14171b192cb15343a25959e1f96fe58f4a2e443209d9fb125e33abbd7970c346

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13/06/2024, 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
Size

113KB
MD5

a3a82c32cf51689050f1d4d38d81e155
SHA1

141822ddc25a38e1d2cabfd9acdac35caade902d
SHA256

14171b192cb15343a25959e1f96fe58f4a2e443209d9fb125e33abbd7970c346
SHA512

41688086b320fc98b74c9df52ab7b61eb522509c83bb0e50ec4240a89d49a3a182953dddfe301131b706b1ee475c8812b7b3d61cb3e481fe0d17ff135c79c510
SSDEEP

1536:Lwql7JmQ9g7fGqgkhB9I4BcDQX2oooD+AyxArAIVJ9bayZbScKEang5V2pL:uBjGW5I46QXMmAIX1tanUV2pL

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Loads dropped DLL 64 IoCs

pid	Process
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
2972	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ACLControl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ACLControl.exe"	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ACLControl\DllName = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ACLControl.exe"	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ACLControl\Impersonate = "0"	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ACLControl\Asynchronous = "1"	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ACLControl\Logon = "ACLLogon"	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ACLControl	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\com\en-US\comrepl.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\cttunesvr.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\chkntfs.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\ftp.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\auditpol.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Autofmt.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\BrmfRsmg.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\choice.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\comp.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\it-IT\migwiz.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\dpapimig.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\arp.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\bthudtask.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\dccw.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\eudcedit.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\bthudtask.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\extrac32.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\AdapterTroubleshooter.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\doskey.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\DpiScaling.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\getmac.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\cmstp.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\autochk.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\choice.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\cmdkey.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\dccw.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\finger.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\DWWIN.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\gpupdate.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\cmmon32.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\ktmutil.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\cmmon32.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\charmap.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\forfiles.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\at.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\fc.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\de-DE\WMIC.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\eudcedit.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\it-IT\WMIC.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\iscsicli.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\diskraid.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Autofmt.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\ktmutil.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\cmdl32.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\dplaysvr.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\bthudtask.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\dccw.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\de-DE\migsetup.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\EhStorAuthn.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\eventvwr.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmic.inf_amd64_neutral_b94eb92e8150fa35\vmicsvc.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\dvdplay.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\bthudtask.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\hostname.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\compact.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\dplaysvr.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\attrib.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\dialer.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\autochk.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\diskraid.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\compact.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\ftp.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\hwrcomp.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\find.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\en-US\Sidebar.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\msinfo32.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\es-ES\FreeCell.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\wordpad.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\wmplayer.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\es-ES\Solitaire.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\it-IT\wordpad.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\ja-JP\PurblePlace.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\shvlzm.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files\Windows Journal\de-DE\Journal.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\mip.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\setup_wm.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkWatson.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\Sidebar.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\de-DE\Hearts.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\bckgzm.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\it-IT\Sidebar.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\wordpad.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\Sidebar.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\chkrzm.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\de-DE\WMPDMC.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\fr-FR\wmplayer.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\en-US\Solitaire.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\de-DE\wmpnetwk.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\WMPDMC.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\chkrzm.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files\Windows Mail\de-DE\WinMail.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\de-DE\WMPSideShowGadget.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\fr-FR\WMPDMC.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\it-IT\wmlaunch.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\WMPDMC.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\bckgzm.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\es-ES\setup_wm.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mip.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\fr-FR\Hearts.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-notepadwin.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f4e91ff9e4f148c8\notepad.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..-coreinkrecognition_31bf3856ad364e35_6.1.7600.16385_none_498d334c14a3b9bb\hwrcomp.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-explorer.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6c077ffac1da853b\explorer.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_windowssearchengine.resources_31bf3856ad364e35_7.0.7600.16385_de-de_75bf6e6e7351e7b2\SearchIndexer.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-at.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ead71ea9d8c23713\at.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-f..ger-utils.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7b1202d6a314d68a\fltMC.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..nistrator.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4017446210fdfe81\odbcad32.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-unattendedjoin_31bf3856ad364e35_6.1.7601.17514_none_113aea0e8374286d\djoin.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_53e89731b078cab8_sdbinst.exe.mui_258ad624	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_bth-user.resources_31bf3856ad364e35_6.1.7600.16385_it-it_59aedbf5912a46a7\bthudtask.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..utilities.resources_31bf3856ad364e35_6.1.7600.16385_it-it_120176c01f22f4fe\print.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7601.17932_none_d26a33ec18cb49c4\conhost.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..docs-main.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4c687a0442f05be5\sdclt.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..serverbox.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2840d40276de7820\RMActivate_ssp.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..commandlinetoolsmqq_31bf3856ad364e35_6.1.7600.16385_none_851e6308c5b62529\quser.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..dlinetool.resources_31bf3856ad364e35_6.1.7600.16385_es-es_059f0642d7c8765f\sc.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_netfx-applaunch_exe_b03f5f7f11d50a3a_6.1.7601.17514_none_99931ad927972550\AppLaunch.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..layswitch.resources_31bf3856ad364e35_6.1.7600.16385_it-it_eff382b28ed73077\DisplaySwitch.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ktmutil.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_abf4b8e877056d64\ktmutil.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..cconf-exe.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c538bc47d1d27eb4\odbcconf.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ativehost.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_30543e550f31f395\sdiagnhost.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ty-spp-ux.resources_31bf3856ad364e35_6.1.7600.16385_de-de_abea0cec26556a09\slui.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ervicing-management_31bf3856ad364e35_6.1.7600.16385_none_5e7ff93b6f0000b7\Dism.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-userinit.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e6d6265644c81c72\userinit.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-credwiz.resources_31bf3856ad364e35_6.1.7600.16385_de-de_66ea353935ffda69\credwiz.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-timeout.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f1e1165ec4fa9c25\timeout.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\servicing\fr-FR\TrustedInstaller.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..roperties.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ca087a1b05cd3b59\DeviceProperties.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-fontview.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bcabd31371adc367\fontview.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..c-results.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_dfd3367c1db96e1c\MdRes.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..up-prompt.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b7ef67030f8bf387\fveprompt.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-r..ry-editor.resources_31bf3856ad364e35_6.1.7600.16385_en-us_611ad8f550d1094a\regedit.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-security-syskey_31bf3856ad364e35_6.1.7600.16385_none_1838ef0586d5af46\syskey.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..ntconsole.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f582a9a573dcf890\Inetmgr.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-explorer.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_90b7c0fb4a98d0fb\explorer.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c79c27afb69ccef4\setup_wm.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a415063899c742ab\rwinsta.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wusa.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f4f0d2752099f29a\wusa.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\Backup\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3_csrss.exe_06529458	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_es-es_72ad61937e044eba_ndadmin.exe.mui_2e106c3e	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-clip_31bf3856ad364e35_6.1.7600.16385_none_a7b238407d550501\clip.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\Boot\PCAT\fr-FR\memtest.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_caspol_b03f5f7f11d50a3a_6.1.7601.17514_none_f885d1129806720d\caspol.exe.config	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..g-adminui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6b5a3a798fb698d0\DfrgUI.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_69c1a6bca9b7e0cf\setup_wm.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-eventcreate.resources_31bf3856ad364e35_6.1.7600.16385_en-us_184cabde288f06d4\EventCreate.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-msdt.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a073745453d35d28\msdt.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..p-utility.resources_31bf3856ad364e35_6.1.7601.17514_de-de_4d80c42f0e5ba716\route.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_netfx-config_files_.._gacutil_exe_config_31bf3856ad364e35_6.1.7600.16385_none_9cd3d8b937a10c58\gacutil.exe.config	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..p-support.resources_31bf3856ad364e35_8.0.7600.16385_it-it_464c91d7f43a97e8\ie4uinit.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehExtHost\ad37b6e3a1cb1081592f1c5797ae9dad\ehExtHost.ni.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..xecutable.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e1409bffe3d7d822\msiexec.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-msmq-triggers-service_31bf3856ad364e35_6.1.7601.17514_none_864c8948d3a4b9f3\mqtgsvc.exe.cfg	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ting-lprportmonitor_31bf3856ad364e35_6.1.7601.17514_none_1229a6f0546e2346\lpq.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cc53e808eda33786\rwinsta.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-where.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e5a1323c48d6dfb2\where.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..libraries.resources_31bf3856ad364e35_6.1.7601.17514_it-it_455fad27d0677632\appcmd.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..gtool-app.resources_31bf3856ad364e35_6.1.7600.16385_en-us_059b965799e73c9e\SnippingTool.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-security-tools-nltest_31bf3856ad364e35_6.1.7601.17514_none_f8852afc12f84e8e\nltest.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6fc7f6bc4cb64c48_expand.exe.mui_3f54e013	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..p-utility.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_98f46d0af032bae2\arp.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..revention.resources_31bf3856ad364e35_6.1.7600.16385_es-es_df0d6b82587af86b\SystemPropertiesDataExecutionPrevention.exe.mui	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ComSvcConfig\d632b7434f821829827657e23ac98589\ComSvcConfig.ni.exe	a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7zFM.exe

Filesize
950KB

MD5
aaceebb5fc56bafe8d47795bbde322bf

SHA1
5ad3ab527336967f544d1fa490cb2a447efd5cb9

SHA256
29c9ce1ddd008bdf7f5ec35c8fea8114ffd457ddb01b517df29e1fe5f61b7a97

SHA512
e2589c55ff87ca6b715be7c74234d3089f70c2e24765966359eb5697298191e6a0f736523efddc918de20b2343756a3f48157abfc037c92ee9b7da8725d20349

Download Submit
C:\Users\Admin\AppData\Local\Temp\_a3a82c32cf51689050f1d4d38d81e155_JaffaCakes118.exe

Filesize
94KB

MD5
aa705edf5a22ebfe61d872c90deac7ba

SHA1
92df5ef14e265739653f80a8385c8ce16871a868

SHA256
7b7fca061479afa5ea0fbf6abb287da40569f2586ffa4b83656084eff29e8d3e

SHA512
18ef926d6a2ae50eb2c54a93c51b783e359ea5314c50c54bb1bca91fc765a388c26d868a8bb14a05e1acacac124b78c01570ba8fa708f4102637b985069ea530

Download Submit
\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
464KB

MD5
0878fe32461ac5652a0e08b7e5ae90b4

SHA1
c2c45429028d76610aa188220650f1e19a712cd8

SHA256
e6566ca602e772f002d0c97b3243042a11b45b54f115d43e31fdc7ba0f7fea93

SHA512
ee0f4eacc59bcf4c3c1a4516baf0404fc76de075f0cb828931b6b5ecbb8ae93793ec09938186f112f3371c11b15f0f402d6239d0d5447cc5d81c3fa1204f60dc

Download Submit
\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
653KB

MD5
ccbcb724db0a95a9126b63382dc5c745

SHA1
e517f87f61c05474c3d2820b1b83f03cb5299509

SHA256
e7e0472a223f6470df96dba5ca836e14e3d292c7b793bd18e1e5113be2f65e4f

SHA512
7d92b6812b92b18a177eac29d49eb1c63354d187a4f04c70e7d69a5b220d908554bcbb44eff045d4d694da44fffee69150a1e7a6f315128d27fe70b9013ef7e4

Download Submit
\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
653KB

MD5
bb66f7c8e3149e305d0a281f5070afaf

SHA1
77920a94cf83dc4e722e853cea1346b331173e21

SHA256
ffb40cdcbb4bb0c9cf53fbc021cd2cac5120e80cddece0b9aa5cd111c893b58a

SHA512
5213f9e78acfe4a8ccfb8f5e0ba59e038dbaea58a46afa43239d1743a14754f2b68a866288d6c9bfcc6d079e78021a6326ce63287c467b45bc3a5956b221160f

Download Submit
\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
474KB

MD5
5f5692c92e7431670671d287673904df

SHA1
7452306ab15fffe3ba333d160da944c9a0bf6288

SHA256
c7ed0ccd46fcb93421bfad03f7f4ee9ec87a97cdaecd868627549fdd60bdd9ef

SHA512
51e7e16df744defd0794281dc695723ed4753791b24f379e90c165cb8d5b2c298d5d9f394611238a214e2cf7422411b6bb283b4d7fd8141d9ad3251cfd9276a2

Download Submit
\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
464KB

MD5
3e120b2e21bf5d21e2b5c0c3f02650b3

SHA1
3f977bef15b1b7e1e95fa642dcd35e0b0a7505cd

SHA256
4547cfcd15a09479e0625e43d6a2a48ee29b98d7dffba15d72f54658dd5ef7b0

SHA512
a7a1571e206eef15b7e3de68436250a6adf7cd2bc022ae8c06272e02e05745399f9a4bfb8973349110fbfb0878683de82c4ecf73487ac0d91501e5d599de844d

Download Submit
\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
474KB

MD5
350dcc1176f69aa4659f59a7f50db401

SHA1
adb11b9c530e6638dd107627beb894b57abee448

SHA256
70c62060a180bc92ff4fd82b82154b594593efdee7b13722fb5d3a09917c3336

SHA512
b2489e105352f96f20a0282364118a62250548f4048074bd3ef5a9b3789350afe3afeba08c4b6a0190f082f51731e06508f2e55471d81ab43bf54615b2cd86bf

Download Submit
\Users\Admin\AppData\Local\Temp\ACLControl.exe

Filesize
113KB

MD5
a3a82c32cf51689050f1d4d38d81e155

SHA1
141822ddc25a38e1d2cabfd9acdac35caade902d

SHA256
14171b192cb15343a25959e1f96fe58f4a2e443209d9fb125e33abbd7970c346

SHA512
41688086b320fc98b74c9df52ab7b61eb522509c83bb0e50ec4240a89d49a3a182953dddfe301131b706b1ee475c8812b7b3d61cb3e481fe0d17ff135c79c510

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..-checkers.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b26ca36ca5acf78e\chkrzm.exe.mui

Filesize
27KB

MD5
5ed85100e855915dd9485e62aa903a73

SHA1
3ecb45250c301b33385c973da54f2a2e982b85d6

SHA256
63d4ba45f1df45eb4a173550be919477767aa0899febc57682a4633aab46faef

SHA512
463f4689dbbd2a5ddd67789340e286b815e4ffb2a46818e40a6c1f3ebbcb0ac5f87e9f6f767c7c55544c8ad4a69602e5cce444c8bc95043318148287a16f63cd

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..-checkers.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5b5d7965948b0353\chkrzm.exe.mui

Filesize
27KB

MD5
9e17d67c50883245d601753e43ae9f78

SHA1
383ea69158f03754653a4609ca18198b007d8378

SHA256
6a79d85c552ebf7b3f26de89cc7b42dd074e516b839d342907ca901fafcb03a3

SHA512
70927beb2d1ccfd0254f0d6cb94fb1a87f424d9a713cfc1768db152127e3dbf9afc1f90da7025a59333e36ce50371585003a75edc912372670f11bf7db890302

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..-checkers.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5b28d64994b1f4f8\chkrzm.exe.mui

Filesize
27KB

MD5
60debd77f55b8b8a151a8046e3d02733

SHA1
a01333634de8ed55f423236b54a6987987ea05d6

SHA256
33e749a61dabb639cd134c5cd61f0f855dd05912bbb7a0d50ef309b2129f8a95

SHA512
d72b227c64a7d4b762c6d82a210e114e1eade926a16bfd33bdfdeaf0ad41e1e0ae3f9ab58a049a7021590d7851b27132171edb09b0a33f09e7934337906064d5

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..-checkers.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_fde04c4887840b5a\chkrzm.exe.mui

Filesize
27KB

MD5
3078f62f0bbfede92326d38c995f5501

SHA1
a95ef08172de3f6de3277c113d7e0cbeecfc714d

SHA256
5e31926c0b96769d0e6bafbf796d956255e2fee703b81dbacb78c9019eb26cbe

SHA512
6e7b28ab01139ac5d2b50bbfd1401e108ba84d17ea9d2ac293a4af605776b4127fe217ada561432b37c9c2591c2601299150820fb9ae94515a0f38e62655657e

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..-checkers.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e808428f5eb5f0d8\chkrzm.exe.mui

Filesize
27KB

MD5
fe3d89f0e0a468543f6dca2cf49e9add

SHA1
60fb347c5d39a86c3e221510fd31962356840152

SHA256
d7a916bfebc2cd8699f9bd59c50b34d834d7e6b5b59a6135df697eb8ec6dc224

SHA512
bd51ec6377012344e43fdabad60a6d5651ce881306ca23e7b810aa2d18028108b6164ef92550389447bfb7aee2f5f9f9756a5ef5093a6c3e43535643a83f595c

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..-checkers.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8a2dc19c51d102b3\chkrzm.exe.mui

Filesize
27KB

MD5
ecfc255a50009a37684e2590a6e01825

SHA1
bce73142d57ade7b78e1402cfa7746a971f6faad

SHA256
93889531e1d49a19e6536e8d19c3f670b509d93b552a0fab39408fb52c9a51e7

SHA512
3e66ffc4ec58efa3817a5f9febce20c930933130671c5400e81b5e90b7cd0f8eb15273b12bc998500f18e76d949edae87bb6ecd0e58a2ac6a9eac163cacd25ff

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..-freecell.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cbc7ace537b928fa\FreeCell.exe.mui

Filesize
71KB

MD5
771ec41e4ecc92028237e6aae9e5327c

SHA1
cb12cea8560395a9dc0fa6fcf702aefbb4163538

SHA256
234071635240a72f226c1140d12ac462f258078ef8a5f6e35a02f0f163875f7f

SHA512
fd9963dc724df1e380f01037061a87e4053af4299203444357524cf921f9550f157f43d3549b3fc609fa0cc3c786b6afb475c698349d05096aa3ca7b33e1310e

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..-freecell.resources_31bf3856ad364e35_6.1.7600.16385_en-us_74b882de269734bf\FreeCell.exe.mui

Filesize
66KB

MD5
d9292bc5b0af251b2bd60045e7247154

SHA1
83006a9bf3f331172303210763dd7388814bd155

SHA256
1dadd24d36d25a16ed540c6ff5e63df47d0272eedba3ceba04f0dec42ccbc58a

SHA512
7e0959a37e0b42d44b4e2fd61c458d2116db4e5675e97a617f13062cbce074cbcd608173d459db99e147ee60f61fd20b1b09ff6ae04d0cd81218fcfa3a697b95

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..-freecell.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7483dfc226be2664\FreeCell.exe.mui

Filesize
70KB

MD5
bcae1383fd469488e8a9e3a8667c4367

SHA1
97e9b58c3637fedfb1b01e152358b2b3062b9957

SHA256
73f99c36826b0e4a62dbf5e35c74c7da5b116cf7856a28549cabef1023a0fddf

SHA512
869a484cd5d5dd71a739004ec12d230deacd2892a8c957e5daf8ba645d4df08e646856539dd9c5dc521dc2923c655da253e51fdfe23ef39f2cb391ed39edef44

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..-freecell.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_173b55c119903cc6\FreeCell.exe.mui

Filesize
72KB

MD5
16372d0cb1404db133a8269db8ccc370

SHA1
1e68544d541998dc255f84cdc70f869481509350

SHA256
0908173c8196824fae216d081fe2455950e13b07474cf484c55fc0a52794cacc

SHA512
ca4f54f4521ee6ef472ca285a12303d8b488d088096bf2e1b2f267c3de5a7a08d7f04469e9e459d28bb2da67e5764e13dc739af5affb84f7d0bbc5cf20d775b3

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..-freecell.resources_31bf3856ad364e35_6.1.7600.16385_it-it_01634c07f0c22244\FreeCell.exe.mui

Filesize
70KB

MD5
ffbb9ffb9f956d99d8bc5fd3a5fd1dfc

SHA1
b8b32adf7aee92543cb189f83f8a9f4342b538e3

SHA256
628e4c3c15b6b644d728f05c14866d3aa001227089df1043d502b6e3edf96f90

SHA512
5e19ed22a2339e2efb665f43ff621dd6b5e586b67d0266525322b9e617e0ca8f89a44902d36e7888c5022426e843d810239e8dc0dce8b738bd833de8729b2516

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..-freecell.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a388cb14e3dd341f\FreeCell.exe.mui

Filesize
57KB

MD5
ef776d4f6f2e5ecce17f38b5b542ca43

SHA1
78206738a08a82d57508a7265cb20b838baf312c

SHA256
e2a4b708e0b5c0bf3e7a3d5e10a68e71469e9d0f3744e222a0360ff1ad6878d0

SHA512
e1f656ead4857dcee932cc8b02ae3dafbd83de7a7eb84551c731d1c30685f1d8136140ee3ccaad444bb6c62947f311a5dc24ea10d86dd4f483516afeee62c60c

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..-shanghai.resources_31bf3856ad364e35_6.1.7600.16385_de-de_775e5acffd45d164\Mahjong.exe.mui

Filesize
70KB

MD5
fc8e8bf4c293225f143b09707122fd16

SHA1
70b803a8e5ae478bb0fdda96716b5167d13456bf

SHA256
07b53bc3e633e26486df1578453aebce5e6fdc2eec0e8e4523a5c7d9dad6cdd0

SHA512
da61a0f79f3192d6c4a5143b8cc28ff55480e174f9851da683fb9283c2744fb16c5790e2da7f3d310f41f66c91b149d0775e71182f13b9a4763798b14a72036f

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..-shanghai.resources_31bf3856ad364e35_6.1.7600.16385_en-us_204f30c8ec23dd29\Mahjong.exe.mui

Filesize
64KB

MD5
dcea05eb9b367b05ce98b2971346a774

SHA1
3a6492caa64ce47bd4a01d4e5c2e0af358f85209

SHA256
654cf72097daeb0e860ab71a28e9c960bac49050ce924a399d5ce92debfdbd28

SHA512
7d28810e13eaa6d9ebbd5055561f205d3951b7d7e051a2b3abc973a09c15e930b09526d933f093eab5be2539005b1ff4ef457c1e37327ff0d4f4b73112cddd69

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..-shanghai.resources_31bf3856ad364e35_6.1.7600.16385_es-es_201a8dacec4acece\Mahjong.exe.mui

Filesize
68KB

MD5
4f262f0ac292b007facc64339b7e3719

SHA1
56342d8f5efc134eef6c3bffa48f940edbcb6939

SHA256
d9734d3b8e197e542a6592f4918b7c4c70f3ae7235e52cc1b0c2e356382fb040

SHA512
d7e654ac1d41a2ab5b088aede5d2a3c109d7dae5b033d2594b142c46a562b871782fa02599969e7e9bae60cc7782fc913ba3a86ec0335d5b28f06a091bd6659f

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..-shanghai.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c2d203abdf1ce530\Mahjong.exe.mui

Filesize
70KB

MD5
d6e059f4cc92c7a97fd9a8f67e1be152

SHA1
bc06e47395b07100b5079b5a1541fbf168c572e9

SHA256
d4fab015df2b77826bf3cc9111deec8ef5796de144370bff4d47b3724dbd5e9d

SHA512
aa2791f2c32ba6265a4c32705e6de4b2670874bbf7fb30bb207d146a71e8de53af64d2f119590fc6d014bf6cf31dfb33962913c79b20c49f0598907b68ecb879

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..-shanghai.resources_31bf3856ad364e35_6.1.7600.16385_it-it_acf9f9f2b64ecaae\Mahjong.exe.mui

Filesize
68KB

MD5
163e793b53947f99f6d7f288464026b5

SHA1
e040d1fdaa4fb380b6d518b627966e25866b3777

SHA256
d692313022f2ae05273fb7ec4c89aa0c90fa452444621d549197ebb2ca5211f3

SHA512
51085b09ab9944773367e8da65c3d8073e023a2a6ddae82fd6c0ac891199a4312eac60617ec1d71082a9e23e34dc7a16415dd2ec80654417aea39d6dbe506c2e

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..-shanghai.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4f1f78ffa969dc89\Mahjong.exe.mui

Filesize
56KB

MD5
e5c68faef5e6bcffad505f4a1cc3b3b7

SHA1
0b7aea2dd2e7a67db9910b286cbb8509de54ad40

SHA256
b549668e3546d0ab897811377f7af639def48cc61a0a55fcd6c754957ca744a9

SHA512
0d8e6755581d8c5f7ccf7c6d817e8e1e829559a875fcb05695cbfdbac066679f899ed9d019242b6831f81f1c0b2c5f9e060d9d7d0a0caf18d0e65af2e97c6da8

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..ackgammon.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1970b11cfb70c9ca\bckgzm.exe.mui

Filesize
27KB

MD5
08d163287bd169d84a0bad26d59be8db

SHA1
e5ef647d1f08bb879e0d0cd712af67c455325534

SHA256
15fbe3b02e4c5ec4f71858c7ba2f14f5cdf1a44969bc1e6c92e5dc0e713a865d

SHA512
e037073961a992efb86a8c0e1c5a38d6f77b38bf63096d5cd9e5e1214c5f5ca20c5291bd1488dbb739493942e5a84dc455b94229d111559e0ea91ee01c6a0f9c

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..ackgammon.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c2618715ea4ed58f\bckgzm.exe.mui

Filesize
27KB

MD5
bf421d510b6b4083a78d30bd80d902a8

SHA1
5d80c41ecfaaa213f73033d59ce7216c9c7965ab

SHA256
91a5321d6de5f69a75eae4f84599141f48d61f55775c5d512b71f8217c281b65

SHA512
a3df093c7fada3f122ddab068658e1de48c02894c085b84aea9cbb95fe529117c45a387c1c144f03e6f13dffd8955cf9e25042a1e0f75809b5471751618de039

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..ackgammon.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c22ce3f9ea75c734\bckgzm.exe.mui

Filesize
27KB

MD5
b70e3eaf251b802c1b7013044b266435

SHA1
7a5e9f0f830da16e66818c23e7178b273b937334

SHA256
940b6853ee40f4eabf57c4627a21a81de47b8d4c734fe8fd07cdc5410f214aaa

SHA512
6ac40da5b071f92099be4cb05a28e432d1b9800347a576090b4d684602dade3f6fe21d811014bc238543c572fc702c97a374ba47d833c28b7631d5e3c6486438

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..ackgammon.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_64e459f8dd47dd96\bckgzm.exe.mui

Filesize
27KB

MD5
3d44bde50b6f6b7ec144c1c6be058679

SHA1
1257064e53c37ca929d8c28db3625eff5febbd7e

SHA256
7ee8731895d185ae57bd51ecc2cae0be76b45d954b8a9ecc72426b782042540c

SHA512
ca9f6cf88934276d4c3bc35f6dfb534080089a3a6e1b51eaea41d9328674caf5454802deafa3ccfc8feef274892f1571cad69215c376c4b083e0c945fd7f926b

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..ackgammon.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4f0c503fb479c314\bckgzm.exe.mui

Filesize
27KB

MD5
01097e8e9742a40365691ebf0ca54fbf

SHA1
380e9c38eff33f749d8f95bf7f581701a5110cc1

SHA256
3ec0b0adedff38b3f68049fdced146ddcfe0395722805d3358d57761bccdc3ae

SHA512
2a5a80dc7428506c1aac5ffaac718d4107d7efaaa6c859274be56e35341f12c11a03c98f8e7a6d6e262e932c41ce38bea66a5fbb9f57e3585a031898095c1326

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..ackgammon.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f131cf4ca794d4ef\bckgzm.exe.mui

Filesize
27KB

MD5
54ed59a0c6cd8d15b4bc6bf133d3c708

SHA1
6f468d394dc9814f77974b008f740a59f4c70c9a

SHA256
59585def14837621470a7ed4300c2dc52920dfe62def175b2e08396dbc2a43a2

SHA512
1d8d239b7b041d7b0f5a421f61aa06a069233b026209f16f31a81ee65f7f76da746692bf24279f32b447738252eed84d36b8c5ec014e622ab1c842a0025c0e41

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..boxgames-backgammon_31bf3856ad364e35_6.1.7600.16385_none_668d031845881638\bckgzm.exe

Filesize
111KB

MD5
a578958f71380e575c8bb606c3d2ba12

SHA1
07968a883f39d6d5f9923b0e0618f41ee86da71d

SHA256
1a3fb4d54eedc7f16fe90fc5eca6c3f135082410101c3f38852fe1ddc3cc3702

SHA512
cc38fb988a3590d34944eec6af294887a8af789928d34225aa1a6d205f44c4d05af134d203bb1b9fcc2d1649450a072a2f0d566f33e77099f1194b4f84715e82

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..es-hearts.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4017d5a51dfb074f\Hearts.exe.mui

Filesize
77KB

MD5
c38eac18131d39248bac463ca8fe3292

SHA1
b332285a8fa572a59face9bcaf2210f0a4663f8c

SHA256
df075ae1c94be1e25755dda14b48d913f6f2c2a4303255b101a69057689982aa

SHA512
02e295e184328dff8850ffc1ea7401e7d72a1f331e3d420facc31c09e38a4f9be02ac7310680c6adfbbe09057922ec16c084d8df333ee8d840a310ae8ed29573

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..es-hearts.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e908ab9e0cd91314\Hearts.exe.mui

Filesize
74KB

MD5
2a1b3c2aa4e1c74efadf9e83ead23b76

SHA1
29585f39eef8ac31ddc5119bb549b3b563225506

SHA256
743bb149a51708fd51969d3429e0f9dbaf6909d14ca3f097bb4a254ef7c4747a

SHA512
d2b7bd9cd20d2746bfcc41dd28ba07ddbb9dc7a5be741b0d6ef4f3f95eb2a32afeaef27c18ae6eabcbb12d372f266de6ae6b2e1c94ea5c27bdcca0acb21bf383

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..es-hearts.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e8d408820d0004b9\Hearts.exe.mui

Filesize
77KB

MD5
7993bb91444f4dda3b16d944a2f629ae

SHA1
b00edcdcd449e5aa60e1317fd66729297315732b

SHA256
16cbc78e4c412975bc80003f915add35838c8de39ea49db49bc0a72b5c2b404b

SHA512
3b77aa04adf9556765e2bb7fbe322af5ff75c5dfa05921b3ffe7b9b276c267d865f1f96394851fcb30c9d62a3fb6591ed56ce0e4821cad7542f405ef2f92dce3

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..es-hearts.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8b8b7e80ffd21b1b\Hearts.exe.mui

Filesize
79KB

MD5
053e9c08624bfd0c33e9c154f67f9e53

SHA1
e3fa59f5b511321074ac789fddf8b5db6f1f2c12

SHA256
7ca8e9bc398d4aba2da6069b9a5f7cdca5fa8856cb37e1461e89e71bec974ee7

SHA512
d51a7e96f4bb974b866c3211a87f475aeb202151db1a75126128773ab765808fef6315ced4ccd2c1c9be3ef1d8012642470949c65772f0d2f9f0369819e259f6

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..es-hearts.resources_31bf3856ad364e35_6.1.7600.16385_it-it_75b374c7d7040099\Hearts.exe.mui

Filesize
77KB

MD5
6ba7fa57d8be456facd1a8af8516e2f4

SHA1
87607abb1b8eb73d74ea38221f43a02279a9f9e9

SHA256
fa514530ca859e73c8e64470381927eac7bb489cf4897bf0e90d71943ab66b2b

SHA512
77c72e10fe3acae4c420ce90865f71cf60c41ad6d2497bfa313a65fa554ca5bcfcb0e86434e1466a5ebb81044a9a6ce7529ab8fd9988394ec1378bf65ddeb416

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..es-hearts.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_17d8f3d4ca1f1274\Hearts.exe.mui

Filesize
66KB

MD5
663f4ba3a3677301d886ab5190e977bc

SHA1
f36c827fc75eaa596a54cad52fc6afe074219eef

SHA256
7b6445544beb426133f020132c3c7dc4a98dff4a87bab2bb5fcb67eebe3abfc7

SHA512
37546f4f65b899c8b87831cb6106d8412792955a4cec28d6a49e4e4ad1a6b2910f49ffea14f303a5237acb733a84893dd2c98abec4f309f85d5b38779596ce0a

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..es-spades.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0ac7bb58de12e1e0\shvlzm.exe.mui

Filesize
27KB

MD5
8ba8959475eff5fe8842324ffbdb75aa

SHA1
369295ce92ef4673b058d9973efffa87acb811f8

SHA256
97f2135fc0678ece9e9425ba761c61648d0f947016e844056bdc46619c9658e7

SHA512
bf17d2a7ff44fde31cc6e13bf8418fe7741526ed453764a7a0f698515c6cdd708b200924ed58d04688923c588294c8433a926c9e56c8ef493ff49629fbec3bf5

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..es-spades.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b3b89151ccf0eda5\shvlzm.exe.mui

Filesize
27KB

MD5
adcfdb1864a88738102563c8a1ff739a

SHA1
fafd913e4a9313feb5c09cfbf5ba560fc000184a

SHA256
99a5c9323001340f74a461af75af2f516c31dedc3e316095a02767d2fac4a69e

SHA512
95b761aac41c7d3ba7f22c6794e447450ffa1d3d21814ed2d23de949aeb2a98c45957c52a1926c072ca6dfba34f15a2eb0091202e806397bc8c6fb0316e2de9c

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..es-spades.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b383ee35cd17df4a\shvlzm.exe.mui

Filesize
27KB

MD5
6ac8993e65a297e09ecf00f17f525cd7

SHA1
aa80caf9b40ac31ebe4929b5067bea9e0ca2c2a4

SHA256
cc266baa07975da74c2690df551ad33c84f8a4a18c36c36501f1c73deb7ece21

SHA512
e6d856366fd3fa0f084e841cf9c36042887a0ad02f59876abc44ee8c736aa3721f763277ab860d73da87ae4d451d0ce96ea067b1170fff33d43d935bdc1cad4c

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..es-spades.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_563b6434bfe9f5ac\shvlzm.exe.mui

Filesize
27KB

MD5
8a44b44b0d7d36ef39b70fffe5ff0054

SHA1
33584d1d14d9eae3066e01cd6fffe6c2b2c95224

SHA256
ffc4cf7a8b3c0901d97933d3b3004d238a7b5b0cc92ad01a8c119725eea5f33d

SHA512
16ed17082d82df8ee13bdd2ced73877ab31ea329410cce9f6262bd19abbd8edf710385380ce23851fc0f7d001bb763f8b68365d7386f8ebd1631890d087a25bc

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..es-spades.resources_31bf3856ad364e35_6.1.7600.16385_it-it_40635a7b971bdb2a\shvlzm.exe.mui

Filesize
27KB

MD5
cf5fd0d4a4285e5b770c626c62e0b865

SHA1
d0ee8dd545bf38e762de52cc9bdd310d5d291db3

SHA256
7fd3817ebbd226c70c9ed9ae2836bf9d137c66370c5c7ae7ca0bb28f6da2ac04

SHA512
c532ab38df343037b1cc6be7221b39d0255b9f1693b7f5c5c3d416aeedff4f42ab181c04c5208300914d847a2893155f6ced6a0cee2bcf391ef45e005950353c

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..es-spades.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e288d9888a36ed05\shvlzm.exe.mui

Filesize
27KB

MD5
e923b9779f9987d427339ab8c13106d4

SHA1
5396be83e33b692b2ea79789fee0c6e3de4b332d

SHA256
3361a79e63ac39dc501a135a7a154074aed23da92510edbb2c6b0cb818268e7e

SHA512
e1b48399201817ae136b013c0704474a996548097e532841c15d0f32d029db6fae84ed03418f33261351a7b225d727881a2829b3544c0d37b47a1934d87025ae

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..inboxgames-checkers_31bf3856ad364e35_6.1.7601.17514_none_d467c138cbce0b24\chkrzm.exe

Filesize
120KB

MD5
669558d4753297e0c9b2c8e73bb700c5

SHA1
559c9da3481726cc3f094a13171cd5ce4c8165b4

SHA256
493ebda8e2a86d0f90b00c9d0a5ca690b8193c032f06b8588ea85e38ec76c9bb

SHA512
9f58659a0d60d96b459cc11fa2ba26ed975535d3c20b4b993bb767c350aedb79a263f27fe33697601b0f1b58eb723c75fb3aec849564db3c5f1c7070a8bb95c6

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..iuminboxgames-chess_31bf3856ad364e35_6.1.7600.16385_none_d0c99374981840d5\Chess.exe

Filesize
3.1MB

MD5
203c7b2635e663f374fb1c1d4260a40b

SHA1
3183c47bb8736676a513fce62145968a9b0c5873

SHA256
07c815db9ffe0933415a594b209d332337a148c2b49497a07f566a69030ec9c1

SHA512
6520808e41f9eb93e90175052fc12a931dfddaeb5755f0bb460713f79e9c8b8de639ced2fdc42db154b969931a61806d7daacf9407c3eff97730ea26772eb312

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..mes-chess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e3f0a987ddb08f85\Chess.exe.mui

Filesize
74KB

MD5
6db56daf89882a84ceb8d3254e4e4810

SHA1
020b3030da330f74167296a60ff23938c27d91fc

SHA256
ca26840d9948c52c6f95369a5845e08af6bd966ef74b84fb87bfade8c48e8b80

SHA512
9bc7c02e676bfb3a390fea7457bb1d7639bcd44be7bffd38f0e6565544ebce73917b2c536d09239e325551d57fba5bde860420a17c6bdf8a6d62063c6749292a

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..mes-chess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8ce17f80cc8e9b4a\Chess.exe.mui

Filesize
67KB

MD5
876f74d0953972834c4794486aab8323

SHA1
3dc36dd664a7905ea6fa0a222b5cfe7a16dfdb02

SHA256
d9dc28b2d25c039fda48bd09a25ed748592374e4256339d7fc74c7e877b18c82

SHA512
2900536f6cf86fb8c2054e563605d613d21bd7d41e3ffbf0910b305875ee877a3df6947704af4dafaa2af7fd94c64ea47a6e577d775f014ac7eb3e194866195b

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..mes-chess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8cacdc64ccb58cef\Chess.exe.mui

Filesize
71KB

MD5
0bc0149eabbda733504d499db047c00a

SHA1
e810c9ff097ed1465968cd7de41baa64549fa2d9

SHA256
01face8602ec4bf50a340d57be836f8a0f49ff7932dc8f3935129a1d8dcb0390

SHA512
a98a740ebff3a97be51226500c125f841960a101c044d974f898491b3719baa36a947bae7571d52d826043d4c6b90b58a3d97d041bb46c61e8e70569ae922e49

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..mes-chess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_198c48aa96b988cf\Chess.exe.mui

Filesize
72KB

MD5
e412b1bf606d509e55251ce3bceaf20e

SHA1
4198884e0d9c337e04a7b1a136a8bba2753ee171

SHA256
539297a259818a8296429aa0d04d5a06401b048bae3624ec7c5eb38707e653ad

SHA512
1b5dd20cba5770017952f452fda6104d107953f5df3300c2ea0e9706b903ca03e899efa7c21d171366bd75e0bf6bae9d2b292f01577137e265569d93eee097ab

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..mes-chess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bbb1c7b789d49aaa\Chess.exe.mui

Filesize
55KB

MD5
a279ebddc50b9ad6e58b6edd7c5af095

SHA1
87b254d7f31f896604139b247dccecb09a2cac36

SHA256
80a2a4d2c345e19e940c4261da0eaf787fcd249e8d1aba770021fc025a772c01

SHA512
cae1e232e554b34fbe2f7b2d05110b31b1197ad771219648be51cd7cf66fc777795148d545710bc2263c2c202d44e15910dbe59f967c198e18849d1b4e2d1566

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..mes-chess.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_3195662bbc7626eb\Chess.exe.mui

Filesize
74KB

MD5
c928eba566bf06605a3bfacac89c3be2

SHA1
bd23c5c1eadc6dedb4ec0d858fc0bb8478c05a2a

SHA256
3e4ece44fae406b82b9c0b8a013765f59c6e2830e3069b085b57272228166116

SHA512
05d024a18965dc3f6115d727b7985dfec58f4a1b7cef68ef20ea46e038537bdc78fec835d05bb9dbe787352d9916119ce81727c07a94e2fd27519cb15d1f0b65

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..nesweeper.resources_31bf3856ad364e35_6.1.7600.16385_de-de_422835eff6be42a0\Minesweeper.exe.mui

Filesize
59KB

MD5
27e87451ac5e3f87d3c81eba84dc422e

SHA1
c80e9d022c3915e4f0fbfcd4ea67b1d7aab91861

SHA256
ccc805c5f78021bce0575ef5e20cf8cadba30aea2fd41dbf37cf0b949a774547

SHA512
a563edf53d47700c3831c549582738c822b1f0f83cff226e90523ed7268a44bfcbe4347268e8f8b88949393c56a611897866bb9d9d7ac4910a634327598a6eb1

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..nesweeper.resources_31bf3856ad364e35_6.1.7600.16385_en-us_eb190be8e59c4e65\Minesweeper.exe.mui

Filesize
56KB

MD5
e5ba3f2e7eaef89a9cc54ccd68dd3ec1

SHA1
dd57ce570d3b3286725d01408eb1ea26c74137a2

SHA256
3b4ff1e9b9fb98472a0d40f07edcef2723673cde14009ec80232d1ab68eab1d7

SHA512
a8ef5bc503a0630a96305d0b04d018f73205d95b77a1edfa59344f5acefaa442428e2b7cece0aacfc9fd620095e49f37b2470f99fce735e5ee337460b1c859f7

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..nesweeper.resources_31bf3856ad364e35_6.1.7600.16385_es-es_eae468cce5c3400a\Minesweeper.exe.mui

Filesize
59KB

MD5
0bf30cbe041dc9430a70c3df1532e30a

SHA1
c8e276c92d88adaa72c1cd60f46e1ae00c568df2

SHA256
3b789da3de8e131adbbaa0c7096080b3de7501c3106797dd54f2a9135bbc751d

SHA512
b405d6f433e52e2b4639273b83d34796051c87cf7ef46620e17342e0e9c4477e2044fced45a94f237a04afd8dfbb58f8dadca0531b810e7e9a9eee5255494e59

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..nesweeper.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8d9bdecbd895566c\Minesweeper.exe.mui

Filesize
60KB

MD5
e5cd4ee9f3b76840c63cfaa9fa875116

SHA1
5973d857ce52f82d5b58da6f9ac1781dd05a9097

SHA256
5c866ca244b3023a6642fa29c5844b1373ac7c0756f2b9e6ec83bca7305e0bf9

SHA512
1e7493f226ab63a9ad9cb9d2b475436cd7048d1184b56475d35834d10992664024a009f10d429de6222c4a701086633825b90a724edc797b6215716ba31a8f68

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..nesweeper.resources_31bf3856ad364e35_6.1.7600.16385_it-it_77c3d512afc73bea\Minesweeper.exe.mui

Filesize
280KB

MD5
58e49c8eeec6cccfd9c686250e1ad82e

SHA1
9083baf9bdb5d6f12a5f45ccfc0aeb2d67019ca9

SHA256
c8502d7b6cd21db2e443e244bf7b733b8fb911c11a1f24af1e2f09c921843d5b

SHA512
be108fd30ae72cbb343939b5b067d41c951a91cbdf72845b8020cff76169015f9b0b2e519b82abb61cb8b3fdc5b56999561dd2debf59e5f8d9eeab3b3b1410a5

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..nesweeper.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_19e9541fa2e24dc5\Minesweeper.exe.mui

Filesize
49KB

MD5
72ed7718c6f118e2547e93cc002cdb51

SHA1
cbc9ff26f95606b6e5f3da80420a6cdb7f1e4f94

SHA256
2ed81b4f5ae3ce93066d1947a57537afd90d9e4de08f958990f947eb163ba542

SHA512
7b3068df969a02a90337d1e095f369ff39e610dfc52016cff2ddec8091296d18a002188267c9a01a4487bc265fa30c4e3b0697287ea37f611ea9e453caa29d59

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..rbleplace.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60cb57bf22de85f9\PurblePlace.exe.mui

Filesize
179KB

MD5
3a6f77b9f0c5a7d6c2942eaf3cfdc611

SHA1
f569e79957f4d8a22a3f8393004ce619af32a0f9

SHA256
94c71a619f10bc08672489e58036e0723f9a136e71e1ea0dd51e302f481db419

SHA512
232d5d5869f1bc0e7ca60c1d66eb524c41f4dda9982cbf49870c8c953cb32cca831287025246ef85513164ea585878a98bac895084f42804bc8b9cf6ba67f32c

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..rbleplace.resources_31bf3856ad364e35_6.1.7600.16385_en-us_09bc2db811bc91be\PurblePlace.exe.mui

Filesize
167KB

MD5
fa14024e1393a8227a6a084f409d84d1

SHA1
66010af3d36c26bb45493f59d22777a08a706f45

SHA256
3e6079581d3e151ac1666a714e97ee39483b16f1067ff96904b22c2b208f165b

SHA512
8b3c84fe970ef0770c950f8e755721bbedb3f83ee27b66105d2edf9a72c805ee5f0cb05ca47abb3c96c6af832422aea454dc27a1d59d2d9c1b88bdeddcb0117d

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..rbleplace.resources_31bf3856ad364e35_6.1.7600.16385_es-es_09878a9c11e38363\PurblePlace.exe.mui

Filesize
178KB

MD5
7b5c45d7df5ba3a9c4ce5346e0531e5e

SHA1
f81228741a687d52261e496d18102e8e5c3d5cb5

SHA256
010e7756e23a989a5279f972323272cfdac7f48223c1e7fd7cbdc254cb7544a0

SHA512
9b840eac76e74e20786aad246a5027ca3c920d2d3940db8cd1b3733bf9b6468d2168526962f0e88bbd016974819e2f319f9f129de83bd8bc5ccf1b85fc551716

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..rbleplace.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac3f009b04b599c5\PurblePlace.exe.mui

Filesize
179KB

MD5
ad406f2daa20bacefe5ac14f6a0efc29

SHA1
cad0127f4f0c260e1772d80ae359fb96a764d105

SHA256
cb5b712d7f3cfbace97d3411e86a689c11bbaafa383acf1596ea4ecf60e1a6bb

SHA512
a35221f4b0065eb16e35d467c00a913d673eb5d5c35d45a896ca532be95f0d51128ec35291996367921a866c342a4065ad755ae29256850c3370e622835cc934

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..rbleplace.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9666f6e1dbe77f43\PurblePlace.exe.mui

Filesize
176KB

MD5
d423f471b7eb0405aaaf11c78f942f22

SHA1
1cf163564f43ed305d9cd6b3dbc4930a75fe6ca8

SHA256
69f2eb1f33a6adf58f9085378c79e7be82b9197bc4d30dda193c6da6a55eef3e

SHA512
22512dcabfa1f2f63f6f4a9d44102d9819fe3ccc349d50a5aadc978bca7afd7d4270fd89ce2945f94566acc0190dbabbeabd063e78768115f5118c9157fd4d03

Download Submit
\Windows\winsxs\amd64_microsoft-windows-s..rbleplace.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_388c75eecf02911e\PurblePlace.exe.mui

Filesize
137KB

MD5
69060e4941b71ea8a3ed24a65ccc0667

SHA1
cc1eb7bea3c47867a40673ccb547deada8930d67

SHA256
862bdfd87886bb8567889776ba2cb1cb59cea9aa1d9831e6dbf01fa02a78b752

SHA512
11ce1de18bfc4651ddca1ace03fafc9ee79ad39e3051dcd72a6cf2801c5bc19305568884dc2d57025cdb6a0aaa25df39fc4331e36d38678ed88ca8e47b3b783c

Download Submit
memory/2972-229-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2972-230-0x0000000007160000-0x000000000774A000-memory.dmp

Filesize
5.9MB

Download
memory/2972-232-0x0000000007160000-0x0000000007748000-memory.dmp

Filesize
5.9MB

Download
memory/2972-231-0x0000000007160000-0x0000000007749000-memory.dmp

Filesize
5.9MB

Download
memory/2972-406-0x0000000009100000-0x00000000096E8000-memory.dmp

Filesize
5.9MB

Download
memory/2972-407-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2972-408-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2972-409-0x0000000007160000-0x0000000007748000-memory.dmp

Filesize
5.9MB

Download
memory/2972-411-0x0000000007160000-0x000000000774A000-memory.dmp

Filesize
5.9MB

Download
memory/2972-410-0x0000000007160000-0x0000000007749000-memory.dmp

Filesize
5.9MB

Download
memory/2972-412-0x0000000009100000-0x00000000096E8000-memory.dmp

Filesize
5.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads