modiloader | 01d3cce7ef3b1e8d7240f115ebabc508ecd59d1f869024f771d27d040a53ecd6

Analysis

max time kernel
117s
max time network
129s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_76a4cadfc42263081e9f9180d71febe5.exe
Size

377KB
MD5

76a4cadfc42263081e9f9180d71febe5
SHA1

31bb87ef98282c5dfd7d60b47f2195b0e881de64
SHA256

01d3cce7ef3b1e8d7240f115ebabc508ecd59d1f869024f771d27d040a53ecd6
SHA512

c38da5c92ce15f49a2b2bdef3d601f1dbc0f9a3cd170e3c3bf97b047e7812dc77fb7f29a8a6771c272124a67b86f76486349f60e9beb9637988ad7c20fc8c2e4
SSDEEP

6144:sefXQDib5SnP+oxSvnmN+0GJeLLcpNFPeWRBA/w2F+7BfV62X+7bz7:hXD5XS+0GJML+PtNVz6N/

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 6 IoCs

resource	yara_rule
behavioral1/files/0x00080000000193e6-3.dat	modiloader_stage2
behavioral1/memory/2828-32-0x0000000000400000-0x00000000004BB000-memory.dmp	modiloader_stage2
behavioral1/memory/3044-37-0x0000000000400000-0x00000000004BB000-memory.dmp	modiloader_stage2
behavioral1/memory/1808-31-0x0000000000400000-0x00000000004BB000-memory.dmp	modiloader_stage2
behavioral1/memory/2592-30-0x0000000000060000-0x000000000010A000-memory.dmp	modiloader_stage2
behavioral1/memory/2756-22-0x0000000000400000-0x00000000004BB000-memory.dmp	modiloader_stage2

Executes dropped EXE 4 IoCs

pid	Process
1808	3.exe
2756	svchost .exe
2828	svchost .exe
3044	3.exe

Loads dropped DLL 6 IoCs

pid	Process
2852	JaffaCakes118_76a4cadfc42263081e9f9180d71febe5.exe
2852	JaffaCakes118_76a4cadfc42263081e9f9180d71febe5.exe
1808	3.exe
1808	3.exe
2852	JaffaCakes118_76a4cadfc42263081e9f9180d71febe5.exe
2852	JaffaCakes118_76a4cadfc42263081e9f9180d71febe5.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JaffaCakes118_76a4cadfc42263081e9f9180d71febe5.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F98E85C3-CA34-11EF-988C-4E66A3E0FBF8}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F98E85C1-CA34-11EF-988C-4E66A3E0FBF8}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F98E85C1-CA34-11EF-988C-4E66A3E0FBF8}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F98E85CC-CA34-11EF-988C-4E66A3E0FBF8}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2828 set thread context of 2592	2828	svchost .exe	33

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchost .exe	3.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchost .exe	3.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\DaverDel.bat	3.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchost .exe	3.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SetupWay.TXT	svchost .exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_76a4cadfc42263081e9f9180d71febe5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e90701000600040000002c000200140202000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{33D616F7-3C99-47F9-92ED-62E5A43607E9}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442113302"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Version = "*"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Type = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e858c24fe8cb5841968b84e1f3e5f2e200000000020000000000106600000001000020000000525eb3f1e47202bdf8d22b12ed7902763da9896c3587f05b726409296f8cfa7d000000000e8000000002000020000000eb1b06fc73afe862d8f381274ec97033f351703db614443fb2fd423f972de90750000000a377a490bafb0937ad24f39311df7656f6481ad7b29115c857ffa4e6e5ac2718732160e4225d45534d297b5c7d7528950d5e0e25e9e15af2551b96b3f8719debd01e1277e99ac32c724ec921b3c6bffe40000000313293bbb8ecc9c77b34901620ad2815bdea2155be03705142daf89228925354b128390db87fc11b7f0326bd56c4217f95cf97bc7feed483a54972e8cfadad94	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Type = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e90701000600040000002c0001008302	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\ImageStoreRandomFolder = "citbx1f"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\F12	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-9a-3c-34-4a-da	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{DFFACDC5-679F-4156-8947-C5C76BC0B67F} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000060ac37bc415edb01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites\MigrationTime = 60ac37bc415edb01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LinksBar\MarketingLinksMigrate = c00d3abc415edb01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Zones	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences\2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e858c24fe8cb5841968b84e1f3e5f2e20000000002000000000010660000000100002000000013267f187f2a5ebf96783ad0996a3a270ab7f4d35de2bd921557b6080170bf30000000000e80000000020000200000008e48ec7d93c8441d80506645c7c164823c452be77086bdd9ef342ac1162681f7100000007038c2b43afc083a5a3a043ba833053e40000000fbd482fdafe390e142fab6eea6ded7e9dcd942685834f47430837fe40f2a4c065c5e6ee00390314132407dfe55553e7a8360d05c31e5245c27b5cd2041492f51	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{33D616F7-3C99-47F9-92ED-62E5A43607E9}\WpadDecision = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Windows\\system32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e90701000600040000002b003b00740002000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\TLDUpdates = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Passport	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LinksBar\LinksFolderMigrate = c00d3abc415edb01	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2592	IEXPLORE.EXE
2592	IEXPLORE.EXE
2592	IEXPLORE.EXE
2592	IEXPLORE.EXE
2592	IEXPLORE.EXE
2592	IEXPLORE.EXE
2592	IEXPLORE.EXE
2592	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2592	IEXPLORE.EXE
2592	IEXPLORE.EXE
1252	IEXPLORE.EXE
1252	IEXPLORE.EXE
1252	IEXPLORE.EXE
1252	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 1808	2852	JaffaCakes118_76a4cadfc42263081e9f9180d71febe5.exe	30
PID 2852 wrote to memory of 1808	2852	JaffaCakes118_76a4cadfc42263081e9f9180d71febe5.exe	30
PID 2852 wrote to memory of 1808	2852	JaffaCakes118_76a4cadfc42263081e9f9180d71febe5.exe	30
PID 2852 wrote to memory of 1808	2852	JaffaCakes118_76a4cadfc42263081e9f9180d71febe5.exe	30
PID 1808 wrote to memory of 2756	1808	3.exe	31
PID 1808 wrote to memory of 2756	1808	3.exe	31
PID 1808 wrote to memory of 2756	1808	3.exe	31
PID 1808 wrote to memory of 2756	1808	3.exe	31
PID 2828 wrote to memory of 2592	2828	svchost .exe	33
PID 2828 wrote to memory of 2592	2828	svchost .exe	33
PID 2828 wrote to memory of 2592	2828	svchost .exe	33
PID 2828 wrote to memory of 2592	2828	svchost .exe	33
PID 2828 wrote to memory of 2592	2828	svchost .exe	33
PID 1808 wrote to memory of 2788	1808	3.exe	34
PID 1808 wrote to memory of 2788	1808	3.exe	34
PID 1808 wrote to memory of 2788	1808	3.exe	34
PID 1808 wrote to memory of 2788	1808	3.exe	34
PID 2592 wrote to memory of 2724	2592	IEXPLORE.EXE	36
PID 2592 wrote to memory of 2724	2592	IEXPLORE.EXE	36
PID 2592 wrote to memory of 2724	2592	IEXPLORE.EXE	36
PID 2852 wrote to memory of 3044	2852	JaffaCakes118_76a4cadfc42263081e9f9180d71febe5.exe	35
PID 2852 wrote to memory of 3044	2852	JaffaCakes118_76a4cadfc42263081e9f9180d71febe5.exe	35
PID 2852 wrote to memory of 3044	2852	JaffaCakes118_76a4cadfc42263081e9f9180d71febe5.exe	35
PID 2852 wrote to memory of 3044	2852	JaffaCakes118_76a4cadfc42263081e9f9180d71febe5.exe	35
PID 2592 wrote to memory of 1252	2592	IEXPLORE.EXE	38
PID 2592 wrote to memory of 1252	2592	IEXPLORE.EXE	38
PID 2592 wrote to memory of 1252	2592	IEXPLORE.EXE	38
PID 2592 wrote to memory of 1252	2592	IEXPLORE.EXE	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76a4cadfc42263081e9f9180d71febe5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76a4cadfc42263081e9f9180d71febe5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchost .exe
    "C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchost .exe"
    3⤵
    - Executes dropped EXE
    PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\DaverDel.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2788
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3044

C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchost .exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchost .exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828
- C:\program files\internet explorer\IEXPLORE.EXE
  "C:\program files\internet explorer\IEXPLORE.EXE"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    PID:2724
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2592 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\DaverDel.bat

Filesize
144B

MD5
a07c140242d501303a0c7a5ac913c0e1

SHA1
c348157ab408927eb906d8e8ed8d38eb3e596349

SHA256
b336029985b5f56777b70adfa74b0f05482f59c811f3a0522577113f9a8969ad

SHA512
6487e47cfc10579d6f2e2285501de6be2ba87b98fe94dea926a0343f1478a4dd7b4a10c3c6c32c67f3d218a9e3b304994089ba4f6c3a239e2164d1548b08808d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
4b01a334cb45543b979b8f486cede06d

SHA1
10e6b94247771906b27d5827eabcda816c9f49d7

SHA256
b44cfd11c140c4459eb6445965e518e1a5c26636da923f31c7fd50b6a1ccb865

SHA512
b341aa3befa84c999440bc4e92f1ab6df47818df02f09ece48548b7fc848ba3ccd8fac70eb4f5c3900584370fc9382a2aab9fae3928d0e2f5b8264116d1842a5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
911f874ab9a55682885f7d6de9daea5d

SHA1
d5e83435581b05b554b69aa50c6576cc05ee8ac4

SHA256
5e872acc29e3c91122ec01669143c407db90c22ebbe4273e7de4308da7aef7a3

SHA512
5182f19976647d5b17fb0d1fdb83d3d69f47913a9e964184d249541def0aaa3991ac385e9897c1dae77d7566d43180aa4a9fd2cc85b1f5a400874804c4e93373

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93fd283a0ba7dba43a8339b25d29de8a

SHA1
2a0ef88ec9525ec0e942abb267fbc96a372261d9

SHA256
162f164bc467d1d4c24e71f761842b4ad11bdba3ee5810cb6374f93910a321bb

SHA512
f31e6284c0a26cbcf343929af8716edbd3d84ed62ee042f1e4e999006f7b8686ce498d0cb1271a07176050ed1d606c8ebdc0c1ddf16c9fb7cc35abd4bc152694

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13b8344a6c61e5f182e6c03b09c84f84

SHA1
7a8d2fb319f1477551c38611e0d0ca0fc23a37d9

SHA256
c95d51dd56f38595cf0381ef3c45dcd435d012ad27619777e5a9b6b44fe90c4d

SHA512
6505a405326aad7fd68df807dcd137154425dd56c10fa6b90279377f7a25d8ad3850c872c432d03107de67b206dcc8c2074791cda98035a948d62f350a5f15b6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
048279b41e799582eadcb350a0a647ad

SHA1
a057d3a8048b36b42f3ab44c994a94ae392c01af

SHA256
77a52ccbddb30c56a61126e6618d2d9fcd178602ff50bf56f8db358befa0ea76

SHA512
c1cc5b23c470e50b6d2e0d171a5e04da841bd40c08417148293fbbf0587ad1d2fb6e230f307b2f85d8837c788608230244c87d685c1350026dbb53a7083cffe4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65a2741d00b18d7505bf786cc63f50ce

SHA1
0fc65aeb9faa46ba4884c45e25639d9b413b2927

SHA256
8637eb89b35d45cf11b6c8be4724e6aa6864d6fba91f9620fe13320073a506a0

SHA512
8475261944ba18a9fd9110602c466b88af186307c62f5f0b9aff8c324e0750a9d9fcf43894f77dd8e9a2945d019e9b70ce305a7eef8fc9c66f80f7d86be12a58

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3382f7cedce747df26864657d50d74a9

SHA1
f395c989a20d0953b8dc169e80af6aa23788ee87

SHA256
3c8db877c72720b0688781b30607190851577c72dc971266cf0aa6a9a17796d1

SHA512
1d738363b515facc099149e64e1dd84cc66ce9cd715f2242f3f146087e62945bad8b2bf165fa9c06c1c4f0ecf6fe2f0d9e99080d83a5012b67bf0f9853ebd553

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
737b96f310b30464b160ae62da25e421

SHA1
d9ff31334ff8edf3517f373c68db484b8b6e9e01

SHA256
3957c37b2bf3b83a8332be100a924f3f021c082283a5bdcdf795389d10ce5214

SHA512
f0dc7902d0cf785dc57fc59a4c783c4de53172759bde08f0cfc72e6c1b2b9d9f7fd75ea8c6e1f1187fbbf9a732fc9a5ba9b6fb0689f70d820ae8e10bc8f67d98

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
601b8e5739590cdee00d570211420cc6

SHA1
880bfcb4cb298b55e6da6e46493f1c9a39eac360

SHA256
d818ccce547a3b6b5e3d2e55d9060ed30b7a311cf4da5f4889da3a8b843b6e0a

SHA512
315728ce2ae025093932df99b283c1901a675b6fe158003ceb87ab693dbf7cbd7b4c0b5c6ff6ab519deabc9be7c9e4099e655266e76667906859fe855d6f1115

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8cc1e00fe54b0afbd27080c98755c4e

SHA1
04a647595a60b3f0a47b42064baf85c51df5924c

SHA256
098ab3b6bcbc79b76643d6556f56b8f9a2853193fa8ab451cb8df92b13874c04

SHA512
5f6fcea1dbe452b78c3d01099a11fa1e7bff273644f5541d95a61d3d2939d8aefa3f0756f3af8ddaf343f7b537247dfade0377da51e64d3d1bf3b78cf63c7989

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72391742bdda350abf4a2d23532c893d

SHA1
ad0f195fcbec22d8862099b0dd23dd728b8a03b3

SHA256
f59f0828a7d906dc6d9b33912210a100768e44da75c3fcb47974d3c4b3024466

SHA512
3ed4d470cfab8b8feb90b4b1f831099062d5ad793b809e8e90f3bf7ccc64a3af98c11e90fd5303a47edd0164c00825a1b8255939de886f20abb89c10c9f17289

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02ee2690e1cf7df854984fbbbc618a38

SHA1
2db49e098e141150cff3dda6e14247f726ccaedb

SHA256
9b81298e3227b2de2cfb3b27b8dac5305a4b7ae3b79ed796cb27935411080eae

SHA512
a03ce2569465c9b7f000f31875b21efcd8b4992d369b7a8ae35af560cecf585533498969644d44c71713878782c9e1fef428ac4d7a1eca2db44272fdae406ad9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d49b9edf6fddd4119282f1d8ed0aa81b

SHA1
4805a22cbda5467049cc173ed2cc481f7c3f3c3b

SHA256
0b2821cdb0b464d3e67d80782a850208ae5a9ff69bc88f03d80474da48b14e2d

SHA512
0d0923618347f5d47f328669d11ce2eef127216334261c1de113f16fc32403d001b07424e38d989d693a6752bf4b17dce6f7a46b8942d220a382ea5ab176e9f0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7b8792283f3235d315b7c39d2722db7

SHA1
ba569a0aed81ed0cf18e7360bcd5540c0958c47b

SHA256
b853ba0911af35976cfbb7a713a5f14ebda599b250d92fc81524bbda96e20acd

SHA512
a110134466799bdbc780f577ae3de7211827ee7fecdc0d3a6078a91ce98f141454afbfb70f676f9384717b6a3fdebf5ec04eb67eae1ffa02b7e0ab007c970d17

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f92d9b6bf4b2ff3539649a38d8314b4

SHA1
2e2c933e15f4dc4895d9c9aac98fdeae3b378743

SHA256
6f3efa877ee2e7adc31828a84194c841a18303cb1fe209cc9ac52e85cd2f8b20

SHA512
615d965612c5a5c305ad7636eb77cc3fabcecf90a788d51c672e11f73384e439b385e9039e416e4fcc14c52ba6b8494876b5057847d5ff44b1a60d835c21b794

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8527ce6dfe6dcc3ea88d3df17a9d58e

SHA1
374c487c7d7831929c062d01a05526aac368a73d

SHA256
7072b0cbe7f14f77dc1544b43a4de1ca8f04afeccbf915e7ad1744da5209bae4

SHA512
559759b4c9d37d8d218bbbb1d9b06c4364487d2ce724c74312544cdd2e526c4989a5045bd0773158b483c2cab3dc025bbad045526dfddecfa2abe2487fecaf21

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97a7777f9d349b34f47ba7bbb4271d88

SHA1
bfc1248b9f2a09bf88abbbd52031aa7fcc77e494

SHA256
507bfa68d0600a0f47175800d9880edda70ee849c95fd56965ed057312cebf32

SHA512
3349499ce07cfa3c2ac2178e2187173881a2ad9acd996f6f2904874528e5a6e765d9d67d552cbc444e70298c7387ab6b307435bbb08a5b5321c6a0145b3a1bba

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3968f90d7cd3c4c75b8aef8fdb7cd595

SHA1
b0770635573ba98dec38db8b686c6aad9ddc47a4

SHA256
5ddc477e0e4daa221ecd65ef2e06826a013d9b75a21ad7891ed92975eec9653f

SHA512
09fbd3ce198d004ef1d1a8f31b5493e1774c60e2f7f24112d29d42f1e6e1dbbc1b10c751d5b6e03d68d94c0720c2d99c190f59dc9339d1214ff94989d34a4c21

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f129a26f2a7bac10013d5579a6e6a76

SHA1
780d51072a9dda6b7c1fea11a90556ebbb7aabf0

SHA256
ad17282a238e074cc9cbabace5f1eb8ae34b913981f9c1405dda4f614fb3faca

SHA512
a6bb620e1fa57c96421dceeef08ab842a1a8c1b0baee305ac68370899a7c8f0d5af0afb59e76272272ec0e541a9ac70e493dbeb38a336ed5bdcfcf67e323a36f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e4ae976b061b0df41da70bd9422f0b3

SHA1
0385aca71529d367afb4bc08b2d5c0118c4ada7b

SHA256
1d08c3d7c1e4f40fad14c7059c1ba35a0f22b9679b46d07b36c3f01a2079a61e

SHA512
cc649ec966180bf79be809c9f4f01ed2df559a49b6597ef9972cf5ff82c68ccda1cf49b95da17abebbf0c90a4d2ccbb8a7559da757d2e8651e72499ae22a7541

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
9270aefd9fa412f4ed2744632c5cebc3

SHA1
c1eacc399a1b08393ce337efa8c406cc1af20500

SHA256
2f412f9e3517ad95c3cf9b60786ac48a65003dbe3a882bbaa41eb7e2d09abdfb

SHA512
d2daeaa89c405526f84577caf0d25ea6c2dc103cdddf6c84d23a87497719a117c79ca8a2ae57df06d0149047e4a26fed5d0cbcf7aca922dba0edf1c1cdafaa43

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab1825.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar183A.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\Tar1A35.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\wwwB85.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwB96.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
720KB

MD5
d872e886d1e229a41bdac3b0cb597078

SHA1
277d0dbda7063f692c941626d6dd18bc36958687

SHA256
19b84513f8ade8352cf8de2ec2dd140c5a39402c70a159853cf427eefdf6f674

SHA512
472fced3da2935212f9a9f3994210862d101f032e7c5264897e547524d9846695fc557f5d750b78f5aa96d6998e98a8690c29418bd2a930a19a0d6b183cfdc70

Download Submit
memory/1808-31-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2592-30-0x0000000000060000-0x000000000010A000-memory.dmp

Filesize
680KB

Download
memory/2756-22-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2828-32-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2852-54-0x0000000001000000-0x00000000010BE000-memory.dmp

Filesize
760KB

Download
memory/2852-2-0x0000000001000000-0x00000000010BE000-memory.dmp

Filesize
760KB

Download
memory/3044-37-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads