modiloader | e31de0c7b93e99fa7b180af7cd61aa67e86e6ae0f9f2d2730e3703e791b0edd7

Analysis

max time kernel
136s
max time network
129s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e18f0cc290a707b689654fb92af14610_JaffaCakes118.exe
Size

682KB
MD5

e18f0cc290a707b689654fb92af14610
SHA1

6618fbf13dae07fa8dcf6dbe6cfe2fd47dd9e83d
SHA256

e31de0c7b93e99fa7b180af7cd61aa67e86e6ae0f9f2d2730e3703e791b0edd7
SHA512

c16f93ac723fb3f142607ef91e2c4606f1035cdaafb59f6420a5f5be978f644773cc7defd29d4e70fe5aad5809edc00ca6a494bdc5f68e044e3a78a5225f2178
SSDEEP

12288:lRgl4HcxO6/n1a5EeTaX6C8XwpgYgiZF3Z4mxxRLqjeU/D0w9I3Q5wa14:kyH21kJBCAwaYpZQmXRCV/fI3Awa+

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 6 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015d59-19.dat	modiloader_stage2
behavioral1/memory/2836-39-0x0000000000400000-0x00000000004BA000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-38-0x0000000000060000-0x000000000010A000-memory.dmp	modiloader_stage2
behavioral1/memory/2844-44-0x0000000000400000-0x00000000004BA000-memory.dmp	modiloader_stage2
behavioral1/memory/2384-37-0x0000000000400000-0x00000000004BA000-memory.dmp	modiloader_stage2
behavioral1/memory/2872-36-0x0000000000400000-0x00000000004BA000-memory.dmp	modiloader_stage2

Executes dropped EXE 4 IoCs

pid	Process
2384	¸´¼þ20~1.EXE
2872	rejoice08.exe
2836	rejoice08.exe
2844	¸´¼þ20~1.EXE

Loads dropped DLL 4 IoCs

pid	Process
2644	e18f0cc290a707b689654fb92af14610_JaffaCakes118.exe
2644	e18f0cc290a707b689654fb92af14610_JaffaCakes118.exe
2644	e18f0cc290a707b689654fb92af14610_JaffaCakes118.exe
2644	e18f0cc290a707b689654fb92af14610_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e18f0cc290a707b689654fb92af14610_JaffaCakes118.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1E69A011-B7BF-11EF-B387-F234DE72CD42}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1E69A011-B7BF-11EF-B387-F234DE72CD42}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1E69A01C-B7BF-11EF-B387-F234DE72CD42}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1E69A013-B7BF-11EF-B387-F234DE72CD42}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2836 set thread context of 2972	2836	rejoice08.exe	33

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rejoice08.exe	¸´¼þ20~1.EXE
File opened for modification	C:\Windows\rejoice08.exe	¸´¼þ20~1.EXE
File created	C:\Windows\SetupWay.TXT	rejoice08.exe
File opened for modification	C:\Windows\rejoice08.exe	¸´¼þ20~1.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rejoice08.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e18f0cc290a707b689654fb92af14610_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	¸´¼þ20~1.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e8070c0003000b000c0037000300190002000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007e939e192cf5d347bab33f04265015e200000000020000000000106600000001000020000000b816b47627e6a5874ee5a272b830c36235417e9f35eb7df25b48de839ef994fd000000000e8000000002000020000000a561b41586d46aaad35a1032101617ae6a378b49a8895df3a87da6b33446459010000000498581f590f1ffafb41b51bf98517b8940000000dd04d0ca3c43a67bb36e90bb09b79983a75b37ac3c7eb4efc4de4487b2e3f18724f18bb8902e9ceba8881e5b774fb3c8f04192fe7858e7b7ed08431e48250c16	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Version = "*"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4032CC49-1F21-4E8E-BB0F-BEC91D501325}\WpadDecision = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-2f-bb-90-95-0b\WpadDecisionReason = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e8070c0003000b000c00370001007603	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Flags = "512"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@ieframe.dll,-12512 = "Bing"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-2f-bb-90-95-0b	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Flags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\LinksBar\MarketingLinksMigrate = f0030ee1cb4bdb01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\Version = "*"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2384	2644	e18f0cc290a707b689654fb92af14610_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2384	2644	e18f0cc290a707b689654fb92af14610_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2384	2644	e18f0cc290a707b689654fb92af14610_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2384	2644	e18f0cc290a707b689654fb92af14610_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2872	2384	¸´¼þ20~1.EXE	31
PID 2384 wrote to memory of 2872	2384	¸´¼þ20~1.EXE	31
PID 2384 wrote to memory of 2872	2384	¸´¼þ20~1.EXE	31
PID 2384 wrote to memory of 2872	2384	¸´¼þ20~1.EXE	31
PID 2836 wrote to memory of 2972	2836	rejoice08.exe	33
PID 2836 wrote to memory of 2972	2836	rejoice08.exe	33
PID 2836 wrote to memory of 2972	2836	rejoice08.exe	33
PID 2836 wrote to memory of 2972	2836	rejoice08.exe	33
PID 2836 wrote to memory of 2972	2836	rejoice08.exe	33
PID 2644 wrote to memory of 2844	2644	e18f0cc290a707b689654fb92af14610_JaffaCakes118.exe	34
PID 2644 wrote to memory of 2844	2644	e18f0cc290a707b689654fb92af14610_JaffaCakes118.exe	34
PID 2644 wrote to memory of 2844	2644	e18f0cc290a707b689654fb92af14610_JaffaCakes118.exe	34
PID 2644 wrote to memory of 2844	2644	e18f0cc290a707b689654fb92af14610_JaffaCakes118.exe	34
PID 2972 wrote to memory of 2252	2972	IEXPLORE.EXE	35
PID 2972 wrote to memory of 2252	2972	IEXPLORE.EXE	35
PID 2972 wrote to memory of 2252	2972	IEXPLORE.EXE	35
PID 2972 wrote to memory of 2804	2972	IEXPLORE.EXE	36
PID 2972 wrote to memory of 2804	2972	IEXPLORE.EXE	36
PID 2972 wrote to memory of 2804	2972	IEXPLORE.EXE	36
PID 2972 wrote to memory of 2804	2972	IEXPLORE.EXE	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e18f0cc290a707b689654fb92af14610_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e18f0cc290a707b689654fb92af14610_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\¸´¼þ20~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\¸´¼þ20~1.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\rejoice08.exe
    C:\Windows\rejoice08.exe
    3⤵
    - Executes dropped EXE
    PID:2872
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\¸´¼þ20~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\¸´¼þ20~1.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2844

C:\Windows\rejoice08.exe
C:\Windows\rejoice08.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836
- C:\program files\internet explorer\IEXPLORE.EXE
  "C:\program files\internet explorer\IEXPLORE.EXE"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:2252
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2972 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
f30c1a98713f2da76f8f34d7b861e4ab

SHA1
6bd48f6558068927ef455ab8a12bf7c88626a7f4

SHA256
9d1ea3a794b10e55060d5ecc4e407c95833fd2ce84d0620ab3444419300647f1

SHA512
e3d443e2d7dbf86cd1a1a066df8db4428cfc0610b9b3446fcd2f1010ba69f7e599cff20100455ae00e90b23f6be82f24da6fc5d830bf02e9650430042bfa189e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b53808f6260897bad72f51817f65854

SHA1
44721dcebf3a5400f0da3620b5a4152728c954b8

SHA256
eaac2823b2441a434f8ba2dcc7e616b77ff6349ad41f66c36d1e7f236df6a95a

SHA512
c6b57da855da53916592c10130d23bfcb7d70c9be660c8cdfb33c59de6431fb47e16bd8f36242a89fd70a521333b782fcbd938e685719d5f1ae8516cf7d14ce2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fab2b8bf40b803720649c1c8e72f35df

SHA1
0f7ffc6d5e5605ec1fec2d1b1bbfd09e146ec3ed

SHA256
041be71d2aed7e33612cc430b7830e978fad0be443b7eda07105468621d89c9d

SHA512
157496aa3d1d47a1bb161b969ea2ac45b348ad0d345b4856b6904fc3fe60e90c01eb9b6615ec88f3dc7020c6f815da6fa2f2dc90b8778929aed52f91c771bd5e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6a07fe7bcc897b09d4a155d781d82d4

SHA1
b55496a9ed1d9ead19e2fc2b105677653b4e774c

SHA256
4b80ee98a8d66401656d049ff569cf6c33f01b97fdf0f187125b1e5818948cbe

SHA512
0517c6a1a00c4969c7d0a10be377eefdb40f8eb2949fe9acce4516ac07a9f95c2e31b94eb6d6f4baddff9197ef07d90ca9ef3a8422e843a675f93ffe69b69934

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d237ee2237b1aa13e4d3960098792034

SHA1
cef7d38e9442464ef4cc35ac5be116b38f713641

SHA256
ee05d02cbfd6a27434253744121c40094eca9e418961f6886bb85e510d9678de

SHA512
500572ebb7cdfc8d02acad1ffc7e8559b31b55b998dd485de3e46a1b7e9454a4ab985c5231d93942342e0cb5201d1daefecd38e500a5cb1d8eb4bcaa7e6dce55

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0bf2254905480c51c26398ebab2c09f

SHA1
fa63b14f0548285e192656fe75b79cdcdb83e31c

SHA256
de94dbfd484da0fd929f9739d16ecc23d2ea5b3077a5f28368978921382425a0

SHA512
7a0c745470b2516462eeeb6a72aa6a86f55f67082be2758938255b615f7c5083ceee19a48afdfccf7eb974f646921aac0a8fb57f42488c6f6592b1fea65851ab

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f92b1ce9122b2eb4a7c2a4a54a17b16

SHA1
b0cab9d6321da73999c136f10a9ccd5115d301bb

SHA256
40c060371a63287002106e8578ae876139bc257a0dc6b84669f695668d74021b

SHA512
9548e7ba38aae524bf8c89ec372bea6e013e50b156675638a4689189168b9a54e2e1e5d2f4f83d58a1396f7d86db725a5835608ca7246552ed58ce16b702a718

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0a1615e24bb67fcff400c0ef413b7df

SHA1
4f963c886a09cdbc8c71e6b18562e19c668a0671

SHA256
7943a74c02cf6d2e5485bb0c6040d22a8a5eb9d13aaff8e5f2dcd4f415c589ee

SHA512
a6044fcf08ebcae563fa98eb3f67da694cc4f15aeff8cb23acae6a928afb8e67f18df26e103986966f1842acce014f692b06b6eb8558a1d1cec62619abe4ccc1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c01efdc090045f6158a4ef2bf98570fd

SHA1
737642ab52a4becf48ade5e485367b5711331d42

SHA256
706967b6c620bec0e4ca96d6d445b792e3e9670fd7d794d9969ab5b90e5b4014

SHA512
efe331f133daf8f274bdd49db90dfe959e594bb6bc2b069aed389a4e01773362ac08776cc1b079031c1d3b80373a2c21789ef42a2b10caee967ce8c5a401ef28

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff36c291bc9328f2c0bd515a1b5ba594

SHA1
1c69b61284018237df89752a9dfffb3aefd047fe

SHA256
36559c340454915daaf5e6d46b06b65f3826f0f63384acf022b3caf9f2c96cc2

SHA512
d9a1e20e24fb1c2ac95a8a0627f9a88cd78379589675ff0a6129b71352e20ff689e3c95e8b48338ecb3e0912348c1c0a7ace447439a473f1d4369874666fd7ab

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c87cc3c7365dee898d53ef2126721e37

SHA1
8b83b5184fd025f780da182da8c6194ae704a1e8

SHA256
347379b83d5f6403b83a1b61d239dc5bb947f07a45f10bc044bd3b9eb462fd35

SHA512
4b6f23baf8edd2e68cff40ea892c584ba5e1738f6c8c0bcab9ba7be99474f86ab72d57ba5deabc7a7837a070c3f55d9346274a412f8b518192647dabc3a0c73f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07308c466a6350d85c58efaf9e6410ed

SHA1
f2f69cde579b7b656c05afed9eb91e65d69402cd

SHA256
424adc89a729bdab165a4f2cb957dba9d263c85bcba54f8b5d70eb6b1c786f38

SHA512
455cd642bd489d90845e03232795a302b422508e67cf595994f7c748aa51b5275bd85f8cccdd7b51e2079b599a558cb7865c55e370d3d2a3baf58aab0bcd2219

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d716f601f704af0ffc6605637cb4ae16

SHA1
a04e756f6c12bc86f9354a950e34561ac8a1884a

SHA256
a999df560194fe3c24f154444d837f552f1abfda3c8dd1a062a671df60492478

SHA512
24f76551092a1e6073f478aeaa8e026e65e400cf9664ff884e7b8c37c3e285849d82e195857fa13089548a0151942cb7cc4210ca4cf2e1f537a1e1b9b7db33c8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d8965248b03f1ea018f458025a12b46

SHA1
df7af35f1700287be6163784a1ff0c53c2890647

SHA256
1f86dedbb50ec6e45357d5395659fa8cb2c3309df8647e86edcc394314d2be31

SHA512
10c5bf48eaf52528bf1fcdfe1d0beaf07c9d368d1f5192bc0fe1f4abacd266a577248430de3839ee9bc31a6a61bf555d4a7fcbae15210038a5df6dc99781e99f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d59a740cbf308e893cd5df2c298a54d2

SHA1
71a4be3392f080032034480f48378125ce04c312

SHA256
38dcf1f8e99e592ed30c956f50172a63311bde087cce25fab7d37a99b1773ac4

SHA512
2ee2cfb724d15ac87f7a2011d689e323130a851f0218e3758a3388783b6b0dea0b61d2e4473b9414f6bc8faeea3e9b4111cae5c68bf4695bbe04efb0905caa63

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20ba247ca925614f009b55240c3bee1b

SHA1
e68dea9380622cb6a3ca2c4e30bf1439bcf173a9

SHA256
b2ac50b15fc5a37c65e80e4d66c3c1fe37defb993cb495fcbff37e6d6ed2161f

SHA512
781175d466c238753c744716b4ade247aa7f6bd15350498ce6e162107e1e35af794bc0b27719c5c4cefbcc8567c7d22e7bc27e5d81762d5f9d5241d98b8085f7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5dc3fb3105f8524375557d8d5547cb7a

SHA1
2cd1f2dee05217f296173875f058f71fbb5ccfa9

SHA256
6139cb560869a70844af948008bf2c2b22a7bff8790014e00acf59dd8a697faa

SHA512
23d2a629c49e87d10e37c97e0f175c577cf37eb99b6c1ba5a475b91ef7585c48f0c04446ef29eb1c0c806b25db32716b362f227000d4fc9e1e34b568e90db02e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a04c40269c812602bbb26213195e44d2

SHA1
151d6f93ff93d2567d715e5161fababdf334c9a7

SHA256
d6bae98627b505d4e29b792ac2df84b05a0e3b194fba94b0270e870c0167817e

SHA512
6587d0a2dd69b7107e2ef0bd4f174344b59621a2622168fa6edc4e89d3f81f56e0fa1c6717459e5a287bbfbd0f5a910222cd60a865d776c5bccfbfbf13e5da04

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a7ec04d1c6972a04373dcbe9dcc7fa7

SHA1
024ac20b0d8cac874074a62530b4f7aa72e664ab

SHA256
d90156c6f143d4977a582c370e2324d1feb07ed181568632297d4dec08b5eb2b

SHA512
644696c66de4ba819ae928a308575649a2ade5d7bea6506a7ba40cade397df97de7c2fcb117797151523ef914972db1b811c365a0319c3905dfe5fd2396e2309

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb3c391df339ca317127ac3bbceeb1be

SHA1
2ff57cf5effb95d40aa41d8bead61472eac0a8fb

SHA256
8bf03fba224488cf4c147bacb022bd20b88b67b4b00e9372461e73d36a362bba

SHA512
4154e1406e440f576d6ec49d7c001ca47973ca4a71f81cb177e490d57850192e32deb79590ec3b26da087d01427c228787358e36c459ad41e99e0b6861ff548a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2ee009d1f60d2187e8e4958da6f4c80

SHA1
5aeb07c0c3b141de6a2d66710b8ba66aab84f5bb

SHA256
3074c6d22160c13d70b40abb7aef9f8410ea6e722d4af9b49e57246b2e69be77

SHA512
f3e4d1a21ebcbb02b2706becd5e584237d4d687e605316e8f0d4a70db91c48cf2fe6d2aafdad009daeaa6cabfed94b894023054f9aa267f50c11f73f3a9d5c8a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f6ed7076728767a264050663eddb5aa3

SHA1
13a99e15757714635f41ab8fd71ef33b50e24088

SHA256
673d1cb2e18880b21c9c2004a070c49fcf555eeeba41d49f12e31f00de5c340c

SHA512
6b24cbfd79a796d8731027d453d1d362e2c62d82559b6dbf010fda2dde03c8f82bcd67c14ea7767ea7ec111296f2bd7e1efb8dfa4609c7f79b91c9ea57542766

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabC0A5.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarC0A9.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\TarC295.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\wwwB4DE.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwB4EE.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\¸´¼þ20~1.EXE

Filesize
719KB

MD5
d62319fb4e8240d7d814817bc6fc9deb

SHA1
5569166e733fe54058864a18e7c53d8208f89621

SHA256
077ac2671ba6bff28798f0da650a271b4c368ec9092ea0a9419d9b6d6d91481e

SHA512
2a2c48038323f81f96963bc86f88badf69c53683393b5c3b8ac1d5ab8a09cc058b732044130cd95b45f7e0806a453e496f398690f3f59ebf1440b9b805e3173d

Download Submit
memory/2384-37-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2644-10-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/2644-6-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2644-61-0x0000000001000000-0x00000000010BA000-memory.dmp

Filesize
744KB

Download
memory/2644-0-0x0000000001000000-0x00000000010BA000-memory.dmp

Filesize
744KB

Download
memory/2644-16-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/2644-15-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2644-62-0x00000000003B0000-0x0000000000404000-memory.dmp

Filesize
336KB

Download
memory/2644-2-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2644-3-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/2644-4-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/2644-5-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2644-14-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2644-7-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/2644-8-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/2644-9-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/2644-1-0x00000000003B0000-0x0000000000404000-memory.dmp

Filesize
336KB

Download
memory/2644-11-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2644-12-0x0000000003120000-0x0000000003123000-memory.dmp

Filesize
12KB

Download
memory/2644-13-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2836-39-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2844-44-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2872-36-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2972-38-0x0000000000060000-0x000000000010A000-memory.dmp

Filesize
680KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads