babadeda | 26be141d5d5d25cb277e5be51f1ab728c41d987484ecb8b2555fc85d242e84e2

Analysis

max time kernel
118s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-04-2024 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Size

6.5MB
MD5

c1f266588c8062a8298e45e60e5bf565
SHA1

afd49cc707d6cd328e29fccceda275e99c73245a
SHA256

26be141d5d5d25cb277e5be51f1ab728c41d987484ecb8b2555fc85d242e84e2
SHA512

7808379337ea5159df728b61fd101d15c14f67fbc31f6434afcb45adc39336f175837f16e4dc8c1cc5394e9e3cb5fda813271298549d15363d36a516a416b224
SSDEEP

98304:WPdx/6o/EJ6N6ExIxrnumYq429EoQW4Bf1ayqn1wD//mUuAY+V5oFqojeOdJ9OXH:WL6ocnT7pV4BDqM/ONA3zU6OhOX/+I

Score

10^/10

babadeda cryptbot crypter loader spyware stealer

Malware Config

Extracted

Family

cryptbot

cemnek45.top

morihg04.top

Attributes

payload_url
http://bojxyg06.top/download.php?file=lv.exe

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda
Babadeda Crypter 1 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\log family_babadeda
CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Executes dropped EXE 1 IoCs

Processes:

fmod_controller.exe

pid process

2788 fmod_controller.exe

resource	yara_rule
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\log	family_babadeda

pid	process
2788	fmod_controller.exe

Loads dropped DLL 11 IoCs

Processes:

c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exeMsiExec.exeMsiExec.exefmod_controller.exe

pid	process
2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
2444	MsiExec.exe
2444	MsiExec.exe
936	MsiExec.exe
936	MsiExec.exe
936	MsiExec.exe
936	MsiExec.exe
936	MsiExec.exe
2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
2788	fmod_controller.exe

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exemsiexec.exe

flow pid process

4 2140 msiexec.exe
5 2448 msiexec.exe

flow	pid	process
4	2140	msiexec.exe
5	2448	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exemsiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\O:	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
File opened (read-only)	\??\Q:	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
File opened (read-only)	\??\E:	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
File opened (read-only)	\??\Z:	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\R:	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
File opened (read-only)	\??\T:	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
File opened (read-only)	\??\S:	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
File opened (read-only)	\??\W:	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
File opened (read-only)	\??\P:	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
File opened (read-only)	\??\V:	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
File opened (read-only)	\??\X:	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
File opened (read-only)	\??\M:	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
File opened (read-only)	\??\U:	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI763E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7729.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI78A1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f767265.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBAC0.tmp	msiexec.exe
File created	C:\Windows\Installer\f767262.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f767262.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI75C0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI77D6.tmp	msiexec.exe
File created	C:\Windows\Installer\f767265.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fmod_controller.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	fmod_controller.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	fmod_controller.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2804 timeout.exe

pid	process
2804	timeout.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

2448 msiexec.exe
2448 msiexec.exe

pid	process
2448	msiexec.exe
2448	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exec1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe

description	pid	process
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeSecurityPrivilege	2448	msiexec.exe
Token: SeCreateTokenPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeTcbPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeSecurityPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeBackupPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeRestorePrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeShutdownPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeDebugPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeAuditPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeUndockPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeSyncAgentPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeCreateTokenPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeTcbPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeSecurityPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeBackupPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeRestorePrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeShutdownPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeDebugPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeAuditPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeUndockPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeSyncAgentPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeCreateTokenPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2140 msiexec.exe
2140 msiexec.exe

pid	process
2140	msiexec.exe
2140	msiexec.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

msiexec.exec1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exefmod_controller.execmd.exe

description	pid	process	target process
PID 2448 wrote to memory of 2444	2448	msiexec.exe	MsiExec.exe
PID 2448 wrote to memory of 2444	2448	msiexec.exe	MsiExec.exe
PID 2448 wrote to memory of 2444	2448	msiexec.exe	MsiExec.exe
PID 2448 wrote to memory of 2444	2448	msiexec.exe	MsiExec.exe
PID 2448 wrote to memory of 2444	2448	msiexec.exe	MsiExec.exe
PID 2448 wrote to memory of 2444	2448	msiexec.exe	MsiExec.exe
PID 2448 wrote to memory of 2444	2448	msiexec.exe	MsiExec.exe
PID 2180 wrote to memory of 2140	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe	msiexec.exe
PID 2180 wrote to memory of 2140	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe	msiexec.exe
PID 2180 wrote to memory of 2140	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe	msiexec.exe
PID 2180 wrote to memory of 2140	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe	msiexec.exe
PID 2180 wrote to memory of 2140	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe	msiexec.exe
PID 2180 wrote to memory of 2140	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe	msiexec.exe
PID 2180 wrote to memory of 2140	2180	c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe	msiexec.exe
PID 2448 wrote to memory of 936	2448	msiexec.exe	MsiExec.exe
PID 2448 wrote to memory of 936	2448	msiexec.exe	MsiExec.exe
PID 2448 wrote to memory of 936	2448	msiexec.exe	MsiExec.exe
PID 2448 wrote to memory of 936	2448	msiexec.exe	MsiExec.exe
PID 2448 wrote to memory of 936	2448	msiexec.exe	MsiExec.exe
PID 2448 wrote to memory of 936	2448	msiexec.exe	MsiExec.exe
PID 2448 wrote to memory of 936	2448	msiexec.exe	MsiExec.exe
PID 2448 wrote to memory of 2788	2448	msiexec.exe	fmod_controller.exe
PID 2448 wrote to memory of 2788	2448	msiexec.exe	fmod_controller.exe
PID 2448 wrote to memory of 2788	2448	msiexec.exe	fmod_controller.exe
PID 2448 wrote to memory of 2788	2448	msiexec.exe	fmod_controller.exe
PID 2788 wrote to memory of 972	2788	fmod_controller.exe	cmd.exe
PID 2788 wrote to memory of 972	2788	fmod_controller.exe	cmd.exe
PID 2788 wrote to memory of 972	2788	fmod_controller.exe	cmd.exe
PID 2788 wrote to memory of 972	2788	fmod_controller.exe	cmd.exe
PID 972 wrote to memory of 2804	972	cmd.exe	timeout.exe
PID 972 wrote to memory of 2804	972	cmd.exe	timeout.exe
PID 972 wrote to memory of 2804	972	cmd.exe	timeout.exe
PID 972 wrote to memory of 2804	972	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\adv2.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\c1f266588c8062a8298e45e60e5bf565_JaffaCakes118.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1712002920 " AI_EUIMSI=""
2⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:2140

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2EF1C781D79FB1A53D51055381D7D9A4 C
2⤵
- Loads dropped DLL
PID:2444

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 56803FFE5EB14D1CD9DC713324C2F8BB
2⤵
- Loads dropped DLL
PID:936

C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor\fmod_controller.exe
"C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor\fmod_controller.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\CCkPWpMr & timeout 4 & del /f /q "C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor\fmod_controller.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\timeout.exe
timeout 4
4⤵
- Delays execution with timeout.exe
PID:2804

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f767266.rbs
Filesize
25KB

MD5
4ddf2faedc0b5f875f8d87691a5b59ee

SHA1
50a1ab894bf91777625bec9c6492f5da58667c28

SHA256
b88fecd339c29a272ce8dcf359b0817b272941ca109e593499e4d24b8e27d1b5

SHA512
3dd32eb7a8125c4d7b7b9748a95565fbc21c674468376c0dedbfadf155efaffdc9113953ab0a1175aaa2b2bc1e73d4aa0fb751440cd45f067513c278c2bfaa05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c32e88334bbd32d18b4c61eff5cdeba2

SHA1
a690963e9d94495bc59ff20818423a7733623486

SHA256
f14d378cec54395f282cd1fd3723c45e10581dbfb596bad46b35abf3ff736669

SHA512
79dd89c7647c30ef489f8d5c17428d4bef4fbd5ce8bbfcc8dba9ee433dcea3d3019edb3e1cd25205fbaf8a454360df6a54d906596e89900b67b701068d72d970

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0aa32cfac7f45dc847411efcd6b58598

SHA1
4cd7a9de6c6f0d36572eaa3d6b5bd21086d6df0a

SHA256
fc4d65953963987249e02009c9092059af42dc3fe99c989419165b8a193e0017

SHA512
3030f80b913ac07b52592d4e66c4e5fac03ce7593462b42c6037e7a057e714bf64103d588ef3ecb2a0f93c40a04d90258695e36b49607350c2e73abfc91f9af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab621F.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab712A.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6D7D.tmp
Filesize
393KB

MD5
3d24a2af1fb93f9960a17d6394484802

SHA1
ee74a6ceea0853c47e12802961a7a8869f7f0d69

SHA256
8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88

SHA512
f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6EF4.tmp
Filesize
866KB

MD5
0be6e02d01013e6140e38571a4da2545

SHA1
9149608d60ca5941010e33e01d4fdc7b6c791bea

SHA256
3c5db91ef77b947a0924675fc1ec647d6512287aa891040b6ade3663aa1fd3a3

SHA512
f419a5a95f7440623edb6400f9adbfb9ba987a65f3b47996a8bb374d89ff53e8638357285485142f76758bffcb9520771e38e193d89c82c3a9733ed98ae24fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6260.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar71C9.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\ChangeLog
Filesize
34KB

MD5
61b5298a4f6b7b33ae8d26ea6b76280f

SHA1
fda284cf4780a5e7b4337ef1075db1b05a89ec2f

SHA256
7238705dc4c5cc59cf320e6eddcae520c65b217afe9f8ef32437a34cad12174d

SHA512
e14d5e1e49a59ef71ef1e3ed6d65aac54f2ec005f27ae145c285dce71552c2773092f0d7e606e86520aa4f88a8ac3216b3a7a9510e5a7db1dbdd2bd739e64b54

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\Microsoft.Win32.Primitives.dll
Filesize
20KB

MD5
5b2b93ee8801c83b4e652c7fbabf8c83

SHA1
89a8df867ccdf916881234db9de45ed4c57e5b0b

SHA256
7a1462297eb910a44c35062e021723b5553346407dc52cf013e78c8be032331a

SHA512
1d3f06f8bd04e6b85748e09bdd1e5bc6ee14f4bfdc9cf426fa76d3a268fa537557d7ad4fede1ca2e263a2462272bdb294c9d907e6f7579c60cbaaf1db41a41e9

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\Qt5Svg.dll
Filesize
566KB

MD5
7b80103c5e287dc427a6e9435ab05f35

SHA1
272f90165ff6d440e2d4ce21f69eeb44ac8a5c9b

SHA256
25ad9cf13bbef3b7f7f99c8effc25aedd20dcf8b2455e4b685ebb27d510f9ecc

SHA512
522037c7aa50cbf122d1e11e1b0284afe7b7f77dc6f1fafd89d803816e8ab92a98b8f9a14c2cca45bcc475405f4b6c89ba9da3973572982a903d38fd6bfff2cd

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\Qt5TextToSpeech.dll
Filesize
114KB

MD5
99f5b275115a749309c0febb2c553a2a

SHA1
c3383e554c5c8d66ab1656603ff4f6d23568a520

SHA256
f4f008cec54534178cfd7164871adf4962c269e2b44d22491c580d2d589358ae

SHA512
f80ad1e94ae58ac5404e8a548200ec01e4941dd2460fa470fb6508c2d9a036d7d12f4547731999bd7dfa7ecd8b4bdf8a6ee4ad3d32ff07e39f6fb99ce1cb1f69

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\Qt5Xml.dll
Filesize
374KB

MD5
2d7b4de29e353a852df47f79f5f878a1

SHA1
1f26edde5f9ed6bace9c843d4dc4257045abe956

SHA256
13eb7cbdcee32f08aeaca83f7beea41212cd22cd4b028572ea46b209394c88b5

SHA512
5a9dc9a2304c8e6c28a78786425e1f4e921b36e8ff44a802adcb19ed582a694a03679b38d342ef0e1b29e1e4deb94d696458865ed9799621f0bfc776da44cca3

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\README.txt
Filesize
8KB

MD5
7539e219a0d2331524b97605c4fe641d

SHA1
718d7c209915ff4944a81ef38701542d63ea30e2

SHA256
3f169438204953468391d382ca1813c54a0301b733c59bef9178c2d55e9e7e0b

SHA512
c8886ba4445e612bedb7c9f8b8b7044c016ea45ad5f80b1a9082707a2b7c5334bfe6b7ac8df4c2f603d0bfd1dbb727691d65e3a6c14acc78104b869c9bb97dca

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.AppContext.dll
Filesize
20KB

MD5
82e7fd917dfd1bda64ab990606d90bdd

SHA1
ab92034645c77737b6ef482e18296e896bea3751

SHA256
f0857a7c3737b0e80d9b4a9a986acb69b0d18d1fe0adc3b1e05d81f02ceb103b

SHA512
81ab0c3a10d64cdb0bb03ff65a10c3333d5ee91f21404acec41eb638a9eae77d38f00f18758d4cf8480910905d677349c71e762bb44a1ff4068084d5205c6f51

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.Collections.Concurrent.dll
Filesize
20KB

MD5
939cb89fbb0da435b9528d9edb3feab0

SHA1
3825f2b13d43f34330bc278aeeefbbbfd95239cc

SHA256
9c887cfd9e21e9ee31ab8232248059b677f9a3086b033d38fbad053b4f20bc25

SHA512
4159cf39f29198942245e3a16a67e8b3fe54e871af407291204b5f5df2a76c2829680ba0d5bea261e31335bab2b6b8afa5a895bf635e515c94059a122dd36a1d

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.Collections.NonGeneric.dll
Filesize
20KB

MD5
a3fdfde8c2f6259a3da55919679dda3d

SHA1
a36bc9fd0fd5319a36c523ae0c565e6670e6a403

SHA256
0f63c8b909689effec4c17122ff4336a14cc9c296be28d6172a11c5d8bdd2ffe

SHA512
4a917ec7f626d85cd24ed5518f29bf8acc546d34b8f86a2cd00634b54ccb5c9bc7725707ffb42c08d3ff008abfa5ffef07df3263c13c0796ed7e8f98c6200832

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.Collections.Specialized.dll
Filesize
20KB

MD5
f72152d834fbbb9c0d70a2822e0b68cf

SHA1
49eca7ac3d34ce69a1d48c0be56cdd13995adbb3

SHA256
ce3dd8b3cb2bfbbe5cdd1a339e593ad604f6bb6eb4f981555a3f53257609c8e5

SHA512
3b8018450aa7676a35fdc8bea1997d67e45e945522bd7ac963ef0ccf574aa6df67dbd85c8773d704b0daab05b20f6d79c2ce2a42f10610f73a303246d44078bf

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.Collections.dll
Filesize
21KB

MD5
4a264d07346dc69303bbe6e26e049883

SHA1
e093758cec19749f1d92b280b42aee86d4224fdc

SHA256
e256940626e265de760586937ce5ed2a45d9b91c96e1fa768f719682505db5c2

SHA512
d6cf4024cee7679b73f1b9aef749728a3c0851934016ab391315c955689dfa3595a8f6e2a9580244ace991895b4e255a65977490264258bb9f3c98f9370b33c5

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.ComponentModel.dll
Filesize
20KB

MD5
4f167e1cf791cefa55fde1949dde7d2f

SHA1
08badaf0444ca34230d82af4590f44c7ade78533

SHA256
df1a7bc429159db17be8c79a2dc56c0fa54c6a7e5174d5082f7ece9b67a4f982

SHA512
d804f60f3d2b5891eaa38ff683194924a705aba371c872e8bfef2325c90b7bf910851cbe89cdfd0a66cb1bf801bc25c92830b37947a7e60df8fe6bdcb53de15c

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.Console.dll
Filesize
20KB

MD5
564d1a61bae30f01c20a5808e8f7a82f

SHA1
e6039eb23d3a10ff31e40851ef0dd594c5689712

SHA256
1ca9706a4593bcc3b232efb14d2497812ab1797bf112b16665c6674c42fdc061

SHA512
c546a8d4dc852d133baf576e81bfca16763ca0e94c964d657cedbbf3153c64fdbea79329fd2a9d7ff04a0f28720a61e6d0255f8db91ed91dca2f56aaec5b5f4c

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.Data.Common.dll
Filesize
150KB

MD5
689b12c7a06ce496f0fe12fef990b3f6

SHA1
01b2a93bc4ca69818d3bc9a7b5dca58cdb5380cb

SHA256
aa69eebe18cf7f7b19d8523703c73e4d2639affc76babbfb2ce93664bbf06329

SHA512
b4fa3f0b9949626f7db9e6dd5259c52683a2e0fccffec222b1bb8ba086d7098cf580f887456753e80a95d248748ab59fcad59eea68204d37879af099cadcc3f3

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.Diagnostics.Debug.dll
Filesize
20KB

MD5
cf668ba196134d611d7b4fac0b571e8d

SHA1
2a960aef8bc74c7893dd225398298ce8b912ab10

SHA256
2769f8bb522846338bbe9aafb10381f64fcbdfbc6929a848463b8b9857f1d4fd

SHA512
302ca14e3c1985f34656c48dc175951d27dac6696724f9db33c0097314aba677f244421677ca1a5949a7d7a11077a0f564142d1136998127c216616f42abed5f

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.Diagnostics.FileVersionInfo.dll
Filesize
20KB

MD5
54ba6e35897cd238118b745c84d579e6

SHA1
07a9a5f273a65796ae77416a0d35905e949e3257

SHA256
a354569ac90b53002c7e447d72795013eb20c391d01b73197688057d07bcaa42

SHA512
2f2fb02c76bc1af89a6d97b8c0b9c2a6b176f912d2d76e3acfb5d5cf4741e58f6dd1335bdaf626c7bc92c256eb353d534f718b59e4e52bded9907e604115a5f4

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.Diagnostics.TextWriterTraceListener.dll
Filesize
20KB

MD5
2967113593429927e7938d95b5d3471c

SHA1
34a84e6878172df939f9748279490e1eb4533926

SHA256
d8631076802f2e9b690998c65d8e7f0bede7a772b3c04e7cba5f3391c395a9e1

SHA512
502295d8eec6acd1c7e7f4f6759bbbfbb452b7581b9e10cabf0b9735737e0baa61bba0e32bb4688f0ba43fef445e5728c7001a9a364118c13eac3d3332f13e3c

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.Diagnostics.Tools.dll
Filesize
20KB

MD5
bd36e482e5cfde3c791e62143dc5deb1

SHA1
32fb1bd024be0b7a2af182739fd384bd74610844

SHA256
d9562ec4dc0430ff3ab66a5d0238b72402ebdb17ceb31eebdb1daf91768c7d4d

SHA512
6e128b3bf3850c1972fd8fc8cee4d82ecb7dc98fe7c5a8b887523011dc270dccbb99a0d5496954c7a156ae3c92ff3435d30c0a87768e2dbcbbf8672b9e68cfce

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.Diagnostics.Tracing.dll
Filesize
30KB

MD5
e338e2a9e8e3325d696dd18f46a6d82b

SHA1
eb907bd53f78b91e5fcf27fd76050bd682d80e0c

SHA256
5052b3701850537611da44858a0a8feb4b4cc936cd5bbb95b64cea4a987e5860

SHA512
ed015b37851138a2e503bce8671ac81d158948cfc3e8cde9ab751c8264cfb1da56b1f02fd281921b3b0e1c1f42b7b5cf97360c7ee263555e21fc51ea0162c4f2

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.Drawing.Primitives.dll
Filesize
20KB

MD5
61b6fc62c4003ce711377a97cede84f5

SHA1
3b8f870b0da16bd6bdc6104aa44d036b24b61ac0

SHA256
2ff0d64f6d9bb38e15208c4d632c767a669a68e6b41adb0f27d99528b801ee3b

SHA512
611707f5d54dfffcbe5cb58204c925cab6ba488ffbd82a5c5efae9d1cfd10cd32205e5d05ead2cf7f8a3f5b392ca7538060a87695be40535d6657542b2043ab0

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.Globalization.dll
Filesize
20KB

MD5
a25d659fff26c73b2f34ba6b92c84551

SHA1
69e6bf884f40d6d78e3c4f5f1d0103a666931619

SHA256
f4e9f919b625dcc6e2a5d0c76308543c71b7c3a6314a138058e7fa9f3426b3ea

SHA512
7f5632cf8aaa380e1f7c76b54c1efb5cac0412647a0f2e1986af07ed9dcf89b8c4563178ce79e54ef283e487706f61c156bffdd5a4b42317b39d74a92e236bb4

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.IO.Compression.ZipFile.dll
Filesize
20KB

MD5
c4c4e310f604a98404f756bbd2d1fa6d

SHA1
2991e215a479ea048cb53f328b740db610547b75

SHA256
1209835143aa950e64cb9d28c565fae7f7df5278c013af621f4e689527279bfc

SHA512
f498f05bb85381cf9f91cc0a60eaab8a4798772ce18cf8c53329061fa461582a970b37d3578a800c80d8c87d8954d976213ee587894de51ac1ebd79422ab0f1b

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.IO.FileSystem.DriveInfo.dll
Filesize
20KB

MD5
ab0b6870db47e35d54bd1809b4c60466

SHA1
09beb5e11a689205694dc3ee3bdf6a66b6eebfb0

SHA256
f09acd2d42983a7683e34c772e73c02f542450b681852836f2472d6977b764e7

SHA512
ed24b929666268e6a959bc2331e46cbaadc7a9b38e3da10078ae5d8ffff77a9d8d1757a0bad1fbc699156bc4471948f008b624c2a6c4eb35b58fe4758eb4199b

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.IO.FileSystem.Primitives.dll
Filesize
20KB

MD5
f764b511af044c89927070d413f54197

SHA1
fe6726705fb76bb64c11c787599cb044799a3f6c

SHA256
00762994e600cd4db1ef21c7161d808ddc409cadeca547ef49553f3a4d920ed8

SHA512
08dbc68b3ed5b519828537fe1c97158eff6754dcb219001c65c1ae344b2d8bbd6e3ac19c2d34977a23f36da3a67df8f9e94b10780cbfb826bd4e448960d765bf

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.IO.FileSystem.Watcher.dll
Filesize
20KB

MD5
6ac5596f4aeb88842716640ae1047045

SHA1
fbf23bf89732b8b32cbc123830f20b2c2147ea60

SHA256
f875e323e57d704f1b17c84c7bc50f0d1ffcb0bed08c5f6af74a60fccc04c3bb

SHA512
ecb1f8d458e3f6b14d9086772f2f0ed33bf00f7f9b778f6896eaa45e38bbef493184f2296ab14588f3eacd698a5a96fb8adee6fb944a1553d50713bf5227ffce

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.IO.FileSystem.dll
Filesize
20KB

MD5
5e1824522e05f3612bd8c4f599763a86

SHA1
3372d225504cf30df6d3fd0e9b70f07ba34a8166

SHA256
ebfaa7aac28863225ca4e55305c2627239841d7e0070fa4567e1aea6eca6fdcf

SHA512
10234a737a12f25ba52b64a78cb9fb457fe10f83707a0fdc85b0ce357c6ec3846774cdf7476f427828476d12639382d2f20e5e69f863b6d5a98461ffae91e239

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.IO.IsolatedStorage.dll
Filesize
20KB

MD5
f37c2957428bade9781b58f1fc32b576

SHA1
94ad0c9e7b3fc0b3c56ac7574f429a43e6db67fe

SHA256
b7bdb4930cfd82361b2f59c164aac4687798c72e3d0e0c73d21ca7516f19adc0

SHA512
301494cd941a5e4aef6ad7d6f02edb13d183625d18f240a37bb9b7971d166ba4c8c38da11c05a9d9080defa0ab1a7057dda47e98eeebafda01035339e380624b

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.IO.MemoryMappedFiles.dll
Filesize
20KB

MD5
a58039e022feca900e6db589672c7ad8

SHA1
804333e184d8c7f306bedd5a86e9134461c0226a

SHA256
841403493c0b651bb2d78d0befe912d438ee60e406806cad21b9a30f227323b4

SHA512
1c4cecaf1579f0a67ba18d0b7ad50edd2afdf16c98770e801affaca358a977bd2108327723d4173d95b5c86fe8bd6cf0bb6aa2dce69c84ee5c83049ec07ad88b

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.IO.Pipes.dll
Filesize
20KB

MD5
004cc9cbffb46f50c1f037002c3655ce

SHA1
86947f12790e70bafd4c3f72cad8e386a6015d04

SHA256
0f387e9591a5613ef02da3c6d32abce4f9c3e1e577a3ffd0cef85c345a3fa1df

SHA512
69d1545c912d82d6ec1eb928e16e0c1d45c9a04e980adfa77f7a764a7f5b642c91b9e74ffa3e5a33343453bcaedf0aca31258f78495cc3c10e771ae1e917e7ac

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.IO.UnmanagedMemoryStream.dll
Filesize
20KB

MD5
64abb65b37b941b10b119ef32531b50a

SHA1
9cf171c463f11575fe0a7a507101da6177cd10fc

SHA256
a0c98af8925ac0ab86c1f768f9ccac1cbcf19027b23814f64860d3f28b686fb7

SHA512
a5708fec9d02449409a931b8fd998fc27f6c7ea2a0f32a7a73707550ec298cdbf5ab9ee13388c5a01f6f3ff9e99fddfe8cf563c6f8e55f1ceb55139c1178efeb

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.IO.dll
Filesize
20KB

MD5
18a32afb2c4d9638bb0bddc1dee60788

SHA1
1e76b32a88cb2fb7bd0caf962636058426dd6230

SHA256
f534d81c3f035c5b91c303096c4dc5b4d46f6d75ad5568eaee92cc9dc6aa75f3

SHA512
48121a28644b8d46b2ffa129dbc3061712eb6377c6b1d76df577fb9929cd1c48bb0deecb5bab1f43293918f3b7f453b880b4fcefc15019b4dd290ae36cb71c88

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.Linq.Parallel.dll
Filesize
20KB

MD5
0f96d351df2db95d86d9615372df8872

SHA1
b300ac53ccebc21cff5ae5c2d3c4478b1c9db93e

SHA256
c1972d6526d942152b3c205f87cf6628bf4f8fd88a981fe013b198a4900e2a4a

SHA512
09fc6384f93da497ac0d51065da592f6b83ef488f44e684fd9593e5045b8c9ad184d4f2fd9c2a2193f816db7b7496988c41e9710c16709b8a9aeeadea3ea7996

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\System.Linq.dll
Filesize
20KB

MD5
6d6917bae13e128f00d95da1fd3f191e

SHA1
4c5ae1e9e7e4c8147f913c350a9b4561ca3f1851

SHA256
dc9ea055006a22a2faaa81b37d48a8ab1c98127b158181fd894388bd6c2049f4

SHA512
eabf0f2fdf1f29f425f04198c920451bb686a900931b9dfe418b62252c7d025936784fa0251fc7fb25809e4933c8e1f872b8290870c8afa2b24177750a24e105

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\Warden.dll
Filesize
49KB

MD5
59391cfbee2a880611a8a77582f2824c

SHA1
41f8bc228a5988668ec8556cff1e9cfb107ecb98

SHA256
24f05a73da2e34c4ad3c67779cae8214c9f0e3e19a217f6a917e8d42abc42669

SHA512
a145c844186db28194417094e191e0f1cd225067ffb44dca32ef46bf70ef72145bd0132e6cf7f5d20c49e2ed94c8058c7ca4a6744cabf866ee5b97f2e568a4ab

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\WindowsInput.pdb
Filesize
45KB

MD5
50e869af7b21aecb7598627f9d90e3ff

SHA1
e1b081b0619d8a63070d2d0e78c0ce760c919e6e

SHA256
ab913e1b256c09628963e9bc1c20c8c20ef29b408289a4b2655293f3fd4e7127

SHA512
72ba511de08f0aa7abd3962d4e047adbe137d7048a251490b88a9ba97a6b96227b3f74a444a6c636331dadc5b32ccbf59d93b087045fdddcf80170fa52a0d7c1

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\ZetaLongPaths.dll
Filesize
61KB

MD5
09374c4581177a8c866b866f108c8958

SHA1
05f861bd4d4c038e8181e83a46e6e93bc04ca5df

SHA256
8af34db2c25f4387b878b2311ef60e74c4f83774c779689393199ecdb039baa2

SHA512
2099c97a43c59592c3af3ccd45551a883ca9654fbb1a1b98e4241693b60ef982f688a55488f394476cedcacb850a18361002179d383ea3a93bb98b31a5c0371b

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\adv2.msi
Filesize
2.1MB

MD5
bfd6d65846436c788f1d3844ddd3b5d1

SHA1
1f80453086be437e94fe06b59d4b3ef6627f5d0d

SHA256
9eb9febc1bd10833601a2a0f7da7b6381c7d6b10517da70b9deb2c435830254e

SHA512
93b7e36d5d47b43f1dbe3073a8140fd251e9a41f67b7abbec75c6c5a80794a3e7386b3657fcf576688e8ebd94ec6be8732bb530ec8a862fe650dde5a2918c3cb

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\fmod_controller.exe
Filesize
3.1MB

MD5
4039fff45e6d256b50efd4221b17ff8a

SHA1
bd61e6caa86b8468bf2c6783a310ae8fa704bb63

SHA256
49baafe9295647ba39119db2fb30410a9f241f8ac229c8780f03690ebea4617a

SHA512
88e9ef0a14ee70647097348b2f01d4fc50214c24dde23c7c8c33c8f8e58d8f7a8924fd8f4940d4cafce0fd7619d987fd136d56fb37dcee3151495104dbdd5f93

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\libEGL.dll
Filesize
67KB

MD5
2874582e39562af961a6d1c59447459c

SHA1
3cf7d154637aac69913b1f549938a21c7c4b16ba

SHA256
b1070d55627c2899d5928eff2f2e3187537162e93e189458fadd7ccfd6a2ca3d

SHA512
eeca63a7020346bda9a399b83f4e57b6b54bbb222c4a3cf7191ab7fe0271f6473bcc58f0e60ce5f7d5cbd57298b858ffa042b62ed9a9be0806e08e4c6f5c7091

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\libgcc_s_seh-1.dll
Filesize
74KB

MD5
534b365361004828059600f05b34006d

SHA1
d8ff411b0939a021f47c845c6a90f1240bab5268

SHA256
438ae82ffd621a2413199155574cc85681f8986f05420b1485aa4be936c3bc0b

SHA512
1ccb3732a82f2fedca85c27afdd48e65dde70d5b1620e436d457624a2cb796887c5e7dc2983a0794ebbbcade3e5b9f9fc9320b390894471993c7b1e85268592d

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\libwinpthread-1.dll
Filesize
51KB

MD5
db18b7ec5f93127e6099744ea9568c1b

SHA1
e9143c76e308a816837e2f1a19dd0c5e2306ed08

SHA256
5bbef249a0d00e2d32c699d0bbe89f714ebeb872b3990a5cbeccb1d89f63e5e8

SHA512
ee1e645bed0bc3ad9e959d6342153e608ad21a7f5aef60b4cd8cc96fde7aeec4bbbb7474b59cab8ced8f28dc9f66cab32f4825333c891524901dcc40e70a1580

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\log
Filesize
544KB

MD5
fd88c733b5820b0cdfeafc3d751386c5

SHA1
d881d034e66e79df4784461cd3c58f4cb0699247

SHA256
c551709bbcf31c92f9af06a632773ae86dbfb17c80bd565c4f315a8034261b06

SHA512
9bab0e7812d9451b6ed0a50fd8976e8fae29b42fdb7c900e21082ef424763ac8f7b81835bc2b18cb25b0cebf9996577e74612bb8c82f646122ca6ca7a42a0bd7

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\netstandard.dll
Filesize
96KB

MD5
3501cf072f2a0aa167efb5e2370efc1e

SHA1
1de11fb25075e81250c4c47ad80265cc98c44c3e

SHA256
dad6aa523b80f2bbfb2b3838ade29ce6f4a7a634f66df50484f05a63905df60d

SHA512
66f5a62a3c8cfcd1b55f65b48134cd1ea7766c165722b303b73a50609ce8546d678acac292c999d5932112ec195a890ebb3645f5e44bb2c2ed951fa09b6cf53c

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\00AC18E\ue32ctmn20.dll
Filesize
2.3MB

MD5
ac083ac90ffaf56bc088dcad9d54dcd1

SHA1
1875e63037e8f8e21e6e8fb9cb56ca594b418831

SHA256
be70e4b579d34a9f712d32a54ec59917dd1074cd0a06c8b90a4ba1cfbb31ec67

SHA512
f95bed8b5fadab1bee5dc5832e95e7393d4cae424a0a556933c131da8484a667df7b66b740202d07f0f866a3df31db87c071f241398099bd678bb2efa4baa2a3

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\Smart Text AI Processor 5.2.13.5\install\decoder.dll
Filesize
202KB

MD5
454418ebd68a4e905dc2b9b2e5e1b28c

SHA1
a54cb6a80d9b95451e2224b6d95de809c12c9957

SHA256
73d5f96a6a30bbd42752bffc7f20db61c8422579bf8a53741488be34b73e1409

SHA512
171f85d6f6c44acc90d80ba4e6220d747e1f4ff4c49a6e8121738e8260f4fceb01ff2c97172f8a3b20e40e6f6ed29a0397d0c6e5870a9ebff7b7fb6faf20c647

Download Submit
C:\Windows\Installer\MSI78A1.tmp
Filesize
573KB

MD5
2a6c81882b2db41f634b48416c8c8450

SHA1
f36f3a30a43d4b6ee4be4ea3760587056428cac6

SHA256
245d57afb74796e0a0b0a68d6a81be407c7617ec6789840a50f080542dace805

SHA512
e9ef1154e856d45c5c37f08cf466a4b10dee6cf71da47dd740f2247a7eb8216524d5b37ff06bb2372c31f6b15c38101c19a1cf7185af12a17083207208c6ccbd

Download Submit
memory/2788-471-0x0000000001070000-0x0000000001395000-memory.dmp

Filesize
3.1MB

Download
memory/2788-477-0x0000000001070000-0x0000000001395000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads