810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9

Analysis

max time kernel
152s
max time network
157s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
Size

646KB
MD5

259515c81aebddb3d8d8f77c0fed1ec3
SHA1

51148b0a6fe6cef356d57397761e30c891d8908f
SHA256

810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9
SHA512

684d46e97b8d02ea7d716227c81adde3f29944020548486f401bd17aa834384c96be52bb68030443f0adf39e5efd8602dc8ef021595ca506fb1b557eb50c7603
SSDEEP

12288:k/dr9yql7Xm+mO0FKUDTtMi1NzW/DaRMvNXx265syu4MrZ:kl8qNWyUdMONUzeosyu4M

Score

10^/10

evasion persistence spyware stealer upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

g6NuH2.exezaidaa.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	g6NuH2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	zaidaa.exe

Executes dropped EXE 5 IoCs

Processes:

g6NuH2.exezaidaa.exeadhost.exebdhost.exebdhost.exe

pid process

576 g6NuH2.exe
524 zaidaa.exe
1080 adhost.exe
2040 bdhost.exe
568 bdhost.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1116-55-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1116-57-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1116-60-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1116-64-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1116-65-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1116-69-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1116-92-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/2040-98-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/568-104-0x0000000000400000-0x000000000044C000-memory.dmp	upx

Loads dropped DLL 8 IoCs

Processes:

810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exeg6NuH2.exe

pid	process
1116	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
1116	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
576	g6NuH2.exe
576	g6NuH2.exe
1116	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
1116	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
1116	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
1116	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 31 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zaidaa.exeg6NuH2.exebdhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /z"	zaidaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /s"	zaidaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /V"	zaidaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /q"	zaidaa.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	g6NuH2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /O"	g6NuH2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /D"	zaidaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /c"	zaidaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\D2B.exe = "C:\\Program Files (x86)\\LP\\D3FF\\D2B.exe"	bdhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /X"	zaidaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /b"	zaidaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /E"	zaidaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /u"	zaidaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /C"	zaidaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /O"	zaidaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /Z"	zaidaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /n"	zaidaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /S"	zaidaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /a"	zaidaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /J"	zaidaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /j"	zaidaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /Y"	zaidaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /g"	zaidaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /Q"	zaidaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /f"	zaidaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /T"	zaidaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /K"	zaidaa.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	zaidaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /F"	zaidaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /y"	zaidaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaidaa = "C:\\Users\\Admin\\zaidaa.exe /i"	zaidaa.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe

description	pid	process	target process
PID 1492 set thread context of 1116	1492	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe

Drops file in Program Files directory 1 IoCs

Processes:

bdhost.exe

description ioc process

File created C:\Program Files (x86)\LP\D3FF\D2B.exe bdhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

840 tasklist.exe

description	ioc	process
File created	C:\Program Files (x86)\LP\D3FF\D2B.exe	bdhost.exe

pid	process
840	tasklist.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

g6NuH2.exezaidaa.exe

pid	process
576	g6NuH2.exe
576	g6NuH2.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe
524	zaidaa.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tasklist.exe

description pid process

Token: SeDebugPrivilege 840 tasklist.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exeg6NuH2.exezaidaa.exe

pid process

1116 810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
576 g6NuH2.exe
524 zaidaa.exe

description	pid	process
Token: SeDebugPrivilege	840	tasklist.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exeg6NuH2.execmd.exebdhost.exe

description	pid	process	target process
PID 1492 wrote to memory of 1116	1492	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
PID 1492 wrote to memory of 1116	1492	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
PID 1492 wrote to memory of 1116	1492	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
PID 1492 wrote to memory of 1116	1492	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
PID 1492 wrote to memory of 1116	1492	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
PID 1492 wrote to memory of 1116	1492	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
PID 1492 wrote to memory of 1116	1492	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
PID 1492 wrote to memory of 1116	1492	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
PID 1116 wrote to memory of 576	1116	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	g6NuH2.exe
PID 1116 wrote to memory of 576	1116	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	g6NuH2.exe
PID 1116 wrote to memory of 576	1116	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	g6NuH2.exe
PID 1116 wrote to memory of 576	1116	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	g6NuH2.exe
PID 576 wrote to memory of 524	576	g6NuH2.exe	zaidaa.exe
PID 576 wrote to memory of 524	576	g6NuH2.exe	zaidaa.exe
PID 576 wrote to memory of 524	576	g6NuH2.exe	zaidaa.exe
PID 576 wrote to memory of 524	576	g6NuH2.exe	zaidaa.exe
PID 576 wrote to memory of 1356	576	g6NuH2.exe	cmd.exe
PID 576 wrote to memory of 1356	576	g6NuH2.exe	cmd.exe
PID 576 wrote to memory of 1356	576	g6NuH2.exe	cmd.exe
PID 576 wrote to memory of 1356	576	g6NuH2.exe	cmd.exe
PID 1356 wrote to memory of 840	1356	cmd.exe	tasklist.exe
PID 1356 wrote to memory of 840	1356	cmd.exe	tasklist.exe
PID 1356 wrote to memory of 840	1356	cmd.exe	tasklist.exe
PID 1356 wrote to memory of 840	1356	cmd.exe	tasklist.exe
PID 1116 wrote to memory of 1080	1116	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	adhost.exe
PID 1116 wrote to memory of 1080	1116	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	adhost.exe
PID 1116 wrote to memory of 1080	1116	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	adhost.exe
PID 1116 wrote to memory of 1080	1116	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	adhost.exe
PID 1116 wrote to memory of 2040	1116	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	bdhost.exe
PID 1116 wrote to memory of 2040	1116	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	bdhost.exe
PID 1116 wrote to memory of 2040	1116	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	bdhost.exe
PID 1116 wrote to memory of 2040	1116	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	bdhost.exe
PID 2040 wrote to memory of 568	2040	bdhost.exe	bdhost.exe
PID 2040 wrote to memory of 568	2040	bdhost.exe	bdhost.exe
PID 2040 wrote to memory of 568	2040	bdhost.exe	bdhost.exe
PID 2040 wrote to memory of 568	2040	bdhost.exe	bdhost.exe

C:\Users\Admin\AppData\Local\Temp\810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
"C:\Users\Admin\AppData\Local\Temp\810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\g6NuH2.exe
C:\Users\Admin\g6NuH2.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:576

C:\Users\Admin\zaidaa.exe
"C:\Users\Admin\zaidaa.exe"
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del g6NuH2.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Users\Admin\adhost.exe
C:\Users\Admin\adhost.exe
3⤵
- Executes dropped EXE
PID:1080

C:\Users\Admin\bdhost.exe
C:\Users\Admin\bdhost.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\bdhost.exe
C:\Users\Admin\bdhost.exe startC:\Users\Admin\AppData\Roaming\F2474\B7ED3.exe%C:\Users\Admin\AppData\Roaming\F2474
4⤵
- Executes dropped EXE
PID:568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\adhost.exe

Filesize
172KB

MD5
36fa3dbb1702552896cc677b5bda52dc

SHA1
c87f2707913047dcd2a896896fe2905b08c33985

SHA256
e8a3a99554c8aea64d2afa291655795896fbc14d053d3d29178c3536eee39f74

SHA512
9ace90bd8e81b507d2db75a493554b4a676730271883976033e4025dc6d19250070b6fd8825905e2aeea213bfc271e5d2c43a2eeca86bce0b3db497801731c53

Download Submit
C:\Users\Admin\bdhost.exe

Filesize
174KB

MD5
f3e286f3fc9467d3b9e56d41038b17d5

SHA1
3653c381586b01016a56de58d59300e431368162

SHA256
ec735fb26d310b803d6c4370b7cdd2a4e0f100dc442d0545f3742b3b48da5f3f

SHA512
0ba3b50c8dbce8da4f3a312a8f57375b102dcc7348485300b1d65fec3b6f55f62eb54e8252ddd4d73620442813731f7bfceb84c122c07a778afde76d8a642e2d

Download Submit
C:\Users\Admin\bdhost.exe

Filesize
174KB

MD5
f3e286f3fc9467d3b9e56d41038b17d5

SHA1
3653c381586b01016a56de58d59300e431368162

SHA256
ec735fb26d310b803d6c4370b7cdd2a4e0f100dc442d0545f3742b3b48da5f3f

SHA512
0ba3b50c8dbce8da4f3a312a8f57375b102dcc7348485300b1d65fec3b6f55f62eb54e8252ddd4d73620442813731f7bfceb84c122c07a778afde76d8a642e2d

Download Submit
C:\Users\Admin\bdhost.exe

Filesize
174KB

MD5
f3e286f3fc9467d3b9e56d41038b17d5

SHA1
3653c381586b01016a56de58d59300e431368162

SHA256
ec735fb26d310b803d6c4370b7cdd2a4e0f100dc442d0545f3742b3b48da5f3f

SHA512
0ba3b50c8dbce8da4f3a312a8f57375b102dcc7348485300b1d65fec3b6f55f62eb54e8252ddd4d73620442813731f7bfceb84c122c07a778afde76d8a642e2d

Download Submit
C:\Users\Admin\g6NuH2.exe

Filesize
256KB

MD5
be8379280ac23f08b8b091e1bc345eae

SHA1
bb432b69277aec39e5566ec120d6fd8fe4e0097b

SHA256
caf1a47f843337e61a31e6faf6745bd9fd70e14af77f171c8764ea9d2fbe9dc5

SHA512
d5a26da6a5ded9961cc995a8f6e53b9a97d95330654a1e1e588ddcabcf4d058fe527b1d68de057b8b73be49f4bcb64b58db229a2007c9eb5858a7f1d81ddd215

Download Submit
C:\Users\Admin\g6NuH2.exe

Filesize
256KB

MD5
be8379280ac23f08b8b091e1bc345eae

SHA1
bb432b69277aec39e5566ec120d6fd8fe4e0097b

SHA256
caf1a47f843337e61a31e6faf6745bd9fd70e14af77f171c8764ea9d2fbe9dc5

SHA512
d5a26da6a5ded9961cc995a8f6e53b9a97d95330654a1e1e588ddcabcf4d058fe527b1d68de057b8b73be49f4bcb64b58db229a2007c9eb5858a7f1d81ddd215

Download Submit
C:\Users\Admin\zaidaa.exe

Filesize
256KB

MD5
e4134d10e9e548cbff099a24078150f4

SHA1
fdaae2a28073548a64dfb8c55059eaddd84b6fcd

SHA256
692b292ada2070e4d9baa3d32a445487e8c1ee8c5f5953b493ed18f51bd421a3

SHA512
01b6d5e41bebd48ac76b0c76e75cb530e6a21ae54dae1121b7764c722b49ab64aeea2c6753591072adbe147c6ab894211650e74510599b4de80d00481ce9a945

Download Submit
C:\Users\Admin\zaidaa.exe

Filesize
256KB

MD5
e4134d10e9e548cbff099a24078150f4

SHA1
fdaae2a28073548a64dfb8c55059eaddd84b6fcd

SHA256
692b292ada2070e4d9baa3d32a445487e8c1ee8c5f5953b493ed18f51bd421a3

SHA512
01b6d5e41bebd48ac76b0c76e75cb530e6a21ae54dae1121b7764c722b49ab64aeea2c6753591072adbe147c6ab894211650e74510599b4de80d00481ce9a945

Download Submit
\Users\Admin\adhost.exe

Filesize
172KB

MD5
36fa3dbb1702552896cc677b5bda52dc

SHA1
c87f2707913047dcd2a896896fe2905b08c33985

SHA256
e8a3a99554c8aea64d2afa291655795896fbc14d053d3d29178c3536eee39f74

SHA512
9ace90bd8e81b507d2db75a493554b4a676730271883976033e4025dc6d19250070b6fd8825905e2aeea213bfc271e5d2c43a2eeca86bce0b3db497801731c53

Download Submit
\Users\Admin\adhost.exe

Filesize
172KB

MD5
36fa3dbb1702552896cc677b5bda52dc

SHA1
c87f2707913047dcd2a896896fe2905b08c33985

SHA256
e8a3a99554c8aea64d2afa291655795896fbc14d053d3d29178c3536eee39f74

SHA512
9ace90bd8e81b507d2db75a493554b4a676730271883976033e4025dc6d19250070b6fd8825905e2aeea213bfc271e5d2c43a2eeca86bce0b3db497801731c53

Download Submit
\Users\Admin\bdhost.exe

Filesize
174KB

MD5
f3e286f3fc9467d3b9e56d41038b17d5

SHA1
3653c381586b01016a56de58d59300e431368162

SHA256
ec735fb26d310b803d6c4370b7cdd2a4e0f100dc442d0545f3742b3b48da5f3f

SHA512
0ba3b50c8dbce8da4f3a312a8f57375b102dcc7348485300b1d65fec3b6f55f62eb54e8252ddd4d73620442813731f7bfceb84c122c07a778afde76d8a642e2d

Download Submit
\Users\Admin\bdhost.exe

Filesize
174KB

MD5
f3e286f3fc9467d3b9e56d41038b17d5

SHA1
3653c381586b01016a56de58d59300e431368162

SHA256
ec735fb26d310b803d6c4370b7cdd2a4e0f100dc442d0545f3742b3b48da5f3f

SHA512
0ba3b50c8dbce8da4f3a312a8f57375b102dcc7348485300b1d65fec3b6f55f62eb54e8252ddd4d73620442813731f7bfceb84c122c07a778afde76d8a642e2d

Download Submit
\Users\Admin\g6NuH2.exe

Filesize
256KB

MD5
be8379280ac23f08b8b091e1bc345eae

SHA1
bb432b69277aec39e5566ec120d6fd8fe4e0097b

SHA256
caf1a47f843337e61a31e6faf6745bd9fd70e14af77f171c8764ea9d2fbe9dc5

SHA512
d5a26da6a5ded9961cc995a8f6e53b9a97d95330654a1e1e588ddcabcf4d058fe527b1d68de057b8b73be49f4bcb64b58db229a2007c9eb5858a7f1d81ddd215

Download Submit
\Users\Admin\g6NuH2.exe

Filesize
256KB

MD5
be8379280ac23f08b8b091e1bc345eae

SHA1
bb432b69277aec39e5566ec120d6fd8fe4e0097b

SHA256
caf1a47f843337e61a31e6faf6745bd9fd70e14af77f171c8764ea9d2fbe9dc5

SHA512
d5a26da6a5ded9961cc995a8f6e53b9a97d95330654a1e1e588ddcabcf4d058fe527b1d68de057b8b73be49f4bcb64b58db229a2007c9eb5858a7f1d81ddd215

Download Submit
\Users\Admin\zaidaa.exe

Filesize
256KB

MD5
e4134d10e9e548cbff099a24078150f4

SHA1
fdaae2a28073548a64dfb8c55059eaddd84b6fcd

SHA256
692b292ada2070e4d9baa3d32a445487e8c1ee8c5f5953b493ed18f51bd421a3

SHA512
01b6d5e41bebd48ac76b0c76e75cb530e6a21ae54dae1121b7764c722b49ab64aeea2c6753591072adbe147c6ab894211650e74510599b4de80d00481ce9a945

Download Submit
\Users\Admin\zaidaa.exe

Filesize
256KB

MD5
e4134d10e9e548cbff099a24078150f4

SHA1
fdaae2a28073548a64dfb8c55059eaddd84b6fcd

SHA256
692b292ada2070e4d9baa3d32a445487e8c1ee8c5f5953b493ed18f51bd421a3

SHA512
01b6d5e41bebd48ac76b0c76e75cb530e6a21ae54dae1121b7764c722b49ab64aeea2c6753591072adbe147c6ab894211650e74510599b4de80d00481ce9a945

Download Submit
memory/524-80-0x0000000000000000-mapping.dmp

Download
memory/568-101-0x0000000000000000-mapping.dmp

Download
memory/568-104-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/568-105-0x00000000002AF000-0x00000000002C9000-memory.dmp

Filesize
104KB

Download
memory/576-72-0x0000000000000000-mapping.dmp

Download
memory/840-86-0x0000000000000000-mapping.dmp

Download
memory/1080-90-0x0000000000000000-mapping.dmp

Download
memory/1116-68-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1116-65-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1116-92-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1116-64-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1116-69-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1116-62-0x00000000004C17F0-mapping.dmp

Download
memory/1116-60-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1116-54-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1116-55-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1116-57-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1356-85-0x0000000000000000-mapping.dmp

Download
memory/2040-99-0x000000000056F000-0x0000000000589000-memory.dmp

Filesize
104KB

Download
memory/2040-98-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2040-95-0x0000000000000000-mapping.dmp

Download

pid	process
576	g6NuH2.exe
524	zaidaa.exe
1080	adhost.exe
2040	bdhost.exe
568	bdhost.exe