb5vhYh8g1vP8MSMLdX&q=RQ6xbT0R051JW8vD3ghxXbHUK&time=0MnqPpO0PHfV4SzaaE6acg&=qEUZlR5qKFTaQTlPmSSvwusL&AJ=rdYw&user=qtjdzjfS9lydUTGj3NE&pSDT=myvEyBosrngmt&page=DYkgous&time=r82Uv

Analysis

max time kernel
929s
max time network
958s
platform
windows10_x64
resource
win10v20210408
submitted
29-09-2021 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://194.62.42.235/bmdff/qNM1ENwTaWf9b4TnsxWFa/D2mDljTIpH84VoWGt9/8/0x9A/l1sosKkxIzLLPRec1sHp0HDv0qZ5JZgepepwL/50CHuQXhQwlBJJ88gIaR0bMf4lOf2VCl193vBJqbSTCn/34690/lilu6?page=hBivV6h9LXV&cid=kbQb5vhYh8g1vP8MSMLdX&q=RQ6xbT0R051JW8vD3ghxXbHUK&time=0MnqPpO0PHfV4SzaaE6acg&=qEUZlR5qKFTaQTlPmSSvwusL&AJ=rdYw&user=qtjdzjfS9lydUTGj3NE&pSDT=myvEyBosrngmt&page=DYkgous&time=r82Uv
Sample

210929-ww622afee9

Score

10^/10

bazarbackdoor bazarloader backdoor dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 4568 created 1840 4568 regsvr32.exe firefox.exe

description	pid	process	target process
PID 4568 created 1840	4568	regsvr32.exe	firefox.exe

Bazar/Team9 Backdoor payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2776-277-0x00007FF662A20000-0x00007FF662A6D000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/2776-278-0x00007FF662A466F0-mapping.dmp	BazarBackdoorVar4
behavioral1/memory/2776-279-0x00007FF662A20000-0x00007FF662A6D000-memory.dmp	BazarBackdoorVar4

Bazar/Team9 Loader payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4756-214-0x00000187384B0000-0x00000187384C7000-memory.dmp	BazarLoaderVar6
behavioral1/memory/4568-272-0x0000000000FE0000-0x0000000000FF7000-memory.dmp	BazarLoaderVar6
behavioral1/memory/5108-276-0x0000028147090000-0x00000281470A7000-memory.dmp	BazarLoaderVar6

Downloads MZ/PE file
Tries to connect to .bazar domain 5 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow ioc

200 blackrain15.bazar
201 reddew28c.bazar
202 bluehail.bazar
203 whitestorm9p.bazar
204 emxiuhyw.bazar
Loads dropped DLL 3 IoCs

Processes:

rundll32.exeregsvr32.exerundll32.exe

pid process

4756 rundll32.exe
4568 regsvr32.exe
5108 rundll32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 199 https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8
Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 4568 set thread context of 2776 4568 regsvr32.exe firefox.exe

flow	ioc
200	blackrain15.bazar
201	reddew28c.bazar
202	bluehail.bazar
203	whitestorm9p.bazar
204	emxiuhyw.bazar

pid	process
4756	rundll32.exe
4568	regsvr32.exe
5108	rundll32.exe

description	flow	ioc
HTTP URL	199	https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8

description	pid	process	target process
PID 4568 set thread context of 2776	4568	regsvr32.exe	firefox.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 3 IoCs

Processes:

firefox.exeOpenWith.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 2 IoCs

Processes:

firefox.exepowershell.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\lilu12:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\lilu12.dll\:Zone.Identifier:$DATA	powershell.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exeregsvr32.exe

pid	process
5056	powershell.exe
5056	powershell.exe
5056	powershell.exe
4568	powershell.exe
4568	powershell.exe
4568	powershell.exe
8	powershell.exe
8	powershell.exe
8	powershell.exe
4568	regsvr32.exe
4568	regsvr32.exe
4568	regsvr32.exe
4568	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

firefox.exe7zG.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1840	firefox.exe
Token: SeDebugPrivilege	1840	firefox.exe
Token: SeDebugPrivilege	1840	firefox.exe
Token: SeRestorePrivilege	4316	7zG.exe
Token: 35	4316	7zG.exe
Token: SeSecurityPrivilege	4316	7zG.exe
Token: SeSecurityPrivilege	4316	7zG.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	1840	firefox.exe
Token: SeDebugPrivilege	1840	firefox.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	1840	firefox.exe
Token: SeDebugPrivilege	1840	firefox.exe
Token: SeDebugPrivilege	1840	firefox.exe
Token: SeDebugPrivilege	1840	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

firefox.exe7zG.exe

pid process

1840 firefox.exe
1840 firefox.exe
1840 firefox.exe
1840 firefox.exe
4316 7zG.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1840 firefox.exe
1840 firefox.exe
1840 firefox.exe

Suspicious use of SetWindowsHookEx 50 IoCs

Processes:

firefox.exeOpenWith.exeOpenWith.exe

pid	process
1840	firefox.exe
1840	firefox.exe
1840	firefox.exe
1840	firefox.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4616	OpenWith.exe
4616	OpenWith.exe
4616	OpenWith.exe
4616	OpenWith.exe
4616	OpenWith.exe
4616	OpenWith.exe
4616	OpenWith.exe
4616	OpenWith.exe
4616	OpenWith.exe
4616	OpenWith.exe
4616	OpenWith.exe
4616	OpenWith.exe
4616	OpenWith.exe
4616	OpenWith.exe
4616	OpenWith.exe
4616	OpenWith.exe
4616	OpenWith.exe
4616	OpenWith.exe
4616	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 1832 wrote to memory of 1840	1832	firefox.exe	firefox.exe
PID 1832 wrote to memory of 1840	1832	firefox.exe	firefox.exe
PID 1832 wrote to memory of 1840	1832	firefox.exe	firefox.exe
PID 1832 wrote to memory of 1840	1832	firefox.exe	firefox.exe
PID 1832 wrote to memory of 1840	1832	firefox.exe	firefox.exe
PID 1832 wrote to memory of 1840	1832	firefox.exe	firefox.exe
PID 1832 wrote to memory of 1840	1832	firefox.exe	firefox.exe
PID 1832 wrote to memory of 1840	1832	firefox.exe	firefox.exe
PID 1832 wrote to memory of 1840	1832	firefox.exe	firefox.exe
PID 1840 wrote to memory of 668	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 668	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1304	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2608	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2608	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2608	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2608	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2608	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2608	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2608	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2608	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2608	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2608	1840	firefox.exe	firefox.exe

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://194.62.42.235/bmdff/qNM1ENwTaWf9b4TnsxWFa/D2mDljTIpH84VoWGt9/8/0x9A/l1sosKkxIzLLPRec1sHp0HDv0qZ5JZgepepwL/50CHuQXhQwlBJJ88gIaR0bMf4lOf2VCl193vBJqbSTCn/34690/lilu6?page=hBivV6h9LXV&cid=kbQb5vhYh8g1vP8MSMLdX&q=RQ6xbT0R051JW8vD3ghxXbHUK&time=0MnqPpO0PHfV4SzaaE6acg&=qEUZlR5qKFTaQTlPmSSvwusL&AJ=rdYw&user=qtjdzjfS9lydUTGj3NE&pSDT=myvEyBosrngmt&page=DYkgous&time=r82Uv
1⤵
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" http://194.62.42.235/bmdff/qNM1ENwTaWf9b4TnsxWFa/D2mDljTIpH84VoWGt9/8/0x9A/l1sosKkxIzLLPRec1sHp0HDv0qZ5JZgepepwL/50CHuQXhQwlBJJ88gIaR0bMf4lOf2VCl193vBJqbSTCn/34690/lilu6?page=hBivV6h9LXV&cid=kbQb5vhYh8g1vP8MSMLdX&q=RQ6xbT0R051JW8vD3ghxXbHUK&time=0MnqPpO0PHfV4SzaaE6acg&=qEUZlR5qKFTaQTlPmSSvwusL&AJ=rdYw&user=qtjdzjfS9lydUTGj3NE&pSDT=myvEyBosrngmt&page=DYkgous&time=r82Uv
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.0.391794283\2120144916" -parentBuildID 20200403170909 -prefsHandle 1508 -prefMapHandle 1296 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 1604 gpu
    3⤵
    PID:668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.3.84777957\464711417" -childID 1 -isForBrowser -prefsHandle 1412 -prefMapHandle 2108 -prefsLen 156 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 2240 tab
    3⤵
    PID:1304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.13.560346891\674972022" -childID 2 -isForBrowser -prefsHandle 3200 -prefMapHandle 3152 -prefsLen 1022 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 3212 tab
    3⤵
    PID:2608
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.14.1150455367\167927244" -childID 3 -isForBrowser -prefsHandle 3320 -prefMapHandle 3316 -prefsLen 7718 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 3276 tab
    3⤵
    PID:2716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.27.387570153\1715785600" -childID 4 -isForBrowser -prefsHandle 4344 -prefMapHandle 4180 -prefsLen 7718 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 4368 tab
    3⤵
    PID:3928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.27.387570153\1715785600" -childID 4 -isForBrowser -prefsHandle 4344 -prefMapHandle 4180 -prefsLen 7718 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 4368 tab
    3⤵
    PID:2776

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4052

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4252

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap16765:66:7zEvent209
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4316

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4616
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\lilu12
  2⤵
  PID:4896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5056
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" .\lilu12,1
  2⤵
  PID:4320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c get-filehash -al sha256 .\lilu12
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4568
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" .\lilu12,DllRegisterServer
  2⤵
  PID:4492
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:4672
- - C:\Windows\system32\rundll32.exe
    rundll32 lilu12.dll,RegisterDllServer
    3⤵
    - Loads dropped DLL
    PID:4756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:4704
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s lilu12.dll
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:4568

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Users\Admin\Downloads\lilu12.dll,DllRegisterServer {C8ABF50D-D36D-4556-8387-C3CB208A2852}
1⤵
- Loads dropped DLL
PID:5108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
ea6243fdb2bfcca2211884b0a21a0afc

SHA1
2eee5232ca6acc33c3e7de03900e890f4adf0f2f

SHA256
5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

SHA512
189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\74AX7LAV\7NV3AzOIeb[1]

MD5
c8cbd4248c3648a222367f8987218453

SHA1
f993d4ccafe7a33949f3ee6844817e86f52fa52f

SHA256
d99f24edd0d68a9b0e02454e1a3b5bd5d97b353e4e47654ce8cd15fe2f1ca984

SHA512
e6b1c1261331c07a57616a8e4c71bbdacc882461dce89161af32ec8c100fd5b71ad95a7351339179e4970d9540e833185160888e7c516b0e469229c548fba64a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
2143b379fed61ab5450bab1a751798ce

SHA1
32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e

SHA256
a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81

SHA512
0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5
38668e3dafc761e724d002c95000de79

SHA1
d0e9a59c9a1f2a067e3963fb3905b36ce90f1ee2

SHA256
33db76b93a9d040920617ab6925ab01cecaf136ccd6af7a5624b8e48b8faf613

SHA512
dd6bdd01a9b1f88bb149e284a83d116233ba37cfab34f75a79f5e7cacb8da8a7568971672d467122681024925a60215068391612fab8dca0952ce98271580938

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

MD5
5730158be6523fb9ea225338c05a9434

SHA1
e41c2b24c73b53e51c9f5e01aff12c05c6f5b873

SHA256
845d81f1bae96af3760e71562df8de6ea4b2ce23b2d3b2773f5e9a9e0a104f89

SHA512
05dd5ea1572ac747935d0722755aef153e5228e579da01d70fb9c93caeec51566a905480278dbaf1c0a434a30d5367024d5a40220dfdb0462e014641b6245508

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
d419b407ab38ff2f64d6f870bf64d64a

SHA1
b2996e50daafa61e4845d6a179aa5cb8b62d421b

SHA256
9a8cf35d34d9fc9427eea4d1753b3f1448e6e9b0bef33798bbaa2c25d293668c

SHA512
04f46ec4e33171cbb3529e4145281e09984de5d9a442b3a6052b1f12480a6fa78d93490978347e7e89b2882a3d562f99f30ecf06d00312b880fe5f1a242d5052

Download Submit
C:\Users\Admin\Downloads\lilu12

MD5
db0f763e91231e6ca6afaa7cbcdfd183

SHA1
29351bfa604f79508c7315dd19bafa14dbfc0605

SHA256
e377184ee37869c942e0115f221ec7fd72f9ac7f4a2694432832d6257817fd40

SHA512
4d157559c2db04fda3e37de837d5b95323444f0cfa869798cd9bd533d9a3144ac925806bda5c67161e52ffa2b553b884590e2a45b2e2f2cb99cd3e5c5e4da818

Download Submit
C:\Users\Admin\downloads\lilu12.dll

MD5
db0f763e91231e6ca6afaa7cbcdfd183

SHA1
29351bfa604f79508c7315dd19bafa14dbfc0605

SHA256
e377184ee37869c942e0115f221ec7fd72f9ac7f4a2694432832d6257817fd40

SHA512
4d157559c2db04fda3e37de837d5b95323444f0cfa869798cd9bd533d9a3144ac925806bda5c67161e52ffa2b553b884590e2a45b2e2f2cb99cd3e5c5e4da818

Download Submit
\Users\Admin\Downloads\lilu12.dll

MD5
db0f763e91231e6ca6afaa7cbcdfd183

SHA1
29351bfa604f79508c7315dd19bafa14dbfc0605

SHA256
e377184ee37869c942e0115f221ec7fd72f9ac7f4a2694432832d6257817fd40

SHA512
4d157559c2db04fda3e37de837d5b95323444f0cfa869798cd9bd533d9a3144ac925806bda5c67161e52ffa2b553b884590e2a45b2e2f2cb99cd3e5c5e4da818

Download Submit
\Users\Admin\Downloads\lilu12.dll

MD5
db0f763e91231e6ca6afaa7cbcdfd183

SHA1
29351bfa604f79508c7315dd19bafa14dbfc0605

SHA256
e377184ee37869c942e0115f221ec7fd72f9ac7f4a2694432832d6257817fd40

SHA512
4d157559c2db04fda3e37de837d5b95323444f0cfa869798cd9bd533d9a3144ac925806bda5c67161e52ffa2b553b884590e2a45b2e2f2cb99cd3e5c5e4da818

Download Submit
\Users\Admin\Downloads\lilu12.dll

MD5
db0f763e91231e6ca6afaa7cbcdfd183

SHA1
29351bfa604f79508c7315dd19bafa14dbfc0605

SHA256
e377184ee37869c942e0115f221ec7fd72f9ac7f4a2694432832d6257817fd40

SHA512
4d157559c2db04fda3e37de837d5b95323444f0cfa869798cd9bd533d9a3144ac925806bda5c67161e52ffa2b553b884590e2a45b2e2f2cb99cd3e5c5e4da818

Download Submit
memory/8-251-0x000002989C603000-0x000002989C605000-memory.dmp

Filesize
8KB

Download
memory/8-250-0x000002989C600000-0x000002989C602000-memory.dmp

Filesize
8KB

Download
memory/668-116-0x0000000000000000-mapping.dmp

Download
memory/1304-121-0x0000000000000000-mapping.dmp

Download
memory/1840-114-0x0000000000000000-mapping.dmp

Download
memory/2608-124-0x0000000000000000-mapping.dmp

Download
memory/2716-126-0x0000000000000000-mapping.dmp

Download
memory/2776-277-0x00007FF662A20000-0x00007FF662A6D000-memory.dmp

Filesize
308KB

Download
memory/2776-278-0x00007FF662A466F0-mapping.dmp

Download
memory/2776-279-0x00007FF662A20000-0x00007FF662A6D000-memory.dmp

Filesize
308KB

Download
memory/3928-128-0x0000000000000000-mapping.dmp

Download
memory/4320-178-0x0000000000000000-mapping.dmp

Download
memory/4492-201-0x0000000000000000-mapping.dmp

Download
memory/4568-200-0x000001D0E3646000-0x000001D0E3648000-memory.dmp

Filesize
8KB

Download
memory/4568-268-0x0000000000000000-mapping.dmp

Download
memory/4568-272-0x0000000000FE0000-0x0000000000FF7000-memory.dmp

Filesize
92KB

Download
memory/4568-189-0x000001D0E3643000-0x000001D0E3645000-memory.dmp

Filesize
8KB

Download
memory/4568-188-0x000001D0E3640000-0x000001D0E3642000-memory.dmp

Filesize
8KB

Download
memory/4568-179-0x0000000000000000-mapping.dmp

Download
memory/4672-206-0x0000000000000000-mapping.dmp

Download
memory/4704-265-0x0000000000000000-mapping.dmp

Download
memory/4756-209-0x0000000000000000-mapping.dmp

Download
memory/4756-214-0x00000187384B0000-0x00000187384C7000-memory.dmp

Filesize
92KB

Download
memory/4896-130-0x0000000000000000-mapping.dmp

Download
memory/5056-176-0x00000143DB740000-0x00000143DB741000-memory.dmp

Filesize
4KB

Download
memory/5056-177-0x00000143C2F36000-0x00000143C2F38000-memory.dmp

Filesize
8KB

Download
memory/5056-164-0x00000143C2F30000-0x00000143C2F32000-memory.dmp

Filesize
8KB

Download
memory/5056-165-0x00000143C2F33000-0x00000143C2F35000-memory.dmp

Filesize
8KB

Download
memory/5056-163-0x00000143DBD10000-0x00000143DBD11000-memory.dmp

Filesize
4KB

Download
memory/5056-152-0x00000143DB760000-0x00000143DB761000-memory.dmp

Filesize
4KB

Download
memory/5056-135-0x00000143C2FF0000-0x00000143C2FF1000-memory.dmp

Filesize
4KB

Download
memory/5108-276-0x0000028147090000-0x00000281470A7000-memory.dmp

Filesize
92KB

Download