xorist | 01ff93c24ee23fd5842e7fb3890edc8684aa91d241b3deaa9f6aa3cc316a3888

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
Size

74KB
MD5

f9b35851b1df0d9c5dd5c0538b983265
SHA1

ce61134ea776e13ad003ea110ea2da513a241833
SHA256

01ff93c24ee23fd5842e7fb3890edc8684aa91d241b3deaa9f6aa3cc316a3888
SHA512

412469517e411288e10df11d5171cffd3cdbf468aff95bfbb208734c758fc1875c18030ad505b51eb2ae75dec0af52d2c344703f1aab4aeb75b4751c3bae18a8
SSDEEP

1536:yr4ljTjLvEhAmusWU4YF59sNQTUbNrLuX:yrszLvEh1WU59sNQTUbRq

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 5 IoCs

resource	yara_rule
behavioral2/memory/3472-3099-0x0000000000400000-0x000000000042C000-memory.dmp	family_xorist
behavioral2/memory/3472-3100-0x0000000000400000-0x000000000042C000-memory.dmp	family_xorist
behavioral2/memory/3472-3101-0x0000000000400000-0x000000000042C000-memory.dmp	family_xorist
behavioral2/memory/3472-3352-0x0000000000400000-0x000000000042C000-memory.dmp	family_xorist
behavioral2/memory/3472-3354-0x0000000000400000-0x000000000042C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Xorist family
xorist
Renames multiple (1690) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8E5m8RbwR5qceHG.exe"	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DefaultAccountTile.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsCodecsRaw.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\@WirelessDisplayToast.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.ppt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.xls	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\@AppHelpToast.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\@VpnToastIcon.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Bthprops\@BthpropsNotificationLogo.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SecurityAndMaintenance_Alert.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\@AudioToastIcon.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\@EnrollmentToastIcon.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SecurityAndMaintenance.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SecurityAndMaintenance_Error.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3472-0-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/3472-3099-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/3472-3100-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/3472-3101-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/3472-3352-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/3472-3354-0x0000000000400000-0x000000000042C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-140.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\NewNotePlaceholder-dark.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square150x150\PaintMedTile.scale-400.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-256_altform-unplated_contrast-white.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-30_altform-unplated.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Silhouette.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\1850_32x32x32.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg1a_thumb.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-96_altform-unplated_devicefamily-colorfulunplated.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-GoogleCloudCacheMini.scale-150.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-400_contrast-black.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\thumb_stats_render.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-256_altform-unplated_contrast-black_devicefamily-colorfulunplated.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-72_altform-lightunplated.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-125_contrast-white.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-125.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_connect.targetsize-48.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-100.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96_altform-fullcolor.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSplashLogo.scale-150.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-180.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyView.scale-100.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlbumMediumTile.scale-100.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\MedTile.scale-125.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MediumTile.scale-125_contrast-white.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionMedTile.scale-200.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\Icons\icon_play_prs.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\LargeTile.scale-200_contrast-black.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\HAMMER.WAV	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-lightunplated_devicefamily-colorfulunplated.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare-Dark.scale-150.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\Movie-TVStoreLogo.scale-100_contrast-black.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteLargeTile.scale-200.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupLargeTile.scale-150.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg5.jpg	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_altform-unplated_contrast-white.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\StoreLogo\PaintApplist.scale-150.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailMediumTile.scale-100.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxBadge.scale-150.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailBadge.scale-150.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons_retina.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\core_icons_retina.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-100_contrast-black.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\JumpListSettings.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_contrast-black.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-200_contrast-black.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailWideTile.scale-400.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp7.scale-100.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-300.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\SmallTile.scale-100.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-black_scale-125.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedLargeTile.scale-100_contrast-white.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-16.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xecd2.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-48_altform-lightunplated.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.GIF	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_LogoSmall.targetsize-24.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-100.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Light.scale-300.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSmallTile.scale-150.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Ring09.wav	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1_none_d0af17ec366548f3\Lock.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.1_none_4a388618f6365227\NarratorUWPSquare44x44Logo.targetsize-20_contrast-black.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..in.assets.searchapp_31bf3856ad364e35_10.0.19041.1_none_501fda1ac26a3cf4\StoreLogo.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\storage\images\cookies.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.964_none_90d24b203cdf4e96\Wide310x150Logo.contrast-black_scale-100.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\debugger\images\tsfileicon.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..er.appxmain.ratings_31bf3856ad364e35_10.0.19041.1_none_ff46bbc9afee54c5\RatingStars44.contrast-white_scale-200.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.844_none_d9eb415c5b9dbe4e\SplashScreen.scale-400.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-onecoreua..uetooth-userservice_31bf3856ad364e35_10.0.19041.746_none_e6778e5b0114e5b0\PhoneSystemToastIcon.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\square44x44logo.scale-100.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Assets\SquareTile310x150.scale-100.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\Web\4K\Wallpaper\Windows\img0_1600x2560.jpg	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-appresolverux.appxmain_31bf3856ad364e35_10.0.19041.1_none_b719750f25d4cc37\SquareTile310x150.scale-100.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.84_none_24f8aafdaceaf0b5\square44x44logo.scale-100_contrast-black.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\MicrosoftEdgeSquare44x44.targetsize-36_contrast-white.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.423_none_bfcb7b02f95b1e52\PeopleLogo.targetsize-72_altform-unplated.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\Assets\StoreLogo.scale-100.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.Shell\Images\LocationIcon.scale-200.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..er.appxmain.ratings_31bf3856ad364e35_10.0.19041.1_none_ff46bbc9afee54c5\RatingStars30.scale-200.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\NarratorUWPSquare44x44Logo.targetsize-40_contrast-white.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-u..usnotificationuxexe_31bf3856ad364e35_10.0.19041.1266_none_e8d910c7c702b558\X_80.contrast-white.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ui-shell-component_31bf3856ad364e35_10.0.19041.746_none_2b9acc2d69574796\PasswordExpiry.contrast-black_scale-100.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-white\AppListIcon.scale-200.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.423_none_bfcb7b02f95b1e52\PeopleLogo.targetsize-24_altform-unplated_contrast-white.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ast-white.searchapp_31bf3856ad364e35_10.0.19041.1_none_2f147508fcb33106\AppListIcon.targetsize-16.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-d..scannerpreview-host_31bf3856ad364e35_10.0.19041.1_none_484e61e96e69ac70\Digimarc-Logo.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\i_next.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ets.icons.searchapp_31bf3856ad364e35_10.0.19041.1_none_ceba36fd1b479c4c\AppListIcon.targetsize-24_altform-unplated.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\logo.scale-200.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-40_altform-unplated_contrast-black.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1_none_d0af17ec366548f3\logo.contrast-white_scale-200.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ui-shell-component_31bf3856ad364e35_10.0.19041.746_none_2b9acc2d69574796\RequestedDownloadsLargeCloudIcon.contrast-black_scale-150.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\Assets\SmallLogo.Theme-Light_Scale-100.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\openlink.white.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\dockV.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\NarratorUWPSquare44x44Logo.targetsize-40_altform-unplated.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme1_31bf3856ad364e35_10.0.19041.1_none_8ccb1090444b78d3\img13.jpg	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ui-shell-component_31bf3856ad364e35_10.0.19041.746_none_2b9acc2d69574796\RequestedDownloadsLargeCloudIcon.contrast-black_scale-100.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_netfx4-aspnet_webadmin_images_b03f5f7f11d50a3a_4.0.15805.0_none_3303de6fba37b5c7\folder.gif	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Ring10.wav	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-96_contrast-black.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-onecoreua..uetooth-userservice_31bf3856ad364e35_10.0.19041.746_none_e6778e5b0114e5b0\PhoneSystemToastIcon.contrast-white.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fileexplorer.appxmain_31bf3856ad364e35_10.0.19041.153_none_47569e595c44e70c\SquareTile44x44.targetsize-256_altform-unplated_devicefamily-colorfulunplated.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-filepicker.appxmain_31bf3856ad364e35_10.0.19041.1023_none_374973298940e35c\SquareTile44x44.scale-200.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\eventBreakpointUnbound.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..in.assets.searchapp_31bf3856ad364e35_10.0.19041.1_none_501fda1ac26a3cf4\SplashScreen.contrast-white_scale-140.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.153_none_90dc0b923cd83016\Wide310x150Logo.contrast-white_scale-100.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\security_watermark.jpg	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-e..llment-winrt-client_31bf3856ad364e35_10.0.19041.1151_none_d9a2ec0457c331cc\@EnrollmentToastIcon.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.964_none_90d24b203cdf4e96\Square44x44Logo.targetsize-44_theme-light.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\i_show_layout.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..talcontrolssettings_31bf3856ad364e35_10.0.19041.964_none_d1ce1ea46e50a943\MicrosoftFamily.scale-150_contrast-white.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ui-shell-component_31bf3856ad364e35_10.0.19041.1_none_03928ee4a9e5894c\Icon_MMXresume.contrast-black_scale-200.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\eventBreakpointConditional.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\TileSmall.contrast-black_scale-125.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\InputApp\Assets\KbdKeyTap.wav	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.746_none_0b4ed891dd9ccbc8\Square44x44Logo.targetsize-64_altform-unplated.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ast-black.searchapp_31bf3856ad364e35_10.0.19041.1_none_e479c512c8bfeb66\AppListIcon.targetsize-40.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ast-black.searchapp_31bf3856ad364e35_10.0.19041.1_none_e479c512c8bfeb66\AppListIcon.targetsize-96.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Windows Balloon.wav	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\splashscreen.contrast-white_scale-150.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-wab-app_31bf3856ad364e35_10.0.19041.1_none_f89a6b0476f024dd\verisign.bmp	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8E5m8RbwR5qceHG.exe,0"	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\shell\open\command	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "KXTPCQKJWIKVFRE"	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\ = "CRYPTED!"	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\DefaultIcon	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\shell	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\shell\open	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8E5m8RbwR5qceHG.exe"	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png

Filesize
50KB

MD5
e59a9058740966de7392143bca08dffe

SHA1
71f762bc9e627bfd62c28042aee1c46418b580b8

SHA256
228c95bf3e10dd72d79725c425e0e7a5d9fa3272ff384bdd7a807f9b009d51aa

SHA512
287cfa306182c73dbdf2da90830f0e5ca65359ed29495d37ee1bc5b09e0d5f3a362508a13abb93ee7641cf9a0f1001e4f00cdf992dc72d8b80e1e774c4545194

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png

Filesize
1KB

MD5
6e708f0a9c4a53ed94e4673b63e253f6

SHA1
c188fde23887fc1ac49db09a5488c843e30d55a1

SHA256
0f2f8fb2db77736695f3b73bb61df8d3fe7b24f099fdd0ffb4d5e9ce164f589e

SHA512
3bfe5b69a0a08f3ae56a8b189f69dacbecfa2cf6088e32b91015a93f426ee717e3054915eb0f330cda93078cc3bbe4dd0ac3e7137bce6e0bcca16c5cfba9faf4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions2x.png

Filesize
3KB

MD5
d13d4dfe617a18c1e85a3bc71184c658

SHA1
801f184424073737552bcbf41162785cac48851e

SHA256
736f467c51742478f3409159e8a43c95ddabda49ba68dd43bcb469e551a6de19

SHA512
46f82de00571bf640e652767a7baa83efd3dc5bc7b7d0fb56c76198493890faa7a80cb07d054fa64e21748ed9c3f6f56360662734cb52ef37389210a660389c3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png

Filesize
683B

MD5
7741c570fd832372a79a4850a3d762b5

SHA1
a6f656e3e5776e302b961cca06a82508b323102a

SHA256
2d8ca9b60c0fcce4e7a04c80b58497e8e5be229e0931662ab8bb318fa83f89f8

SHA512
d84ec619b55eeeba10ba44f97c28f8b7218e919122d62eda620dfd22f53419a52e3836467bf1920dfbc83bc340bc1e5113736a8e270d77784b22728f0f038929

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png

Filesize
1KB

MD5
3326ddea6d40269ad4059328ddb2ca9a

SHA1
be87cbab2ce4e4cb89c066a3a2a427880258f885

SHA256
2c8a1bf9a07ce61a014689dd54226198835ae22bf4fd2973f5fdde301eb9624b

SHA512
8c588f3b0658f89d030048610edc7ef3c25a63a20d35d281712b224df431256e6a0e7c6da15556c389b51ce36c7dc4466408b99b322eed55ff4e5f0e96e76d4d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon.png

Filesize
445B

MD5
327be750b05f6d78329153865dc39905

SHA1
d8c9e1817cd8132a867ba4d7302ee93f38d4237e

SHA256
4db2a358933369d76566fc5bfe223c0f7b64c3b2e76b767344bac7436084c081

SHA512
a8159f2841eba8fcff12a25581f010d1ec18b665fb5afa785513e3ce9e902392af650065cb851cf9823e62a1e87d88d1afec49fd37878708ac23786c08b71c75

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_2x.png

Filesize
611B

MD5
eeb20c2c8c1997af2acc72d1bfd7166f

SHA1
6664ee719dcff8a7c8497685723c5f059db2d212

SHA256
19aa0bac66e9f1a21e48b7ed02957740a2befccbe773355f173c16a085510110

SHA512
cfff9d68cd4037bc2d309b1b984fac20dd08acf1d61cbc2cfb7f2b0331e232a4f80a4a8de1a64d585f261d9cd661eab876e9dc527301a4ec904f7c3aab187a83

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover.png

Filesize
388B

MD5
c55e469b2e444fd31902568e4bb8736e

SHA1
57fb44ade0eadc0d9520b8bf8febbe4a6640a2ea

SHA256
b0508405792d79696216f05b1052f08e791ef0f5d175156dfab8566953d37dfe

SHA512
77abbd698d203927cd11a49083049d0edddd20e363f0bebf01085caf8c389edf5d3010344dfec805f400acf7400a0c6b5b22dc1b5950c0b8170cfd96217fa0aa

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover_2x.png

Filesize
552B

MD5
343dbf60fa785ef832207e890f830b09

SHA1
3d3afb6988d2973ae38e3b866d141efe77fc7148

SHA256
41346bcaed0b43c923fec7d1c1f0db94314e6f17a2d40f313a4cff52ce6ca05f

SHA512
e68c3398ff18dab1a5ca73d8f83cbb64776e28943c501038e9488c23046bcdd2153d778691773467436bdd850c9b2917e2ec60afad3140bb719c7cb54df6d351

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png

Filesize
388B

MD5
1e83368195d82be31d62c65292efe470

SHA1
892ab57fbde814a07eda6ff67d8e390da34885c8

SHA256
913f9940a397a5cbfefa59ffb28c8baf92cfa176e45ec2d0d7b77fa70779d0ef

SHA512
b02ede8534a0457d12956b413d5bc7b5ec8766ea8879dbda4532b1a7a57c6faac2a4aa56ae6dcf2ca8757162f3eed2b1e15e59ab36ec0034d6c5d00271e7d244

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png

Filesize
552B

MD5
e0d235d37183f730c04af4d18e0387b6

SHA1
7cc3a36f38d1799133460bf4179395752e588c06

SHA256
d9028ea3523277000cebb91e5fb3a43d8ffd84564ab4f99796032ac25951be49

SHA512
6913c6f32d6de6882309621a270d26239fc064883b9c333071af82ab5da6530fe7fc0c721e6571a0057f6026aa1069151889bb0aa733e3b1fdf14a1128997a5b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png

Filesize
388B

MD5
5b54d4bc74917c920162ec6ddb1fea7f

SHA1
437aa8c76283ced7404d3c1382f4a2383c6b0721

SHA256
6b98f802f1db60aa2c69ed8fb5a37f2654632b635202fab55926083f17c7d5c8

SHA512
2518ee6aafb7b98c7cc076785e2ec990be5456c34146459f2ec24a34c97c7399d6d21f39f22ace0b30da74a5c6dcde7f9ac4c5c708ba168dc70ebcc16cfdd56f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png

Filesize
552B

MD5
bcbc8af32d3e1c745b0f026afeb3230b

SHA1
ef8857ed4fd4926246410db68f1438a531c0d3c0

SHA256
7533fdab26fa3cee6ee1112f4f5dc940eb46fb1b09d73a0f8d3176120c6d434b

SHA512
0647119932e7b76c296079e995ab6b78a90cf24896111e34c092cd35263cc11f4bd43c12f3bd8a56ce8b4324766e4a6c7c3849863dfa914fab48f2859c4da7de

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons.png

Filesize
7KB

MD5
513689c98256d630bc1e3dac180a798e

SHA1
246987f434390cbc8ae9c4ba09de33d3e24ec59d

SHA256
77f41334c2c49f942948cb015672209e6f12aa5dd63d9d02584238d8cfb66603

SHA512
ef5f58a261d00dd1b852355d3a8e1402a2250a9adeec75e8f4ea30fcdca69d6897a0bd56216f529ac39ff7d891bb3ce3a5d20dcfa1a7e3b51ec5a9b7fe17c032

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_ie8.gif

Filesize
7KB

MD5
a451feef7be0f7790680b6a02a374652

SHA1
43a13ac41111ab7d6eae4f8a39cc7a5a781b0947

SHA256
baf3718424827e1d85835a176fc3d4507180d7d72f5df728a1b1f8ed2f3a0f4f

SHA512
02ab2a33850e1456bbf37cfe1eb69c316ac895975f9f430f4b651a500ef6a1d9a282897880c9ac3a2cc457f0c12aaca644a90bdfc3231983a1c9aea966dd89b6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png

Filesize
15KB

MD5
18563b703b21c11ecc03f6ff8f5d78f2

SHA1
cd9b39c64ba4cb8df9fa5bbfb59490a782dcefe5

SHA256
59c2a3f79fca5c94d2d32ed14fb99cb7f280ad8aba837923ee4c18f54f31d716

SHA512
62a626d28e922255732ccfc755ff0a0e4cd8019b05275cec2d9b01340070a81097d83bcfc11879d1abe356993402b4be3c196729e50eb0f2069a91cfc882ab70

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons.png

Filesize
8KB

MD5
52616a779318f46d676a1e811acb2d7a

SHA1
261f837d2ada7b6dddcecf6e37e294a3bc409437

SHA256
1f97b6c517cca601c618dff0d7e7eb4dda11f2be4f4d0d5c0b66a2840d42572d

SHA512
fef7d3064f386ffdf7fecba833c45786622ca7b01a9d366b781cf92d3946774561560638c90793c3557ecbcb30730829e514945a77e7d7e67f9578f1f4e8c4a2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons_retina.png

Filesize
17KB

MD5
7fc422bc1922b049afbd0436b11fa9d9

SHA1
007014d6e71691a30c69dce944c5e28f7fabf51a

SHA256
26f129fbd38c6cc7b2a51541b6933fdad899ab23833c8c57c07d78587bd1ff3e

SHA512
dfb4878bc7f2031f40421a9682d7a8a56f27b77ee419fba741082b1d6339adc7a29f173115a43f60fed21593663282ffec45f0a5a64dd7e7ed5e7437958040cf

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_pattern_RHP.png

Filesize
179B

MD5
7ee4f891d04feac843c638030a78ff13

SHA1
6afa670ff162cf8ed922af35af1103834582e3e8

SHA256
bc4e964f0c22f760ee8710e81676e764857f85aeb67df8c53b70cf890fda2dd2

SHA512
e84e9fc90f109961fef501a0d8576e726e679c365eb51875a2d5ed0188330868fce4a4aeebd410542cfe2f9c7adc988056796028d9a658a4c22fc3add981b56e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_patterns_header.png

Filesize
703B

MD5
079b4ca159dfd50ab794cf6aa756fc2c

SHA1
93890bcb01d193bacceca1b737a4e55cc6bcf6aa

SHA256
18ffb322835b5194726d0944b4f89654a78c66f28405060410b243dcd07e652f

SHA512
26463c41f26eabc38a5e38d0b4f0b9b50fe90fcd3e80a3adb939d2633c5d1824208be53f84f39094ca4f016b98cb49e58a6d11976cdb0e857b39a3649c1e8062

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations.png

Filesize
8KB

MD5
6bfca0eb96a2a25b88fa6b4beff5a3e6

SHA1
e3531737d5e489446ef69684e8f07ee2c916199a

SHA256
27918f0303abc073fce48a752df39c478eb37b7550f5dad9fba589800b84accc

SHA512
81387cbdfa4bb80e621b53c3cfe5f542e6c7d622ac9d39a2de88b162f27a4afe792f633570b2a212fe277eb26d999e5bf22238a58098e90cbd17ae6cc289c9e0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations_retina.png

Filesize
19KB

MD5
c24b070f2e8ff9472855033fc677cd63

SHA1
6bfe0a7e72902b912480720c9f5819052fca1848

SHA256
5d96c684141ab4b706a194a6874ffda8f714f326d7d55434459d73af7d65ae6c

SHA512
dd475d838dadabe3c03f7c4b056ca288338898f58a44a5c50e0da79e5d3a086e5dd8c9436e8e6590942483a36a40fb7bdc083e2e1c62afe81335ae627e9cec6b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\faf_icons.png

Filesize
6KB

MD5
81a705a24ca2fb4c53a917c1e44cd338

SHA1
38005b7d80ce19c7613b3468e5194fafae7612d1

SHA256
9c204fd009f67d82a3ac10fd5f144ed1215938373a4f7bba8436adb82399492f

SHA512
a6a991e5cf13a45fc1d04b2909580af9a646af77bab0496780db08464692c98efea52fd72fd0d58cf52cb8ae1646cec1d8519878402ae1d381b1ecf9f188b83e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\bun.png

Filesize
2KB

MD5
7f696956c06580670f81a73c718944bc

SHA1
5e37bf987df328e37508ea215d14b74be481c9a8

SHA256
bcc261373d0441dcb964d7757125dfa1046c86c2b80f743206223680738b7296

SHA512
9cedb8a2b125ed05f952523c8a5719c948a1ef2e8acbdb154b4e3685938951444e9a7a9d0e99d8b5c26f0d85d80d547fd8506c072c4b30535c439a4fca97db70

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview.png

Filesize
2KB

MD5
90465269634407bf41ee4f291ee95e50

SHA1
b0eb3044298e2e6545437555b25b809452acf86c

SHA256
cd7596b047da30d4655b61cb2728a1f92226bc195289f31d536655fc614feba6

SHA512
0a8a2dc025583e4a94277669339d3e7337b9e65048fbdf89b7453a8cefc2c586c0e6a50ad028823e1b4087ba0ccd303ac3bb8382fc1c23d7743b5472b78283fc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview2x.png

Filesize
4KB

MD5
2e4e7a064e48ec892ba54e2221aa5165

SHA1
ff6d7c0d4f2afff5b8306b1c40e3780a75ffac62

SHA256
3dab1f8b6debdbdd6a4711839b622713da74d515179c19d312a0bc78b88ce0ce

SHA512
90d762f8482a166bc885b6cf72b3404c55f305e490399b6c507f6ebddae6521df20f2993b5908af94b1316316bab661face9b0a4d2146ee3fddbde3a29d05d5e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small.png

Filesize
289B

MD5
3a6bc3ecba7250a7145b09472975b1fc

SHA1
c0ef18b8a176bec66dd5d34a12da5d42432155da

SHA256
211bee04b7b8aae3d75d5841d01dc44011afe20c82986cdfac2f9f59df29168e

SHA512
0b72bca9b1c87789af86ec5a42170a4f83e483856cfbc6ef55f5560a8fe654ee1d8233ff0e3eca517146fe1a24441899ca5939e96f0262375cfda4ca8233a726

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small2x.png

Filesize
385B

MD5
be681afd4a9a65d5a248cce11fbb7922

SHA1
f6bfd19c2451264f7b722cd6c7a5e124f5d5dd64

SHA256
9001f34d4cecf28bf792470c4e07e141bd8ac214aa53dd2ad2f3993abd0a3fa2

SHA512
68131d013579515437699f4c2af6f7e52309c05526c65d9c45025863dbe1c5fc0de017da908d0950551541a2393eb2f41b177501c64e33026d6ff05cbe27a4d0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\illustrations.png

Filesize
4KB

MD5
59e18abfb9c27e9c4f24364afbc8125e

SHA1
492f4818d78f048904a13a9bc6601bb9abf20b93

SHA256
d1edc009570e2f4bdb286d4ee76d60853dd191c78d3171e41afe103dcd6bb704

SHA512
ce42ad7d4206e70a6f73b699fb2ebc98ad58a9b39b8ff7639da3d7a2430b15a5fe0dd777a7a8257dbe42606346722008dd96c0e124fff76f83dea754d29f627b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\nub.png

Filesize
1003B

MD5
9845e9ee25be27f11644097245f51659

SHA1
76f646bddf5e6000f430e907c4a249d60149b5a2

SHA256
323966cdcb5efba317c25d4e6444080e1d2f3f12583d61d4493032453cda8fd6

SHA512
5079972f780506e9902ba2a5219d80da2e2cc6a7d3c48fe1ac225a34b871f63b8543b7df07c1709c8b86dd975a87a28b86f6111b14b14da44c3129b81e4266c6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons.png

Filesize
1KB

MD5
e426b76671435c82f93d608826883076

SHA1
2ed638f1543ec51f777e9d68b6cfc4d3cd8f25db

SHA256
a5acf15bc276db4f351aa3a7e35fc555523155b2120cdfb06180c1b2306a0f3c

SHA512
6a54ca5d537301ead0727af8f007999ec4500a9dbb1cf07d82079d3d0373fecbc6745fd32913a6024ef1132e4b781a3ba05396feaf338f957e9511881463c036

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons2x.png

Filesize
2KB

MD5
448ed427cb0914eba970370004d3f991

SHA1
3b5001df8c604e60edbf8c496cfa43627d80635e

SHA256
c8c091d902925f289e2f2abb1c1f0edd74702e2ffda51dd28685b11951d90cbc

SHA512
084f2e4e0b361eb00f27dde027bc14679be2d83de9dc163f565689f0324ea0883d993a52559fe703b64880bdc1e498532a8538286991fe7648f4aacfe510b51a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adc_logo.png

Filesize
3KB

MD5
fe30708f0f2204b10a9203d0bc9afbc2

SHA1
79fc9f6f83aca7e843ff24bf929ee93d783abf51

SHA256
c594b048776a67fa7fe8103d8037a49eab606b626b05918c71324086c90912dc

SHA512
7d85f8cc9917f1f8a9aae5334e9629060f2449c803f5c40747e3b35c4d3d2e915881bcca6eb4bb2f31435a3e97f8d3f3f39e0779c1aa70552eedda428ca4d1a4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adobe_spinner.gif

Filesize
556B

MD5
00e1f3715a1305eeabe727b4e1d51a58

SHA1
c2f142baa98e06314862c7d72c3419ae90f57c1a

SHA256
d0dc74664c5531c71924720aff508b0456f6e5580e85a8374cc9e3b8c1ac25ba

SHA512
87edafdda9e143516ec80a145f94b497f7b86d60be5be4f46e03bb10e6013bd66776560a7d88a66064acc450c727632a3dbb8f701731a977e20f966fabcb3a25

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\logo_retina.png

Filesize
6KB

MD5
22e04ff9debb50bbe85c56e9d94a6f3a

SHA1
517b2370d6f77b653857abd351e8f2fcea5713a7

SHA256
79afdf4baba288ce915db7c2beafea9cb19ae9da966d3701a6af95427a1705d7

SHA512
3c5e84e03f74e8808a43f109f018fa1e066bbdec8b1d432694218b1cad4df65b8fdd5cdd740ed90da499b41cf7f8dcd2d4aaaaf5e79e5488805d1efcb4548826

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo.png

Filesize
826B

MD5
d0eb2c308ecafb2140c5e448576fa930

SHA1
2f372c36f6f5c452ac4ca718c4d7dcd9e062306f

SHA256
e707405c2ef2245da7edc93414f683744a2e4b9a8b8866ad7dc17a3e6b8c8e40

SHA512
071e8210a7d73727e49be31ca2eedd4b88b3c9fe59219534c39e7a9ce0a7f43bb4d9ab8e0d0bd85c73972028157b38cb684431edded7234a27fad81d52f67e00

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo_2x.png

Filesize
1KB

MD5
cc16a67275c01af431d5d707820c42c4

SHA1
f6f4be094d4f15cc5761660adc09c5bd413b0a52

SHA256
92384766633debd494ca44e95ef52b8ee57d5ee3c0eaf16950cf0864e4f9b42d

SHA512
a4a17b163fe97bead1aa8beb705e5ed9702d410875bbf31f208491f823515faa8f19129e8b06542e0a4b7ab51ca320e5b3f6d5e130307b8e646a01c9e73647ca

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt

Filesize
32KB

MD5
02b35fffbe23fc337cf1d016bc29c122

SHA1
015da3452bb586baba0e3c8ca5b45608e2581725

SHA256
1fb27b41524def2df2b0b665f3bd284c1c471b7060f557e3fd8d354db016f014

SHA512
12ec6e4a9c8005de3570440a9e77fd39804df8d52e560e54e6128aac0cc889fdd5f9648fac169bb3fd85314b952da990770af2389c3ed58489a9eaf64b27316a

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
02fef62ad3481696efe34e6d9bb8b370

SHA1
4907f17ab4077ff3b76919026dc53f0a89796222

SHA256
39efa0d0d116538de4f1dc36fce2b8af6b82b6984694889ba7048de9daa5ad3d

SHA512
f2c0152db123bd66f6362e1fa56aea0fc319d2c5fd774d8e9a428ed1e2932ed7bf8bf388e2ff0fbfd173906a9fb38655bc2b9c50a679968bd3697c33caa034c1

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
190B

MD5
22a0043b4bc7d0ea285b89d79f6944a8

SHA1
658b6eae5f9be7c195acd18174e0c39c87551be0

SHA256
3f794e7e5825ca680288bf99a01707f69efb9e5b62c5ef7d42ebb8dee615f1d2

SHA512
f2638a1bb96a4a665a16676100fb3fe1b5ebe1b99e0962959376f1d69e9995638e1cfec0b3b12f998eac48244f5310cdbe74e26084eb3602a4b03eb46e6a9da4

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
190B

MD5
a45b780e428eb5e9d3b76b2d7dd54057

SHA1
4d91dbff6fada78beae16b644729a17d8a5dbb42

SHA256
d2cd0a128890724b53987c3464b6de7e0e3197b8c02a0b9be2c609aef04e06a6

SHA512
91311500544c82268091ce34862ed446d6f7edbff2df9875e0f1ec8fea9447c6087b8a62317a4dba7caf16957f4ce74f11de6275303ab3e202bedf6bb169066a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662721799026.txt

Filesize
77KB

MD5
a7d0f258beedaee9aa33137b70a4dee5

SHA1
1b742adbd0f916b6fc01ea7dd8ecd4fd32d63ec4

SHA256
b85e0219bf3208fe76e96895c331f28c7c01fac2d282be8fe42db9215ef73372

SHA512
37aa51098da8cd38f598086a95261e07cb1e3198937b097f5957c19fb30424d552391f662d66a0c9365db9b32d00b5b3f2455be4b7d16043926555f2a096932e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663191189319.txt

Filesize
47KB

MD5
c96c3a00dd065dda2a4c0c4a5a1f7fe0

SHA1
ab5db0e8ebcc8093d9ba7c1bb75d1be7a1abb0be

SHA256
02c1c2cd31fefebdacc7a717a7af3e000ecf18f64c4b86aad5e9e89af8f02155

SHA512
158483f5211c11cba9cdf85ec73f124182613af7b9b4dc9ba3ed553fb684c7438f1d90dbaf4203fcfa7ba3b2baa7c487cf6f4778b9eb52600298eb61406a3793

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727670188807600.txt

Filesize
63KB

MD5
5f44563dfd4bbbd2f92f16b0e14843bb

SHA1
0a6d892cda1651c9cb5dbd215b7d962aba44b7f5

SHA256
07d03533ebe67ca2d7cdbc061f132f694eee7ac5ae0fbdc22e6edd74502489c5

SHA512
687ca9acfb51986fd9d49edb1363da90656f113c99010f2ece32d7912f431c51a594365db88b8759501d6f0fe9264afac96a19b71db9d54ee711df5f6a31503d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727672984949051.txt

Filesize
74KB

MD5
9cd3265f60d7b90125e89ce555f3f8d2

SHA1
49fb26332550f0859cd2c69f902c6a37570db58a

SHA256
5362273359b5f0165e1e66f57defc6dd4a2553906cfda4ff76c4135498f8c804

SHA512
2707e6a567e9eebc4e7a7dedb29b1ddd0eced60c0a0f228f61fd1a2f7d13b0e7b9b96b78609ba4c2b8a6c70c8dde3841033952572b17349525e737f2cc34f59e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
a8a7da26fa1f0bc45a3079204dfde344

SHA1
3a303eadac01d909c64be7ff85fdeb6ffb437175

SHA256
a1bd6e1ac8920726196d08bdf2f06a751513806b28454fdbb2377b56ca7a4213

SHA512
471283539a4a9e478f2f554d1a6797661737a284294c58df232f406a64e136f0211d0b62baa89c0d1cfd8b59696b5e7109344f83de38c78626a39e201b6935e6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
7ac7e5e540c27b7dff0751a22302973f

SHA1
e1d25781b0b2cb05e91527f9a1b82dacd2fc6bd0

SHA256
c49deb1ce40c27909eeac1b81c1f6ebe7ab0305e03add1ef5436a0e1eaf541d4

SHA512
277bb042db81a1a7b710701bb495ef8681d9f195f47b5c2804da687971fa9108e9a2abad11f9feb0c771012bb4a419c3fb137245b722b788acfdbc1467723e69

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
94d127cc4f6f7e54c253660a179adfaf

SHA1
7af16a31f64a3fb6cc502895dbb9cfcbc877d95d

SHA256
a9fba161052312ab5bfb533afbfbed38fe17446f4e6a058b6714afb695a6a4b5

SHA512
9b60601d34560660bbf67560f8df7711f436dde28ac41c43c33adb057db78e0044f3391fc869585f4077d2721b93e7338d1326fac8ffb2a43aa59035669800f4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
692ae26c42436198cad6454eaae80fdc

SHA1
5c77ece4b45ec8a01f2cff0fd9c507f2ca45b838

SHA256
d676e80242774e53eb98d3bb63a1e8b17a01d09f6a178412f2a76345df2310f0

SHA512
ad3d9549e0b86d024fa029aa0d6f621e73c875bf822c17e54ab3e5a74a519b66f081aa6a6719c49d1391de3c5a5e2dbbd7b5c28184898cfa3423815c11623dac

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
a6eeb971a28dfd6797907f4d4aaa5127

SHA1
e722d698750314a8434e248a78b44a4961c0a6dd

SHA256
aa3514ad53472b4d0e61f6679cbb70e44deea29dd85edb658cfec26a3a2c7ddd

SHA512
74cd05a2882ddf26003448ffe106abe38826d22b0daf37fb88e666c3a387f26ea0224e2f487334679332732692e1085307bbc76db1e1fdc3d795cae4d38723c4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
77d23f931d97d9fa42116a882359d526

SHA1
f2f9948501bff3840d09d5ee47dc3d07971a0e15

SHA256
0cbd137b2197b29de14170c24af767f44c1ee64a27fdd1645426078bc8ef2991

SHA512
4f43439e936e6da499777d1132e1b527516bf03be0f4d1f183e810500a8f6357529c01cc1438dcc271dd86b127b69557180fbbf7adf3bb149ed2db73b2ed5190

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif

Filesize
61B

MD5
72046d9ce2b319185af8e439624582f6

SHA1
46fbb2926f66469ae85f39082fb46dc868dbedfb

SHA256
fb5859c33f7084e9209e94206f2a1354c4c466e56b9c8bdca668229b2fc713dd

SHA512
17724e6706666ff62dbe233e05b299e52e96ee83685934702204a80c582df11fd18857adb2621f6933104c791450348d358b77150ce739cdd3010f0a4017585d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
260d37d22255554e0519fea070c929e6

SHA1
44f6923c2d798587b2861a1857e620ffd287d3cc

SHA256
a3efc5ce41ce5a4a3d17a868f9c5f45a1839c355d1ea9ec064d6651ea8afb87f

SHA512
c73e0162d5b601b67465af295aa8ec7bcea1a0947c404e079ea7c635e0291919bc97e12b1332c7cabee15949fcbb362c03c6e928bfabae11a9223bf6e4123384

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
b6ae0514b9869c5264cb814d14cf81a5

SHA1
bffbc4925cfb4a9fcf203b8b7f92337f0e4628be

SHA256
d0f7d2d739bf7ad0b261085bd5ba95ca0e2c93b88323a08f1ba6f0d53667ab55

SHA512
d1f2c13f4413d0a546ea00ba27a93af7149bd9120637538459c738b81573f946143efbe3cc9d7d7c44164b5c85e41297ce9f5c400a65f7fd8507de02efac3645

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
9938c4009be9b47584e1159b830184d8

SHA1
067900881552fc20df4295a0c2250222de591f05

SHA256
d997a762db4a3738a6372013eb3cf1aed882e40a6b0a3ed15b511eacc58a8f8d

SHA512
22b378c05c42deb626a8dd849ed7f5277bb8ce6ada42c45b783a72432ddf133fd70522ba47e9fb5c55328e5cdcc2e8c8d2b738ab5bcf7edfbf0de90a2978686c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
56eb668315e65c8f725457431bd6e357

SHA1
3347fe1e0309bc49bb0035ff2829eeee2b1d46e7

SHA256
914c842bf18e6e1cb4ec704c20c4ec5193d9479251ef9e592d9a2e3afac9967e

SHA512
f7d5ad6c638284dc4af5706b3781316b29bd964e5c8b091effd713d2541767c39bc2bc0e89c813d0ca09f44324feb0c819dd2724374f0921977e3abb12c738e9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
ce25d8215346bea8042b02cf05844482

SHA1
dfadb5392cb6552ed748b653cd1d55a4dd350f4c

SHA256
8efe3a57a3db1b591bd7a8e9e2c668d01e7b8e4a17c9dd3c2fb55d80118c0ae7

SHA512
c639bdd3bea3faa1c75892e38012f20c459cd81795e7f1d9de4107f1855659e4558922a216820a701e4ee773b128c7b9d1586a94889935d7bd1486af4e7fdeeb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
22b6fdd6b60a87c956d2ecf75acba170

SHA1
931d6dc3cece85ccc95dd3acfd4a6495b0c3c49f

SHA256
c9bc43f67f8e987a09b95f803c143678c41cef8b51c82a5a7fbd790c44f3c28e

SHA512
c75225133770ebd3903712e323ee77cd202481c9ecee5d8fd25d8699de46f4fbabde5b9cee84871ba32b609c7ba9497542d7ed136fa9ef8764056e4016e20904

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
bf7f10874675d4a600ccf6f46d72326a

SHA1
500c45d51068dc938aebc405a07f6c86c3aae0cd

SHA256
347b483e34e975231741aa2018bdc55bd7471c10ce3aee795b9c82f512257e60

SHA512
836aad6ee49ee19f7a3f8db0f5fd676850f6c2866d90d66fdc29a9798e4983535ac199473cfb3a9363484cd0c55b886256b0145caea4733414b8de548bc914ea

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
47361ef7742f17dfe8eee15a8c1e9386

SHA1
07a96e432d36fe9e1c80f7df2e3aa1347f4f2036

SHA256
0482b39af79795f12f1e3610f261423900c63501ff2668481360079b70ad8c2c

SHA512
91fedb9d7c521913e68abc7ee23777fef1d4949e5b866af9c26c46d0c695f405ee1ad354fd980bf7e78cc803a1259b4dc5a7c5c5aa0ad84456c6034d6e84edc8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

Filesize
65B

MD5
278fa77a21ba3404103d52ea1c441bc7

SHA1
54e7f44f9d3005c035b66e615f686cc76025e0dc

SHA256
6af5dbffc43cac4b6f059213ccb69482be1a545ab3814710695b0328737e8833

SHA512
9925a5e4e15a9e13ccb1da4a64d70b4d36a23499b11bbdb82ca927c11a5b92a1f9a285f06a0138fd55ff78b71737eb896aba5a3854688ebce3bd5ad6ee1ebfe6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

Filesize
65B

MD5
725f8d222b747209c56b6e871d806e36

SHA1
bb47a4137ff9c11dfddffb27312c2050cf5dac03

SHA256
c0d260b1769d558f84f04f8ab0aa884e90e9dd456ec052460ead7d91af35f583

SHA512
b2618b27624a869748eddcd2465cd58f73d9aec1a5f18d2ae437ad92fab5548175039408dc0cdb1efc33c3d5fc27b9c964b14d429dd69f6edf89f7ba92b45f96

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
1a33c03f12a0407f05537d1d3081e41e

SHA1
00402da2515adbb80bb613c83417b6feb2ef4c78

SHA256
0596cd6ab0305a5e38c51e4a0dfd70d1317255489a2819799b551dd4cd744d47

SHA512
a7b12c61233f4a1297fe3765ca822e8f7b8f6d18453394a0e20359d3ca7bfe7396f6fd43a4689b63790b3d24397767fcca9a163907ade3ea973925090905a22d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif

Filesize
65B

MD5
d375c679def93db979ce1307830dbf5a

SHA1
5bc836709102c44a8b9923cd902dc165d2589368

SHA256
ca2af55d5bace7b77767cce9fbf4589111f67c978b3abdb053b2262c95f114ee

SHA512
e99c0380ef006222bb6afc3d9bf4114cefc61108b5aa4179a3db6135bc377e89299124cc503750f37caa111cacb39b1de07dc8c8e8ae8d5c8cbd8c30dfb0e59e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif

Filesize
65B

MD5
8d8d95e40029e92c8038ba48aad0ce66

SHA1
84d86f871118e6281de83df0ca8ef946e3fbf11e

SHA256
edb597578c0ae00a81a12c4bccb1f80ca824d69d8badb9abae698fc0cf996db9

SHA512
3d9e0d880ffef8d1b29aafb39dee0802288875762f0f49a655eabea523abf3ad96189854f3323e727190dd1c2ce96442024e2b5407e01307b9325d890bdee23d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
eb0c3fe954a5d84d385484a9989ccf14

SHA1
2e65947644b25212646dd5d13c3160f3af100e3e

SHA256
b959e6717ebcebda6e91d33cf653af3a33cc01b30541d8e79f571afb1d9fb4c5

SHA512
fe8ab3f57f8a2985e32e1acfdb5ab19397127e3ecbdacec10f38fc5588d59cf823679e61e9fd2d5623d444f6fae5ee4fd8f17c79263ad8416d8a2ba036fe1ab6

Download Submit
C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.153_none_90dc0b923cd83016\Square44x44Logo.targetsize-44_altform-unplated_contrast-black.png

Filesize
296B

MD5
bb827970262e5586a020ac87c25ad51d

SHA1
3f443c1ad7fdf485d3ade2f02d41fa587f06849b

SHA256
b768f90cd939bd0c934b0885f9d45662e771be1f8840e38d304839961eda1941

SHA512
7a05ce46667ac207eab690700eab7985b842e4e9253c574d636efbf599d47b1057a5bf65871d38655c315735a64b1744494400c1adee228797fb32e0bd564d56

Download Submit
C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.153_none_90dc0b923cd83016\Square44x44Logo.targetsize-44_contrast-white.png

Filesize
276B

MD5
00758620e18a2e962ad1bb0cd9bf9397

SHA1
e545872d387287dbcd12b699363bd3ccbb984ee5

SHA256
e95bd695b82e7acbe3b6cd1f9ffcffb9c3d60bb3ecc0f8423d4e478fa71aa725

SHA512
fe991d19b6b81bb2a748c14dac228ff45eb19bc1fae1f099a6b35cd33ee0b23f506e3edead3ce093f6cc0960ee70ad0ea42994b0f731cef1b6d5acf8cbbe3f5e

Download Submit
C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.964_none_90d24b203cdf4e96\Square44x44Logo.targetsize-44_altform-unplated_contrast-black.png

Filesize
296B

MD5
a76b42596f45ae36bdef10a45ded791d

SHA1
cb3626c8fe6ac065325c2b0ab291e9de00ac724f

SHA256
9154e477aabad7b0080f85f8097d0a9278060aec304899be86921960f72c185b

SHA512
cf1a525c30af77971bb60e601e912c96ed219e53f51f1d68f51f7f2626c2ba34da4f83f21674d004ed61f13f28927142dcf2718b49328832d8656b5ce588ed1e

Download Submit
C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.964_none_90d24b203cdf4e96\Square44x44Logo.targetsize-44_contrast-white.png

Filesize
276B

MD5
7427ec8e4e93059a79d770e2b456bc37

SHA1
4287548501532cdca588be5ba172f1432616a0be

SHA256
c51d57af72111e5d14ef97d257c70665dfebd9860f3706f5fa938a1d341e02e3

SHA512
65d8dee63567b7309eee8f1218eafde425ba5d28a121ed176a05a95838e67bd54959a5ab40fbbd3daeeaae2b8cb5583be11f562b9fabbb7453d340749ef624de

Download Submit
memory/3472-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3472-3101-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3472-3100-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3472-3099-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3472-3352-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3472-3354-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads