Malware Analysis Report

2025-08-05 14:32

Sample ID 240203-sk398accd9
Target 8ca5f1fa2d996a25c0d7d46e8a0725a2
SHA256 547b319609a15ad9aa358122f6730843ae541d6dc6b6c3ecc0135767664bf865
Tags
modiloader trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

547b319609a15ad9aa358122f6730843ae541d6dc6b6c3ecc0135767664bf865

Threat Level: Known bad

The file 8ca5f1fa2d996a25c0d7d46e8a0725a2 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Deletes itself

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Drops autorun.inf file

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-03 15:11

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-03 15:11

Reported

2024-02-03 15:14

Platform

win7-20231215-en

Max time kernel

118s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | C:\AutoRun.inf | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened for modification | F:\AutoRun.inf | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2816 set thread context of 2740 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE | C:\program files\internet explorer\IEXPLORE.EXE

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File created | C:\Program Files\_RECYCLER.EXE | C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE | N/A
File opened for modification | C:\Program Files\_RECYCLER.EXE | C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A

Modifies Internet Explorer settings

adware spyware

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413135011" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\GPU | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Zoom | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A0F904D1-C2A6-11EE-96B2-5E688C03EF37} = "0" | C:\program files\internet explorer\IEXPLORE.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\program files\internet explorer\IEXPLORE.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1312 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE
PID 1312 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE
PID 1312 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE
PID 1312 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE
PID 1312 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE
PID 1312 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE
PID 1312 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE
PID 2816 wrote to memory of 2740 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE | C:\program files\internet explorer\IEXPLORE.EXE
PID 2816 wrote to memory of 2740 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE | C:\program files\internet explorer\IEXPLORE.EXE
PID 2816 wrote to memory of 2740 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE | C:\program files\internet explorer\IEXPLORE.EXE
PID 2816 wrote to memory of 2740 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE | C:\program files\internet explorer\IEXPLORE.EXE
PID 2816 wrote to memory of 2740 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE | C:\program files\internet explorer\IEXPLORE.EXE
PID 1312 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | C:\Windows\SysWOW64\cmd.exe
PID 1312 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | C:\Windows\SysWOW64\cmd.exe
PID 1312 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | C:\Windows\SysWOW64\cmd.exe
PID 1312 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | C:\Windows\SysWOW64\cmd.exe
PID 1312 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | C:\Windows\SysWOW64\cmd.exe
PID 1312 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | C:\Windows\SysWOW64\cmd.exe
PID 1312 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2936 | N/A | C:\program files\internet explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2740 wrote to memory of 2936 | N/A | C:\program files\internet explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2740 wrote to memory of 2936 | N/A | C:\program files\internet explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2740 wrote to memory of 2936 | N/A | C:\program files\internet explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2740 wrote to memory of 2936 | N/A | C:\program files\internet explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2740 wrote to memory of 2936 | N/A | C:\program files\internet explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2740 wrote to memory of 2936 | N/A | C:\program files\internet explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe

"C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe"

C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE

"C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE"

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2740 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.bing.com | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/1312-0-0x0000000000400000-0x0000000001688000-memory.dmp

memory/1312-1-0x0000000001DD0000-0x0000000003058000-memory.dmp

memory/1312-2-0x0000000001DD0000-0x0000000003058000-memory.dmp

memory/1312-3-0x0000000000400000-0x0000000001688000-memory.dmp

memory/1312-4-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1312-5-0x0000000001DD0000-0x0000000003058000-memory.dmp

memory/1312-6-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1312-7-0x0000000000400000-0x0000000001688000-memory.dmp

memory/1312-8-0x0000000000400000-0x0000000001688000-memory.dmp

memory/1312-9-0x0000000001DD0000-0x0000000003058000-memory.dmp

memory/1312-11-0x0000000001690000-0x00000000016E4000-memory.dmp

memory/1312-10-0x0000000000240000-0x0000000000241000-memory.dmp

F:\RECYCLER.EXE

MD5 92dd99ba9865149f9eeeda444b605969
SHA1 3ab05983b18255a7c7f2738bd4e9dcc71441c122
SHA256 a6bf2bff32232f9a6aafceb8917e5ebe52a0af508b56b92c83c190f884b3dbc2
SHA512 987e520a14407ad14d022d411894990d5b9a6bf9a11b825afacacac0dd4a83247831c2eb7974e936665a60e4b1b43f77d7fc9330e625536d8cffd8e13bf228de

C:\AutoRun.inf

MD5 927852231949a3349759bf1b81099a00
SHA1 859edef102d3daef447a34a2c2db8b3e54a18bf0
SHA256 4fe401c28161efc84b7a28d236c79680fd6bc5631d23533ccaa3afe8a13e1297
SHA512 cbdcb8194be39dfea6015182a57d043c9e2de807e96283fcc967a243a9f8d6223cca4190082408dfb5b213f08aae0a2a4444787425f22f8c033b2ea8533fe3fb

\Program Files\Common Files\Microsoft Shared\MSInfo\RECYCLER.EXE

MD5 6ed4ac4d18529b950bb7b0ba3814f805
SHA1 3b6b64c7ec50882ae8ef8583f5c112cd145ce431
SHA256 649ff6ff6bc26d411810be4b6f6ba98a9a86a31da4bc885e7c0f8eb16b9ac801
SHA512 5d8405fcf87570caaa0f31859ea6437a276f84243b1bc2b160adc03a707bdd0555a6319de1086f324d3dc25febefe979ba0b447f003539481ce70e0514455aa5

\Program Files\Common Files\Microsoft Shared\MSInfo\RECYCLER.EXE

MD5 8ca5f1fa2d996a25c0d7d46e8a0725a2
SHA1 bef0493452f8830663321cc19d6f98f01f27c152
SHA256 547b319609a15ad9aa358122f6730843ae541d6dc6b6c3ecc0135767664bf865
SHA512 7a03715caa48029ec35dd283652c12a94a5a97d1aa14a949c8ea40334feea569aaf1fb8b9ac4e5e7a8d62b08a53025967354ebc365308597ef8bfa8f7287eb5f

memory/1312-40-0x00000000050F0000-0x0000000006378000-memory.dmp

\Program Files\Common Files\Microsoft Shared\MSInfo\RECYCLER.EXE

MD5 9136f909b2ff5b5f0872f58480ceef0c
SHA1 cc919390bdc7882b9177a49210484d36277d6171
SHA256 ace04d4cbef587c4a3553faab2edc20f92aa25c40946ee75003504ab19b44376
SHA512 58ab7e8b6ccafa6758fcf0eaf61918aef1d88449ea95b98891533d4fbf0e30d555482626490f519282b0735027e20f0a6ba49b6492fba7bcdbe04efbb3892462

memory/2816-41-0x0000000001FC0000-0x0000000003248000-memory.dmp

memory/2816-42-0x0000000001FC0000-0x0000000003248000-memory.dmp

memory/2816-43-0x0000000001FC0000-0x0000000003248000-memory.dmp

memory/2816-44-0x0000000000400000-0x0000000001688000-memory.dmp

memory/2816-45-0x0000000000400000-0x0000000001688000-memory.dmp

memory/2816-46-0x0000000000400000-0x0000000001688000-memory.dmp

memory/1312-47-0x00000000050F0000-0x0000000006378000-memory.dmp

memory/2816-48-0x0000000001FC0000-0x0000000003248000-memory.dmp

memory/2740-52-0x0000000000170000-0x00000000013F8000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\MSInfo\ReDelBat.bat

MD5 095b5a7603826bc82c0715bb4e020857
SHA1 ad0058751abc54e94f3f006a550da5ad9b77a19b
SHA256 957d0e448031ac5ee780eac63970e355a67d083cecf02999ca655e81e29ffa87
SHA512 9edcf303d8562589708eb04fdb85c1a0770fe11de8e244051dcc664e13305c637e9063b10a50f90b25775e76ebbe09a6bea255887bea02d4f51dd20acd17de25

memory/2816-62-0x0000000000400000-0x0000000001688000-memory.dmp

memory/1312-63-0x0000000000400000-0x0000000001688000-memory.dmp

memory/2816-53-0x0000000000400000-0x0000000001688000-memory.dmp

memory/2816-54-0x0000000003030000-0x0000000003084000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabA2E5.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarA376.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ac2ca5ccccc33d0cd26687b9b901b043
SHA1 49e0b0d499d06dda5672c8fb7f7d97f055d3b946
SHA256 0ba92fb538e72460c8556875e37596d21a69091343356920b76cec93c5011875
SHA512 f2058d028fb0de6f57f073ec46e98ba4be98771b48d843549b99d030881e5561bf4834e3cfba9e9aeff7836951ecb1dedbe5d12500898c5e7ab5de473f7191d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be1462419672654680b81df1acfc1777
SHA1 b22ba5109700c1f085f1865c2e7b7605ce479149
SHA256 09d708626a6cb47c9fb878aff143ed1094766f5a37a1b5cfd46b8cdbf69e2637
SHA512 bbd88cbe2f05b8cbff32fa1e3c43166b752c2e1eb84bf5970e54f573c1cb9937b491442392c0ce20ada214b62175383508cb8a7eec884aa014dc0c003be0b02e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e893e413be845e6ebbc9d4f2a30471a9
SHA1 4e4d51aa8eb12356e5d26fe6cd9701b40c854e96
SHA256 c57913e888d008602658c19c3986f754a1a1e28c9e9261b9ce557185c42b270d
SHA512 38b40e1c3109cce338f82eb6d59f32f8ca11307c72e756244bf4d7e1190f1ee95ae4106a55bcaacca8c91f8b4f046ab57b14d002e1ef89e64d7f4311cece0270

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 362ddd8d567010146cb047d6b6b65210
SHA1 7a6811a07b29138198d9127f6b743872374a5293
SHA256 17f2866ea69b01e17d4366ab2ee1e059d70769c9caed9ef29deadb5509588be1
SHA512 fa019d41856aa6f4a1ad795de71b52a1b6b78a30fe1b386837c9d9fffc7cf28a708e2ee18bafa5ca67c37845b8bfd4c8cf9185977b1d00f47e0515c7e0995808

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ad0aef77459c86f14e0958117307ef8
SHA1 c33e19501e85998b80566b2012e630c37c5f2658
SHA256 e5ec96dae0da8501028a2a86c68bd17ba445a5ef8dbf77b0e4abf63061d603ca
SHA512 6764f4a8bcde05dc19618de52a52e84cd84750df433b03487e8b77c176b012719516a901c181c2d5886f13268f7afa1b85ec31b7d54bd7a6b70aefdf2f36f688

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ca1ad636d07ece42fb0476e474ee374
SHA1 afb5316b1cc33621718ce9445e71c401c2397f56
SHA256 5fb313034b42bcff56ba311ea5ebc8ee7a0ce204144186d29b626606087fb78b
SHA512 5dcdc1ccf28418f62f7fcddaf6b1a510465cc1558a91a0dfad096390961a03a894cce83ff8b7792d2b6916bf84b2cc1ceec5e087d176a938b2c33575ae6a316d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d5d361df816b5ea4e91e84946c6d99e1
SHA1 3fc80ed4fa744a8efe075c04e5ccf75ff53be0a7
SHA256 68f3f7da483d43e3da0b6ff015ca176cab2f402f68da59953294a3d84a68a5e6
SHA512 5e6e3e9ff3f1dbac088e5562be3f9a5f641e127b565a2756670980f35cb99db42fbd158dc0596a81be29ab52de2027f0fa5c87f93c8ccaea2c8a9043607dccbf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f7ef96cfe8ef16d42deec2df7ee94b72
SHA1 334cd32cb390944b377e5bc79ed9c44e4413cd97
SHA256 08f47fd7a2562919e5e56c408ec87a9a8282666782dd346a179f53aa86253a19
SHA512 2efd6363967d671599217f8c9ba8ca97813ccfb0d2f58cc94c45867a805976dc32344cd6c8a1741a7a19ed398ddc2ab41c738c8c6a0e6cd24c5d0ba64f5ece41

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6b7ac6c085a5cf77280ed3caa0fe0d2c
SHA1 55cc719121a6dbb3735c87415d74ddf558b97542
SHA256 908135e99792dcbe4867cda6f37af6d9d80af879c5df6b9d2d6af0a984d53443
SHA512 c9b68e734d6f66a89009be571f7a7aeba26c9fe7939b47420bde9eb17826d5dc918a6c4743dc16a592b903702ee74aab84e323782a0adf413cff7cf52f07c439

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3bf3923e040b4d3b5b35d83f6e7a4880
SHA1 7f7f5616ebe9df33fe41b4d69d7c1ce39e072909
SHA256 db767d81ab400f7a4d6bbae162a70284068c7d720e64d5d31ecc1b1755488ed5
SHA512 e73a0ea8e23ec28e9438b6d27281e1d110cee608e756e03ad3858a9413140748e3026116d46e651cfc005962281d3024317c0a6c4f90fa6f9c264de629b8ebbd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f4218939a41b4d428a456cd127f1e0f
SHA1 86c4f75e8cafd0d23be13f6620476c8c90dfbcf8
SHA256 a3a59a8adc7ac2144b0033c3ec8aa913c78e858ab36f9c097f450dacf543117e
SHA512 8e7d1afe7b5e9d9470142736b1546911b7e433eede0543962ce8bac856120c3ad2f55ff441226fd4c22b4c88e08e7c9254a17d1c6a7853a6942a381d019c1265

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ed04381bf3db1110ec0bfb510bef6d8
SHA1 ae8ffc50ee6a88ee48bfa3e3b8a8e4bf7c3cd749
SHA256 e8d42d0fbf0c356c0ec703790de9d4c4bc8c672b41bd750a993d2c073cfd0b1e
SHA512 08026d980002e0a882ab3d440612bf3ef2fce63a15734d096a95ecaf0f231645243014bee587cf4a9256353c3c12ee8d3f50d4a2ccf225ffa2f31f004708176c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 20be33d6f12c176addcd8c1baa387b53
SHA1 9da7b93ecac4921a1a5d4b8d3002fab7e3a0d6f4
SHA256 8a53c7e225df47e1c27ca55e5090df0b838b2c7460c8722bd0e45f960c115742
SHA512 251f853fca4d023ef8adab6eaf76cba96f87a076c89bc34afc5bfbc81146b26c44182ecd5d5d55b022d0b55ba55895b74e4eaf70b24bfe5efa713f1a02a81b20

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 32c6e37df8bcdc2bc8a654aa93fea9f3
SHA1 26e62cfeb2133ae67c5220b3dd16acd3d2a0a79f
SHA256 7f88b4c2ab6fab9781c8c3801f84325ebf58950e10733f71d93bf0da5532769b
SHA512 593b4c4c99d9e5aac932f3077f10310e0de15d34e9106a2a6cc31c192b56121fe34cae29cdeac3e65bca3fca14a1be1bed535fa4f6e5b5493c5781ed18b98ab6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 38bc7103efb938b0645456e20e49b0ed
SHA1 b379f8e0ca40277ce0808d3c0762cc549f791503
SHA256 fd2644162ea19cf6820f846023b17ee50e74403b0b3c8d2abb9c03cda32cf06e
SHA512 8543d20c168000693af00cf713765683640d01741342609626224dd15f31ead765da0757874c8491935ef4f1952376735f6b2559b3888e0349896f9e50454291

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bb102aff719046e4e1ad23907c4fd7e6
SHA1 593a6f4e400484c00d7c23d844cab973a6f30d69
SHA256 bfa880d4bc7ea39f0d6316df7662378a75e584ffbd96b6d1d0a1d79a807033a7
SHA512 ee1941f008f6470f4c150178b49b26b9593806c5ebd14e3540f5631c524f10ed61652613b64b282955eee9dc30fb42922d976287ced4b18281ec31badccd651b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 497355b84dc7061cfc689be0df7085e6
SHA1 50b8dc487db1cd7782146dfb339ca0884d0844f3
SHA256 2179cc3b19e32346e74bc7c5bd7b65ef31e2609d0db2d5503ff58786fc086965
SHA512 b415493ac7e6335d5a6701fe3f0a0bcb55a200083aa23693ecdeb4b6512b8a8fe3fa5a60e8582b38dd5f5375985ba45f455ce88e378489c63966c83d707659c2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eb5e9525db2116493d147fab6b51da40
SHA1 190c1b3046ed26632890fe0ba48946fb67738789
SHA256 da0f0449486ba03ee38e1d27187ac1b95c5fbe1d1566d01e0d5666c4cd3fd656
SHA512 d591a88f280497fefd0f7acfb976ff38419aec1c8784a614450d3946878a92d2ecaee436ef9f01c22eb0d01b06fd8f294162b2e395fc5b79eefade055473492f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 db273df221c7bc7493dccf14acdb30ef
SHA1 0bf65eb8c2186caa8ea6331976a45b2340f7f2e3
SHA256 f516254ac77d9721fb87cf93da2fb6aa14612ff7a9f61f85621f09a285eaaee8
SHA512 c2c66f4588d3402c2a5bd73a8d3763afdc1382c4c00f61e9d1ca15573c429cb216a1cf3d6e3e58acc6f13641bfd24beb6e856577077953a9d96ea84d8f790f32

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ea8107207ad3f252b889255b479842f
SHA1 e412bcf0e056677e50b506669a55b451ce1e3e24
SHA256 86844351b0f6e013fbf8b2ccd642256dd98076e45ca044025890002d9a3466b5
SHA512 9a336dadd29d5edf3fdfe695b2e2a62989c84ae5a5c39505d98bfcb0cec12cfbee99b9ee058ed96baad902330053fe4e05bca413e3f86347c523a9a392cb4b94

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-03 15:11

Reported

2024-02-03 15:14

Platform

win10v2004-20231222-en

Max time kernel

89s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | C:\AutoRun.inf | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A
File opened for modification | F:\AutoRun.inf | C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1272 set thread context of 4092 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE | C:\program files\internet explorer\IEXPLORE.EXE

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\_RECYCLER.EXE C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe N/A
File created C:\Program Files\_RECYCLER.EXE C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31086259" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1801833551" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\VersionManager C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{96DAE147-C2A6-11EE-A0B6-F2334ED3B5DD} = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31086259" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1801833551" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31086259" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1802927656" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413738099" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1802927656" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31086259" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\program files\internet explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\program files\internet explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4360 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE
PID 4360 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE
PID 4360 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE
PID 1272 wrote to memory of 4092 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE C:\program files\internet explorer\IEXPLORE.EXE
PID 1272 wrote to memory of 4092 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE C:\program files\internet explorer\IEXPLORE.EXE
PID 1272 wrote to memory of 4092 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE C:\program files\internet explorer\IEXPLORE.EXE
PID 1272 wrote to memory of 4092 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE C:\program files\internet explorer\IEXPLORE.EXE
PID 4360 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe C:\Windows\SysWOW64\cmd.exe
PID 4360 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe C:\Windows\SysWOW64\cmd.exe
PID 4360 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 2732 N/A C:\program files\internet explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4092 wrote to memory of 2732 N/A C:\program files\internet explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4092 wrote to memory of 2732 N/A C:\program files\internet explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe

"C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe"

C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE

"C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE"

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4092 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/4360-0-0x0000000000400000-0x0000000001688000-memory.dmp

memory/4360-1-0x00000000017F0000-0x00000000017F1000-memory.dmp

memory/4360-2-0x0000000000400000-0x0000000001688000-memory.dmp

memory/4360-3-0x00000000017F0000-0x00000000017F1000-memory.dmp

memory/4360-11-0x0000000003580000-0x0000000003581000-memory.dmp

memory/4360-13-0x0000000003430000-0x0000000003431000-memory.dmp

memory/4360-12-0x00000000035B0000-0x00000000035B1000-memory.dmp

memory/4360-15-0x00000000045F0000-0x000000000460B000-memory.dmp

memory/4360-14-0x00000000017F0000-0x00000000017F1000-memory.dmp

memory/4360-10-0x0000000003590000-0x0000000003591000-memory.dmp

memory/4360-9-0x0000000003410000-0x0000000003411000-memory.dmp

memory/4360-8-0x0000000003420000-0x0000000003421000-memory.dmp

memory/4360-7-0x00000000035A0000-0x00000000035A1000-memory.dmp

memory/4360-34-0x0000000004610000-0x0000000004611000-memory.dmp

F:\RECYCLER.EXE

MD5 8ca5f1fa2d996a25c0d7d46e8a0725a2
SHA1 bef0493452f8830663321cc19d6f98f01f27c152
SHA256 547b319609a15ad9aa358122f6730843ae541d6dc6b6c3ecc0135767664bf865
SHA512 7a03715caa48029ec35dd283652c12a94a5a97d1aa14a949c8ea40334feea569aaf1fb8b9ac4e5e7a8d62b08a53025967354ebc365308597ef8bfa8f7287eb5f

C:\AutoRun.inf

MD5 927852231949a3349759bf1b81099a00
SHA1 859edef102d3daef447a34a2c2db8b3e54a18bf0
SHA256 4fe401c28161efc84b7a28d236c79680fd6bc5631d23533ccaa3afe8a13e1297
SHA512 cbdcb8194be39dfea6015182a57d043c9e2de807e96283fcc967a243a9f8d6223cca4190082408dfb5b213f08aae0a2a4444787425f22f8c033b2ea8533fe3fb

memory/4360-6-0x0000000003440000-0x0000000003441000-memory.dmp

memory/4360-5-0x0000000003460000-0x0000000003461000-memory.dmp

memory/4360-4-0x0000000003320000-0x0000000003374000-memory.dmp

C:\Program Files\Common Files\microsoft shared\MSInfo\RECYCLER.EXE

MD5 3f55f18044d59d8ae9a14c1efb1116c4
SHA1 f65ab6e5ff16affc96866785848eece4a55d075a
SHA256 d5f07ed5bc39e7bd1e2270d6bce8e9633ddcc4f8aa45406265d6bdfa5a66e636
SHA512 a34765e813f49e6be769b7c9dfd910f715f7197844e6562ebf1a6c8062949bd1d8613f5ca6df605d4ff00b75be8f6a4c51b97b0c1305daff61bbde09a4ca6aea

C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE

MD5 63da2513b4156f984b19fb009507d721
SHA1 0df317b683f9d7d34f234cd9e9403f75c4918c1b
SHA256 acf20cc28f671c649120e20a60296a941c5f282cade4eb129d86148dd877e803
SHA512 0a2023b8f168e05366a6975d0bb8aeb68390a2c601a630531ee6102998dd98378a9deb1da7b1fd90cc48f35ec3cf4b2cce35a2b555edcd0577dc0568b7e66a50

memory/1272-40-0x0000000000400000-0x0000000001688000-memory.dmp

memory/4360-41-0x0000000003320000-0x0000000003374000-memory.dmp

memory/4360-42-0x00000000045F0000-0x000000000460B000-memory.dmp

memory/1272-43-0x0000000000400000-0x0000000001688000-memory.dmp

memory/1272-44-0x0000000003310000-0x0000000003364000-memory.dmp

memory/1272-45-0x0000000004510000-0x0000000004511000-memory.dmp

memory/1272-49-0x0000000004500000-0x0000000004501000-memory.dmp

memory/1272-51-0x0000000004600000-0x000000000461B000-memory.dmp

memory/1272-53-0x0000000004600000-0x000000000461B000-memory.dmp

memory/1272-54-0x0000000004600000-0x000000000461B000-memory.dmp

memory/4092-52-0x00000000000D0000-0x0000000001358000-memory.dmp

memory/1272-55-0x0000000003500000-0x0000000003501000-memory.dmp

memory/1272-61-0x0000000003500000-0x0000000003504000-memory.dmp

memory/1272-60-0x0000000003500000-0x0000000003504000-memory.dmp

memory/1272-62-0x00000000035B0000-0x00000000035B1000-memory.dmp

memory/1272-57-0x0000000003500000-0x0000000003504000-memory.dmp

memory/1272-63-0x0000000004720000-0x0000000004721000-memory.dmp

memory/1272-56-0x0000000003500000-0x0000000003504000-memory.dmp

memory/1272-64-0x0000000000400000-0x0000000001688000-memory.dmp

memory/4360-66-0x0000000000400000-0x0000000001688000-memory.dmp

memory/1272-65-0x0000000003310000-0x0000000003364000-memory.dmp

memory/1272-50-0x0000000004600000-0x000000000461B000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat

MD5 095b5a7603826bc82c0715bb4e020857
SHA1 ad0058751abc54e94f3f006a550da5ad9b77a19b
SHA256 957d0e448031ac5ee780eac63970e355a67d083cecf02999ca655e81e29ffa87
SHA512 9edcf303d8562589708eb04fdb85c1a0770fe11de8e244051dcc664e13305c637e9063b10a50f90b25775e76ebbe09a6bea255887bea02d4f51dd20acd17de25

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 52bfc02b370f1b48b834ce1c58ad6560
SHA1 d3dbca3ed04caabf69ec8d525a83cde0919809cf
SHA256 fce02a7cb2ed194e21949d8a394e69f1dd30c4c517addc831018b8a0b7235a97
SHA512 5fb4c1b2d4173f5de1237e2fd55b9081b99756217d5d639da3e0e1bbe339d87be2e9b732ef783446bdedee2af8730e4bedb3184d58ba0bce0881ddc199495289

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 2db673590c5a15126b128570d1b2d3bb
SHA1 7c7163ef647b8be3cbebb8e053a1a21ed62e5ea8
SHA256 373a5d8f5d297372eae3ad761e8beaad18b995b47d6c6505f410042e8df49f65
SHA512 e9e4d1bbe455304735ff92c322495bbad4e84df539303543dce32589f7af8cab039d1c746e352a335136efc9a7df41936a76348f910243b325f9d74d1c2cb900

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verCF08.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NSWVVUXL\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee