modiloader | 220f60a75ba617d6c57a8b640e4546723646b2655ea146b898993d531186c84c

Analysis

max time kernel
117s
max time network
129s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
Size

628KB
MD5

672fec09c1e3b1c4371a105f2e1b3cbf
SHA1

51de31e594739df07c7ecbef4b497f6d24ebf753
SHA256

220f60a75ba617d6c57a8b640e4546723646b2655ea146b898993d531186c84c
SHA512

f799d44bc56010e87fad6ed9029303e4ca3b69c55be4a475bd0030ff26e7959b07ab69ac0dc62b35747e107b31f540c801dd5a2be00de15edf3463739ca56c48
SSDEEP

12288:2eX2dhLTl8BBg31g0Owy/HCdhIw54aGNJhhSoRhBjrhIXa061CPQgcwQhFn:xmdxTODgTOwy/HwhR54aiiItaz61CPnc

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/1596-50-0x0000000000400000-0x00000000005B6000-memory.dmp	modiloader_stage2
behavioral1/memory/2552-49-0x0000000000400000-0x00000000005B6000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2660	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2552	RECYCLER.EXE

Loads dropped DLL 4 IoCs

pid	Process
1596	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
2552	RECYCLER.EXE
2552	RECYCLER.EXE
2552	RECYCLER.EXE

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
File opened (read-only)	\??\Q:	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
File opened (read-only)	\??\R:	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
File opened (read-only)	\??\V:	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
File opened (read-only)	\??\L:	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
File opened (read-only)	\??\P:	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
File opened (read-only)	\??\T:	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
File opened (read-only)	\??\A:	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
File opened (read-only)	\??\H:	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
File opened (read-only)	\??\J:	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
File opened (read-only)	\??\K:	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
File opened (read-only)	\??\M:	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
File opened (read-only)	\??\S:	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
File opened (read-only)	\??\W:	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
File opened (read-only)	\??\Y:	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
File opened (read-only)	\??\Z:	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
File opened (read-only)	\??\B:	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
File opened (read-only)	\??\E:	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
File opened (read-only)	\??\G:	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
File opened (read-only)	\??\I:	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
File opened (read-only)	\??\O:	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
File opened (read-only)	\??\U:	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
File opened (read-only)	\??\X:	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AutoRun.inf	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
File opened for modification	F:\AutoRun.inf	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2552 set thread context of 2568	2552	RECYCLER.EXE	31

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
File created	C:\Program Files\_RECYCLER.EXE	RECYCLER.EXE
File opened for modification	C:\Program Files\_RECYCLER.EXE	RECYCLER.EXE
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4C1448F1-48E1-11EF-B903-D22B03723C32} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427893663"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2568	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 2552	1596	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe	30
PID 1596 wrote to memory of 2552	1596	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe	30
PID 1596 wrote to memory of 2552	1596	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe	30
PID 1596 wrote to memory of 2552	1596	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe	30
PID 1596 wrote to memory of 2552	1596	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe	30
PID 1596 wrote to memory of 2552	1596	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe	30
PID 1596 wrote to memory of 2552	1596	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe	30
PID 2552 wrote to memory of 2568	2552	RECYCLER.EXE	31
PID 2552 wrote to memory of 2568	2552	RECYCLER.EXE	31
PID 2552 wrote to memory of 2568	2552	RECYCLER.EXE	31
PID 2552 wrote to memory of 2568	2552	RECYCLER.EXE	31
PID 2552 wrote to memory of 2568	2552	RECYCLER.EXE	31
PID 1596 wrote to memory of 2660	1596	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe	32
PID 1596 wrote to memory of 2660	1596	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe	32
PID 1596 wrote to memory of 2660	1596	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe	32
PID 1596 wrote to memory of 2660	1596	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe	32
PID 1596 wrote to memory of 2660	1596	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe	32
PID 1596 wrote to memory of 2660	1596	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe	32
PID 1596 wrote to memory of 2660	1596	672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe	32
PID 2568 wrote to memory of 1704	2568	IEXPLORE.EXE	34
PID 2568 wrote to memory of 1704	2568	IEXPLORE.EXE	34
PID 2568 wrote to memory of 1704	2568	IEXPLORE.EXE	34
PID 2568 wrote to memory of 1704	2568	IEXPLORE.EXE	34
PID 2568 wrote to memory of 1704	2568	IEXPLORE.EXE	34
PID 2568 wrote to memory of 1704	2568	IEXPLORE.EXE	34
PID 2568 wrote to memory of 1704	2568	IEXPLORE.EXE	34

C:\Users\Admin\AppData\Local\Temp\672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\672fec09c1e3b1c4371a105f2e1b3cbf_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2568 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
  2⤵
  - Deletes itself
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AutoRun.inf

Filesize
172B

MD5
927852231949a3349759bf1b81099a00

SHA1
859edef102d3daef447a34a2c2db8b3e54a18bf0

SHA256
4fe401c28161efc84b7a28d236c79680fd6bc5631d23533ccaa3afe8a13e1297

SHA512
cbdcb8194be39dfea6015182a57d043c9e2de807e96283fcc967a243a9f8d6223cca4190082408dfb5b213f08aae0a2a4444787425f22f8c033b2ea8533fe3fb

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\ReDelBat.bat

Filesize
212B

MD5
19032213762b50418eabafd10eadcea3

SHA1
7d16d9807b64cd9b7de7961add9030a1b6ede268

SHA256
f03f6b8065e420c4f1616e8d3c395392a61bc11bd3be75c3fa0958929a3a743a

SHA512
22e43c74f4becc6862f33e55dc18b2ad4eaf043a9f4a74082438ffe83f178cbb1940ec68eb4a05d36b20b50d284b03cb6c4364ec4dad8079fc2d812961185555

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6da5a2ac7a48967eaa616e4cbddf6559

SHA1
44300e0b68ced8c5940e4f2b4b0702fe96db2282

SHA256
9ce27f7371553f706b2a2dd3fed633141f9515f6c4a50d4c2a5fe55ce801f8dd

SHA512
cb6cd1bc274f31c6136baf0a921717b0f7ae7c823a1dd57f5d8da501961483e87359644947c38f829f3e0ce93b72b60d65ade9a9a3aa52b5565b948360a35a1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47241c7aa7e3258bfc9c053d56eb4994

SHA1
9073758368e8f8abac81e5b6d198929dc627227f

SHA256
e9334f4b408a627a0efeb9e5248e84397bf66b0e561ff9503ae3d033f1f374be

SHA512
b8825b6855a96bdb67be87f99050b8b4ba52a1882885a64f1883f16517bcf7ed07c7317d381dd48a7cafb7ca61c73988b8c9c5804834b7a6071f23318d705e0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f302d7aaa8a102dc286300d17ccaaf3

SHA1
8b812eab807216f12f141871c1144a3a17d03b70

SHA256
a9177060a3be978668042b358350a9833642a217e91908c949b94ab15875c699

SHA512
c2b3eb45c282d876f411e95862848d67056204b2f0199442321e3a4a7152021062457767534dde36cd16497f0b71efa4c004086719e6cfa85b79c3dd2b00d920

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7a7b30cb532a275cb1a2a43be9e521e

SHA1
5df5d7e34321c05e9f24708600ea7714ce298445

SHA256
833c94dbcd5d93884fcdb360313ef9190361ae1db93c22a64a3d0fdc8f428670

SHA512
a6ee38a15c553ebd4ef7c0c5eb8a845c7280a904f4cb0f7777a83966c48efa23d9f35c06f9a809e11ace6f8eaee6ee3f13f4449f237dfff23f94c9ac7f835001

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b78ed26ea0e7b377e85d3a9e502893b

SHA1
3ec33ce8122151cdc666c89c29f6edf62b2ad79f

SHA256
559263613c67b135a79a160ee83132dc4111463e56b9cb97ab1ecf23c556b40d

SHA512
ed420bd53f17c64c4c4a4c0bd7d1d19bbb6116050eb741da6f9dba8fb2a51977b8f75b31dc40df9c779ec3e3c2438466b7cac954f4c93d18fa3c3172e0b20ff0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81b8172099fae27807e00cddb320b037

SHA1
e0f0764199b5f63c8e94148da65639cfae6b7711

SHA256
5e1ff3ce833b1f848dcfbe0fc4971b1e21758b6c023134ed9f11b08fa3886598

SHA512
a64d0bbf2e91b270d22dfb246ac4359b3600856d4510a33103dffefb2112e774609c5ded2b5d47e38706c3ad83251e9c2e75b149caff2c806f86fa15ae2256b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52f81edc8c396af693c8165ead1bae53

SHA1
0aeb7e6393e63790dcee4a55bbc72bf3652b8acf

SHA256
0af3f714728c538b1a2951f53dc3febc78ca41da762d69fd59b3ab635ad45a4d

SHA512
f0b566e184c694866c3f346319a2b85a1e7b62703aa6835011649eadfc88454e7ff76b522c9ab6a176c71555f01c846878cdd64a800d3a6edabe207c9b46eddd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f1c1be6a8fec5e641c3258d606973f8

SHA1
e1664b05bd5d975787669c1cb172cbd249938f57

SHA256
f4d447447a9348977b3e7a8188032f35934108599bb2ffac9efc411ac907788a

SHA512
421a8428d25262dadb6218e2fe7323307aabad5517bf454c0573e6ffd1200bb3fb88bcc69305e11f62072de10e9e99325d3ddc60009da45e3e5b5e85402b50a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b0f1a12a686c424ab6c3c5b2b4b6b36

SHA1
62144e2cd70e685014cd150c8e587b3ed83b49bc

SHA256
f9bc64a00de7a0e84a3605000c0478d867941f4090de22691658c9ad86e28c2f

SHA512
4714ef51c687d264e45ad55d8eab77b01afda55cdc8a04f418088e62515ab96cbc95ed041098774c65f78d5c3ae942c4ddd02ab2b73b880cece31c6f587a4605

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3c73160ad1e69775a6ede5221694c99

SHA1
fe993d2ae8a458e8fcb1eff12901676546dbf9b3

SHA256
f241c97a97c08781776cbe52dd3e8317d10c4ebcd7d2ba2cf2cf6758a8fed911

SHA512
29cf7401a456f508d4d97175e6a81315f54026af7b7c7c0615eda02cc6d8e4359d39fbe110a80d652e7d75b8da0df8948849dfcad9bbc6af28a76152b54bcf01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
320a08eb982e23d1b999c8e524f36f6d

SHA1
32069a6484f85d4b1a2fcdc3f6a94d1987e3a560

SHA256
082c58e82e0ab2cd860ac78dfa838b8c13dbf0406eb89bb70e197ba5f9d7431b

SHA512
13b5d6c1ed7626b223e35b79dffd79230abb8fbb42d9b0e2935e0a8df6beda2813b056451569156e0e6a0c38be33534a66d1080b58523ec3b2009d2ba2157565

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a6cbfc17b06c7b1f9b425547f2899a4

SHA1
481d8077b3d0a412d35a401ec4eef4f6f6ffca30

SHA256
e87a532b7738504a2192abfa762d48805a160acc80aa938269626abee139e7fc

SHA512
6623a15c28db136ac4f389def663289f9576217d371bd476badba99ee3f9247a8578f95d101ddff9e18afbb3970dec03658e4ee34168377c3f37ded7894d18b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c539366cae95bf8d698b8de94e9b606b

SHA1
684072de2cff22aad1b54ec0e5f879f314aaa165

SHA256
49ddb880645eedf6afc1131d54bd646100ab99a171d45f8fe2e6866f8c88eb88

SHA512
2f4d2946c622c236f5cfef1ddd40b8d7a698921619f3ec17e6419bafee5317343b249ad98553d0f497c337ba62539337be0745aa12f04634cd0c78e049ae395e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82ffa597be2ab43bca87cb5194088948

SHA1
73082fc0fbd2a3cb0f21e8218983e77c19b6aa2e

SHA256
7e241be34d2cb3676bc4e6a6a72342b31a16fae0dfc10774880cd2b7e5127df7

SHA512
e106a93259b412590f634dd9c238187c21ef0d58a30cbe5983a60cb32f71796516f3dceec90de4b57e7281ee1946061b517bad165c17e6c8827807d825311229

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7fadb2dbffc3533185394827ae0c68a5

SHA1
e6c7a860f7f6aa9ba7d1a15bdf0858f78b1e5fef

SHA256
279761df71a38e92dd8c176b6b83d0826920b4a6dd193de3b5aa59ab71442fdf

SHA512
4fd1ea8a0f1a4c449b8b2bca2ec0dfc91124dbc5d6cb6ee6a6d3fc12ce56f1ea06f5e10f0f6fc759bbc739db3c96a3181876762802ea169a18ca25affbb9cfa6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25f861d497a2a4f72b55569e5c489be8

SHA1
c5c82403c8713939c76429f275f4a93820a5d230

SHA256
9155b86550d714a547f878987149158fb5804a28f6500cec9219bed8ca578dcc

SHA512
79594d5a05b9e867a95191c6f1770895341754e1b70e16be740adc1a0e0be8fef9668111692b4c38782d9dd33f7074506e374e316056100940972db6b5a49981

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3A74.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3ECB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
F:\RECYCLER.EXE

Filesize
628KB

MD5
672fec09c1e3b1c4371a105f2e1b3cbf

SHA1
51de31e594739df07c7ecbef4b497f6d24ebf753

SHA256
220f60a75ba617d6c57a8b640e4546723646b2655ea146b898993d531186c84c

SHA512
f799d44bc56010e87fad6ed9029303e4ca3b69c55be4a475bd0030ff26e7959b07ab69ac0dc62b35747e107b31f540c801dd5a2be00de15edf3463739ca56c48

Download Submit
memory/1596-3-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/1596-2-0x000000000051E000-0x000000000051F000-memory.dmp

Filesize
4KB

Download
memory/1596-1-0x0000000000BC0000-0x0000000000D76000-memory.dmp

Filesize
1.7MB

Download
memory/1596-0-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/1596-50-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/1596-4-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2552-34-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2552-36-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2552-35-0x0000000000C70000-0x0000000000E26000-memory.dmp

Filesize
1.7MB

Download
memory/2552-37-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2552-33-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2552-49-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2568-41-0x00000000002F0000-0x00000000004A6000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads