1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b

Analysis

max time kernel
153s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe
Size

646KB
MD5

016cc5c921eb0d1101395025d7c0c505
SHA1

98b47c84aea06e1443c396eb1b7d33e331ca6749
SHA256

1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b
SHA512

31d4bdba2d2ca5c7ba12b8e4db1c9d8ba9bb4ce600aa1c84968f85186f0b44eea74f7c606e620f70137498c9f018102094a8f216eb9bb18b1040064a085aec5c
SSDEEP

12288:k/dr9yql7Xa+mO0FKUDTtMi1NzW/DaRMvNXx265syu4MrZ:kl8qNKyUdMONUzeosyu4M

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	g6NuH2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	buzaj.exe

Executes dropped EXE 4 IoCs

pid	Process
1292	g6NuH2.exe
1784	buzaj.exe
1324	adhost.exe
2000	bdhost.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1696-55-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1696-57-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1696-60-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1696-64-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1696-65-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1696-69-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1696-93-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/2000-99-0x0000000000400000-0x000000000044C000-memory.dmp	upx

Loads dropped DLL 8 IoCs

pid	Process
1696	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe
1696	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe
1292	g6NuH2.exe
1292	g6NuH2.exe
1696	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe
1696	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe
1696	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe
1696	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /s"	buzaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /Q"	buzaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /x"	buzaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /r"	buzaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /P"	buzaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /K"	buzaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /S"	buzaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /b"	buzaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /o"	buzaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /O"	buzaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /g"	buzaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /k"	buzaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /U"	buzaj.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	g6NuH2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /X"	buzaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /L"	buzaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /c"	buzaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /D"	g6NuH2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /F"	buzaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /N"	buzaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /h"	buzaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /A"	buzaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /G"	buzaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /q"	buzaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /l"	buzaj.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	buzaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /j"	buzaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /D"	buzaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\buzaj = "C:\\Users\\Admin\\buzaj.exe /e"	buzaj.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 548 set thread context of 1696	548	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1604	tasklist.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
1292	g6NuH2.exe
1292	g6NuH2.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe
1784	buzaj.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1604	tasklist.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1696	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe
1292	g6NuH2.exe
1784	buzaj.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 1696	548	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	27
PID 548 wrote to memory of 1696	548	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	27
PID 548 wrote to memory of 1696	548	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	27
PID 548 wrote to memory of 1696	548	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	27
PID 548 wrote to memory of 1696	548	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	27
PID 548 wrote to memory of 1696	548	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	27
PID 548 wrote to memory of 1696	548	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	27
PID 548 wrote to memory of 1696	548	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	27
PID 1696 wrote to memory of 1292	1696	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	28
PID 1696 wrote to memory of 1292	1696	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	28
PID 1696 wrote to memory of 1292	1696	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	28
PID 1696 wrote to memory of 1292	1696	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	28
PID 1292 wrote to memory of 1784	1292	g6NuH2.exe	29
PID 1292 wrote to memory of 1784	1292	g6NuH2.exe	29
PID 1292 wrote to memory of 1784	1292	g6NuH2.exe	29
PID 1292 wrote to memory of 1784	1292	g6NuH2.exe	29
PID 1696 wrote to memory of 1324	1696	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	30
PID 1696 wrote to memory of 1324	1696	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	30
PID 1696 wrote to memory of 1324	1696	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	30
PID 1696 wrote to memory of 1324	1696	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	30
PID 1292 wrote to memory of 1708	1292	g6NuH2.exe	31
PID 1292 wrote to memory of 1708	1292	g6NuH2.exe	31
PID 1292 wrote to memory of 1708	1292	g6NuH2.exe	31
PID 1292 wrote to memory of 1708	1292	g6NuH2.exe	31
PID 1708 wrote to memory of 1604	1708	cmd.exe	33
PID 1708 wrote to memory of 1604	1708	cmd.exe	33
PID 1708 wrote to memory of 1604	1708	cmd.exe	33
PID 1708 wrote to memory of 1604	1708	cmd.exe	33
PID 1784 wrote to memory of 1604	1784	buzaj.exe	33
PID 1784 wrote to memory of 1604	1784	buzaj.exe	33
PID 1784 wrote to memory of 1604	1784	buzaj.exe	33
PID 1784 wrote to memory of 1604	1784	buzaj.exe	33
PID 1696 wrote to memory of 2000	1696	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	35
PID 1696 wrote to memory of 2000	1696	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	35
PID 1696 wrote to memory of 2000	1696	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	35
PID 1696 wrote to memory of 2000	1696	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	35

C:\Users\Admin\AppData\Local\Temp\1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe
"C:\Users\Admin\AppData\Local\Temp\1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:548
- C:\Users\Admin\AppData\Local\Temp\1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe
  1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\g6NuH2.exe
    C:\Users\Admin\g6NuH2.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Users\Admin\buzaj.exe
      "C:\Users\Admin\buzaj.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1784
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del g6NuH2.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
- - C:\Users\Admin\adhost.exe
    C:\Users\Admin\adhost.exe
    3⤵
    - Executes dropped EXE
    PID:1324
- - C:\Users\Admin\bdhost.exe
    C:\Users\Admin\bdhost.exe
    3⤵
    - Executes dropped EXE
    PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\adhost.exe

Filesize
172KB

MD5
36fa3dbb1702552896cc677b5bda52dc

SHA1
c87f2707913047dcd2a896896fe2905b08c33985

SHA256
e8a3a99554c8aea64d2afa291655795896fbc14d053d3d29178c3536eee39f74

SHA512
9ace90bd8e81b507d2db75a493554b4a676730271883976033e4025dc6d19250070b6fd8825905e2aeea213bfc271e5d2c43a2eeca86bce0b3db497801731c53

Download Submit
C:\Users\Admin\bdhost.exe

Filesize
174KB

MD5
f3e286f3fc9467d3b9e56d41038b17d5

SHA1
3653c381586b01016a56de58d59300e431368162

SHA256
ec735fb26d310b803d6c4370b7cdd2a4e0f100dc442d0545f3742b3b48da5f3f

SHA512
0ba3b50c8dbce8da4f3a312a8f57375b102dcc7348485300b1d65fec3b6f55f62eb54e8252ddd4d73620442813731f7bfceb84c122c07a778afde76d8a642e2d

Download Submit
C:\Users\Admin\buzaj.exe

Filesize
256KB

MD5
8fc9b60b2684d19c5b615ca02dddd6cc

SHA1
af902328a9b13ecde2333bdad96f1bb6d00186cb

SHA256
d4d0233958d7a2903abf93ecf882e2b22d203fe69d07214c452f9ca0c04fecda

SHA512
5354b8ec6aacf41c26a0731b6475c40ed201e1c7f1965b24ad2f8b90f8700780ff0b7d33d02bc6cfd19d459ab07d9cc44d0bb244e77621df33dcb785e9eda419

Download Submit
C:\Users\Admin\buzaj.exe

Filesize
256KB

MD5
8fc9b60b2684d19c5b615ca02dddd6cc

SHA1
af902328a9b13ecde2333bdad96f1bb6d00186cb

SHA256
d4d0233958d7a2903abf93ecf882e2b22d203fe69d07214c452f9ca0c04fecda

SHA512
5354b8ec6aacf41c26a0731b6475c40ed201e1c7f1965b24ad2f8b90f8700780ff0b7d33d02bc6cfd19d459ab07d9cc44d0bb244e77621df33dcb785e9eda419

Download Submit
C:\Users\Admin\g6NuH2.exe

Filesize
256KB

MD5
be8379280ac23f08b8b091e1bc345eae

SHA1
bb432b69277aec39e5566ec120d6fd8fe4e0097b

SHA256
caf1a47f843337e61a31e6faf6745bd9fd70e14af77f171c8764ea9d2fbe9dc5

SHA512
d5a26da6a5ded9961cc995a8f6e53b9a97d95330654a1e1e588ddcabcf4d058fe527b1d68de057b8b73be49f4bcb64b58db229a2007c9eb5858a7f1d81ddd215

Download Submit
C:\Users\Admin\g6NuH2.exe

Filesize
256KB

MD5
be8379280ac23f08b8b091e1bc345eae

SHA1
bb432b69277aec39e5566ec120d6fd8fe4e0097b

SHA256
caf1a47f843337e61a31e6faf6745bd9fd70e14af77f171c8764ea9d2fbe9dc5

SHA512
d5a26da6a5ded9961cc995a8f6e53b9a97d95330654a1e1e588ddcabcf4d058fe527b1d68de057b8b73be49f4bcb64b58db229a2007c9eb5858a7f1d81ddd215

Download Submit
\Users\Admin\adhost.exe

Filesize
172KB

MD5
36fa3dbb1702552896cc677b5bda52dc

SHA1
c87f2707913047dcd2a896896fe2905b08c33985

SHA256
e8a3a99554c8aea64d2afa291655795896fbc14d053d3d29178c3536eee39f74

SHA512
9ace90bd8e81b507d2db75a493554b4a676730271883976033e4025dc6d19250070b6fd8825905e2aeea213bfc271e5d2c43a2eeca86bce0b3db497801731c53

Download Submit
\Users\Admin\adhost.exe

Filesize
172KB

MD5
36fa3dbb1702552896cc677b5bda52dc

SHA1
c87f2707913047dcd2a896896fe2905b08c33985

SHA256
e8a3a99554c8aea64d2afa291655795896fbc14d053d3d29178c3536eee39f74

SHA512
9ace90bd8e81b507d2db75a493554b4a676730271883976033e4025dc6d19250070b6fd8825905e2aeea213bfc271e5d2c43a2eeca86bce0b3db497801731c53

Download Submit
\Users\Admin\bdhost.exe

Filesize
174KB

MD5
f3e286f3fc9467d3b9e56d41038b17d5

SHA1
3653c381586b01016a56de58d59300e431368162

SHA256
ec735fb26d310b803d6c4370b7cdd2a4e0f100dc442d0545f3742b3b48da5f3f

SHA512
0ba3b50c8dbce8da4f3a312a8f57375b102dcc7348485300b1d65fec3b6f55f62eb54e8252ddd4d73620442813731f7bfceb84c122c07a778afde76d8a642e2d

Download Submit
\Users\Admin\bdhost.exe

Filesize
174KB

MD5
f3e286f3fc9467d3b9e56d41038b17d5

SHA1
3653c381586b01016a56de58d59300e431368162

SHA256
ec735fb26d310b803d6c4370b7cdd2a4e0f100dc442d0545f3742b3b48da5f3f

SHA512
0ba3b50c8dbce8da4f3a312a8f57375b102dcc7348485300b1d65fec3b6f55f62eb54e8252ddd4d73620442813731f7bfceb84c122c07a778afde76d8a642e2d

Download Submit
\Users\Admin\buzaj.exe

Filesize
256KB

MD5
8fc9b60b2684d19c5b615ca02dddd6cc

SHA1
af902328a9b13ecde2333bdad96f1bb6d00186cb

SHA256
d4d0233958d7a2903abf93ecf882e2b22d203fe69d07214c452f9ca0c04fecda

SHA512
5354b8ec6aacf41c26a0731b6475c40ed201e1c7f1965b24ad2f8b90f8700780ff0b7d33d02bc6cfd19d459ab07d9cc44d0bb244e77621df33dcb785e9eda419

Download Submit
\Users\Admin\buzaj.exe

Filesize
256KB

MD5
8fc9b60b2684d19c5b615ca02dddd6cc

SHA1
af902328a9b13ecde2333bdad96f1bb6d00186cb

SHA256
d4d0233958d7a2903abf93ecf882e2b22d203fe69d07214c452f9ca0c04fecda

SHA512
5354b8ec6aacf41c26a0731b6475c40ed201e1c7f1965b24ad2f8b90f8700780ff0b7d33d02bc6cfd19d459ab07d9cc44d0bb244e77621df33dcb785e9eda419

Download Submit
\Users\Admin\g6NuH2.exe

Filesize
256KB

MD5
be8379280ac23f08b8b091e1bc345eae

SHA1
bb432b69277aec39e5566ec120d6fd8fe4e0097b

SHA256
caf1a47f843337e61a31e6faf6745bd9fd70e14af77f171c8764ea9d2fbe9dc5

SHA512
d5a26da6a5ded9961cc995a8f6e53b9a97d95330654a1e1e588ddcabcf4d058fe527b1d68de057b8b73be49f4bcb64b58db229a2007c9eb5858a7f1d81ddd215

Download Submit
\Users\Admin\g6NuH2.exe

Filesize
256KB

MD5
be8379280ac23f08b8b091e1bc345eae

SHA1
bb432b69277aec39e5566ec120d6fd8fe4e0097b

SHA256
caf1a47f843337e61a31e6faf6745bd9fd70e14af77f171c8764ea9d2fbe9dc5

SHA512
d5a26da6a5ded9961cc995a8f6e53b9a97d95330654a1e1e588ddcabcf4d058fe527b1d68de057b8b73be49f4bcb64b58db229a2007c9eb5858a7f1d81ddd215

Download Submit
memory/1696-60-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1696-54-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1696-68-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1696-65-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1696-64-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1696-69-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1696-55-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1696-57-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1696-93-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2000-99-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2000-100-0x000000000053F000-0x0000000000559000-memory.dmp

Filesize
104KB

Download