bazaloader | f73e7197dfe5928ba7c7d153c5daf947e559dec9f54d40d278d5ac728d46f360

Analysis

max time kernel
141s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe
Size

657KB
MD5

7927418bcafbad559d3f8c797ed92f3d
SHA1

da32eb5e9388db9c14bf1e4dcc4fb3dd01b4465b
SHA256

f73e7197dfe5928ba7c7d153c5daf947e559dec9f54d40d278d5ac728d46f360
SHA512

3476344e363bc7aadd5676e4778ac2b433348dcebee500825eb2ac8dd558fd0448ce1c7e4b43ec3421564317da6def527e38087a286117b1a9a26d4cfc297dd6
SSDEEP

12288:Hch76VXueiN6FcTElGm4ttxI+9Zumsvlpu0UvaGAlOBzZ1zssdwmeTvYy9Ue87vv:8t1f3o9G6+WTzZwAlOBzZ5dwmeTvYgUH

Score

10^/10

bazaloader discovery persistence trojan upx

Malware Config

Signatures

Bazaloader family
bazaloader

Detects BazaLoader malware 15 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests - JaffaCakes118.

trojan

resource	yara_rule
behavioral1/memory/3016-209-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/3016-211-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/3016-213-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/3016-215-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/3016-217-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/3016-264-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/3016-266-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/3016-268-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/3016-270-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/3016-272-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/3016-274-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/3016-276-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/3016-318-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/3016-320-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/3016-322-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader

Executes dropped EXE 2 IoCs

pid	Process
3016	svchost.exe
2496	rundll32.exe

Loads dropped DLL 12 IoCs

pid	Process
3000	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe
3000	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
2496	rundll32.exe
2496	rundll32.exe
2496	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinReg = "c:\\windows\\system\\svchost.exe"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3000-0-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/3000-127-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Drops file in Windows directory 24 IoCs

description	ioc	Process
File created	C:\Windows\system\remote.ini	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe
File opened for modification	C:\Windows\system\svchost.exe	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe
File opened for modification	C:\Windows\system\vir.exe	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe
File created	C:\Windows\system\win.com	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe
File created	C:\Windows\system\win.exe	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe
File created	\??\c:\windows\system\TMP1.$$$	svchost.exe
File opened for modification	C:\Windows\system\id.exe	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe
File opened for modification	C:\Windows\system\reg.dll	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe
File opened for modification	C:\Windows\system\rundll.exe	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe
File created	C:\Windows\system\vir.exe	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\mirc.ini	svchost.exe
File created	C:\Windows\system\mirc.ini	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe
File created	C:\Windows\system\reg.dll	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe
File opened for modification	C:\Windows\system\remote.ini	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe
File created	C:\Windows\system\svchost.exe	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\remote.ini	svchost.exe
File opened for modification	\??\c:\windows\system\win.exe	svchost.exe
File created	C:\Windows\system\id.exe	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe
File created	C:\Windows\system\rundll32.exe	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe
File opened for modification	C:\Windows\system\rundll32.exe	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe
File created	C:\Windows\system\rundll.exe	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe
File opened for modification	C:\Windows\system\win.com	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe
File opened for modification	C:\Windows\system\win.exe	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe
File opened for modification	C:\Windows\system\mirc.ini	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 40 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec\ = "%1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\ = "Connect"	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\EditFlags = 02000000	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha\ = "ChatFile"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command\ = "\"c:\\windows\\system\\svchost.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\ = "mIRC"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat\ = "ChatFile"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\ifexec	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Topic	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon\ = "\"c:\\windows\\system\\svchost.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\command	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Application	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application\ = "mIRC"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\ = "Chat File"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\URL Protocol	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec\ = "%1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ = "%1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\DefaultIcon\ = "\"c:\\windows\\system\\svchost.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\ = "URL:IRC Protocol"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command\ = "\"c:\\windows\\system\\svchost.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ = "%1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic\ = "Connect"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3016	svchost.exe
3016	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 3016	3000	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe	29
PID 3000 wrote to memory of 3016	3000	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe	29
PID 3000 wrote to memory of 3016	3000	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe	29
PID 3000 wrote to memory of 3016	3000	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe	29
PID 3000 wrote to memory of 3016	3000	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe	29
PID 3000 wrote to memory of 3016	3000	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe	29
PID 3000 wrote to memory of 3016	3000	7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe	29
PID 3016 wrote to memory of 2496	3016	svchost.exe	30
PID 3016 wrote to memory of 2496	3016	svchost.exe	30
PID 3016 wrote to memory of 2496	3016	svchost.exe	30
PID 3016 wrote to memory of 2496	3016	svchost.exe	30
PID 3016 wrote to memory of 2496	3016	svchost.exe	30
PID 3016 wrote to memory of 2496	3016	svchost.exe	30
PID 3016 wrote to memory of 2496	3016	svchost.exe	30

C:\Users\Admin\AppData\Local\Temp\7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7927418bcafbad559d3f8c797ed92f3d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000
- C:\windows\system\svchost.exe
  "C:\windows\system\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\system\rundll32.exe
    "C:\Windows\system\rundll32.exe" mIRC
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\mirc.ini

Filesize
2KB

MD5
ea05a7451eddfa5845ed6b3f5ebee382

SHA1
abf4f83d74bc2217769a3022cef7a43f550cb680

SHA256
4f7ce1599d537f59809af0b258b4bed5ce093a1be7852c8481af0bc03df65bf6

SHA512
0ee96ca6d5159fa8d2895bf2a113bae3d26b85aa2e7afeecff2f1ecc9d72250efde6b2c05280efa6a8b0635c9669dd36cf764f000c11656a4faf486ff84ff682

Download Submit
C:\Windows\system\mirc.ini

Filesize
2KB

MD5
ec3720cf5fc99c6860d364748cbe9c6e

SHA1
a0b9d242ef8e49686191aae6a8ef1861e29d6c3e

SHA256
b63d04c5a67dec30f0fb54b876efad15603274fb40ab1693a79f9ef430c43208

SHA512
b9153c97d2f3cbe528e46bf79b8c9f413123060acb00d998af9fffdc753a42ee51017bd8a5f14e55293a55d9c7ec283f981198792fa143e02b80c81462f4d30e

Download Submit
C:\Windows\system\mirc.ini

Filesize
2KB

MD5
dc64c09c5bbf3877323ddbe165dc556c

SHA1
d0f128620807274e787a49dc073bc536d8cd4638

SHA256
39fdc72c3944a10e48b6123955a22294980154e92421205f8b9a9f4322234712

SHA512
acbc7a35385b10837c221533a3e3a1bf0b6a35db4ec58cbdf185b7e3479138a1fa95d98c452909855d8d7a679322daea6bca81158c9b77abfc1c605589e095e7

Download Submit
C:\Windows\system\mirc.ini

Filesize
2KB

MD5
77057816da2d9afe4193e0da2d643923

SHA1
5e9c125d8e1067b3a6eccda79cb155809f1befa4

SHA256
00382e13db04c7838c91a2d5ee71dbc63376278b76c2b146fb0111de965b17a6

SHA512
088f791843b83f98cff20c269d062e13f86cf77ed555a4d26c7712a2df3b4635fc0fdfb3768aa22a6d119d5e3f96956d01200798e28a7f42f6bb2fb044d8f19f

Download Submit
C:\Windows\system\mirc.ini

Filesize
2KB

MD5
5c6fb02db069696970eabac1c4fbce95

SHA1
48966e94b2458243278d412c3d103fdb8e0c1286

SHA256
1dd55810a6f1fcad632cab7920d8a1b64ab26714cdd18782462f14d63133d2fa

SHA512
77eafe10770cf4585e99a8102481f1127c3d75cfbd48d146c6f0bb7ca64362018c199b8a77bf9fe9194172871625e66cedd21c3101b5b501951d326eb65053c9

Download Submit
C:\Windows\system\mirc.ini

Filesize
2KB

MD5
e4d67d434f69a4b599a18675c7be2552

SHA1
985476f5d8eeb6ef43f21979f2c42b916b3243d8

SHA256
af7101e0df6cb01f495f93f2a4a7fabd4c3c93f0ffc20111e774ac2376cfbebe

SHA512
cfc2d3802d051fab1dd1c54e87a8cd6dc50cb476d801b7d5ef98fa82512ce87bc0faac200b646059c1c684e50f633b321ad354e9b471dcfbc3defee65e8f8755

Download Submit
C:\Windows\system\mirc.ini

Filesize
2KB

MD5
3ac45f01ef72a88b86a3fe7ea05bfca9

SHA1
b5d2c744612ae4e92e9cef2b620358b2bfd9ea92

SHA256
0712faf155f65ab6387eef23269baea7a07e6ce037914255576b9df28da50549

SHA512
d239308e5f79e2206a6ac8134ef89214326477f45abe4ae955dbe252f95fe2ca8942c16a50977ac920b8773938629fb0ea88f414b564683a836bd0beadc3b329

Download Submit
C:\Windows\system\mirc.ini

Filesize
2KB

MD5
f391e9278075b2d78f42eca0dc63b9a6

SHA1
9c349833f0a566a3def161b05a68e6ae1989781a

SHA256
c027bd9c7feeca139bf2aa1bce0d2987c1273c1dbcc7f31172ed40aff8e3f08f

SHA512
f5ab4311cfefa602744219a42e5e4165e29a5a7ffb026b1cc17eb011644de654113f7a1264f6e74a3995aafced7e4e92e7bbab24e56bbd1ef8c9de4c89a4a2ae

Download Submit
C:\Windows\system\mirc.ini

Filesize
2KB

MD5
b2f8f61daa46688ca7e2803beebe3fad

SHA1
d4f58b2e21d537aeb1679667f602f28545097c24

SHA256
d789da92a37d01f36fbb06a61c9be8a4fdbc5a3efcf5c9ba35d3345ab95f7dda

SHA512
a7bc5c849aebc53e993d8f24f69fe60f676428887b75c1b550c512c6a4f1ddb6ee8c1710db162379a31d3ad2542e665a26e3f6d073006869f4866045e88b9dc1

Download Submit
C:\Windows\system\mirc.ini

Filesize
2KB

MD5
871e39ab626016d18014e8edc4c475dd

SHA1
d98a0551a719720a64f2ca17a897f072fe8c27d0

SHA256
3b5cf294038dcc3ec528e395c17f95d73e4ebec9b96503861dfdc9e2788ddcb3

SHA512
38c474423f81eceb60c442bf774c0ef4af5e9b11aca5d693b8b506f4c203537e3fa3713e2728a4b3062200a98bfec9abaa24e7667c9c651d4b01feb82659d781

Download Submit
C:\Windows\system\rundll32.exe

Filesize
22KB

MD5
ad335b0089e0237487b54ccd56a0c889

SHA1
e73ea38359a3634b470808f5b71703d38c596337

SHA256
97fc1f5adb202b78bf10a6989209a99691b475e37d8e7cada20341cce7a2802b

SHA512
7615b8d70bac4f5af6b9034154ecbe71f4b103418e044e104278ed33fba47a64457938de332cacefda5b69060c569ad4315887a786f36592800551bffaefd75c

Download Submit
\??\c:\windows\system\id.exe

Filesize
1KB

MD5
4b9a3a5c2cd007d4cbb624c1fc75c0d3

SHA1
144e882065ddb3fcf6baa2797a93922e9925236d

SHA256
dc7c04cb3f32b138b7dce376de40327578f13a638683a8ab7db461ae298accd0

SHA512
27cea94048617ae1bc2c92bd66788e9a20d1c27bb47d6e45929e0eaedab8bcef4144a4397d4bf9de27367c509232f3a3f837d4aef54a993c11853bad54af2afd

Download Submit
\??\c:\windows\system\mirc.ini

Filesize
2KB

MD5
08f3072bc15db831e83dc11fbe7fd10b

SHA1
f3d7047d59cfbc4b335ef49b96fe37e9ba02fe9c

SHA256
f7b4088b2c29f53c1b05b4559abf3f6919fcae0daec990e3746f90b0f4ce2be2

SHA512
b920676f6f09d28116e6b7732c5293b02b0e9c61d02186a124b9b2ae80516dee23d304802756d36ce88d700a86cd15337aa766251bebeb8070d1aeac82dad20b

Download Submit
\??\c:\windows\system\reg.dll

Filesize
84KB

MD5
8650e5a54f7df9d47b7fa8c5236eccba

SHA1
7493e00f932b39edd35fccb25a75b4b41e2f5009

SHA256
4a4532f7b9cff5115fafa2489286b12a0e98850edf56d62daea85bb1d3f604e5

SHA512
2e5f7178cc1f1ef3f35ae5c05cd5bcce9b390fe7b72f001606398133ef5e10ddac32aa7050086f3eb117e03a30c637fb5064e4f8b7dc467f9dbe1eaa289a8046

Download Submit
\??\c:\windows\system\remote.ini

Filesize
190B

MD5
06535661fe48aa27f6619e8ba78fa364

SHA1
a9e6ba26d19601f3b1d0a47df9f0ce00ec9936aa

SHA256
fd89ad1e5345504bc9fcd08389f070a61c9fdeae04540b7f5c36718451992765

SHA512
2be20cf4ae2bd71d477678a99461c56df0bbe7f6d82a9656afedf3d3c1e13383f28e4bd982cf1af3f6c2bcfdde78006aaa71e9842fc4c4803ad00b9b749b900e

Download Submit
\??\c:\windows\system\rundll.exe

Filesize
64B

MD5
06369cdd770a6599496b8b2b2c29d3e3

SHA1
ada913d8fd4c1a23375d566c2eb13b77bb24265a

SHA256
7f49f1cee8d86ff033e9755abfa73929005845210acc4ef538eab115806c348f

SHA512
20aa41b881edc7fde532b93a1b246dacc73a50710cab4e340cea97b74abd83e2af4c0da948ab15d23dddc1c1ace54f468e081fd8dc66c845955ab36523919faf

Download Submit
\??\c:\windows\system\vir.exe

Filesize
14KB

MD5
b1707b5489b2f9f4b75a74ab1f34c1f0

SHA1
bdec94f058facf6532afb71324ac560e9f79a26f

SHA256
6ed9bbe27339b249a87d686716d495305ac827aadf114c39608cbc7289753d93

SHA512
994e1a6caf6a668ff05f581bf967e83bb968b3bf227c5ac85b228764f94c912f8e8a6900f32270ffb2d743b42cc0e5b40ca5febd41929688213ed64ae43592c9

Download Submit
\??\c:\windows\system\win.com

Filesize
602B

MD5
b87aaa83fb7ed7fa6ed3435cd1e6caaf

SHA1
5f57e3490072dc6b832195ad4be78e1e8e5f6f00

SHA256
a3acda35804662e8bf45cd444be3a77e9067d33deb65c8cdbd9742b7e782de70

SHA512
2d425ddf896d978291d5fe55bc63213305eddfff9e9d5bf6060285dbb8c8adc830b24ac34b5a0bec69309f8ff95da8b99dbe0789b3a7c939e1cc573899845ac9

Download Submit
\??\c:\windows\system\win.exe

Filesize
10KB

MD5
bf7b0d04c032ae098d5eb00c688702ed

SHA1
004df1d8fbcb1f13fe5eb74985faa9c5a4847a5b

SHA256
5ae44a7110343dc6c059efd30585003dc32a2882bdd9f3993319e1049956bce6

SHA512
999f392928130f628bc4cdcf800164f2c5823bda983cd11a9fafd8baace7f486e16f93082707b74a74ce5ece6ed5ae1dd46bf2f6041238267e5e09f5cc349166

Download Submit
\Windows\system\svchost.exe

Filesize
496KB

MD5
dd6dab5797b43d121af479e22ca82f23

SHA1
c8a1272a3ab60958ce8635a7bdd9757ec729961f

SHA256
eb7ef5cce7f820fa1b7f64abe70f61f4367e462a9aaed28f166f89456e6ac75e

SHA512
058c69b8fb33e34700b9d72aff1898cc66c7062e76d37048a073b61f76e6019ef31895f34bf4cdd20d347f4e419b34e01f845df78f006fb9ea5105c2d790c3ca

Download Submit
memory/2496-167-0x0000000000360000-0x00000000003E0000-memory.dmp

Filesize
512KB

Download
memory/2496-171-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3000-30-0x0000000003180000-0x0000000003308000-memory.dmp

Filesize
1.5MB

Download
memory/3000-2-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/3000-127-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3000-1-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/3000-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3000-31-0x0000000003180000-0x0000000003308000-memory.dmp

Filesize
1.5MB

Download
memory/3016-215-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3016-264-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3016-38-0x0000000000590000-0x0000000000718000-memory.dmp

Filesize
1.5MB

Download
memory/3016-204-0x0000000000390000-0x0000000000392000-memory.dmp

Filesize
8KB

Download
memory/3016-209-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3016-211-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3016-213-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3016-133-0x0000000003210000-0x0000000003290000-memory.dmp

Filesize
512KB

Download
memory/3016-217-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3016-40-0x0000000000390000-0x0000000000392000-memory.dmp

Filesize
8KB

Download
memory/3016-33-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3016-166-0x0000000003210000-0x0000000003290000-memory.dmp

Filesize
512KB

Download
memory/3016-168-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3016-39-0x0000000000590000-0x0000000000718000-memory.dmp

Filesize
1.5MB

Download
memory/3016-266-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3016-268-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3016-269-0x0000000000940000-0x0000000000950000-memory.dmp

Filesize
64KB

Download
memory/3016-270-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3016-272-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3016-274-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3016-276-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3016-131-0x0000000000940000-0x0000000000950000-memory.dmp

Filesize
64KB

Download
memory/3016-318-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3016-320-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3016-322-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads