5ac8eca2ae52ce97e83646f5b3e612dda8d3ba00cc3173f6e9740695ad0b21cc

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e3883c6913458524489f5d462646256_JaffaCakes118.exe
Size

194KB
MD5

2e3883c6913458524489f5d462646256
SHA1

ffbec2986e76fbb9ff7fac9f60f55f6da34e125f
SHA256

5ac8eca2ae52ce97e83646f5b3e612dda8d3ba00cc3173f6e9740695ad0b21cc
SHA512

b9b824eb107ceace5111d1a8c14dd4ea71f8853aab3ae2e6153b212785c3c72d480739110faabed865bcc5a79a092f650d646f23761a54d30f14961f923d492a
SSDEEP

6144:e9lA189qNR9701KY76ewvP6bQ7yMP+DE827SH6:il4kmRyp7I6b7MP+Dd2J

Score

10^/10

bootkit evasion persistence

Malware Config

Signatures

Modifies security service 2 TTPs 20 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe

Executes dropped EXE 10 IoCs

pid	Process
1460	Tilevbq.com
1296	Tilevbq.com
2740	Tilevbq.com
520	Tilevbq.com
2304	Tilevbq.com
2572	Tilevbq.com
1980	Tilevbq.com
2008	Tilevbq.com
2092	Tilevbq.com
1480	Tilevbq.com

Loads dropped DLL 20 IoCs

pid	Process
2020	2e3883c6913458524489f5d462646256_JaffaCakes118.exe
2020	2e3883c6913458524489f5d462646256_JaffaCakes118.exe
1460	Tilevbq.com
1460	Tilevbq.com
1296	Tilevbq.com
1296	Tilevbq.com
2740	Tilevbq.com
2740	Tilevbq.com
520	Tilevbq.com
520	Tilevbq.com
2304	Tilevbq.com
2304	Tilevbq.com
2572	Tilevbq.com
2572	Tilevbq.com
1980	Tilevbq.com
1980	Tilevbq.com
2008	Tilevbq.com
2008	Tilevbq.com
2092	Tilevbq.com
2092	Tilevbq.com

Writes to the Master Boot Record (MBR) 1 TTPs 11 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Tilevbq.com
File opened for modification	\??\PhysicalDrive0	Tilevbq.com
File opened for modification	\??\PhysicalDrive0	Tilevbq.com
File opened for modification	\??\PhysicalDrive0	Tilevbq.com
File opened for modification	\??\PhysicalDrive0	Tilevbq.com
File opened for modification	\??\PhysicalDrive0	Tilevbq.com
File opened for modification	\??\PhysicalDrive0	Tilevbq.com
File opened for modification	\??\PhysicalDrive0	Tilevbq.com
File opened for modification	\??\PhysicalDrive0	2e3883c6913458524489f5d462646256_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	Tilevbq.com
File opened for modification	\??\PhysicalDrive0	Tilevbq.com

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Tilevbq.com	Tilevbq.com
File opened for modification	C:\Windows\SysWOW64\Tilevbq.com	Tilevbq.com
File created	C:\Windows\SysWOW64\Tilevbq.com	Tilevbq.com
File opened for modification	C:\Windows\SysWOW64\Tilevbq.com	Tilevbq.com
File opened for modification	C:\Windows\SysWOW64\Tilevbq.com	Tilevbq.com
File created	C:\Windows\SysWOW64\Tilevbq.com	Tilevbq.com
File created	C:\Windows\SysWOW64\Tilevbq.com	Tilevbq.com
File created	C:\Windows\SysWOW64\Tilevbq.com	Tilevbq.com
File created	C:\Windows\SysWOW64\Tilevbq.com	Tilevbq.com
File opened for modification	C:\Windows\SysWOW64\Tilevbq.com	Tilevbq.com
File created	C:\Windows\SysWOW64\Tilevbq.com	Tilevbq.com
File created	C:\Windows\SysWOW64\Tilevbq.com	2e3883c6913458524489f5d462646256_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Tilevbq.com	2e3883c6913458524489f5d462646256_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Tilevbq.com	Tilevbq.com
File opened for modification	C:\Windows\SysWOW64\Tilevbq.com	Tilevbq.com
File created	C:\Windows\SysWOW64\Tilevbq.com	Tilevbq.com
File opened for modification	C:\Windows\SysWOW64\Tilevbq.com	Tilevbq.com
File opened for modification	C:\Windows\SysWOW64\Tilevbq.com	Tilevbq.com
File created	C:\Windows\SysWOW64\Tilevbq.com	Tilevbq.com
File opened for modification	C:\Windows\SysWOW64\Tilevbq.com	Tilevbq.com
File opened for modification	C:\Windows\SysWOW64\Tilevbq.com	Tilevbq.com
File created	C:\Windows\SysWOW64\Tilevbq.com	Tilevbq.com

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Tilevbq.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Tilevbq.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Tilevbq.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Tilevbq.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Tilevbq.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	2e3883c6913458524489f5d462646256_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Tilevbq.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Tilevbq.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Tilevbq.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Tilevbq.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Tilevbq.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Tilevbq.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Tilevbq.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Tilevbq.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Tilevbq.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	2e3883c6913458524489f5d462646256_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Tilevbq.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	2e3883c6913458524489f5d462646256_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Tilevbq.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Tilevbq.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Tilevbq.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Tilevbq.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Tilevbq.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Tilevbq.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Tilevbq.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Tilevbq.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Tilevbq.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Tilevbq.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Tilevbq.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Tilevbq.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Tilevbq.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Tilevbq.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Tilevbq.com

Runs .reg file with regedit 10 IoCs

pid	Process
3044	regedit.exe
2584	regedit.exe
2924	regedit.exe
1084	regedit.exe
2812	regedit.exe
2584	regedit.exe
2928	regedit.exe
2240	regedit.exe
1856	regedit.exe
2592	regedit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2520	2020	2e3883c6913458524489f5d462646256_JaffaCakes118.exe	31
PID 2020 wrote to memory of 2520	2020	2e3883c6913458524489f5d462646256_JaffaCakes118.exe	31
PID 2020 wrote to memory of 2520	2020	2e3883c6913458524489f5d462646256_JaffaCakes118.exe	31
PID 2020 wrote to memory of 2520	2020	2e3883c6913458524489f5d462646256_JaffaCakes118.exe	31
PID 2520 wrote to memory of 1084	2520	cmd.exe	32
PID 2520 wrote to memory of 1084	2520	cmd.exe	32
PID 2520 wrote to memory of 1084	2520	cmd.exe	32
PID 2520 wrote to memory of 1084	2520	cmd.exe	32
PID 2020 wrote to memory of 1460	2020	2e3883c6913458524489f5d462646256_JaffaCakes118.exe	33
PID 2020 wrote to memory of 1460	2020	2e3883c6913458524489f5d462646256_JaffaCakes118.exe	33
PID 2020 wrote to memory of 1460	2020	2e3883c6913458524489f5d462646256_JaffaCakes118.exe	33
PID 2020 wrote to memory of 1460	2020	2e3883c6913458524489f5d462646256_JaffaCakes118.exe	33
PID 1460 wrote to memory of 2108	1460	Tilevbq.com	34
PID 1460 wrote to memory of 2108	1460	Tilevbq.com	34
PID 1460 wrote to memory of 2108	1460	Tilevbq.com	34
PID 1460 wrote to memory of 2108	1460	Tilevbq.com	34
PID 1460 wrote to memory of 1296	1460	Tilevbq.com	35
PID 1460 wrote to memory of 1296	1460	Tilevbq.com	35
PID 1460 wrote to memory of 1296	1460	Tilevbq.com	35
PID 1460 wrote to memory of 1296	1460	Tilevbq.com	35
PID 1296 wrote to memory of 904	1296	Tilevbq.com	36
PID 1296 wrote to memory of 904	1296	Tilevbq.com	36
PID 1296 wrote to memory of 904	1296	Tilevbq.com	36
PID 1296 wrote to memory of 904	1296	Tilevbq.com	36
PID 904 wrote to memory of 2812	904	cmd.exe	37
PID 904 wrote to memory of 2812	904	cmd.exe	37
PID 904 wrote to memory of 2812	904	cmd.exe	37
PID 904 wrote to memory of 2812	904	cmd.exe	37
PID 1296 wrote to memory of 2740	1296	Tilevbq.com	38
PID 1296 wrote to memory of 2740	1296	Tilevbq.com	38
PID 1296 wrote to memory of 2740	1296	Tilevbq.com	38
PID 1296 wrote to memory of 2740	1296	Tilevbq.com	38
PID 2740 wrote to memory of 2624	2740	Tilevbq.com	39
PID 2740 wrote to memory of 2624	2740	Tilevbq.com	39
PID 2740 wrote to memory of 2624	2740	Tilevbq.com	39
PID 2740 wrote to memory of 2624	2740	Tilevbq.com	39
PID 2624 wrote to memory of 2584	2624	cmd.exe	40
PID 2624 wrote to memory of 2584	2624	cmd.exe	40
PID 2624 wrote to memory of 2584	2624	cmd.exe	40
PID 2624 wrote to memory of 2584	2624	cmd.exe	40
PID 2740 wrote to memory of 520	2740	Tilevbq.com	41
PID 2740 wrote to memory of 520	2740	Tilevbq.com	41
PID 2740 wrote to memory of 520	2740	Tilevbq.com	41
PID 2740 wrote to memory of 520	2740	Tilevbq.com	41
PID 520 wrote to memory of 2152	520	Tilevbq.com	42
PID 520 wrote to memory of 2152	520	Tilevbq.com	42
PID 520 wrote to memory of 2152	520	Tilevbq.com	42
PID 520 wrote to memory of 2152	520	Tilevbq.com	42
PID 2152 wrote to memory of 2240	2152	cmd.exe	43
PID 2152 wrote to memory of 2240	2152	cmd.exe	43
PID 2152 wrote to memory of 2240	2152	cmd.exe	43
PID 2152 wrote to memory of 2240	2152	cmd.exe	43
PID 520 wrote to memory of 2304	520	Tilevbq.com	44
PID 520 wrote to memory of 2304	520	Tilevbq.com	44
PID 520 wrote to memory of 2304	520	Tilevbq.com	44
PID 520 wrote to memory of 2304	520	Tilevbq.com	44
PID 2304 wrote to memory of 1800	2304	Tilevbq.com	45
PID 2304 wrote to memory of 1800	2304	Tilevbq.com	45
PID 2304 wrote to memory of 1800	2304	Tilevbq.com	45
PID 2304 wrote to memory of 1800	2304	Tilevbq.com	45
PID 1800 wrote to memory of 1856	1800	cmd.exe	46
PID 1800 wrote to memory of 1856	1800	cmd.exe	46
PID 1800 wrote to memory of 1856	1800	cmd.exe	46
PID 1800 wrote to memory of 1856	1800	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\2e3883c6913458524489f5d462646256_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e3883c6913458524489f5d462646256_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\ab3.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    3⤵
    - Modifies security service
    - Runs .reg file with regedit
    PID:1084
- C:\Windows\SysWOW64\Tilevbq.com
  C:\Windows\system32\Tilevbq.com 504 "C:\Users\Admin\AppData\Local\Temp\2e3883c6913458524489f5d462646256_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\ab3.bat
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\Tilevbq.com
    C:\Windows\system32\Tilevbq.com 560 "C:\Windows\SysWOW64\Tilevbq.com"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1296
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\ab3.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:904
    - - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        5⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2812
  - - C:\Windows\SysWOW64\Tilevbq.com
      C:\Windows\system32\Tilevbq.com 556 "C:\Windows\SysWOW64\Tilevbq.com"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ab3.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        6⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2584
    - - C:\Windows\SysWOW64\Tilevbq.com
        
        C:\Windows\system32\Tilevbq.com 568 "C:\Windows\SysWOW64\Tilevbq.com"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:520
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ab3.bat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        7⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2240
      - C:\Windows\SysWOW64\Tilevbq.com
        
        C:\Windows\system32\Tilevbq.com 564 "C:\Windows\SysWOW64\Tilevbq.com"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ab3.bat
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        8⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:1856
        
        C:\Windows\SysWOW64\Tilevbq.com
        
        C:\Windows\system32\Tilevbq.com 572 "C:\Windows\SysWOW64\Tilevbq.com"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ab3.bat
        8⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        9⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2928
        
        C:\Windows\SysWOW64\Tilevbq.com
        
        C:\Windows\system32\Tilevbq.com 580 "C:\Windows\SysWOW64\Tilevbq.com"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ab3.bat
        9⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        10⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:3044
        
        C:\Windows\SysWOW64\Tilevbq.com
        
        C:\Windows\system32\Tilevbq.com 576 "C:\Windows\SysWOW64\Tilevbq.com"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ab3.bat
        10⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        11⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2584
        
        C:\Windows\SysWOW64\Tilevbq.com
        
        C:\Windows\system32\Tilevbq.com 584 "C:\Windows\SysWOW64\Tilevbq.com"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ab3.bat
        11⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        12⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2924
        
        C:\Windows\SysWOW64\Tilevbq.com
        
        C:\Windows\system32\Tilevbq.com 548 "C:\Windows\SysWOW64\Tilevbq.com"
        11⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ab3.bat
        12⤵
        
        PID:916
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        13⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
d085cde42c14e8ee2a5e8870d08aee42

SHA1
c8e967f1d301f97dbcf252d7e1677e590126f994

SHA256
a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f

SHA512
de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
476B

MD5
a5d4cddfecf34e5391a7a3df62312327

SHA1
04a3c708bab0c15b6746cf9dbf41a71c917a98b9

SHA256
8961a4310b2413753851ba8afe2feb4c522c20e856c6a98537d8ab440f48853a

SHA512
48024549d0fcb88e3bd46f7fb42715181142cae764a3daeb64cad07f10cf3bf14153731aeafba9a191557e29ddf1c5b62a460588823df215e2246eddaeff6643

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
701B

MD5
e427a32326a6a806e7b7b4fdbbe0ed4c

SHA1
b10626953332aeb7c524f2a29f47ca8b0bee38b1

SHA256
b5cfd1100679c495202229aede417b8a385405cb9d467d2d89b936fc99245839

SHA512
6bd679341bec6b224962f3d0d229cff2d400e568e10b7764eb4e0903c66819a8fa99927249ab9b4c447b2d09ea0d98eb9823fb2c5f7462112036049795a5d8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
c8441ec8a2edf9b2f4f631fe930ea4d9

SHA1
2855ee21116b427d280fcaa2471c9bd3d2957f6f

SHA256
dd2fa55643d4e02b39ef5a619f2ca63e49d6cc1e6513d953c2d9400d46b88184

SHA512
b0b03828275f895adf93ef6b9d40d31e10f166d40c1ee0f5697aadcee1b6d5e8b81637ccfcf66ba9dfd92295f106cfac0eca2320b71a15ad96fdbe06f6764ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
fa83299c5a0d8714939977af6bdafa92

SHA1
46a4abab9b803a7361ab89d0ca000a367550e23c

SHA256
f3bb35f7fc756da2c2297a100fa29506cb12371edb793061add90ee16318bf03

SHA512
85e46b9f1089054e60c433459eea52bec26330f8b91879df3b48db1533a307443dd82006ac3bb86245bbd207c1d8c75c29949f755cc0dc262ede888a1d531599

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
5aa228bc61037ddaf7a22dab4a04e9a1

SHA1
b50fcd8f643ea748f989a06e38c778884b3c19f2

SHA256
65c7c12f00303ec69556e7e108d2fb3881b761b5e68d12e8ae94d80ab1fd7d8b

SHA512
2ac1a9465083463a116b33039b4c4014433bda78a61e6312dde0e8f74f0a6a6881017041985871badee442a693d66385fe87cbfc60f1309f7a3c9fb59ec6f2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
ff6c57e8ec2b96b8da7fe900f1f3da1c

SHA1
a6f0dc2e2a0a46e1031017b81825173054bf76ae

SHA256
ad103027edabf24721c50018ae32c2b34872f7f63a352d31591a2cd7174008d6

SHA512
c0069e816bdf494c149e6bc278dc63ad58e348ec90d9bf161f2558bea03e9622e4b0c03b1a6b2517e87ef4e748d4aac36fb853f70180b55521e56c9c4960babc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
300B

MD5
9e1df6d58e6c905e4628df434384b3c9

SHA1
e67dd641da70aa9654ed24b19ed06a3eb8c0db43

SHA256
25bb4f644e47b4b64b0052ec7edfd4c27f370d07ef884078fea685f30b9c1bb0

SHA512
93c9f24dc530e08c85776955c200be468d099d8f1d2efe5e20cbb3a1d803fe23e0ba9b589df2498832082a283d79f6f1053a26d15f49e31a0da395ecc7225ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
978B

MD5
2e2266221550edce9a27c9060d5c2361

SHA1
f39f2d8f02f8b3a877d5969a81c4cb12679609f3

SHA256
e19af90814641d2c6cd15a7a53d676a4a7f63b4a80a14126824d1e63fdccdcdb

SHA512
e962cc55d1f9537159c34349a2fa5ffffc910de3e52cafa8347c43eded78b8e986ecb8e2e9ada5e2381b034151f17e6b984c279460e8e114e50ea58a64648864

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
5b77620cb52220f4a82e3551ee0a53a6

SHA1
07d122b8e70ec5887bad4ef8f4d6209df18912d0

SHA256
93ee7aaab4bb8bb1a11aede226bdb7c2ad85197ef5054eb58531c4df35599579

SHA512
9dc2b10a03c87d294903ff3514ca38ce1e85dec66213a7042d31f70fb20d36fed645150c5a6cb6f08c31bdc9f61e7dee2f1737c98aab263c289b09ffa663371c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
501effddf60a974e98b67dc8921aa7e8

SHA1
734dfe4b508dbc1527ec92e91821a1251aec5b2e

SHA256
672e3c47827c2fc929fc92cd7d2a61d9ba41e847f876a1e5486e2701cbc3cb06

SHA512
28081046c5b0eb6a5578134e19af2a447d38afda338bd3ae4c2fc0054460580d47f9ab6d8c9001ff605e76df462e7bbcab80be15deaf3ca6264e20717dfb9c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
b79d7c7385eb2936ecd5681762227a9b

SHA1
c2a21fb49bd3cc8be9baac1bf6f6389453ad785d

SHA256
fd1be29f1f4b9fc4a8d9b583c4d2114f17c062998c833b2085960ac02ef82019

SHA512
7ea049afca363ff483f57b9fff1e213006d689eb4406cefe7f1e096c46b41e7908f1e4d69e1411ae56eb1c4e19489c9322176ffdd8ea2f1c37213eb51f03ef5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
5002319f56002f8d7ceacecf8672ce25

SHA1
3b26b6801be4768cc7582e29bc93facdf2a74be3

SHA256
f23f4854d17525744e8028db6dde6eb7d5d664b0ee1b08870c9c01b639e0124c

SHA512
8eae0fabc7f5a7e452abacf988a3632874c556af409da5e60c5e529524732b40f22d4e1d860ccceae87642875c819fc8a8120eceaabd25861f920c8c066a9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
c1e5f93e2bee9ca33872764d8889de23

SHA1
167f65adfc34a0e47cb7de92cc5958ee8905796a

SHA256
8f5276e847b1c6beb572b1eeae20f98784aae11ea2d8f8860adcdb78fd9dca3a

SHA512
482741b0df7bf6e94ba9667892fe12125df30812e21de40fd60dee540922da70ffb6db4a0c0e17346e714d4bb6e49e2d4eca53c0d5194cd888903071c82b8859

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
54ca6e3ef1c12b994043e85a8c9895f0

SHA1
5eaccfb482cbe24cf5c3203ffdc926184097427e

SHA256
0db388471ad17c9c9b4a0a40b2536b7a6f27b8cc96775812d48d7009acb418c0

SHA512
925615f057558a00fb0ed3f9faeee2b70f3dd5469376de9381a387b3666c230fc0bb5b83fd3acf0169872e3c5f747cbdaff473d7fa389a5848f3828916680626

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
208B

MD5
67a0c98a371995d5434cb9788ee1c42f

SHA1
7171d3dca52f038ca9d9e8b13f356462dbc8f3cc

SHA256
2ac5bd7466724458c6f36bbbe6be697bfbc95d3b8f8ad486b83d595bd295dbc3

SHA512
f5b31a9e68044db25853f9a158dd4ff1da717beb5802dd11a6d3b705b5bf065304c98df3c81c8487e922d4f94690ecfb2662077bffb50cba036bcd8e50935191

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
298B

MD5
4117e5a9c995bab9cd3bce3fc2b99a46

SHA1
80144ccbad81c2efb1df64e13d3d5f59ca4486da

SHA256
37b58c2d66ab2f896316ee0cdba30dcc9aac15a51995b8ba6c143c8ba34bf292

SHA512
bdb721bd3dea641a9b1f26b46311c05199de01c6b0d7ea2b973aa71a4f796b292a6964ddef32ba9dfc4a545768943d105f110c5d60716e0ff6f82914affb507c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
574B

MD5
5020988c301a6bf0c54a293ddf64837c

SHA1
5b65e689a2988b9a739d53565b2a847f20d70f09

SHA256
a123ebc1fac86713cdd7c4a511e022783a581ea02ba65ea18360555706ae5f2d

SHA512
921a07597f8c82c65c675f5b09a2552c7e2e8c65c8df59eebbe9aff0bfe439ad93f5efc97ba521be31299323051d61ead6a3f0be27302dc0f728b7a844fb2fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
849B

MD5
558ce6da965ba1758d112b22e15aa5a2

SHA1
a365542609e4d1dc46be62928b08612fcabe2ede

SHA256
c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb

SHA512
37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
3637baf389a0d79b412adb2a7f1b7d09

SHA1
f4b011a72f59cf98a325f12b7e40ddd0548ccc16

SHA256
835336f5d468ac1d8361f9afbc8e69ff1538c51b0b619d641b4b41dcfaa39cba

SHA512
ea71a49c3673e9ce4f92d0f38441b3bc5b3b9ef6649caa21972648e34b6cec8694fa8fb7fc0ddad1e58f0464e0ba917c4500090a3db3fc07e1d258079c1c2506

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
752fd85212d47da8f0adc29004a573b2

SHA1
fa8fe3ff766601db46412879dc13dbec8d055965

SHA256
9faa69e9dabfb4beb40790bf12d0ae2ac0a879fb045e38c03b9e4d0ab569636e

SHA512
d7bbadb2ed764717dc01b012832e5c1debd6615bbdc121b5954e61d6364a03b2dd03718bdea26c5c2a6dbb6e33c5a7657c76862f6d8c0a916f7a0f9f8dd3b209

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
872656500ddac1ddd91d10aba3a8df96

SHA1
ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc

SHA256
d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8

SHA512
e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9

Download Submit
C:\ab3.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
\Windows\SysWOW64\Tilevbq.com

Filesize
194KB

MD5
2e3883c6913458524489f5d462646256

SHA1
ffbec2986e76fbb9ff7fac9f60f55f6da34e125f

SHA256
5ac8eca2ae52ce97e83646f5b3e612dda8d3ba00cc3173f6e9740695ad0b21cc

SHA512
b9b824eb107ceace5111d1a8c14dd4ea71f8853aab3ae2e6153b212785c3c72d480739110faabed865bcc5a79a092f650d646f23761a54d30f14961f923d492a

Download Submit
memory/520-459-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/520-577-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/520-696-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1296-452-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1296-332-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1296-213-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1460-222-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1460-198-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1460-208-0x0000000000260000-0x0000000000290000-memory.dmp

Filesize
192KB

Download
memory/1460-207-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1460-206-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/1460-223-0x0000000000260000-0x0000000000290000-memory.dmp

Filesize
192KB

Download
memory/1460-187-0x0000000000260000-0x0000000000290000-memory.dmp

Filesize
192KB

Download
memory/1460-204-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/1460-203-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/1460-202-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/1460-189-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/1460-190-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/1460-191-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1460-192-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/1460-193-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/1460-194-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/1460-195-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/1460-196-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/1460-197-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/1460-212-0x0000000002C90000-0x0000000002D14000-memory.dmp

Filesize
528KB

Download
memory/1460-199-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/1460-200-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/1460-201-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1480-1308-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1980-945-0x0000000002A50000-0x0000000002AD4000-memory.dmp

Filesize
528KB

Download
memory/1980-941-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2008-1064-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2008-946-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2020-8-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2020-13-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2020-153-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/2020-152-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/2020-156-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/2020-181-0x0000000002D50000-0x0000000002DD4000-memory.dmp

Filesize
528KB

Download
memory/2020-182-0x0000000002D50000-0x0000000002DD4000-memory.dmp

Filesize
528KB

Download
memory/2020-185-0x0000000000280000-0x00000000002B0000-memory.dmp

Filesize
192KB

Download
memory/2020-158-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/2020-186-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2020-159-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/2020-160-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/2020-161-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/2020-162-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/2020-163-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/2020-164-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2020-165-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/2020-166-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/2020-168-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/2020-169-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/2020-170-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/2020-171-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/2020-172-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2020-173-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/2020-174-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/2020-167-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2020-151-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/2020-5-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2020-6-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2020-7-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2020-0-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2020-9-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2020-10-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2020-11-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/2020-12-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2020-155-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/2020-14-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/2020-15-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/2020-16-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2020-1-0x0000000000280000-0x00000000002B0000-memory.dmp

Filesize
192KB

Download
memory/2020-17-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/2020-2-0x00000000001F0000-0x00000000001F3000-memory.dmp

Filesize
12KB

Download
memory/2020-18-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2020-4-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2020-28-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/2020-19-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/2020-20-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/2020-21-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/2020-22-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/2020-23-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2020-24-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/2020-25-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2020-36-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/2020-26-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2020-27-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/2020-35-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2020-34-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/2020-33-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/2020-32-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/2020-29-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/2020-30-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2020-31-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/2092-1186-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2304-808-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2304-698-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2572-832-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2572-822-0x0000000002C90000-0x0000000002D14000-memory.dmp

Filesize
528KB

Download
memory/2572-819-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2740-461-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2740-458-0x0000000002C90000-0x0000000002D14000-memory.dmp

Filesize
528KB

Download
memory/2740-454-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2740-336-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads