5dd845c0861818ed3aa58f35ce4d3d011321d55416760164a92b130a491ccbdb

Analysis

max time kernel
93s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
Size

12KB
MD5

f7b6f1df60e645ba475349da94127061
SHA1

23ee2a41565755d11f817ff78f36c15484cd39ed
SHA256

5dd845c0861818ed3aa58f35ce4d3d011321d55416760164a92b130a491ccbdb
SHA512

c3e1563ec243e4e338e49236451eb5cde5547b0a6fe667a7b78394576ddb01b7024d93e697c51b2a6b50e792cbbb61612b5fb6d2aa14d8a5998edf1375004157
SSDEEP

192:y/TrG62a6B10k3g4fXk1iTV3HGc7EkpAqEjvu2q9C/YpXnAITZfPtRMhN:yebFNw4Pk1itKkpAjjI2Ypdmh

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\uk-UA\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IhZKoaBO46k4cxD.exe"	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\netbvbda.inf_amd64_06bc8afcd2617abf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migration\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Configuration\BaseRegistration\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_modem.inf_amd64_8cddb75e34142905\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmot64.inf_amd64_2afbe7d3ad20f42a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_LogResource\uk-UA\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DriverStore\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_processor.inf_amd64_4431cc603de6e020\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgatew.inf_amd64_7e6c377859cfcb7c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\lv-LV\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\lsi_sas2i.inf_amd64_b4e933c4540ad3cc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msclmd.inf_amd64_d677afecc5e43162\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\en\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmnis2u.inf_amd64_0c5757ecd1574b3d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Dism\it\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Com\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cdrom.inf_amd64_28c103304ddff3c0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netimm.inf_amd64_8b2087393aaef952\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_LogResource\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\WindowsFeatureSet\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_unknown.inf_amd64_9f92c189b415c003\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\de\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetNat\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmdcm5.inf_amd64_a432be022b5f8139\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ucmucsiacpiclient.inf_amd64_a233292790c69f03\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\CimCmdlets\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winrm\0410\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\bda.inf_amd64_d32fe6b1c2b7b2a5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_apo.inf_amd64_a261b6effa32e5a2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ialpssi_i2c.inf_amd64_8e00e1aed7fbdf70\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rspndr.inf_amd64_4e80c2bb5314f071\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\virtualdisplayadapter.inf_amd64_bcc7550a6e285f92\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Com\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Dism\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\monitor.inf_amd64_8a98af5011ee4dc6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DriverStore\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaiwa3.inf_amd64_ff37da248ddd748a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmjf56e.inf_amd64_07bca0bfd5173050\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmkortx.inf_amd64_93b84ecb5fd1cc85\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\xboxgip.inf_amd64_90ed6b3fdc759a5b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0009\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\it\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DriverStore\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Dism\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmeiger.inf_amd64_05ca2a1836c16cab\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\sisraid2.inf_amd64_845e008c32615283\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net1yx64.inf_amd64_8604d8a50804b9c1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netmlx5.inf_amd64_101a408e6cb1d8f8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwtw04.inf_amd64_c8f5ae6576289a2d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_c62e9f8067f98247\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMETC\applets\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\compositebus.inf_amd64_7500cffa210c6946\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\heat.inf_amd64_b73306c081719f1f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\microsoft_bluetooth_hfp_hf.inf_amd64_0c00f8f3a465c9a4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nl-NL\View3d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Services\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ml-IN\View3d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square150x150\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\MixerBranding\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\es\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-ae\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sv-se\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\Common Files\System\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Lumia.MagicEdit\Pages\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pt-br\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ru-ru\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\SHELLNEW\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nb-no\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\uk-ua\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pt-br\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-fr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-ae\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-cn\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\AppxMetadata\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-tw\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ru-ru\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-standard\theme-light\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-cn\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\AppxMetadata\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_4e193eb76ed5f8cb\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\es\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..languages.resources_31bf3856ad364e35_10.0.19041.1_lt-lt_ded3696e39f9ab69\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-xbox-auth..component.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_8118032491d56e24\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-c..-migregdb.resources_31bf3856ad364e35_10.0.19041.1_en-us_80f7d3fdf5734f5e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mmdeviceapi_31bf3856ad364e35_10.0.19041.1023_none_d430a477a2e7088d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-ddoiproxy_31bf3856ad364e35_10.0.19041.1_none_ffaeaf8ad1d2f8bc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_c_fsactivitymonitor.inf.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_4942b4ae1c2b2856\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.1266_none_ab5bdb26141e0be5\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ineclient.resources_31bf3856ad364e35_10.0.19041.1_en-us_02abb9877c778368\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_netl1c63x64.inf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_4f95c99cad03b11d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_ja-jp_d7c2226e3af6bdfe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..e-apphelp.resources_31bf3856ad364e35_10.0.19041.1_es-es_3bda9dd0315f7507\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-l..wslconfig.resources_31bf3856ad364e35_10.0.19041.1151_en-us_e99391a00c2f22e4\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mystify.resources_31bf3856ad364e35_10.0.19041.1_de-de_5ae93ed997321526\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nlasvc.resources_31bf3856ad364e35_10.0.19041.1_es-es_2530b174f29f449c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..-coreinkrecognition_31bf3856ad364e35_10.0.19041.746_none_d5e636c38e22b9d4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_netnvma.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_2a25d156d7c8926f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_networking-mpssvc-p..l-windows.resources_31bf3856ad364e35_10.0.19041.1_es-es_da884694ac317ab9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-r..ne-editor.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_16652bf4c60b7ed7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..w-capture.resources_31bf3856ad364e35_10.0.19041.1_it-it_ba4b5689caf3954a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mlang_31bf3856ad364e35_10.0.19041.746_none_34d8964542cd9304\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..ce_iassdo.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_cd57804f958f6821\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-o..chine-dui.resources_31bf3856ad364e35_10.0.19041.1_en-us_e986b544794bc612\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..clientext.resources_31bf3856ad364e35_10.0.19041.1_en-us_1c3443458d3a902d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_wpf-uiautomationprovider_31bf3856ad364e35_10.0.19041.1_none_ba8dded92a4f6992\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-a..-provider.resources_31bf3856ad364e35_10.0.19041.1_it-it_42d7bde3d856d1d6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-msvideodsp_31bf3856ad364e35_10.0.19041.746_none_b7de238f30df0c06\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_mdmcxpv6.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_2a387aad30183628\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_1f5866fbea0202f7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wlan-adm.resources_31bf3856ad364e35_10.0.19041.1_de-de_3edd4a5c6bc689ce\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wlanconnectionflow_31bf3856ad364e35_10.0.19041.746_none_682e205fc6a0eac3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_msmouse.inf.resources_31bf3856ad364e35_10.0.19041.1_it-it_140b8b90ffa02a68\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.resources\v4.0_4.0.0.0_it_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_mdmsettingsprov.resources_31bf3856ad364e35_10.0.19041.1_en-us_7d9448bdc3bc97bd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..s-service.resources_31bf3856ad364e35_10.0.19041.789_en-us_a5aadd9a922e768e\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_product-onecore__btampm.inf.resources_31bf3856ad364e35_10.0.19041.1_it-it_758b3150cb920fc3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-p..worker-v2.resources_31bf3856ad364e35_10.0.19041.1_es-es_48d51fa06b37b7e7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-winlogon-mof.resources_31bf3856ad364e35_10.0.19041.1_es-es_de774dbdbed343ef\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-bcp47languages_31bf3856ad364e35_10.0.19041.1266_none_1984cb98c065cb99\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-mediaplayer-wmvcore_31bf3856ad364e35_10.0.19041.1202_none_1fd41533d2b067a4\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.Cryptography.Encoding\v4.0_4.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-diagcpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_151a8d724feb8d89\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-o..ap-rastls.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_544d7ac51bb5d6d6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..seraccountshandlers_31bf3856ad364e35_10.0.19041.746_none_71518e1c3be7c131\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-tunnel.resources_31bf3856ad364e35_10.0.19041.1_de-de_83b59cb41949fd21\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_netfx4-installutillib_dll_b03f5f7f11d50a3a_4.0.15805.0_none_4e21a5685361a7d8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..xperfcore.resources_31bf3856ad364e35_10.0.19041.1_es-es_fc3287825d14c3cc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..yer-wmasf.resources_31bf3856ad364e35_10.0.19041.1_de-de_67f257fde4907f1d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-rdbss.resources_31bf3856ad364e35_10.0.19041.1_es-es_dab374ee06ed7caf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..holographicruntimes_31bf3856ad364e35_10.0.19041.153_none_d3b31db7b7c73bc0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_msclmd.inf.resources_31bf3856ad364e35_10.0.19041.1_it-it_b34f49c11e1c36c7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\enterpriseNgcEnrollment\views\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\SystemResources\Windows.UI.PCShell\pris\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..ineconfig.resources_31bf3856ad364e35_10.0.19041.1_it-it_5195fed03a154911\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-cryptsvc-dll.resources_31bf3856ad364e35_10.0.19041.1_es-es_5a833e6a9610bb60\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-networkicon.resources_31bf3856ad364e35_10.0.19041.1_en-us_a0b1c6fbb50cacfd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-audio-volumecontrol_31bf3856ad364e35_10.0.19041.964_none_ae5ec9e59abc05e6\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.Entity.Resources\3.5.0.0_ja_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-appx-deployment-client_31bf3856ad364e35_10.0.19041.264_none_93c3704f3937c819\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-ie-f12script.resources_31bf3856ad364e35_11.0.19041.1_en-us_0c9d3f1b1383083c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-msmq-http-files_31bf3856ad364e35_10.0.19041.1_none_4ad2339ccc4f12b6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-choice.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_55d55c766614b9d1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "ZEDXTPPUGUDHYFG"	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZEDXTPPUGUDHYFG	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZEDXTPPUGUDHYFG\ = "CRYPTED!"	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZEDXTPPUGUDHYFG\DefaultIcon	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZEDXTPPUGUDHYFG\shell\open\command	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZEDXTPPUGUDHYFG\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IhZKoaBO46k4cxD.exe,0"	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZEDXTPPUGUDHYFG\shell	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZEDXTPPUGUDHYFG\shell\open	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZEDXTPPUGUDHYFG\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IhZKoaBO46k4cxD.exe"	f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f7b6f1df60e645ba475349da94127061_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
280B

MD5
0f8f1bcb3bc186c96cc2650fe18652cc

SHA1
390735204b42718da68e76c38716d76ac5fc64af

SHA256
b6f08bae98a0d74b6fc972b3a646c444aeda602b48bc67aa83f048784e76b6f8

SHA512
f150a2ac8ee1cd7f9d23d7ca68adc4478824691363e86a4a37e60156ebfee7b629ec5d0df454a1ae16cc788bcd0f1eb2d056a8afa8f5b018164b1b8f2bebccfe

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads