smaug | cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c

Analysis

max time kernel
128s
max time network
132s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
12/06/2024, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
Size

2.4MB
MD5

a239735cddd49236ae3562d43d83a8e4
SHA1

35bad8d66c79af9dabdcdd8dcebfc0440efc42a1
SHA256

cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c
SHA512

34bbfc20d82c4227f9e745f0f7cdb5ce68c684a4a84cde0340fa82601f9340fcb7d21c6060564be8580dcba8c3d1b5a16b28ab6964508e0d1ab994b59a818fef
SSDEEP

49152:czlsjR3QZgRWsu1s8thudV3HGSQFsBL55:Q2aiRWs+1Uo2

Score

10^/10

smaug ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\HACKED.txt

Family

smaug

Ransom Note

Your files have been encrypted using military grade encryption. They can never be accessed again without buying a decryption key. You can buy the decryption key at http://smaugrwmaystthfxp72tlmdbrzlwdp2pxtpvtzvhkv5ppg3difiwonad.onion. To access the site you need Tor Browser. Download tor browser here - https://www.torproject.org/download/ . Once you download enter url in tor browser. If you do not know how to buy bitcoin here are options-. https://www.coinbase.com/ , https://paxful.com/ , https://changelly.com/ , or locate a bitcoin ATM like https://www.bitcoindepot.com/ . If you dont buy decryption key or make threats then we will auction your data , passwords, documents, files, ip,router,company server details, along with decryption key via an darkweb auction to highest bidder.,We stay in business because we honor our word. upon payment All your data will remain confidential, and not leaked.

URLs

http://smaugrwmaystthfxp72tlmdbrzlwdp2pxtpvtzvhkv5ppg3difiwonad.onion

https://paxful.com/

https://changelly.com/

https://www.bitcoindepot.com/

Signatures

Smaug
Ransomware-as-a-service first seen marketed on forums etc. in early 2020.
ransomware smaug

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\gmreadme.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\oobe\background.bmp.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_History.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Arithmetic_Operators.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\_Default\HomeBasic\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\lpeula.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\en-US\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll-Help.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\en-US\Licenses\_Default\Professional\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_command_precedence.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\OEM\StarterN\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\de-DE\about_If.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\_Default\HomeBasicN\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj5500t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\fr-FR\Microsoft.Wsman.Management.dll-Help.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_functions_advanced_methods.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Professional\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\ja-JP\about_Comparison_Operators.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\de-DE\Licenses\eval\HomeBasic\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\OEM\Ultimate\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\eval\Starter\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\es-ES\Licenses\_Default\StarterN\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_jobs.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Line_Editing.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\OEM\EnterpriseE\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\de-DE\Microsoft.PowerShell.Commands.Diagnostics.dll-Help.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppLocker\de-DE\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll-Help.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\fr-FR\about_do.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\de-DE\about_Special_Characters.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\fr-FR\about_Variables.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Return.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_parameters.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_While.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_type_operators.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_requires.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\eval\Professional\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\sysprep\Panther\IE\diagwrn.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\es-ES\Microsoft.BackgroundIntelligentTransfer.Management.dll-Help.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\OEM\ProfessionalE\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\_Default\Starter\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\migwiz\PostMigRes\Web\base_images\ClickDownExpanded.gif.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\de-DE\Licenses\eval\StarterN\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\fr-FR\Licenses\_Default\ProfessionalE\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\it-IT\Licenses\eval\EnterpriseE\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_If.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd1400t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\ja-JP\Licenses\eval\EnterpriseE\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Variables.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\_Default\EnterpriseN\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\es-ES\about_scopes.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\fr-FR\about_jobs.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\ja-JP\about_Parsing.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\ja-JP\about_pssession_details.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_scripts.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_environment_variables.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\_Default\ProfessionalE\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\eval\HomePremiumE\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\es-ES\about_Path_Syntax.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\it-IT\about_regular_expressions.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\ProfessionalN\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomePremiumN\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hpc4600t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\ja-JP\about_escape_characters.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_parameters.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_data_sections.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_objects.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21364_.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_right.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\11.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\eula.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\gadget.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01237_.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\HEADER.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR2F.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_zh_CN.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-outline.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\THMBNAIL.PNG.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143753.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\LASER.WAV.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_ja.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\THMBNAIL.PNG.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIcon.jpg.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdate.cer.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR46B.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewFrame.html.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\corner.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_left.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_up.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app_1.0.300.v20140228-1829.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_zh_4.4.0.v20140623020002.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\TAB_ON.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\calendar.html.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\pagecurl.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_bottom.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02750U.BMP.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099199.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14532_.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FOLDPROJ.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_zh_CN.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10255_.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Traditional.dotx.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplateRTL.html.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_ButtonGraphic.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.zh_CN_5.5.0.165303.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util.jar.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\settings.html.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_h.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\TAB_OFF.GIF.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATALOG.XML.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\CA-wp5.jpg.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_05906ea4445b6301\Report.System.NetDiagFramework.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\docked-loading.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\PLA\Reports\ja-JP\Report.System.NetTrace.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_es-es_35ef874ad0caec6d\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_logical_operators.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\notify.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Language_Keywords.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_0dfaaaec65b0831b\drag.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_dddc28e2de1063c2\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Windows Shutdown.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\2070\eula.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..-startere.resources_31bf3856ad364e35_6.1.7600.16385_es-es_47a66c4231b590d1\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9b2e7f4377ced572\prnqctl.vbs.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..nboxgames-solitaire_31bf3856ad364e35_6.1.7600.16385_none_d1124c00155dfd14\SolitaireMCE.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\settings_corner_top_left.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_6.1.7600.16385_de-de_dab8991dcf40c3bd\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_en-us_8618b2759ddf665b\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\Microsoft.PowerShell.Commands.Management.dll-Help.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_split.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_WMI_Cmdlets.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_arrays.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\folder.gif.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d98c1b4a56b2d378\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Roses.jpg.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6aa2519d66015923\prnjobs.vbs.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_22f5c6aadf559287\System.gif.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_job_details.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7600.16385_it-it_db4800b9ab3a5067\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Characters\Windows Feed Discovered.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..-startere.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9eea396542b09367\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_6.1.7601.17514_it-it_8a2102afb657186e\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_remote_jobs.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Windows Information Bar.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpd5060t.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_Comparison_Operators.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\MediaRenderer\MediaCenter.DigitalMediaRenderer.ConnectionManager.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\.NET Memory Cache 4.0\netmemorycache.h.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_transactions.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d158ae10876efd6d\currency.html.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\undocked_black_moon-waning-crescent_partly-cloudy.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e9f79a70efa455da\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-l..epremiumn.resources_31bf3856ad364e35_6.1.7601.17514_it-it_f8991f7ac69b7211\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-sports_31bf3856ad364e35_6.1.7600.16385_none_c1c84490c211896e\sports_disc_mask.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Windows Logon Sound.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Line_Editing.help.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-l..epremiumn.resources_31bf3856ad364e35_6.1.7601.17514_de-de_14f8635dedf1d007\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_630d9bc151625afa\Rules.System.NetDiagFramework.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-currency_31bf3856ad364e35_6.1.7600.16385_none_c3b9072b536514f6\row_over.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\osinfo.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\34.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..s-directaccessentry_31bf3856ad364e35_6.1.7600.16385_none_52b3ba1508e42ec5\NetworkDiagnostics_6_DA.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Calligraphy\Windows Information Bar.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\PLA\Rules\de-DE\Rules.System.Performance.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-fax-common.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a56f103a5087f318\WelcomeFax.tif.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\38.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_18a11c58aaf4d08c\ClickDownExpanded.gif.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-pets_31bf3856ad364e35_6.1.7600.16385_none_d0d7ee773d711005\Pets_image-frame-border.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.1.7601.17514_none_1202940e4711971e\Rules.System.Diagnostics.xml.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..ets-slideshowgadget_31bf3856ad364e35_6.1.7600.16385_none_253e8c58002c48e1\play_hov.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Delta\Windows User Account Control.wav.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\SQL\it\SqlPersistenceProviderSchema.sql.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\4.png.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_es-es_150f20a903fefd61\license.rtf.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c	a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a239735cddd49236ae3562d43d83a8e4_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HACKED.txt

Filesize
921B

MD5
a30e60f273ba38de6829f0e1767f8e38

SHA1
38b1b683837c2604b0880851fa0f1a56c2990982

SHA256
c9f16826e578e396ba5eb74cbfc566a2a35ca2a0d834c38c50579a0b08f5fa98

SHA512
f09c34d68f059f8e228d93e61b148b5fffe3ac2887685b254c4e755a6d004394a03ea478a5ca10f8efe2f2a4ef84f247368efced9840d44927f2efe43f51ae61

Download Submit