bazaloader | 5c8669154b702f846f2c1fc469cf51c663b2ca56bfabc82fedb9c8f753c65faa

Analysis

max time kernel
141s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
Size

886KB
MD5

7042a2161f83a12148f1fba3781f3160
SHA1

30cf7f293001a95d86b4a007de3811b16761e299
SHA256

5c8669154b702f846f2c1fc469cf51c663b2ca56bfabc82fedb9c8f753c65faa
SHA512

1bb48b51983164bc3c7ff4f1c5c8ab7e899619c528f9e49653024afb6421e599eb1bc285c1558e2848bffa7418ee82cd05b0440ca5980825127376909363acd1
SSDEEP

24576:Y8glSPau8eRkhwDRX1pO1ZAyTxZQt3hnf8Q:Y8eSPau8eOORX1pO12sZQ1l/

Score

10^/10

bazaloader discovery persistence trojan

Malware Config

Signatures

Bazaloader family
bazaloader

Detects BazaLoader malware 15 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests - JaffaCakes118.

trojan

resource	yara_rule
behavioral2/memory/4388-213-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral2/memory/4388-224-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral2/memory/4388-226-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral2/memory/4388-228-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral2/memory/4388-230-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral2/memory/4388-237-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral2/memory/4388-255-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral2/memory/4388-257-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral2/memory/4388-268-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral2/memory/4388-280-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral2/memory/4388-301-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral2/memory/4388-313-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral2/memory/4388-315-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral2/memory/4388-317-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader
behavioral2/memory/4388-319-0x0000000000400000-0x0000000000588000-memory.dmp	BazaLoader

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000c000000023b6d-2.dat	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
4388	svchost.exe
1304	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
4024	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
4024	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
4388	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinReg = "c:\\windows\\system\\svchost.exe"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System\vir.exe	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File opened for modification	\??\c:\windows\system\remote.ini	svchost.exe
File created	\??\c:\windows\system\TMP1.$$$	svchost.exe
File created	C:\Windows\System\win.exe	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File opened for modification	C:\Windows\System\rundll32.exe	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File created	C:\Windows\System\rundll.exe	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File created	C:\Windows\System\rundll32.exe	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File created	C:\Windows\System\svchost.exe	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File opened for modification	C:\Windows\System\win.exe	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File opened for modification	C:\Windows\System\id.exe	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File created	C:\Windows\System\reg.dll	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File created	C:\Windows\System\remote.ini	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File opened for modification	C:\Windows\System\remote.ini	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File opened for modification	C:\Windows\System\svchost.exe	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File created	C:\Windows\System\vir.exe	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File created	C:\Windows\System\win.com	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File opened for modification	C:\Windows\System\win.com	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File opened for modification	\??\c:\windows\system\win.exe	svchost.exe
File opened for modification	C:\Windows\System\rundll.exe	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File opened for modification	\??\c:\windows\system\mirc.ini	svchost.exe
File created	C:\Windows\System\__tmp_rar_sfx_access_check_240625828	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File created	C:\Windows\System\id.exe	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File created	C:\Windows\System\mirc.ini	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File opened for modification	C:\Windows\System\mirc.ini	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
File opened for modification	C:\Windows\System\reg.dll	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\URL Protocol	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application\ = "mIRC"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha\ = "ChatFile"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon\ = "\"c:\\windows\\system\\svchost.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic\ = "Connect"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat\ = "ChatFile"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ = "%1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec\ = "%1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Application	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command\ = "\"c:\\windows\\system\\svchost.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ = "%1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\EditFlags = 02000000	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\DefaultIcon\ = "\"c:\\windows\\system\\svchost.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\DefaultIcon	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec\ = "%1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command\ = "\"c:\\windows\\system\\svchost.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\ = "mIRC"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\command	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Topic	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\ = "Chat File"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\ = "Connect"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\ = "URL:IRC Protocol"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\ifexec	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4024	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
4388	svchost.exe
4388	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 4388	4024	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe	86
PID 4024 wrote to memory of 4388	4024	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe	86
PID 4024 wrote to memory of 4388	4024	JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe	86
PID 4388 wrote to memory of 1304	4388	svchost.exe	87
PID 4388 wrote to memory of 1304	4388	svchost.exe	87
PID 4388 wrote to memory of 1304	4388	svchost.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7042a2161f83a12148f1fba3781f3160.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4024
- C:\windows\system\svchost.exe
  "C:\windows\system\svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Windows\System\rundll32.exe
    "C:\Windows\System\rundll32.exe" mIRC
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nqiA78A.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqiA7DA.tmp

Filesize
712KB

MD5
ceaf60ee4b35de4ef207bedd77cb2e9a

SHA1
dc9f49e327c57d157f6957abd5a4dcfe455dbb20

SHA256
2a8e1f622eb01fa5ca723e9f4b1d455fb285bc9c14f744db4c55c3b99fb47816

SHA512
c36e2d940905f9261decf36372af17fdca8718414ab08b5212e841a136c99c1df2e98722cb8fea39c9e42eb129a28a1e4f086f161ad36ab4da92ec472b84d790

Download Submit
C:\Windows\System\mirc.ini

Filesize
2KB

MD5
78ad2a532e84b2d7e32d97b3dbc15c28

SHA1
5e44c3a3a402edc040611ce033dd1113ed40af53

SHA256
06a42a197c7acd49127180389c2970e739616d80cf77e84e67b48a85db2bcfc4

SHA512
7b48f2708367b26a4cf4bb6363b386943203ca60480c4f661d7f3ff2510443fbd5c8541f71f404d723d8998e1c7d0ed36b0d6b0dddb4bfc8488d7bba91f88b6c

Download Submit
C:\Windows\System\mirc.ini

Filesize
2KB

MD5
7a6dde631f358e3029df364ae87e8d5a

SHA1
2ef0915b3bf635b8f231df4cbb41ed0c680ad461

SHA256
577298650ef72b578ceea28457b30bbb32f914e30dd08f92143bb938994e8d4a

SHA512
a63bd33984f6629201a068381942319772068cc9c5d1f812765125aafe33c65d0853ebcf08ee7c4f86325690ab943ed3e79b0e487d17d4ef6f481a311956160e

Download Submit
C:\Windows\System\mirc.ini

Filesize
2KB

MD5
3adc69880ba889e1ce996d7f439d0c6b

SHA1
8eaa91afc99d88205da9c908216a1e38fbf31cde

SHA256
a7f5d4979532456d7544dbbb18186e73057d2aa14a77a5fc4a999e9f4c3ce963

SHA512
70aec97f9dca760f5d371d26d45f5f80455ec33543ea1d2c2df14ea463c1601f981ad5741644026fb1b398d5208e45789ac1c23a97c456079b0554af1b3cc26c

Download Submit
C:\Windows\System\mirc.ini

Filesize
2KB

MD5
7fd419af9faa8e025095d69293efe63a

SHA1
36f7f4f25293fda2d0131e00bda526c31ac4033a

SHA256
114c4795e78f42ad0790afe1b4529443c686e5a9b26046e7413e14d326b9fbbe

SHA512
b71bd79d3e1bb1e43c73537f40102e9cb6c783629b9819cab8fd407759e0975e57dda336f9e1d29d86b3c50e8c2e34b79f0ebc303149edb6d8d89e1633193f56

Download Submit
C:\Windows\System\mirc.ini

Filesize
2KB

MD5
976e8dcaa8c1d37097514a7e24eb5ad4

SHA1
706992a9c80ecb82a0afe949d7d63e122d86e607

SHA256
bed7f5d29d113d45b20ebb935ed08b270f7582b6bee040d22ed39c068f4a1998

SHA512
7c1ed66a1e2416e61a79b5f88406c7ffbe1c7009771915fb54824beb9158d037a3b1af7f7d3be5d635037d8369195da9ce794240184253a899fef5296f893f8b

Download Submit
C:\Windows\System\rundll32.exe

Filesize
22KB

MD5
ad335b0089e0237487b54ccd56a0c889

SHA1
e73ea38359a3634b470808f5b71703d38c596337

SHA256
97fc1f5adb202b78bf10a6989209a99691b475e37d8e7cada20341cce7a2802b

SHA512
7615b8d70bac4f5af6b9034154ecbe71f4b103418e044e104278ed33fba47a64457938de332cacefda5b69060c569ad4315887a786f36592800551bffaefd75c

Download Submit
C:\Windows\System\svchost.exe

Filesize
496KB

MD5
dd6dab5797b43d121af479e22ca82f23

SHA1
c8a1272a3ab60958ce8635a7bdd9757ec729961f

SHA256
eb7ef5cce7f820fa1b7f64abe70f61f4367e462a9aaed28f166f89456e6ac75e

SHA512
058c69b8fb33e34700b9d72aff1898cc66c7062e76d37048a073b61f76e6019ef31895f34bf4cdd20d347f4e419b34e01f845df78f006fb9ea5105c2d790c3ca

Download Submit
\??\c:\windows\system\id.exe

Filesize
1KB

MD5
4b9a3a5c2cd007d4cbb624c1fc75c0d3

SHA1
144e882065ddb3fcf6baa2797a93922e9925236d

SHA256
dc7c04cb3f32b138b7dce376de40327578f13a638683a8ab7db461ae298accd0

SHA512
27cea94048617ae1bc2c92bd66788e9a20d1c27bb47d6e45929e0eaedab8bcef4144a4397d4bf9de27367c509232f3a3f837d4aef54a993c11853bad54af2afd

Download Submit
\??\c:\windows\system\mirc.ini

Filesize
2KB

MD5
49da0b02f73c5535bfb100b0906fd415

SHA1
b5c5125fd2674ef1fcb411b0f6f37c396845ab15

SHA256
a3bc19cdd7da4f5687f0a0a53c4731a866ace08e810470c4a7730cc3c31ec340

SHA512
7d52ddcb4733973764c66e0e16b42c23276e8353dfe1101290e3f4b556a26bdac644735e569d351c98a3f104ed9e57884b6884422cc9f4ac1199b23378d9a2d8

Download Submit
\??\c:\windows\system\reg.dll

Filesize
84KB

MD5
8650e5a54f7df9d47b7fa8c5236eccba

SHA1
7493e00f932b39edd35fccb25a75b4b41e2f5009

SHA256
4a4532f7b9cff5115fafa2489286b12a0e98850edf56d62daea85bb1d3f604e5

SHA512
2e5f7178cc1f1ef3f35ae5c05cd5bcce9b390fe7b72f001606398133ef5e10ddac32aa7050086f3eb117e03a30c637fb5064e4f8b7dc467f9dbe1eaa289a8046

Download Submit
\??\c:\windows\system\remote.ini

Filesize
214B

MD5
9cc447d15929d6f2f2e694e1bab573fe

SHA1
5ca08ebd1c81ab440576147396672d24017024c0

SHA256
057e8569ddad8eb0234f0c5a867acc9a296c4a07af2a0e809a5dac6d4a434e35

SHA512
3cfaeb3595683ea2f88afd5a1ba9f5faf7512db8ca1be4aee763ddd63e7b4966698db81def16e6423cb047cc049346dc072b39d899bb8cde7b3aac7a97006283

Download Submit
\??\c:\windows\system\rundll.exe

Filesize
178B

MD5
816412c05131e2c009ae7e0edfc0daaa

SHA1
5afe42f975ae10533402892bf36058e36e109ddc

SHA256
1fb02129a672a48e7ae538f2e878b8f1d69006150f56ad9f075b3b71aa349c42

SHA512
55d13a661aa6b3fa4978574d0ecb72720411e3f35a184e36d3065a54c0e12b8f4ae1ff793f4d4344b908f20cc88c623c2271915fb2764b09aaece10d49ea75b6

Download Submit
\??\c:\windows\system\vir.exe

Filesize
14KB

MD5
b1707b5489b2f9f4b75a74ab1f34c1f0

SHA1
bdec94f058facf6532afb71324ac560e9f79a26f

SHA256
6ed9bbe27339b249a87d686716d495305ac827aadf114c39608cbc7289753d93

SHA512
994e1a6caf6a668ff05f581bf967e83bb968b3bf227c5ac85b228764f94c912f8e8a6900f32270ffb2d743b42cc0e5b40ca5febd41929688213ed64ae43592c9

Download Submit
\??\c:\windows\system\win.com

Filesize
397B

MD5
cd10c48ebed150ebf7ea325fac964798

SHA1
714c92e927354108178cac870d5b3b68eef4e56f

SHA256
a8d2cba9085e042fd84309030422ad3f7a7055f7ca23291571acfd0bc74cbe0f

SHA512
72fbe7528d80d42708f3621e4f60667255f3b54503c0b0849419384259341580a8e74dd3b99f0a45bdae983df713b0262d3e8f353a8708013ed2af43f7fd1da0

Download Submit
\??\c:\windows\system\win.exe

Filesize
11KB

MD5
5c2d225dc50ae63e63599d37d5968402

SHA1
825745c35fcfff8fc6acc44835b4ec8d3ec1cb90

SHA256
f75e3fcfad17c40871aefc461e378bee5a2238a3f7b729af9b9177b8b3402fa9

SHA512
a2ad0adb1279324da0528afd8e9147b9c51de487157fe16e1144469c65ac8c412011ba18dc6619aea09c2e2fd9873583ae1d86d2c5dc46bac0ca8a5a832972de

Download Submit
memory/1304-171-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1304-147-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1304-174-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4024-50-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4024-6-0x0000000000600000-0x0000000000673000-memory.dmp

Filesize
460KB

Download
memory/4024-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4024-51-0x0000000000600000-0x0000000000673000-memory.dmp

Filesize
460KB

Download
memory/4388-228-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4388-45-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4388-202-0x0000000000FF0000-0x0000000000FF2000-memory.dmp

Filesize
8KB

Download
memory/4388-213-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4388-224-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4388-226-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4388-169-0x00000000048C0000-0x00000000048C2000-memory.dmp

Filesize
8KB

Download
memory/4388-230-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4388-237-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4388-47-0x0000000000FF0000-0x0000000000FF2000-memory.dmp

Filesize
8KB

Download
memory/4388-255-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4388-257-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4388-268-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4388-280-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4388-167-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/4388-301-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4388-313-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4388-315-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4388-317-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4388-319-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads