bazaloader | 5c8669154b702f846f2c1fc469cf51c663b2ca56bfabc82fedb9c8f753c65faa

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-02-2025 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
Size

886KB
MD5

7042a2161f83a12148f1fba3781f3160
SHA1

30cf7f293001a95d86b4a007de3811b16761e299
SHA256

5c8669154b702f846f2c1fc469cf51c663b2ca56bfabc82fedb9c8f753c65faa
SHA512

1bb48b51983164bc3c7ff4f1c5c8ab7e899619c528f9e49653024afb6421e599eb1bc285c1558e2848bffa7418ee82cd05b0440ca5980825127376909363acd1
SSDEEP

24576:Y8glSPau8eRkhwDRX1pO1ZAyTxZQt3hnf8Q:Y8eSPau8eOORX1pO12sZQ1l/

Score

10^/10

bazaloader discovery persistence trojan

Malware Config

Signatures

Bazaloader family
bazaloader

Detects BazaLoader malware 15 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests - JaffaCakes118.

trojan

resource	yara_rule
behavioral1/memory/2544-235-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/2544-237-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/2544-239-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/2544-241-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/2544-243-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/2544-260-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/2544-262-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/2544-265-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/2544-266-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/2544-268-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/2544-270-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/2544-302-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/2544-304-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/2544-306-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral1/memory/2544-308-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000012101-2.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2544	svchost.exe
680	rundll32.exe

Loads dropped DLL 7 IoCs

pid	Process
2704	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
2704	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
2704	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinReg = "c:\\windows\\system\\svchost.exe"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\win.exe	svchost.exe
File created	C:\Windows\system\id.exe	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File created	C:\Windows\system\mirc.ini	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File created	C:\Windows\system\remote.ini	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File created	C:\Windows\system\rundll.exe	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File opened for modification	C:\Windows\system\svchost.exe	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File opened for modification	\??\c:\windows\system\mirc.ini	svchost.exe
File created	\??\c:\windows\system\TMP1.$$$	svchost.exe
File created	C:\Windows\system\__tmp_rar_sfx_access_check_259453468	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File opened for modification	C:\Windows\system\win.exe	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File opened for modification	C:\Windows\system\mirc.ini	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File opened for modification	C:\Windows\system\reg.dll	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File created	C:\Windows\system\rundll32.exe	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File created	C:\Windows\system\win.com	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File created	C:\Windows\system\vir.exe	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File opened for modification	\??\c:\windows\system\remote.ini	svchost.exe
File created	C:\Windows\system\win.exe	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File opened for modification	C:\Windows\system\id.exe	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File opened for modification	C:\Windows\system\remote.ini	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File opened for modification	C:\Windows\system\rundll.exe	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File opened for modification	C:\Windows\system\rundll32.exe	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File created	C:\Windows\system\svchost.exe	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File created	C:\Windows\system\reg.dll	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File opened for modification	C:\Windows\system\vir.exe	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File opened for modification	C:\Windows\system\win.com	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Application	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat\ = "ChatFile"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\URL Protocol	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha\ = "ChatFile"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\ = "Chat File"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic\ = "Connect"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ = "%1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\ = "Connect"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\ = "URL:IRC Protocol"	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\EditFlags = 02000000	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ = "%1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application\ = "mIRC"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command\ = "\"c:\\windows\\system\\svchost.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\ = "mIRC"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec\ = "%1"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Topic	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon\ = "\"c:\\windows\\system\\svchost.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec\ = "%1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\DefaultIcon\ = "\"c:\\windows\\system\\svchost.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\ifexec	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\command	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command\ = "\"c:\\windows\\system\\svchost.exe\""	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2704	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
2544	svchost.exe
2544	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2544	2704	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe	30
PID 2704 wrote to memory of 2544	2704	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe	30
PID 2704 wrote to memory of 2544	2704	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe	30
PID 2704 wrote to memory of 2544	2704	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe	30
PID 2544 wrote to memory of 680	2544	svchost.exe	31
PID 2544 wrote to memory of 680	2544	svchost.exe	31
PID 2544 wrote to memory of 680	2544	svchost.exe	31
PID 2544 wrote to memory of 680	2544	svchost.exe	31
PID 2544 wrote to memory of 680	2544	svchost.exe	31
PID 2544 wrote to memory of 680	2544	svchost.exe	31
PID 2544 wrote to memory of 680	2544	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2704
- C:\windows\system\svchost.exe
  "C:\windows\system\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\system\rundll32.exe
    "C:\Windows\system\rundll32.exe" mIRC
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wylF1DF.tmp

Filesize
712KB

MD5
ceaf60ee4b35de4ef207bedd77cb2e9a

SHA1
dc9f49e327c57d157f6957abd5a4dcfe455dbb20

SHA256
2a8e1f622eb01fa5ca723e9f4b1d455fb285bc9c14f744db4c55c3b99fb47816

SHA512
c36e2d940905f9261decf36372af17fdca8718414ab08b5212e841a136c99c1df2e98722cb8fea39c9e42eb129a28a1e4f086f161ad36ab4da92ec472b84d790

Download Submit
C:\Windows\system\mirc.ini

Filesize
2KB

MD5
0b56d6052e2aadfa8c77c4221f030e5b

SHA1
b7e4f3e638a7a47c7d786076f42c9522eb75d886

SHA256
29c8ccc397e931f1c5946b1e18587fd29cee01f0be258bfc1e3bc982721b8b0d

SHA512
aebdf7453c88a593b9a89683f5dd4b825813afe07c1cf87ea6c124e229795e7bf92bb68a62b815db4f4a786eb6c5b617f365c690e947795ae29f43b132a4dc7f

Download Submit
C:\Windows\system\mirc.ini

Filesize
2KB

MD5
78db6af3e532d8e99728756556e548eb

SHA1
fbf6d86ea546c7e7b4413fbb759af33095f87d20

SHA256
b50f4d5d804fe1c373ce60f76c9c44c798cee11f22839526ad0aca12f1f1404d

SHA512
09f9e90e18680f8026c2ce6234908c2cf400be6ada4a7702b58f98ae18f98c50b7dd4853b1868822bbc620fb078ef6f5c00882f962c4373f37461e1b9b07aebc

Download Submit
C:\Windows\system\mirc.ini

Filesize
2KB

MD5
8d27623f1ab0f0326e2294dba76a81fb

SHA1
55b5ece2f203737c95287b2c239de7c8465b9e4e

SHA256
9b0cc67690fa4a575a8ac4393652c5c329c9b79b97f491b0be72f2e8b652a6d4

SHA512
1fd1d728ffad6b5c6c5a7e888a90ca58a7e849c414fe6d960b1faa99777975bf0069ee001c39aa49d21375033252c0ae43fbe2acb0ad4c2b23be31deebdec0d5

Download Submit
C:\Windows\system\mirc.ini

Filesize
2KB

MD5
a6855e3b2e8ddcc4e9355d6f846892d0

SHA1
afb341f1acc140526a5a0234635ee53863acffa5

SHA256
d1c346822ab000a922dba091187ad77550200b80ba56f5fe9a5275b8d8621e96

SHA512
cabe6e6b9d613ed044c9aed038487d7077798d90569199261dfb1331fd82d5b89ff9042c21de4f32542fc2cdef6bc412e155afcaed365202e3a089b7404137da

Download Submit
C:\Windows\system\mirc.ini

Filesize
2KB

MD5
4e3dc281e7959393e6c641b6bd8b4a41

SHA1
f572e9b1a635756098c3989c6c604b9e01291d39

SHA256
c7e9e6bc577e974d9369251fd429d094d7e14b31826ca27ab57605a7aa25d20b

SHA512
47ef4f6891e93de18db069b2bd245258ba29245dfb9c79cf5e644185c0e7f1e23fe7496075f04c0c2e3bb5d31132230373553c0081d2e8158c238e8bc3572bb2

Download Submit
C:\Windows\system\mirc.ini

Filesize
2KB

MD5
e1727105a7a4bc83f20e9b329c206bbd

SHA1
945b63764965783d6eae90847c8463d4e3d84764

SHA256
360acf9841d4f926d615cf02facf39b5e0c39b36aec3c29248bffe18d2d8f86a

SHA512
e78f918aa1659d620065fe07cde64083ccbb4c6039c0200a01da8edc71180ec87f4ac6ab5fa060679db979013ff7bd92dce60b99a683ffb3cb3b7a4064ea53e3

Download Submit
C:\Windows\system\rundll32.exe

Filesize
22KB

MD5
ad335b0089e0237487b54ccd56a0c889

SHA1
e73ea38359a3634b470808f5b71703d38c596337

SHA256
97fc1f5adb202b78bf10a6989209a99691b475e37d8e7cada20341cce7a2802b

SHA512
7615b8d70bac4f5af6b9034154ecbe71f4b103418e044e104278ed33fba47a64457938de332cacefda5b69060c569ad4315887a786f36592800551bffaefd75c

Download Submit
\??\c:\windows\system\id.exe

Filesize
1KB

MD5
4b9a3a5c2cd007d4cbb624c1fc75c0d3

SHA1
144e882065ddb3fcf6baa2797a93922e9925236d

SHA256
dc7c04cb3f32b138b7dce376de40327578f13a638683a8ab7db461ae298accd0

SHA512
27cea94048617ae1bc2c92bd66788e9a20d1c27bb47d6e45929e0eaedab8bcef4144a4397d4bf9de27367c509232f3a3f837d4aef54a993c11853bad54af2afd

Download Submit
\??\c:\windows\system\mirc.ini

Filesize
2KB

MD5
976e8dcaa8c1d37097514a7e24eb5ad4

SHA1
706992a9c80ecb82a0afe949d7d63e122d86e607

SHA256
bed7f5d29d113d45b20ebb935ed08b270f7582b6bee040d22ed39c068f4a1998

SHA512
7c1ed66a1e2416e61a79b5f88406c7ffbe1c7009771915fb54824beb9158d037a3b1af7f7d3be5d635037d8369195da9ce794240184253a899fef5296f893f8b

Download Submit
\??\c:\windows\system\remote.ini

Filesize
214B

MD5
9cc447d15929d6f2f2e694e1bab573fe

SHA1
5ca08ebd1c81ab440576147396672d24017024c0

SHA256
057e8569ddad8eb0234f0c5a867acc9a296c4a07af2a0e809a5dac6d4a434e35

SHA512
3cfaeb3595683ea2f88afd5a1ba9f5faf7512db8ca1be4aee763ddd63e7b4966698db81def16e6423cb047cc049346dc072b39d899bb8cde7b3aac7a97006283

Download Submit
\??\c:\windows\system\rundll.exe

Filesize
178B

MD5
816412c05131e2c009ae7e0edfc0daaa

SHA1
5afe42f975ae10533402892bf36058e36e109ddc

SHA256
1fb02129a672a48e7ae538f2e878b8f1d69006150f56ad9f075b3b71aa349c42

SHA512
55d13a661aa6b3fa4978574d0ecb72720411e3f35a184e36d3065a54c0e12b8f4ae1ff793f4d4344b908f20cc88c623c2271915fb2764b09aaece10d49ea75b6

Download Submit
\??\c:\windows\system\vir.exe

Filesize
14KB

MD5
b1707b5489b2f9f4b75a74ab1f34c1f0

SHA1
bdec94f058facf6532afb71324ac560e9f79a26f

SHA256
6ed9bbe27339b249a87d686716d495305ac827aadf114c39608cbc7289753d93

SHA512
994e1a6caf6a668ff05f581bf967e83bb968b3bf227c5ac85b228764f94c912f8e8a6900f32270ffb2d743b42cc0e5b40ca5febd41929688213ed64ae43592c9

Download Submit
\??\c:\windows\system\win.com

Filesize
397B

MD5
cd10c48ebed150ebf7ea325fac964798

SHA1
714c92e927354108178cac870d5b3b68eef4e56f

SHA256
a8d2cba9085e042fd84309030422ad3f7a7055f7ca23291571acfd0bc74cbe0f

SHA512
72fbe7528d80d42708f3621e4f60667255f3b54503c0b0849419384259341580a8e74dd3b99f0a45bdae983df713b0262d3e8f353a8708013ed2af43f7fd1da0

Download Submit
\??\c:\windows\system\win.exe

Filesize
11KB

MD5
5c2d225dc50ae63e63599d37d5968402

SHA1
825745c35fcfff8fc6acc44835b4ec8d3ec1cb90

SHA256
f75e3fcfad17c40871aefc461e378bee5a2238a3f7b729af9b9177b8b3402fa9

SHA512
a2ad0adb1279324da0528afd8e9147b9c51de487157fe16e1144469c65ac8c412011ba18dc6619aea09c2e2fd9873583ae1d86d2c5dc46bac0ca8a5a832972de

Download Submit
\Users\Admin\AppData\Local\Temp\rylF1AF.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Windows\system\reg.dll

Filesize
84KB

MD5
8650e5a54f7df9d47b7fa8c5236eccba

SHA1
7493e00f932b39edd35fccb25a75b4b41e2f5009

SHA256
4a4532f7b9cff5115fafa2489286b12a0e98850edf56d62daea85bb1d3f604e5

SHA512
2e5f7178cc1f1ef3f35ae5c05cd5bcce9b390fe7b72f001606398133ef5e10ddac32aa7050086f3eb117e03a30c637fb5064e4f8b7dc467f9dbe1eaa289a8046

Download Submit
\Windows\system\svchost.exe

Filesize
496KB

MD5
dd6dab5797b43d121af479e22ca82f23

SHA1
c8a1272a3ab60958ce8635a7bdd9757ec729961f

SHA256
eb7ef5cce7f820fa1b7f64abe70f61f4367e462a9aaed28f166f89456e6ac75e

SHA512
058c69b8fb33e34700b9d72aff1898cc66c7062e76d37048a073b61f76e6019ef31895f34bf4cdd20d347f4e419b34e01f845df78f006fb9ea5105c2d790c3ca

Download Submit
memory/680-154-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/680-174-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/680-176-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2544-138-0x00000000009E0000-0x00000000009F0000-memory.dmp

Filesize
64KB

Download
memory/2544-268-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2544-140-0x0000000003380000-0x0000000003400000-memory.dmp

Filesize
512KB

Download
memory/2544-155-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2544-156-0x00000000009E0000-0x00000000009E2000-memory.dmp

Filesize
8KB

Download
memory/2544-48-0x0000000000330000-0x0000000000332000-memory.dmp

Filesize
8KB

Download
memory/2544-308-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2544-306-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2544-304-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2544-302-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2544-213-0x0000000003380000-0x0000000003400000-memory.dmp

Filesize
512KB

Download
memory/2544-47-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2544-235-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2544-237-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2544-239-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2544-241-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2544-243-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2544-260-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2544-262-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2544-270-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2544-265-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2544-266-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2544-149-0x0000000003380000-0x0000000003400000-memory.dmp

Filesize
512KB

Download
memory/2704-264-0x0000000003630000-0x00000000037B8000-memory.dmp

Filesize
1.5MB

Download
memory/2704-45-0x0000000003630000-0x00000000037B8000-memory.dmp

Filesize
1.5MB

Download
memory/2704-4-0x0000000000350000-0x00000000003C3000-memory.dmp

Filesize
460KB

Download
memory/2704-44-0x0000000000350000-0x00000000003C3000-memory.dmp

Filesize
460KB

Download
memory/2704-43-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2704-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2704-40-0x0000000003630000-0x00000000037B8000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads