99bd6452dad7eb2d9904184db057947f9bf68490b3f13f39534dfc0b479079c0

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe
Size

249KB
MD5

da3bc9346be10987c91c372c7e178656
SHA1

871531b578d12416f988bd50fd1efdec42aafb6a
SHA256

99bd6452dad7eb2d9904184db057947f9bf68490b3f13f39534dfc0b479079c0
SHA512

6a0bda49f64409ea3a4dec0818c3fcdeb9ca079d222e3cd16bcc1e59d6f0eb3515cc5fed43ab98b2346585be99bf248f7a0c50b4bbde1d6250ebe39e8a79f55c
SSDEEP

6144:iEcNClmzABdXUEq3lqivP533DtUwU1zdyI6DhTV6S:FlmkvkbJ+nldB6DhTJ

Score

8^/10

discovery persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7ED1223D-143B-1380-030C-35E70B26A60C}\\icsunattend.exe\""	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\icsunattend.lnk	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2628	icsunattend.exe

Loads dropped DLL 6 IoCs

pid	Process
2684	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe
2684	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe
2684	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe
2628	icsunattend.exe
2628	icsunattend.exe
2628	icsunattend.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\icsunattend = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7ED1223D-143B-1380-030C-35E70B26A60C}\\icsunattend.exe\""	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\icsunattend = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7ED1223D-143B-1380-030C-35E70B26A60C}\\icsunattend.exe\""	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2684 set thread context of 4352	2684	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe	94
PID 2628 set thread context of 4516	2628	icsunattend.exe	100

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe
File opened for modification	C:\Windows\	icsunattend.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsunattend.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4204	PING.EXE
692	cmd.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x00080000000234b4-64.dat	nsis_installer_1
behavioral2/files/0x00080000000234b4-64.dat	nsis_installer_2

Kills process with taskkill 1 IoCs

evasion

pid	Process
4780	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7ED1223D-143B-1380-030C-35E70B26A60C}\\icsunattend.exe\""	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4204	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4352	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe
Token: SeDebugPrivilege	4780	taskkill.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 4352	2684	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe	94
PID 2684 wrote to memory of 4352	2684	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe	94
PID 2684 wrote to memory of 4352	2684	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe	94
PID 2684 wrote to memory of 4352	2684	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe	94
PID 2684 wrote to memory of 4352	2684	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe	94
PID 2684 wrote to memory of 4352	2684	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe	94
PID 2684 wrote to memory of 4352	2684	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe	94
PID 2684 wrote to memory of 4352	2684	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe	94
PID 2684 wrote to memory of 4352	2684	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe	94
PID 2684 wrote to memory of 4352	2684	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe	94
PID 4352 wrote to memory of 2628	4352	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe	95
PID 4352 wrote to memory of 2628	4352	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe	95
PID 4352 wrote to memory of 2628	4352	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe	95
PID 4352 wrote to memory of 692	4352	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe	96
PID 4352 wrote to memory of 692	4352	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe	96
PID 4352 wrote to memory of 692	4352	da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe	96
PID 692 wrote to memory of 4780	692	cmd.exe	98
PID 692 wrote to memory of 4780	692	cmd.exe	98
PID 692 wrote to memory of 4780	692	cmd.exe	98
PID 692 wrote to memory of 4204	692	cmd.exe	99
PID 692 wrote to memory of 4204	692	cmd.exe	99
PID 692 wrote to memory of 4204	692	cmd.exe	99
PID 2628 wrote to memory of 4516	2628	icsunattend.exe	100
PID 2628 wrote to memory of 4516	2628	icsunattend.exe	100
PID 2628 wrote to memory of 4516	2628	icsunattend.exe	100
PID 2628 wrote to memory of 4516	2628	icsunattend.exe	100
PID 2628 wrote to memory of 4516	2628	icsunattend.exe	100
PID 2628 wrote to memory of 4516	2628	icsunattend.exe	100
PID 2628 wrote to memory of 4516	2628	icsunattend.exe	100
PID 2628 wrote to memory of 4516	2628	icsunattend.exe	100
PID 2628 wrote to memory of 4516	2628	icsunattend.exe	100
PID 2628 wrote to memory of 4516	2628	icsunattend.exe	100

C:\Users\Admin\AppData\Local\Temp\da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Users\Admin\AppData\Roaming\{7ED1223D-143B-1380-030C-35E70B26A60C}\icsunattend.exe
    "C:\Users\Admin\AppData\Roaming\{7ED1223D-143B-1380-030C-35E70B26A60C}\icsunattend.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Users\Admin\AppData\Roaming\{7ED1223D-143B-1380-030C-35E70B26A60C}\icsunattend.exe
      "C:\Users\Admin\AppData\Roaming\{7ED1223D-143B-1380-030C-35E70B26A60C}\icsunattend.exe"
      4⤵
      PID:4516
- - C:\Windows\SysWOW64\cmd.exe
    /d /c taskkill /t /f /im "da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe" > NUL
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /t /f /im "da3bc9346be10987c91c372c7e178656_JaffaCakes118.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4780
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsaF955.tmp\System.dll

Filesize
11KB

MD5
6f5257c0b8c0ef4d440f4f4fce85fb1b

SHA1
b6ac111dfb0d1fc75ad09c56bde7830232395785

SHA256
b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

SHA512
a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

Download Submit
C:\Users\Admin\AppData\Roaming\11.png

Filesize
565B

MD5
253393cb367ad6078c80c3ee1ced0b10

SHA1
e4e56fde8063f05fd6d09d937fc7256c7ba55557

SHA256
807b0c77c9e27c58a5098011265bc8f494ed411227cac374200819102a29e4f2

SHA512
3a62a4cba60f751cea8562433b0a531ec2ee411ba7a14b25801b42df4b0e2c85e48e1b8d878736175b1b832f279ba1d644f91cd34bf5d3cc1c279a5f503cf075

Download Submit
C:\Users\Admin\AppData\Roaming\25.svg

Filesize
1KB

MD5
81608b503510aaff28c4fc9af1a34aef

SHA1
ccaa75d99467f04f48a7ccb3e4a228039782ff1b

SHA256
c5bec41cf09f196558dd562dc223fade4c6de35cb01846dc7decb7a9db4e13df

SHA512
4ea78e56e017ec2a0be2e10e5401c54a27813c55c17eb888e9283e7b95160d45a82562aa1353dba3058a751febcb4f5e1fe6132cd50b2609d25c53cf236b831d

Download Submit
C:\Users\Admin\AppData\Roaming\403-8.htm

Filesize
1KB

MD5
0374c72114201f84bf31ecb733a4034e

SHA1
c81444b9c9a3aa5f17f5ea863ad99f00b33546cc

SHA256
436749a052e67667dd28605c2445ae2df94d60177d3cbbe6038b7fd23366bb7b

SHA512
bd0990857c6693fc4f5d7278e0f28c888fa7b7fc0ad93cba78c4c9a3738c765cd82fb8409208eecbd7555f9b8c8ecd7a6d66e0575c33340c6ab0dc7f5d9b11cb

Download Submit
C:\Users\Admin\AppData\Roaming\AnimGif.dll

Filesize
109KB

MD5
a12772cc4ef12b6ff7aed611e5a00a68

SHA1
a0e097dbd97137a6937e8d3644f3441c6ed33538

SHA256
1518750608126d44484738d36f054fc5b8903f2d9438afc2a0012bdc4b4db6a1

SHA512
8f9c58b7cc1fea94c7ae072da36d192b279997f67d2246d826858c0be0c7e4d461ab017b32c380a2725382bb0ac2a82b08b9ba081119d6f799b806ab709a6109

Download Submit
C:\Users\Admin\AppData\Roaming\AsteroidVertexInputInstanced.hlsli

Filesize
428B

MD5
b7c11d789abdf3d76a17a4fe6657e68d

SHA1
8fc9b7c5b8860510da75571bcec44555e17bc792

SHA256
2ae783861da692bc508457e5755855c365c665ec79e9e9e9158efa5ca423d0fd

SHA512
937640436dbe8cf38539fdb45678283a53e88b0a3abf5ac104d6867f3f7cf8dbf3b1e51503df369b1026b0621b3c1b0f0cc5df0436a414342d94c207665eebdf

Download Submit
C:\Users\Admin\AppData\Roaming\Brass - Polished.3PP

Filesize
1KB

MD5
b8248786b3eb332dc5214ca2022667dd

SHA1
6e0020d6f5275c868d91eac47e45cd735c9e715d

SHA256
217faf4f69bd6911776f221f6866933c72c7e4fcdbf76a1f1e050ad40228a1b4

SHA512
2312d08778de5ead7e5a1d0a52c0f34fb1f6a28d14830213b1351db5324b3759df33e190afd9cfa68974f2a3172b0b0557a4cf51be3c3a48f313891e259a4fd0

Download Submit
C:\Users\Admin\AppData\Roaming\ExampleFO2PDFUsingSAXParser.java

Filesize
4KB

MD5
7f9e18fb070fbc43175fcdaacaa674bd

SHA1
455318deab797c8110dad52fd5940865fc70a548

SHA256
204e41af4678e3ccca8dd8e36c3812f80dccbab4185d121cd4b411cd0364bb8b

SHA512
05635cb8710feb946f60cf758d9e027729d4345e4287c98dc283eca2a7efbd24214fbf4952968def90163f67c89b97dd961b3f65f8b5fa3de7d625341b356ee5

Download Submit
C:\Users\Admin\AppData\Roaming\GMT+11

Filesize
27B

MD5
41dc583620885308274e1af0be12e78e

SHA1
9f96a25b7539ebc2a5bc0661b65a03992b63e210

SHA256
f3236a2b39954dc659c25482fde3dcdc735b6b6829e3827bedb7c8c8dc72dd54

SHA512
ec50aefdae3b9e276b1ca87677dbb89841a91169350eb88da1bd61b84726c8ffd19de6ab037bc0159a16bd44587f01daa3421298640c168ac2562a66170f9e3e

Download Submit
C:\Users\Admin\AppData\Roaming\GMT-9

Filesize
27B

MD5
3e5e7f59b78835b605d1559e9806d29d

SHA1
aee36c61c7e5ce1e95fc29fe97eda4254d00b323

SHA256
d1fc281b021228c2373cdc886f786432bc0b7d95110b2f0a6bdf8e57cf48be27

SHA512
1670b3e3dbd434a337803518b137aba604865ecd51d5e465b452e51a453288dd1b66b882f22a71f8420418c2a311906d2c6185d888cecf503c578194cacfb7ae

Download Submit
C:\Users\Admin\AppData\Roaming\Photocopy.WsN

Filesize
3KB

MD5
662448e48efb6ffd267efc6416891252

SHA1
3edc621636adc986cad512105f78a69f76041116

SHA256
1c8d89ecc3f8645bfaa84d8e474fd1afa5712e2af476e360b5e8dfebae152fa9

SHA512
11f61fd75595cb563641687e8e48a6d15f2ab3eed6e32d4276932bf5c0b57ae2b6dca45e32af8e63f3c1857758bc0aa70d8d0cae06de621505e8a93b54392860

Download Submit
C:\Users\Admin\AppData\Roaming\Scrollwork.h

Filesize
127KB

MD5
de95601df137349ef6e0064b6a87c4d9

SHA1
995c16f51f878b883ef06a0e79cd341d96c8dc07

SHA256
6cc19dcfb44f9b56413935c58b24cb85a93ba24f77265716115842fdeacf1306

SHA512
f32c7bf820c5b5fd8e667c40f1f5c5ee823e4bd240d461e16b17ee86fd5350a485006c96d775aabc687a3b4bff508092e24ba85d319523346ee336d19c56c56f

Download Submit
C:\Users\Admin\AppData\Roaming\abstract.title.properties.xml

Filesize
1KB

MD5
65f6724a3f445ee4bbc44788c3b2b5c0

SHA1
d36b1be6a70f9414e39fe303f4e014ce4e59366e

SHA256
d7e074b563e4e8882c0d8aeaf8918ceb3ca9520d32ca8267ef949c67eaf44529

SHA512
648933d8c7a3da5b52c01a9898042696adb6d07f2709e26fb296ccdae0310a05126a65b5ba3319fdf732438f01a451c0f20e41627256e545c47dfe0e2fb37116

Download Submit
C:\Users\Admin\AppData\Roaming\align.fo.pdf

Filesize
4KB

MD5
73f5d492a95cf337b9d4f664eb3e192e

SHA1
dc31a94ba07adc1f398eed03941e5d1088aaaf0a

SHA256
eb66388cf50bbb7cef3332091439b21f0863825eedc83486a0843fafb6dd6de9

SHA512
45d75ef804436974dc280f5bc3e33e8f496965c6aee20b89c18eb3adae93ff3f63142e2a2fb0466f26fb427c6d60ce043839dae0ef4466527917d8c41b208387

Download Submit
C:\Users\Admin\AppData\Roaming\arrow.gif

Filesize
144B

MD5
0b31842824faacd1751abbb01ddf5fa9

SHA1
5674b77233b89be37cdcc2f869072f453c485534

SHA256
6cd839340040110df50a75eb6078718895a178b09769daf36e70978ec6ce4c73

SHA512
cc65c25adbc41813461b15716558ebef11faadbefa82b2afd16b610e54f3b978f8e4736cb7be495aaa8eec7aea295b983dec888fb1138101480d1cd816ca0d36

Download Submit
C:\Users\Admin\AppData\Roaming\base.dir.xml

Filesize
936B

MD5
f2541b73de50877fa01ca3f9a2861776

SHA1
f03b743d5bc1f94cf1baf5ca39647178050edaf7

SHA256
806ae81f511b8fb16bb9959b9b117b1205b2c9079a0926f2626b76cc555b4d51

SHA512
f6ab00a36cf38bb6688359b81c1bcc38b128f481ccd9b5d72045cf136d268faed508f0341cfb9317e3d258e0a4e822db0d69e155e2a5c4b2c5419c741f0cafd9

Download Submit
C:\Users\Admin\AppData\Roaming\biblioentry.item.separator.xml

Filesize
921B

MD5
0624de35f93fa2da5c041cbe42504f6f

SHA1
fea65b58084a2b72ba5147e88264431c507aa25f

SHA256
b91715aaf83e2b9229d2f12d558415b8a67127746b64d5d29c5110803e5753b3

SHA512
8cc41098b16a42d76b2332e9a6ebd6d832857edba28f80c1bbe2c618d9f508f9b96cdcdc2fad738aea009a76ffc69dee823e8ca851f5196be035e08d39e19846

Download Submit
C:\Users\Admin\AppData\Roaming\blue 286 bl 3.ADO

Filesize
524B

MD5
5f24f63bab50f02bf71645653cbb8104

SHA1
072accd7c6da89df9d4abf22dd71f8735a8f8b77

SHA256
098ed2558d4e638d369c200b2f32d36645549e1939f4b0dc05d895558a7c2d33

SHA512
fd108841ab259f7daa7cdd5f84cf3d7900402eda4ae253e6358da482c36568f8a6fe163ab09ef78264a66b1ec16b3d10fa15c2da35e73a1d144a29ce4ed298b1

Download Submit
C:\Users\Admin\AppData\Roaming\body.margin.top.xml

Filesize
956B

MD5
46c6c423067742d452dfe0daab667fe0

SHA1
7b76ecdbd8533f4e121d4adf02ed87b7e45770df

SHA256
b18ea1c788a98c5ebda4cef7a5a2f54b8a675d49d547bc7dfd896269e0e7c1df

SHA512
29e0c9f1e943dd2e13a9c114af2d8c1d48030b66edffb7177b9d77a99441566d3b95948790b486d04b57aa16e9f10d534c2e614ccdad119a27ae7dc5b314a778

Download Submit
C:\Users\Admin\AppData\Roaming\broadening.uqe

Filesize
63KB

MD5
f5201793d0b7538173f91f19af6ad812

SHA1
dde3bfb9f4fc6dd2cc50679004b72f86e5892d09

SHA256
d585b92665481cbf8f94c1ab00f3b462a9f24a12f9ed4e97c8d286a9a5642c5e

SHA512
8bfc2910a2ba55693dfd58ee248cc87e43646d71e6f088686e309bd1b75d0dfbf01adf513d8f2d66f777b75addc393e2c846a12c119bc725a7eaecdfab45ecf4

Download Submit
C:\Users\Admin\AppData\Roaming\chunk.toc.xml

Filesize
1017B

MD5
d676d37a6291b4f2c52a9c009646b249

SHA1
e9cc72d677d255c9a931704ceac14f06dae9c670

SHA256
8c2b119b31c6ab582ef93f9f3788f149fdb59a56ba428bbaec05f9640de5b43c

SHA512
0fd48ecf86eece84371a6aaeaa4f7a30e7cb5c2e17a182b802ec59c24f46da8309584b8c69a118ebf91be50f6dccbbc393c0ccbda9a16ecce6482cdc9d94c019

Download Submit
C:\Users\Admin\AppData\Roaming\circle_red_x.png

Filesize
3KB

MD5
3aea056e9b0b58d7f9c38be9133e8d9c

SHA1
5d11d7c5cb35e54a50fcd9278df056c5b797b4ce

SHA256
931f2c3dfd8b6838ee5e002ce4f9b0fc915096f3141bbdb14777c0d2fc44bd7a

SHA512
6ee9d352ea46533563be4bcd721aac87901e565f269fc51ee46545c822205bb6b8221e6c8055309cad1fda9901eee81acf53d5d4a33cec254e516f83f62a522a

Download Submit
C:\Users\Admin\AppData\Roaming\citerefentry.link.xml

Filesize
1KB

MD5
f5318e3b3e9ea56e31cbb672cfa327d8

SHA1
bcd6758368b4583bf80066bc1284f5a96e558efe

SHA256
e0f55229bebe71a2b94cdfb33060a28347ca69ee7480fb42bec2f2edfa464e1f

SHA512
0735d6e8fe1f0aa1e8504a5ecf86c7f576f5a3c47388f895fbd82ada7d9a5b3abbed748f33f29aa6583ddde52a9f80465a12e1586a29a94205b4475ce476873e

Download Submit
C:\Users\Admin\AppData\Roaming\column.gap.body.xml

Filesize
941B

MD5
d83849b50a657019cd5d5999d8e698cf

SHA1
7fdcbe8b3fd0adb9328775c70d60e1ff2fc89f0a

SHA256
abbf9ebf5f0d007384143e6820ddb3be0754a6f512c424fd8c29be39b53da3d3

SHA512
831002d01f906fb983de18c04055a52ef69e85397beee2a6e8ceec07d76dcd08b92e45ed4c8604eea65c4dfd36c7bd33e410a569ba703b19c11bb55f593449ff

Download Submit
C:\Users\Admin\AppData\Roaming\column.gap.front.xml

Filesize
956B

MD5
7bc409b7645ec7b8da88d7476af3d3bc

SHA1
49a73eb68fbbfbbfa799f695703b9a4b0605b91e

SHA256
e1973a32a2a0b16dda8a813c1d1096ac0e91224fbe25d16667ee93e8b76f8c6e

SHA512
0c9aaf3a4ea70d918587ce30917dcc9219a687a30b8b68fbe5969ca6136e5adc919e55d92d79fbe39f73ec3c758fb7487bcf615241948ba054fdd68043edccad

Download Submit
C:\Users\Admin\AppData\Roaming\contact.properties

Filesize
766B

MD5
511e823022328ad18c7de591b7b4be28

SHA1
3df8a77202956648a285ab2b50a32cd78eac4f49

SHA256
1d4e1132b35ecdc2970e0a2d8e2ba0ea5c0ac3b5f702eb8c17bf0255244b5582

SHA512
1be0b63108b6e33d6dbe57fa604b091a0a8b9d21204206c865eb0f6a3ce17a244645f7217b05cb2a2af140af33ba0b5e3946fdddc02270cd42a0c9816051c81f

Download Submit
C:\Users\Admin\AppData\Roaming\copyright.xml

Filesize
427B

MD5
50918be758813ccca5bbab2f2a8647f1

SHA1
f9a4c4cdcb6cae463a9e6c26ba369a81a1b3f76b

SHA256
3259d4766b04cf747efc1515d78864ab036217c6e2062cd1322b60395e3ae83c

SHA512
6097752b641fb40d83d742384d8e2d7e3fd8e0fd3ff758e7ecfc1f479a269a3f77c40616091a89a6b88e0f6f1995d4c9c29c4047d74eb79d18fd86d4d118f54f

Download Submit
C:\Users\Admin\AppData\Roaming\doc_to_epub.xsl

Filesize
430B

MD5
9fb68cf4fa0825500c0f913de8b2b684

SHA1
2ac9b4bf8f04ee993f2cc213d92979e1b8851a20

SHA256
662919f36942439de1e00a6af515b376781f37ab3fa1257544dea10bc890aafe

SHA512
58c83a224e29337af18e75345c51aecfd4619f25f1d51ea9f68e7dede5d50dbf856afbbcf07346cd333253387062b1579c2a26a85f5319a6cc4f668685b2683f

Download Submit
C:\Users\Admin\AppData\Roaming\dsc_drivers_tile.png

Filesize
4KB

MD5
92ca1541005202ad550de352644c6222

SHA1
9bb3595795ccc2f92e5c9a522556027e279875b1

SHA256
89c05910f4be67dfeecdc5101615683b1561c7fff18073850e43f6252804e281

SHA512
5755a72dc85669003808dda44576d7aa8277abc9a99ffffe236dadef0ac9f807a859202bddc1dd82fec5b73466618db09851e1e4a48ee56bc03872d5f5d3b008

Download Submit
C:\Users\Admin\AppData\Roaming\feedback.link.text.xml

Filesize
1KB

MD5
eb1b38494710a85486706cd26ecbbf0b

SHA1
e82899197415da340691a8faede249a51f139544

SHA256
dce39beb0fa38c782e99c97a2accc4a0bf0f241854a0d7a0c9cd2d2500075d8b

SHA512
ccee19adc0070128deada628d197058eb4ef9ff967c7d67b188ec368edde89a8a1bf46fc8a7027a4a64d0215108145556b7e19753e72bc51d8f21fb1fc6a3332

Download Submit
C:\Users\Admin\AppData\Roaming\get_drivers_downloads_icon.png

Filesize
3KB

MD5
2fa931ab0c127cc18731f36317b72fc6

SHA1
b021bc7565202865602ce2953c4e7d06e6fe318c

SHA256
0ef3b86f3372ca83ec1c3523945dcd5dfef986d19790000f3f5fa3c28c86d719

SHA512
f4eda357e8c8ad5cea71ebf34a156221f48d76cf26f2079c6d62bb0837918e6f15994d3345595f41dcaab894eca3b2d14f03fc3f60ec17aa844b77faca6c5a10

Download Submit
C:\Users\Admin\AppData\Roaming\{7ED1223D-143B-1380-030C-35E70B26A60C}\icsunattend.exe

Filesize
249KB

MD5
da3bc9346be10987c91c372c7e178656

SHA1
871531b578d12416f988bd50fd1efdec42aafb6a

SHA256
99bd6452dad7eb2d9904184db057947f9bf68490b3f13f39534dfc0b479079c0

SHA512
6a0bda49f64409ea3a4dec0818c3fcdeb9ca079d222e3cd16bcc1e59d6f0eb3515cc5fed43ab98b2346585be99bf248f7a0c50b4bbde1d6250ebe39e8a79f55c

Download Submit
memory/2684-49-0x00000000004D0000-0x00000000004F6000-memory.dmp

Filesize
152KB

Download
memory/2684-53-0x00000000004D0000-0x00000000004F6000-memory.dmp

Filesize
152KB

Download
memory/4352-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4352-59-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4352-52-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4352-58-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4352-57-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4352-67-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads