xorist | c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
Size

137KB
MD5

0db31955e3dc63769545a494d23cb356
SHA1

53799e1ba3cd3b2d24f225e7785864b54f7581aa
SHA256

c426a40d0495cb8bbb413d91501ea9907bd85b12be901e07c358555ad1c98aa5
SHA512

3efb45ea260e30815f28d8504b5c8cf6594e0df7f918d8ae849fb87b1f1fb9b9353ac2370e629cd854b0a5e1155f618e947c663c97670182a264f33631a34fd3
SSDEEP

3072:bUQvMazs2YGHHAhVd1nut+uV2mTVDjFwkWl176jZ1hCagdjvBl:XQ2rH6VdRQ/vqkg1gEagdjZ

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 7 IoCs

resource	yara_rule
behavioral2/memory/1240-4977-0x0000000000400000-0x00000000004DB000-memory.dmp	family_xorist
behavioral2/memory/1240-4978-0x0000000000400000-0x00000000004DB000-memory.dmp	family_xorist
behavioral2/memory/1240-7964-0x0000000000400000-0x00000000004DB000-memory.dmp	family_xorist
behavioral2/memory/1240-7965-0x0000000000400000-0x00000000004DB000-memory.dmp	family_xorist
behavioral2/memory/1240-7970-0x0000000000400000-0x00000000004DB000-memory.dmp	family_xorist
behavioral2/memory/1240-7971-0x0000000000400000-0x00000000004DB000-memory.dmp	family_xorist
behavioral2/memory/1240-7973-0x0000000000400000-0x00000000004DB000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Renames multiple (539) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\uk-UA\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qAxMr02XPSFEbd2.exe"	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\c_media.inf_amd64_2dec3adbda5f7bb6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\perceptionsimulationheadset.inf_amd64_47c7e539c0156424\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\oobe\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_net.inf_amd64_32a9ad23c1ecc42d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_sbp2.inf_amd64_db7034ac4806cf05\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_unknown.inf_amd64_9f92c189b415c003\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\bthlcpen.inf_amd64_a2917ed464cbbc93\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rspndr.inf_amd64_4e80c2bb5314f071\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rhproxy.inf_amd64_7d28259fbc48ab7d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetQos\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmarn.inf_amd64_947cdd3822225c16\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj6.inf_amd64_5a503c811e650e70\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\microsoft_bluetooth_a2dp_snk.inf_amd64_213eeba98cc6f2f4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrast.inf_amd64_935f1046c28ea0dc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Nui\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbvbda.inf_amd64_06bc8afcd2617abf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0816\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migration\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\uk-UA\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ISE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\btampm.inf_amd64_445ffdc4132cbc59\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidtelephonydriver.inf_amd64_43fa6b1db642df7e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmpsion.inf_amd64_28542b9aafacda15\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\fr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\Volume\Professional\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-CA\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_firmware.inf_amd64_36e4e17f210128ab\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msdv.inf_amd64_5c153f7ff7d0d00a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\swenum.inf_amd64_16a14542b63c02af\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rdlsbuscbs.inf_amd64_0eb96a1741539c14\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wpdfs.inf_amd64_1183fd0f13045f2e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\CimCmdlets\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\bthleenum.inf_amd64_11f9ff6c12dbf9b5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cht4nulx64.inf_amd64_641bf08bee8ac46d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netip6.inf_amd64_f29ffcd2b14f21f5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winrm\0410\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\bthmtpenum.inf_amd64_3abc48e730d08fde\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\sensorshidclassdriver.inf_amd64_b5ae080ff669eab3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0011\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winrm\0411\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\iai2c.inf_amd64_a77c815b2999404d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migration\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.ppt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtwlane_13.inf_amd64_992f4f46e65f30d4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnge001.inf_amd64_1daeee8f3aa30fcb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmic_heartbeat.inf_amd64_ad33c2d1c7a3023e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Speech\Engines\TTS\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_PackageResource\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForSome\uk-UA\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\lltdio.inf_amd64_4faf5a37ebdbec2b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\sensorsalsdriver.inf_amd64_a6da30fe583368a4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MSDRM\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netr28x.inf_amd64_5d63c7bcbf29107f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmbus.inf_amd64_a192dbf28b4634a7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obegjjloobdggjll.bmp"	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1240-0-0x0000000000400000-0x00000000004DB000-memory.dmp	upx
behavioral2/memory/1240-4977-0x0000000000400000-0x00000000004DB000-memory.dmp	upx
behavioral2/memory/1240-4978-0x0000000000400000-0x00000000004DB000-memory.dmp	upx
behavioral2/memory/1240-7964-0x0000000000400000-0x00000000004DB000-memory.dmp	upx
behavioral2/memory/1240-7965-0x0000000000400000-0x00000000004DB000-memory.dmp	upx
behavioral2/memory/1240-7970-0x0000000000400000-0x00000000004DB000-memory.dmp	upx
behavioral2/memory/1240-7971-0x0000000000400000-0x00000000004DB000-memory.dmp	upx
behavioral2/memory/1240-7973-0x0000000000400000-0x00000000004DB000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-fr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File opened for modification	C:\Program Files\RenameShow.odt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-standard\theme-dark\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Microsoft.Support.SDK\Assets\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ja-jp\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\tr-tr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hu-hu\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\de-de\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\it-it\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ko-kr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\be-BY\View3d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\it-it\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\de-de\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ko-kr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\AppxMetadata\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\gstreamer.md	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\bootstrap.html	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SlowMotionEditor\UserControls\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\es-es\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceYi.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ko-kr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_TestDrive.help.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\wow64_microsoft-windows-directx-d3dcompiler_31bf3856ad364e35_10.0.19041.546_none_d1a00ba6af407536\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_10.0.19041.1_es-es_81c367117552d701\default.help.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..gshellapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_b4c98345579ad387\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_10.0.19041.746_none_e27e4d3a562a402e\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-winreagent_31bf3856ad364e35_10.0.19041.1_none_930e792e63599553\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-xbox-gipmanagement-component_31bf3856ad364e35_10.0.19041.1_none_98dd0a9878d62c7c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..orecodecs.resources_31bf3856ad364e35_10.0.19041.1_it-it_86b855572c427fcd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\http_403.htm	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-peopleband.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_ed79d763f906898d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_netrtwlans.inf.resources_31bf3856ad364e35_10.0.19041.1_de-de_424d19777fa7cf0f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..c-results.resources_31bf3856ad364e35_10.0.19041.1_en-us_0aff0a21e61fee90\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-networkicon.resources_31bf3856ad364e35_10.0.19041.1_it-it_2d5c90257f379a82\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-cng-keyisolation_31bf3856ad364e35_10.0.19041.388_none_a20ca0845507ca5e\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-windowui_31bf3856ad364e35_10.0.19041.264_none_e52bc8884276fb38\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..ontroller.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_0b3b5017bea897e0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-cabview.resources_31bf3856ad364e35_10.0.19041.1_es-es_96cb5740729d1bf8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..nager-api.resources_31bf3856ad364e35_10.0.19041.1_en-us_a4b3633a231e4474\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hbaapi.resources_31bf3856ad364e35_10.0.19041.1_en-us_468f592c03894065\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-wlan-dialog.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_e5c0ea6326c818ef\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_netfx-aspnet_regiis_exe_b03f5f7f11d50a3a_10.0.19041.1_none_d31059e0b2fa6d47\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..xinput1_4.resources_31bf3856ad364e35_10.0.19041.1_en-us_c549728273314dd9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vid.resources_31bf3856ad364e35_10.0.19041.1_en-us_447494df1222bcd8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-directmanipulation_31bf3856ad364e35_10.0.19041.84_none_44bf3519cfab87ee\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ntshrui.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_50c364bea60f767a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_usbvideo.inf.resources_31bf3856ad364e35_10.0.19041.1_it-it_f6cbb409409f2270\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\msil_system.speech.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62c09cff9fc4f0ac\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-ldifde.resources_31bf3856ad364e35_10.0.19041.1_de-de_92c0fed770a35565\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_dual_ipmidrv.inf_31bf3856ad364e35_10.0.19041.1052_none_bef8a6b7672fbe73\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_hyperv-vmcrashdump_31bf3856ad364e35_10.0.19041.153_none_f0679117f2d7a799\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-lsa-secur32_31bf3856ad364e35_10.0.19041.546_none_c718e46bcaf72355\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..emsettingsthreshold_31bf3856ad364e35_10.0.19041.1266_none_943a4986931bd930\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\INF\TermService\040C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wsp-spaces.resources_31bf3856ad364e35_10.0.19041.1_en-us_50be0500bcbad1d2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-hlink.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ba11f7f87e89c565\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\msil_system.drawing.design.resources_b03f5f7f11d50a3a_10.0.19041.1_ja-jp_29062be2e7c7d3e0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ders-appx.resources_31bf3856ad364e35_10.0.19041.1_es-es_7d043c6c97e17455\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_et-ee_0c998c4d8bd40713\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-imapiv2-base_31bf3856ad364e35_10.0.19041.746_none_a103bab27170fd31\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wmpnssui.resources_31bf3856ad364e35_10.0.19041.1_de-de_49e9327770afe047\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_netax88179_178a.inf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_4b328e555d39d5fe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\msil_microsoft.web.administration.resources_31bf3856ad364e35_10.0.19041.1_de-de_4d68a7cb2e65e735\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\Globalization\ELS\SpellDictionaries\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-tiledatarepository_31bf3856ad364e35_10.0.19041.264_none_ac56521bfe3760e4\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..arydialog.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_be8a1cf90a92f9f9\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-font-fms.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_e27edab5d4240b1f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-m..imedia-broadcastdvr_31bf3856ad364e35_10.0.19041.264_none_77a8daaa3ed6c3d4\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devices-midi_31bf3856ad364e35_10.0.19041.264_none_d3106e972ee929f2\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-powershell-events_31bf3856ad364e35_10.0.19041.1_none_9917db0976c7441f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_netfx4-aspnet_webadmin_security_b03f5f7f11d50a3a_4.0.15805.0_none_05eeedc225175621\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ppolicies.resources_31bf3856ad364e35_10.0.19041.1_es-es_4b500533b5e9ff92\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_wvmic_timesync.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_391ceeba738cf4a4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-browsersettingsync_31bf3856ad364e35_10.0.19041.746_none_192fd2e81c0b8a0d\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..stall-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_c4579cc09c773ce4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_4b7d699c61176a95\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.19041.1_de-de_616681ef3692b1e6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..languages.resources_31bf3856ad364e35_10.0.19041.1_ko-kr_3b083d6d47d1dfcc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-dpapi-dll_31bf3856ad364e35_10.0.19041.1_none_382a13e3e63cd773\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.173_none_6486f23c2831aaf3\r\AppxMetadata\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-xwizards.resources_31bf3856ad364e35_10.0.19041.1_it-it_28d384a08bc3e319\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\msil_system.web.entity.design.resources_b77a5c561934e089_10.0.19041.1_de-de_1d85debc0cf5b6a1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-energy-winrt_31bf3856ad364e35_10.0.19041.746_none_ebad89df23385ede\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-msvcrt_31bf3856ad364e35_10.0.19041.546_none_af4e7d20fdb56824\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-rasmontr.resources_31bf3856ad364e35_10.0.19041.1_en-us_d5d2edf4eb729cbc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WLBBZNKOEAWJDDA\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qAxMr02XPSFEbd2.exe,0"	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WLBBZNKOEAWJDDA\shell\open\command	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WLBBZNKOEAWJDDA\shell	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WLBBZNKOEAWJDDA\shell\open	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.crypto	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.crypto\ = "WLBBZNKOEAWJDDA"	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WLBBZNKOEAWJDDA	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WLBBZNKOEAWJDDA\ = "CRYPTED!"	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WLBBZNKOEAWJDDA\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qAxMr02XPSFEbd2.exe"	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WLBBZNKOEAWJDDA\DefaultIcon	0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0db31955e3dc63769545a494d23cb356_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt

Filesize
32KB

MD5
60a5b6e7226aa2953639a10b40e09e90

SHA1
f3fa3e41200b5bf240ee881a2b5074f11052682e

SHA256
902e5f5b560306db445ac674b2e5ad710980a3f1bb3e2d4bf07106857fef102b

SHA512
ecc55ba959676087c3f789ea431b3b8b55ebf877540fcdcd78df0937ac1224cec0265f66fd8ba8a02cee79f4436c7249cd93422b837a35b7af7689403df1f281

Download Submit
C:\Program Files\7-Zip\Lang\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
443B

MD5
ab1a8fac5478e77d2c9351652cac7288

SHA1
a7843a4af990fc4b4dfb484549258eef60037e22

SHA256
e6e856e12d2b572b2353642380b78c3a8d9333615a42034f1ab0121c976ca242

SHA512
25dbd2952db75f31df0b61541dff7e2f1d27b2760ce478c9cd27b971cdd05c1d2bf3d69fc9b1390ed20c3741c0e73cf90ce22e3606a2428d7cc3d02ef5a4a3c3

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
190B

MD5
bcdf3f15ad129ea9bd15620e45a1e7ef

SHA1
6634712da51e6dd98751f9f6fee280634e64d73c

SHA256
8fd2dbc100501c36273ff391aa32ca02fd008fd075b21d6242d0a32e58b1a3d9

SHA512
6c95f72c54b183ad8f2fc7cf5f3347c5658ea6f0a2b85ffc0ef59935f77be3a25dcf2ccac5b33938e2e6886a47cef004e7f40b4358b1199eb380fb8eb2156c41

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
190B

MD5
fdcf4b3d007728938790cda448ce1c27

SHA1
cf217d2127aa70feee068e117234e24ae8fe6c95

SHA256
f3d0651bc497a688d1506003a1fceebd84dc1ea6bf14de2ca5853cf051da9110

SHA512
8ccb7b449f18ccbe96e484904a671c34faa33bf73f0e691feb423471424762701f54d679b2d2ca768172b85f460390fad91704f701fe2859330ad320a1997554

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md

Filesize
1KB

MD5
83c92362cb4c669599e28dc2a8840e8c

SHA1
9085382f66fbe5f43c884b7768878b15b40c1a59

SHA256
98e31b85f8076021e40d111d5b3c9e07df99673b1b0f0fe522c978b4f6abb7b0

SHA512
2035ca9f0c5a827d5a039c71118b89b998371ae1431e0ddd51469e0fe8b4ca96465988687bf9598f868f59284dc3ef3c49895022b2660933c7bd0fd98ccd8647

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\glib.md

Filesize
31KB

MD5
b655d0e10d5cac949a2440020c0399c9

SHA1
9e5c53e17408080d8a149ad5f3f0c11584648f95

SHA256
998ffc8dc045b56302d6532f8ea8d2c6ff0fe9d8907668dd60772c2d57dbf749

SHA512
a2ec64f8115172fe302314c7a2ae0bb5de96db020f47ea55a30fa6503a1787897fc20066d10bcbcdff1f4e173750fa6396154fdec9f93379210d5079e14f18b2

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md

Filesize
34KB

MD5
dd82ea2d0d2ed96db2157d9a198a617f

SHA1
916a6361854a389a0c3645f3b37c72df05227f65

SHA256
f96951d05031b596dc644df025c4c2606c03b3170a400881d57f5d5540f418b9

SHA512
5fe104da70af6a712569389c619b08e65906ff0e7d7bf41a01410818ba9d04629ae5fd46b44a587381e786d10260559e106573f0c1be890069cd62c3bdfcc74a

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md

Filesize
23KB

MD5
1dcc4876a702cf4b33a5b660cc62af54

SHA1
8aa730247ff3754a2f439b5ae266b61e643df7c7

SHA256
d0f1889eac6396eb15bddbf5906311790ff13a53cc1a47e7635ac8ab6edc9488

SHA512
e0359dbcb65402eeb8417a7ab52fe830dafb6f9fb73c38605381955726796424ccdede97b503e2684a01790caae3c89d4fbfc85f54e3b8d709483845f4cfe8dd

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md

Filesize
2KB

MD5
19a8fc8e7dd377c21f570b68a371742c

SHA1
18cfe0b5dc7642f9d786b235102158545e51e96f

SHA256
48d9d628d0b99621d8bd77ab62ea7962d64d7a4187f6358e5502d758ac48951b

SHA512
1e271f4169dd8aadfdb220d659368926d5efa069b326e4e6f980f5a1b4631050fd0f810d6b5549714330bbbd52d703ad74acef0cb9386194c06371d4c440d774

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md

Filesize
1KB

MD5
eafd983fc5f2f15adf3fb5bea3801703

SHA1
ad09c003ccda50d94fee9f93454e187648faa7ea

SHA256
06557cda85fd5bcee0de5730545f5137cd5c2b958d4a3647e43264c34c10e5bf

SHA512
0b22624aa9f8c7eda6bf77c29be511bc505618938f0b3e1a0a9b930ad94bab2b33fbf2233287548a8351c300d19a3dcd685e699899bace719d87d7dd35883cd8

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md

Filesize
3KB

MD5
2627363b5d0369c38ce51b5e7d4d7c33

SHA1
e3419be0155922919397d1323b96c2f4db48380e

SHA256
bfe3912b264efc42211ea9bfc28cf276fb002ab0588c1423be8de43199df3d1d

SHA512
d0468b9ad4cfcfbff240e5c5a08107d90ff1b70462c32c26ab00af17467fa3823c886ab55a10d1629a8ad9033a0a4ff2681cc1463169089619d9f93fe12afc38

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md

Filesize
2KB

MD5
72f3516849e63d7938283e57df897fea

SHA1
2cbcb4498aaee5dbfa39ca41998075e49a06ad30

SHA256
8e193b6e12b4cb05a6dbe567969f1809c02fae753bf0eff077b44329df6cc22e

SHA512
cf809d985512856ae0fe4e07c87b1b2075f50aeeed3376aeb6c56dc3872ff5fa363d8f64eee0b03e06c95fc3dd555dbaca9396a28a129ad01c64b32787e8becd

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md

Filesize
5KB

MD5
d87d4e007175d3e32f43d84ad6901773

SHA1
35a98582f69045369b166ccc466f7256f265c7f9

SHA256
4e801780ff227edfcd8ac602a636d4abad0a6aa9d96ff38f91c000884728369c

SHA512
a9dd8707b71e2d84022ecdcde09eb46f46095223344a1bea007253357dc752b304fb0fcc80f604cdd12e42ee03d0d80d5854d4a8d8cb889e0bc9c2c00785b420

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md

Filesize
17KB

MD5
772727826447058c5d72cb7e126b95ed

SHA1
451baf31ad5eb27196c78dfc8d065f95b40e1b74

SHA256
f27d21dbf36116d4c01fa3be1033796c3c1ffbc24409db5dddba41f59a8b7802

SHA512
e8180a47775f9f74875ed4e32b5299107934cc0c90c90adbd66a86e3cfb622cebd446470b6f2584ad49863700b21a1ec63477845b2885242aa572e7dc2406225

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md

Filesize
320KB

MD5
5fc06c971107948994b7ddd396748692

SHA1
cc04156797997d6765a8e97fc35ecade1b7ed3c8

SHA256
bf49b4de5a08ce43fac4edd0c4a9b6e2ae86271e2f77ff7baac91cbde68e279f

SHA512
b2062fd347196310ea2be356e2f18f702be97fc64edaa63c2b5be17728799c337279976ca510a9e78f7f7a62b7e85c5fd651678b437ef8eb9e4c5f1cbd13c972

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\asm.md

Filesize
1KB

MD5
ed38ed9981ed786b957a354a87173138

SHA1
9765ac6c364de37672a795e8f454d1c0c743f666

SHA256
d585cfe02bf55ca3255cbe40289f64b25bc9538ac4ccdc114370d4a3d23a5d61

SHA512
7938029dfc163fffa4859a9956ff9c39aeedcf0fcf652d0c43072e3442236635edaf62838f5337360cb7abbbab3fd4c9c3488a1d78658a0a295d4530712fce72

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md

Filesize
10KB

MD5
e06c57271dd52cdbe4582bccc14881e0

SHA1
8ab73fe058823773e83e15056ceffce3612fe04e

SHA256
9d540dddcb15cd51ddb0d0a6df7e45e637c5157375e2af39c62eb0ef85c355ba

SHA512
733fa7f96b6991831209361f1bcfabfbf6e7ff2337e934ae3e55ebd9806e556b957afe43860a07dc34e9d8d2aa9cfd47f65775d6cdb1c4b86893c9fd3070cb46

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md

Filesize
3KB

MD5
947704b78b27808625b41ea10480487e

SHA1
e3e169822bafe682cb638b15c9ba4bfa87768260

SHA256
0d28dee6f9b42f04241a493507aacfa362c86f7857da8941ded15b7755406874

SHA512
877aef79d8d50166a6494331261110a0df050ad65cf344d3487dd814467e5ea09c253226e5243626aef952ae52f5e954fcf9430b43fa098278fce4357db92a53

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md

Filesize
162B

MD5
0d8a4e1e48beb597783ffc22b12ff6a5

SHA1
f568b74b6f5c28455ebfa80859f22b2c104e9161

SHA256
a73d972bbb74c1064eea1b7acf5f9aac5d6fecdcb379dfcb003f399cabc6c7d0

SHA512
7c290d271b00b235f5949dfc88e17f56e5e58ea96e6ce351f7f7500dee39bae0954ea0e974963c93cb59b584cf02cf2d4fc65a1671449e3ddebb844960adac2e

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md

Filesize
1KB

MD5
1543f22c9059cd0cdd37f15adfa67056

SHA1
8eddf494226b3f148d04147e7199a996db6f7598

SHA256
64896e381f85e37dcbb82f6ddea93a21ad96944f15c6fdcd7b22866b0200c1bd

SHA512
e6d12cddcebbb0c494ee0de87acb0f55b8ccbd583b059f6efdd6a74d12c6ddb362523abf2449a66d16f63856525fff6c61d4b9ddd2d609a78a9b8d176eeddfe6

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dom.md

Filesize
3KB

MD5
3509e7c40dc24a44ddc2804698a8f44a

SHA1
7c3c9fac018522603a3842fb559446e1bd8c48e3

SHA256
96ee0bb6f9069363c1e6c9c10081c0c7044415e7d199d35798eddd76f4a56a15

SHA512
605d6d99bfc2317d21dd463ffcf35a71f1cbf42bddabf9d8770e8c7b5f41140c4b8cbb25ddd35f011522554492a4bb02ab6c0d557dd9af2ccc9518ac8b48a73a

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md

Filesize
1KB

MD5
60ff3f956b23903a206f6d6011b841dc

SHA1
bc584b022be7fcc9127df7ea4028f07b250cecf0

SHA256
116d0912c981ac53f565dd1d5c14bdc315011dd38f6301f7c8402fa196768137

SHA512
a57f431463e8eb8e28650bf3439a2481aff3e66f6a6cdaff64fecd093c5acd4dee2738508e958e108d74f75b769a49a858491494f3b16b29a169321c19d6ae46

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md

Filesize
28KB

MD5
eab29e27c79cfeb853d8715f740de296

SHA1
c38faa446fd263c7603b59090535d5d00e271f6c

SHA256
6034a9ecbbd77e05563cc31afa6ad0626701b5f74e56f483133a870a8c09e0ea

SHA512
9c7ea6f30a3b6ca8cf4f978d35329e208a156c46f4b10a870d65d274bd287853bd8ed53569490f7c25312b9edf31b7496225c62efa9f3d305f8b99ddc56cdb83

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md

Filesize
2KB

MD5
30c4ee824f8f547b50bdc031b8db04db

SHA1
7954414ab7697db7430c81bf9ab89dc5b869b1dc

SHA256
aeed791efd56424f56cf5aae2a43e57a0288e0943d7ea633390e7369f0f3fe73

SHA512
ba867078130ca8e5611ee77aec0f790cff16801871a31c43ab2c05a16ccc58e090b3125a9a4b57d03b8a642f9f7222ade5f517a8d0e286a8651c07bd83038b5d

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md

Filesize
1KB

MD5
b693e1168a0f06e357d1fdb851db4a89

SHA1
4650e144616b4582be9d68e195adda8ca6b18fab

SHA256
2609ba6a12e01edcffa0f43f992cfe8212054340605cd480117e262eb59852e1

SHA512
29784b077007d5a17b7dc8cad3c2f00a68fb328b9038cf7e14a9b4099568cc1680522c855c54572160418d055f07c8f7e9b825b4f75bae398ca634a679f5f8ad

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\icu.md

Filesize
2KB

MD5
9f391f6b4ef24df1c2af4da56e6c23d1

SHA1
5c4b8bba288f8b4ee4dc12d7234470c743e834b2

SHA256
20149227c1b288b60f74eef3b462d5d174b60a0c0e11e5f1fc7955d558aa2405

SHA512
3752d837132d26744f89ccee652f0064661c0b8297c46405cc4510acfc0864478ffaa616a5ebaa66644f66feaa269ea0e21f13241fb286790605192855f59055

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md

Filesize
1KB

MD5
e74d2772a833a24c000d2130b383de27

SHA1
b81358edf04b446433625165c63c7d0caf58f7f3

SHA256
4235f44f93c9a8027d3ec342f56bc297e56027b60591f9276f912d2d8ef6fbbc

SHA512
3f5a148c50ac7e0b57194c6ef6ba8b6fea92bc01225403d682509a448f8a9eb1f9cd02a0093efa113644a38689a4bf2a10cbf62fc0631477670768f3d724e9e6

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\joni.md.crypto

Filesize
1KB

MD5
0b59d8f53896cb640acebf78b4b5aa5b

SHA1
67ae5c08c9242cd1f74e09dd07d16516a3c74547

SHA256
417ae4155f7a2c5794f458a433d1347c68a73f307f9b2b682c92c84ae0b393da

SHA512
bb96909488dc11e92614359acd5af41ea73a1da4b20e01930a5c8fb712092a690e9259ece6f8dc4965a8930c18f18513b09677866200c68cad1f126ac91538e6

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md

Filesize
1KB

MD5
48b9daa52b02b6ba41a8a1e03a4b3054

SHA1
f7683a615411767e87ad21e3bb0e10e557caf9de

SHA256
8e3f6d1b750e0c6e4a02511e7edb0bf9feda15bc7ec228b3ea302842a58d445a

SHA512
5b32596a5b1d7c54642d4b5e73cac7ab6e95b422f6a9863730a994c6104a8ffecf6dfcbf4e83b45393791ca61a572e1e90667eb15eba3ef3a7b94a7479404d68

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md

Filesize
3KB

MD5
49cfec4e85fa0fc99d718bf24fc4ecd2

SHA1
b1f2c87f4ce714f4571caa17e6321237d4d36c4c

SHA256
ed2b9b76153fa0b1a2888f56d70808f83314b920f1df83c5224ffb392d69d720

SHA512
8a92d0b98869d1d3d92ea5956237a008689f16bf992976b4634f8db919e20b5dc0e341b5898f0f4d1e9cbe21448df0c9d42ded81209b39eb94190826a556a349

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md

Filesize
2KB

MD5
c87e618a1a15a104a149884f0c79d1bb

SHA1
025f41f9ec25e1e7d2bc3e6e3183d2de6cda0cfa

SHA256
07653b6b60c24032fb65bb7d606850386336acbba847a994914e54cc9706a66b

SHA512
7b0a23a1c1c9d0bb4659e2148bfcd758887835e5016049ead48c1db09fb814581128a087d75adefbec67e571c5dcd792b6941001c2dd06da828f1b8a25227476

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md

Filesize
6KB

MD5
24fcb74d86cf168cce3f5e9d6b596e7e

SHA1
272d70a808b2ac7507e68201ba7665467d480eab

SHA256
c150f74442b57b064a6fe637588f4dc6bb6508daff6a7e6a57ee7080041e4fc0

SHA512
9ddf73c6f2b9c819c9426a849ad6073bbe912fcbc30cd7fa0ee50a5a3af2dc62af0e138864101953054d8da30fb59890595f8b5f5a2ab219170a0f244fe2e35f

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md

Filesize
5KB

MD5
73b45d2cc44bbc1a762be726f44659cb

SHA1
344dc4403011d2c74232b42ecebaf1c19231c159

SHA256
aba922bf2045166efdf3d0faf06f084252e43dea7dd6582d72f494f52ab7eb9b

SHA512
f9530a7b1cbbee5e6e7b6db7bf78dc7455729e973468313adea4ca26729eb534739a2398d888f8a595e42821f4b9d22831752f6d89c9194bd648408ed3b64fa1

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md

Filesize
3KB

MD5
61b32824dd6ddf920921a2cf04abc14d

SHA1
4e8e6d15f095298de7bff7039d99c9cff33a2b3a

SHA256
e11c9dac0242e85492c1c8672b3824b0910fb1814d2d3ad91d713c65201bdd68

SHA512
a0fbe00a6122a5049f5307b6712aad0f014ce8631f7e7a8f37e9ac80165d0f6af67f57a1517e3d88685c0d2da8d9dc78e88be14ed22054292386f9e05cdd356a

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md

Filesize
2KB

MD5
806e40a6ecc6ed7c4f9c1a38273b1c15

SHA1
8c655f9093f74cc505590eae8aa354a927939c29

SHA256
56475cf9c977efdfbe5ca9068f5bd45ed70e03491e2cb22ee6634a37abcc5a84

SHA512
cd812172b82934a8ab49d1bd2eb2a907d949c2f14f0cf29ae834fea23eea2ebd8601cb0a727b12f33d531bd48fa74cf0aff7b1bff06cebe02353864db85a8ac2

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md

Filesize
2KB

MD5
46bb8fe95d4a35cd72b3f9757953d10b

SHA1
a01b8fa13a1cc0f23a13be0a2be4d05af90345ac

SHA256
b3bfd69aca6390bcbc03e266158fefd8951848bccda63703ec17a407e95a8100

SHA512
d351b5d4d0b9fa4f8c53ebdf696ab345ea2f870e32ef080423f6ae44424f658343598c63211b38519928ffae965c6e2d27f4e376167d92aed8417978c9d7ffd6

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md

Filesize
1KB

MD5
d3d42a439fc1c2bb70e876047df2f6b2

SHA1
68f35611a5d1081920e1b89519406d643fed5a63

SHA256
4c7360ca78883afe42db62906a2135026e53aa2a5cd8bfda0ffa27690130258a

SHA512
b0ef17d39247a5aebb32d3ff824d1ee1aed10f0f6b1138e1e65ae68f1ab73cace7936c5a55a02ca18aa2a8b832a3dadd4daee63f8bae6ae3257c606fa2dc9d01

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md

Filesize
1KB

MD5
c3387798344a23d9b377c42a5d9d2c39

SHA1
7629ae2b4c3bfb3ccfc05ea57e16386f35c8558b

SHA256
93af6e8d7927355988454112a28658d6c00394f6cc9da19c11c5c2abb1df2247

SHA512
f1eb0e7d717c81e44afaf1fa3592a8d4925fadfaefd19d4f70979b5fe087bd9e3051b77404fc9387100e7867c00dcdfa28dff500b013add4243e17c69394db7d

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md

Filesize
11KB

MD5
275765d6ec9050f4e5350678a390d9bb

SHA1
f88b9c2fb0ba4cdf75d9f9b2ae8023671bfc895f

SHA256
1c4054ac13e8d7679347ff56c36f4ceb5e8990e0ac38c05597f92f85b9b67b16

SHA512
6265bc0ab5f29967a2f647a9004fd1f9d5aea60e5864b17f268de232464268a269e3588416e7c94376837265c132ec85c6d7820f74133b0e66e08d0b0e23fc18

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md

Filesize
1KB

MD5
d4d12392ee1f8beccd70dc09f5eb9cc2

SHA1
caf4a4cab004b8eeb3b2962a638bd5697525f0e0

SHA256
dcaf3f9dc06e03dfabe096d45d24a229b7fabeacf9e0d2a8d097eff68b4b3a36

SHA512
328751f55d593795db1243400ce425ef65c877409ebd96d4b63571526c5e183748de566b20fef2fff04101affcf21198aadafb3831a27b3304d846b13b3b9f20

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md

Filesize
2KB

MD5
cfbb4cd39c8dfb59ade047a36cd414a3

SHA1
d04343835ab33df64e2e0619b68fa278a639da84

SHA256
621898792fd3cf441ab6944edfe335109471936b9d9e9ce871bcf9bffd0af0a1

SHA512
1fc3d6665756f2100f3fb6aff1fd367a5a8313fee75ae7fb0753783ade3b09f72527e1abbcd24420dd0136a2be16d25a0d76840ea27a944884167c459dab627e

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md

Filesize
11KB

MD5
107695a89003d8b62557069420bc7d24

SHA1
411be7fd990e319218329e31153828f3d658253a

SHA256
bdabfeac614bfe0538d2d49a5c29279b4c86e3671fedf5ad2b63f2756d61a6c8

SHA512
60fdfe46c9c5cc1ceeb7e4cc37d01a23a6c9b47c8972936cd09b74986d3e8575d5c3674ee6d13fdf3ef78d6bdc7f7501dec5ca5162b0d05c33a903209bd9416e

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md

Filesize
11KB

MD5
27edc7bdc292525b0704eed6f6aabd5c

SHA1
2967bb793937bd6a5840651803c8b7e0b419b72c

SHA256
7a2da2f29e10662baa4903077133960ded11b0eea8eba52771561d72c6b59219

SHA512
27f607f6aef00d13b963687df24b32d5f708f2e35689ab32f8227ecb90efe3e8ed43c2f603d32e1d909cffee9175efd715bdf5680efacfb0055af95e45dac697

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md

Filesize
11KB

MD5
a502562d308fa01c204a2e32f949b7f8

SHA1
e09cb31fef0ed67b1902228a9163805e0aec06b4

SHA256
f7d2209fbfaa7aa9b7038b5fb5f24a2c0ebfc9775aed6fe7acdf54419c0befde

SHA512
694e3714407c47ab045f376e770ffb14c231a5fb20c8176b8dfae264c1ced2b4ec62fb2f0ade3751d9ed42c1981110a551725ef7936710641feb90c93091cad3

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md

Filesize
1011B

MD5
5df39251e798f7952baf496d75e25455

SHA1
f50e1847a5feb6016a08b074057400a0dd9fef98

SHA256
b49aa7839809f72144061f07c1767c89d34bc8abb10356d71cbed0966475c6b1

SHA512
07074457049f1abb71a6fbacc9d784035a1c23723b05ce49d4fc704cb12aaeed2504a772a64296e516919d1ee68ecb610e37e99fb3c5b2c3af68aa0d39a79705

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670753844819229.txt

Filesize
77KB

MD5
a4fb5c4207e62d0bc877d0301be7e9d6

SHA1
6fefb8bed55d12cde5ad8c92071a34c427ea0de1

SHA256
d56efe59541cebb0fa0abdfddced0e6eeb868b7dca17a43669b49ddd97aede85

SHA512
63933cdc45a1f322deec779186b2302a84e08135af4a7e40487b9d7d8e7ab3ecf0fed66fb5bb71cb97f81083a693e093365e704d24bb2f6e17ff95b520895347

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670754404913880.txt

Filesize
47KB

MD5
1532aba4d89a92db7b69f2cfeed319ff

SHA1
9b5eadaaf4123c02c3bfd3c262903240471166bc

SHA256
b62d6cb7d0e75f562b8d685618c942230f40196cec9a82053c166cc8a201d50d

SHA512
ae7c03b460fb500bf14021a833a4bf763c466df12e9e6c652e3b41beb6519a86ef157a964c20e18eafcf9dbfcb641f9928d4738ac7e3e904a3059033e732d198

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670761474704088.txt

Filesize
63KB

MD5
087a856ebab7cd1b9ca567b30fb73f36

SHA1
1cf3ba92ef5b03a014620a2a41137067261658f0

SHA256
f281d16e483dbe06b714e5e888b4215abfa1254e3b1500d56aeb53990b43c9b6

SHA512
bf7621550aa61daae980a4a89e70599d74d6e6ee9fed8338f1d0753f0ea76edb661a760bde8e8f064435ac0a5cbbe6250b792fce0cc8efdf9e49ad604b4ac2ce

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670764101374726.txt

Filesize
74KB

MD5
76c3dd60af00f1863b12cecf962dcd26

SHA1
bcf98aa9880d62d63b35903bc5204e13725d5cce

SHA256
416d86bc8434f00c041f3f0f786e64608277ecc773a000274a922e7e5de8388c

SHA512
4670d21b96768c8f6122a171b27032281d4820c62a100966ff5708af770a6e5a06a7ecd0fb786a4e1de45f65a231b91b16dd5e71848c16faf2d34929e07fe266

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
422b1410796993a0761f3b0481d695a1

SHA1
3d693d2cd9a1c5252e0f711ed2f6c778c12e343e

SHA256
56056c06ef720ede6b2d32170d106c47a89df363311023355abe73a03c4ac70c

SHA512
97f61439522d406f84b6945398393145628540408f49276c713f1883df56498102a727305cf0d7c4d93c4372d9de5ea72236910d3d9a3c48b629d7751c2d3760

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
922e50651c24f3424e2e2bd773663180

SHA1
1ae11c8456026eb38b8f8bcf17cdee2f5d22c1e5

SHA256
80f7be09e6bb92995f232a1fe6cb917ffa5b8ab8f43761888511b7f80a3d81da

SHA512
c2ec52cad05705cab95b3305017ff028127e7f3e63828b6df63f1ab3ec9b7d402e21bbb44ddd7ef6584fcfb0c746fe6fb1b55c8817635e0b4d2ab7b871e87397

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
12c869d37530a531ca957bfa86cc1bf4

SHA1
4bec4091f1237320d66a0ef028a137ace96d90fe

SHA256
c66c900f25a1e8fa2f4d95d3eb40a1e77844d10856f708cc5d4b65434d7437ff

SHA512
4e61c33bc14539e09f98e6cec8a1d05ec6aca8e78c0f48917572352f8501a0ba316299788eb72c08e0c9d93cab291355cdc0bf2e12f769edeaae7f8539460114

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
72be38ccc391bda4c5288e5d6b6242cc

SHA1
49ccfb4921d4b7bf39ff80e7fc6f4af4cdef187f

SHA256
9b68a0dbdb29d47039f7498f20f7863f8623b7aa87b53b40304fed2dafd46801

SHA512
8a26dd418767f50af2c937a60c9f27b9dbb647d65e2ec90cd5292131c24609f38b277ff4ea23ce342f751bff3c19c52a1daadbe815e963fb51e1a9d7ac64b4d9

Download Submit
memory/1240-0-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1240-4977-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1240-4978-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1240-7964-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1240-7965-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1240-7970-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1240-7971-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1240-7973-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads