7a6dea9a1f132fb60fda6b9ab1c821189881d093a64dc62f7903c2a819cb7adb

Analysis

max time kernel
151s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe
Size

216KB
MD5

b8ca0108f4ae400ebb7169e7cee05f4c
SHA1

710b305e72129ad1ff69f9434f27f64298060292
SHA256

7a6dea9a1f132fb60fda6b9ab1c821189881d093a64dc62f7903c2a819cb7adb
SHA512

e1836c66940f82c95b5f9d97a511b0b3910b89416bd59523ad4bc442c016cfad00e58789d2a0cb52ccaf127d46073574c9e68f2790880832b541969f57cbf7af
SSDEEP

6144:SwHysFRnGrHQAVUHjzIOh4OzRk1oOJ4CSrZ:JFRnQVU3IKM1JiZ

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\\InputSwitchToastHandler.exe\""	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\\InputSwitchToastHandler.exe\""	InputSwitchToastHandler.exe

Contacts a large (532) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\InputSwitchToastHandler.lnk	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe

Executes dropped EXE 5 IoCs

pid	Process
4752	InputSwitchToastHandler.exe
1748	InputSwitchToastHandler.exe
3500	InputSwitchToastHandler.exe
4976	InputSwitchToastHandler.exe
4828	InputSwitchToastHandler.exe

Loads dropped DLL 9 IoCs

pid	Process
1108	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe
1108	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe
1108	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe
4752	InputSwitchToastHandler.exe
4752	InputSwitchToastHandler.exe
4752	InputSwitchToastHandler.exe
3500	InputSwitchToastHandler.exe
3500	InputSwitchToastHandler.exe
3500	InputSwitchToastHandler.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\InputSwitchToastHandler = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\\InputSwitchToastHandler.exe\""	InputSwitchToastHandler.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\InputSwitchToastHandler = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\\InputSwitchToastHandler.exe\""	InputSwitchToastHandler.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\InputSwitchToastHandler = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\\InputSwitchToastHandler.exe\""	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\InputSwitchToastHandler = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\\InputSwitchToastHandler.exe\""	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
53	ipinfo.io

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1108 set thread context of 3980	1108	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	96
PID 4752 set thread context of 1748	4752	InputSwitchToastHandler.exe	106
PID 3500 set thread context of 4976	3500	InputSwitchToastHandler.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023288-47.dat	nsis_installer_1
behavioral2/files/0x0007000000023288-47.dat	nsis_installer_2

Kills process with taskkill 1 IoCs

evasion

pid	Process
3708	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\\InputSwitchToastHandler.exe\""	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop	InputSwitchToastHandler.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\\InputSwitchToastHandler.exe\""	InputSwitchToastHandler.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4508	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3980	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe
Token: SeDebugPrivilege	3708	taskkill.exe
Token: SeDebugPrivilege	1748	InputSwitchToastHandler.exe
Token: SeDebugPrivilege	4976	InputSwitchToastHandler.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 3980	1108	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	96
PID 1108 wrote to memory of 3980	1108	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	96
PID 1108 wrote to memory of 3980	1108	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	96
PID 1108 wrote to memory of 3980	1108	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	96
PID 1108 wrote to memory of 3980	1108	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	96
PID 1108 wrote to memory of 3980	1108	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	96
PID 1108 wrote to memory of 3980	1108	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	96
PID 1108 wrote to memory of 3980	1108	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	96
PID 1108 wrote to memory of 3980	1108	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	96
PID 1108 wrote to memory of 3980	1108	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	96
PID 3980 wrote to memory of 4752	3980	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	99
PID 3980 wrote to memory of 4752	3980	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	99
PID 3980 wrote to memory of 4752	3980	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	99
PID 3980 wrote to memory of 3252	3980	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	100
PID 3980 wrote to memory of 3252	3980	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	100
PID 3980 wrote to memory of 3252	3980	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	100
PID 3252 wrote to memory of 3708	3252	cmd.exe	102
PID 3252 wrote to memory of 3708	3252	cmd.exe	102
PID 3252 wrote to memory of 3708	3252	cmd.exe	102
PID 3252 wrote to memory of 4508	3252	cmd.exe	104
PID 3252 wrote to memory of 4508	3252	cmd.exe	104
PID 3252 wrote to memory of 4508	3252	cmd.exe	104
PID 4752 wrote to memory of 1748	4752	InputSwitchToastHandler.exe	106
PID 4752 wrote to memory of 1748	4752	InputSwitchToastHandler.exe	106
PID 4752 wrote to memory of 1748	4752	InputSwitchToastHandler.exe	106
PID 4752 wrote to memory of 1748	4752	InputSwitchToastHandler.exe	106
PID 4752 wrote to memory of 1748	4752	InputSwitchToastHandler.exe	106
PID 4752 wrote to memory of 1748	4752	InputSwitchToastHandler.exe	106
PID 4752 wrote to memory of 1748	4752	InputSwitchToastHandler.exe	106
PID 4752 wrote to memory of 1748	4752	InputSwitchToastHandler.exe	106
PID 4752 wrote to memory of 1748	4752	InputSwitchToastHandler.exe	106
PID 4752 wrote to memory of 1748	4752	InputSwitchToastHandler.exe	106
PID 3500 wrote to memory of 4976	3500	InputSwitchToastHandler.exe	109
PID 3500 wrote to memory of 4976	3500	InputSwitchToastHandler.exe	109
PID 3500 wrote to memory of 4976	3500	InputSwitchToastHandler.exe	109
PID 3500 wrote to memory of 4976	3500	InputSwitchToastHandler.exe	109
PID 3500 wrote to memory of 4976	3500	InputSwitchToastHandler.exe	109
PID 3500 wrote to memory of 4976	3500	InputSwitchToastHandler.exe	109
PID 3500 wrote to memory of 4976	3500	InputSwitchToastHandler.exe	109
PID 3500 wrote to memory of 4976	3500	InputSwitchToastHandler.exe	109
PID 3500 wrote to memory of 4976	3500	InputSwitchToastHandler.exe	109
PID 3500 wrote to memory of 4976	3500	InputSwitchToastHandler.exe	109

C:\Users\Admin\AppData\Local\Temp\b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Adds Run key to start application
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\InputSwitchToastHandler.exe
    "C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\InputSwitchToastHandler.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\InputSwitchToastHandler.exe
      "C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\InputSwitchToastHandler.exe"
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Adds Run key to start application
      Modifies Control Panel
      Suspicious use of AdjustPrivilegeToken
      PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    /d /c taskkill /t /f /im "b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe" > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3252
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /t /f /im "b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3708
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:4648

C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\InputSwitchToastHandler.exe
C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\InputSwitchToastHandler.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\InputSwitchToastHandler.exe
  C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\InputSwitchToastHandler.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4976

C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\InputSwitchToastHandler.exe
C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\InputSwitchToastHandler.exe
1⤵
- Executes dropped EXE
PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsm3DEF.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
C:\Users\Admin\AppData\Roaming\159 dk orange bl 1.ADO

Filesize
524B

MD5
c1499bab3b267f3cae9da5c2bb1d0852

SHA1
b3d22f0f91ab2f48797fa87729b1ea62739251c8

SHA256
5b0f22c90efa9627d7e16179e0ca713cf596aac5850d776a9c619ae6cc6baaa2

SHA512
10bef0c4bdfafc2bf98c6cacea3a3bdc652e028df268111caf42961ac1f89b78c958b6f781d8cd8063e4bf90a231d0efacb2f5ffc2859e71101991d1c23211d9

Download Submit
C:\Users\Admin\AppData\Roaming\404-5.htm

Filesize
1KB

MD5
b32ee0da29e26569bd038838f1928528

SHA1
8d50ef0a8ed90ea61ff3393009e795b3cea4b590

SHA256
b560e11a6bb6d7585b216bf2139ab01f36636f9054d26a4179a5b6ca8080ccfc

SHA512
f1ef5377936a193465117ccce25e6c4b90628a32eeca1f2a40ae5ebe170389bd41462bca9684916d8809e74da3c208a5a5902e2908982fc52bdbca6618ac6679

Download Submit
C:\Users\Admin\AppData\Roaming\Bamako

Filesize
85B

MD5
313a92eb9dc6f52cf9368d7bdb49f636

SHA1
119974836f996a58a14584497d853e3f24b68057

SHA256
cde9b6a758da6349dc02027cc178ff4dd2b51676844935d134456bc814b74bdc

SHA512
15a851200cea62c693f3ceb03d56e77147aaea7d1019da66ea8cafca627a1316115a523c8f4f2aba9f4869d7e2cceb1e72bd328b7cdb7a11aa3f3f9a7b336d21

Download Submit
C:\Users\Admin\AppData\Roaming\CMYK very cool.ADO

Filesize
524B

MD5
f4c42aaf38232ca3e7047113845d54e7

SHA1
2ba20b769905bae855a109949ef926945c95aa7d

SHA256
55dce613e49d0b7b29883109c38ef4f5db7f1b0a4473b9d5326f73b5e5a18160

SHA512
54165d17ebfa2224e7faabcd02c83d6c5ed6c0aee687f4ec6e8c87a4877e3eec50f57ccfb0812c31f17ddda176b592ac0409bacb5c6b8873247c2489d50c2c20

Download Submit
C:\Users\Admin\AppData\Roaming\Ceramics - Eggshell Blue.3PP

Filesize
1KB

MD5
e83ab70fbbe4313da354090b019c93d5

SHA1
a3706e0604ba7d341646a383017c6dc259c4e29c

SHA256
15565a7fb183a4d86ad3d32e01544d01b99cf9feeea31476620317dfd993b01c

SHA512
f95b4302c06491b56077d77566752f6a700d95752118c2cb9ae6b50b48a95f6ef8abb2c0b96dbb3ff9bf1ec2a830db66b2c26d9b6124224b6bc93a21d38344fb

Download Submit
C:\Users\Admin\AppData\Roaming\Dublin

Filesize
1KB

MD5
d712a8597afa11cf28d0388c48970397

SHA1
0f8460d523dc7efa13c25d2f0d4bd72dd7dbdc6a

SHA256
0e588c35ad9344cd2bed21c95732cb94fd252ba77b36fb5ff49eaab3fec2762d

SHA512
051642d3cfa09d8b8af5b10bc22837ad98826452fc97fbb8da64efe784746603588df3431c3a905d3bd30daa86258879a4ab54f51b620b97be4d0ce629d9a074

Download Submit
C:\Users\Admin\AppData\Roaming\Efate

Filesize
233B

MD5
a1e91923c47567f6a6e8b4759efbdce8

SHA1
96472c46cc0d85901b0612b27e6ed1b927310534

SHA256
3947884f27876aba39f268da374a8aadffe79eb7068e85c1d244487294e132ec

SHA512
26cf0f0e925b4da8f49fea549c95d171e2c771057c52948679efd17ec821bc1e7774cf78ca08dcc60adf2cb449da67526f6077f0b0f582ab5126f5a743729e13

Download Submit
C:\Users\Admin\AppData\Roaming\Escudo.U

Filesize
127KB

MD5
30815aa3f29a08a5789be3d1ed5c7075

SHA1
4537969a7de49d0eeefd538d82a4328891911966

SHA256
884bc6651ff7ad799a12fd2c94d2761b20c5a4bc92ed3f159274c123db4abe54

SHA512
cc5292b15b6d078ab7cf4d2acf8b02b8f7890d485fdfb9036b714aaf2ef10da55e219d98cab5eb1489cd72f869a70fa0b68e6d5c5b11b301a1ca4924d9374bf3

Download Submit
C:\Users\Admin\AppData\Roaming\Graph2.mpl

Filesize
2KB

MD5
f9ae5583a287146f0d87eeb7c35af94c

SHA1
88ce5650c88cfd3143757448a33ab480001c831a

SHA256
da8d05e61efa2f72434ce673c8e80778a7dc0f5f8edaa66d0d4df45392e6b4df

SHA512
2166532e0b911aa9d662356859cff6ab3e427901230b4650d1373d9a85edeaa16bce86cd44e310ba205838060bc6f66698734c310b51a3d6ae7f6796e508967a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\InputSwitchToastHandler.lnk

Filesize
1KB

MD5
33ba78f83e699c3774113d0ddd33c442

SHA1
92fdc9f1ebb581f034b7f7c0c0c52a3a186f1bdf

SHA256
6d127246db711d7578a99d1d5250cc1a2583ca2c3b9a17c5e2c4b26163ebd391

SHA512
ceda9c96c80f5b7d6bd092cf12e5382134c7cd67ba9eb7b5f20215ac8b6ef2c1b0da84b9264fd0b4ed188085708ae578d055886a8ba27313001020428ae6815d

Download Submit
C:\Users\Admin\AppData\Roaming\Pwgen.dll

Filesize
25KB

MD5
623fe81e0b18bd06f69e1cf75feaf479

SHA1
80227605564679e2e4ccc6d751d1a963c456b8b8

SHA256
8a13c3648c759b83870969e25bee41af6c2253c6b48514b97b37e621fdad1d61

SHA512
4f7b9a3924f75091414463e5b138a38b667aea036ab9792e1b9509dec91033a820727a263e59b029a7b8fafbff86aa551d97000b2ce619f4e1f977930bee859b

Download Submit
C:\Users\Admin\AppData\Roaming\SildCrosswort.d8u

Filesize
5KB

MD5
cf5b996326404d95e56e56c6095fbf8f

SHA1
c3a1cad85e50dd01ad358e5233cc656fd7781395

SHA256
feda19c2b46dcd7cb8d33bd10e6aba57085cd679c1eb22081a2d03a141925840

SHA512
cba18ee5588a007272673099faf9f7b515ef4b962994823ea986df341af8559ea4868981ff4469c008a6407e5197584449d619dc2d017d8aaf149df59ae06621

Download Submit
C:\Users\Admin\AppData\Roaming\administration.config

Filesize
4KB

MD5
ea8786a9e8c53d4136b57da721d3a530

SHA1
ee83b68c4c9f40b3d3eb4a04f61d9952d7513a0e

SHA256
85835a7c2f33dd24fd15d48f288ef0a8e07745611a08bfe6dcb9b8f547321f2c

SHA512
b7e4095ed87a7dd922a6a5afbb02acd7e4761c03645819a6c8690b56296f8839db2e355a1bb83d243a42fad4e5400a6f873f8d6caf9a1eee9c6fd86951511016

Download Submit
C:\Users\Admin\AppData\Roaming\backgroundmon.xml

Filesize
2KB

MD5
395c2be15da5e47505ce16f2b3dfeae3

SHA1
f26d6f1b523c6f58bcdae82c99abd83ebdb6dd7c

SHA256
97ffd445a849672e57a3a674af7e86472698f07a319e9354617081eed8ae1e40

SHA512
749ca3415332f623c59a21a29342aa6d93e2c1e6979d22e7ebf3ba88e51180e2f3d09edb6270c23a2cc251c76abbfe6b4676f10617e887914b2361251751d12f

Download Submit
C:\Users\Admin\AppData\Roaming\benchmark.png

Filesize
4KB

MD5
66774a13c8f3917bd188d164749e9637

SHA1
505452afdc8c064bd36d520e38f98a6c2b854348

SHA256
27fd5c0dff36fdceb96f8dceab5230010c86e94e295625e46f6ab12ba4b7e69f

SHA512
fc43cd5f3aaacdf5ee9749f467b9a86fb661340d3e4a47b8b5096b3dd0a69a4f43a7ccd751f451491b66b29bdf787578f6d29bc5a06aaaeff5a4cf862feede9b

Download Submit
C:\Users\Admin\AppData\Roaming\defaults.ini

Filesize
232B

MD5
0a8dc502c9c3ed9ad092da7363e7bbb5

SHA1
36150206df0c1054a7cfe034d4bb1d9a7aeeae68

SHA256
df768994da3713682658fc9c5f635a981f1566adfa4554f06555cf658b490dc4

SHA512
6d2c333748130ffcbdc3e9895c057885ba833d31dc5e43752dd3efa84cd0c2640bcab290252059bb9f63ee75822479b7179c2c6e0bff5179109ff0f8e41d9a80

Download Submit
C:\Users\Admin\AppData\Roaming\externalcall.jar

Filesize
4KB

MD5
b730ea0c54af71df0fe2367b746b378f

SHA1
d37fa9b16c8d43360807129a48fdd67537f4d323

SHA256
0a4a717dcd9cc0d3f7259c237210ee8cae8e3a2368d09f4d4f2d3fb42cca43a8

SHA512
437ede4346b3d7f36e0eeca265aead1c8bbf7d92bc65aed05311e0545009073f9ca42f47d3b8426b3305402e0ed8a028494ed02f251bc105bb6642cbd2f8c128

Download Submit
C:\Users\Admin\AppData\Roaming\fnp_registrations.xml

Filesize
244B

MD5
cca42bd5b580bbc9a4a9dd1528b3cb40

SHA1
990b6bfee988f5a48fbdde374a24c8e9879c45ab

SHA256
e4808967f2b21eb05a3454b4cd13d8387da753e367177241eb4639614d83b64b

SHA512
c14c3afcc9334f8c521142f8414ae26c8572b1b402922d7ae61f07f1505711c95c14e7b4df4770df4fde9d06083b3531d3460f70f3cb5f48b099b55737cd811c

Download Submit
C:\Users\Admin\AppData\Roaming\poofs.nex

Filesize
63KB

MD5
0385931abab9197608516aae98f1981f

SHA1
ede99d3521c822ace97a6ed01f29d20fe094dd9b

SHA256
8a22796214b9f883c55e0cce3b4af2c7008761289d9a1bb132161863d8b2654b

SHA512
01f41a224832d2455ec81bd3c141eb152d07c7835d13d660ab7a2650d7ff32afcf62fcf2fcf1d266fcc6a2b5cbec1c98ada3b4959efbbe91ca6a10a4db76344b

Download Submit
C:\Users\Admin\AppData\Roaming\poofs.taf

Filesize
63KB

MD5
3490b854f5746440e6b4aa0cb84d6949

SHA1
071c1c7cc5ed0d637157b64d03295f1333b9b3b2

SHA256
7e38a43791b2c18218f69613b8fbff009e3cfdb3d1841ba84cfe530cbf8397db

SHA512
8676b3eb28491f65f1c4955485dae948fe87ba65829cd13ff3be04b8868065dad7de72aa7daf658587cd488f4c6624be7735f51c3ff3ec04229784d5d9bbbcf3

Download Submit
C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\InputSwitchToastHandler.exe

Filesize
216KB

MD5
b8ca0108f4ae400ebb7169e7cee05f4c

SHA1
710b305e72129ad1ff69f9434f27f64298060292

SHA256
7a6dea9a1f132fb60fda6b9ab1c821189881d093a64dc62f7903c2a819cb7adb

SHA512
e1836c66940f82c95b5f9d97a511b0b3910b89416bd59523ad4bc442c016cfad00e58789d2a0cb52ccaf127d46073574c9e68f2790880832b541969f57cbf7af

Download Submit
memory/1108-33-0x0000000003010000-0x000000000301A000-memory.dmp

Filesize
40KB

Download
memory/1748-114-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1748-120-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1748-113-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1748-181-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1748-115-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1748-119-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3980-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3980-41-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3980-40-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3980-39-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3980-37-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3980-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4752-107-0x0000000002270000-0x000000000227A000-memory.dmp

Filesize
40KB

Download
memory/4976-184-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4976-185-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads