Malware Analysis Report

2024-11-13 13:57

Sample ID 240407-ztscmseg22
Target e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118
SHA256 e528a7df88f2edb9a6b9d125fcf360ec4232de036f2ce9ef40c6183b957371e5
Tags
spyware stealer
score
8/10

Analysis Overview

score
8/10

SHA256

e528a7df88f2edb9a6b9d125fcf360ec4232de036f2ce9ef40c6183b957371e5

Threat Level: Likely malicious

The file e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

spyware stealer

Drops file in Drivers directory

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 21:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 21:00

Reported

2024-04-07 21:03

Platform

win7-20240221-en

Max time kernel

123s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\gmreadme.txt C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\drivers\gmreadme.txt C:\Windows\system32\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory


Drops file in Program Files directory


Drops file in Windows directory


Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mp4\ = "batfile" C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.png\ = "batfile" C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "batfile" C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pdf C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\ = "batfile" C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mp3 C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mp3\ = "batfile" C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mp4 C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.png C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.txt C:\Windows\system32\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2648 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 1440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 1440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 1440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9B36.tmp\9B37.tmp\9B38.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\attrib.exe

attrib +h "C:\Users\Admin\my documents"

C:\Windows\system32\tskill.exe

tskill WINWORD

C:\Windows\system32\tskill.exe

tskill excel

C:\Windows\system32\tskill.exe

tskill msaccess

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K crash.bat

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Mouclass"

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8FC1.tmp\8FC2.tmp\8FC3.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8FD1.tmp\8FD2.tmp\8FD3.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9231.tmp\9232.tmp\9233.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\952E.tmp\952F.tmp\9530.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9897.tmp\9898.tmp\9899.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\98A7.tmp\98A8.tmp\98A9.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\98C6.tmp\98C7.tmp\98C8.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\98C7.tmp\98C7.tmp\98D8.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\98E5.tmp\98E6.tmp\98E7.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9A9A.tmp\9A9B.tmp\9A9C.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9A9B.tmp\9AAB.tmp\9AAC.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9B07.tmp\9B08.tmp\9B09.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9B17.tmp\9B18.tmp\9B29.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9C7E.tmp\9D3A.tmp\9D3B.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9CCC.tmp\9D3A.tmp\9D3B.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9CCD.tmp\9D3A.tmp\9D3B.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9CCE.tmp\9D3A.tmp\9D3B.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9E04.tmp\9E05.tmp\9E06.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\9B36.tmp\9B37.tmp\9B38.bat

C:\Users\Admin\AppData\Local\Temp\InfList_mp3.txt

C:\Users\Public\Music\Sample Music\Kalimba.mp3

C:\Users\Admin\AppData\Local\Temp\InfList_mp4.txt

C:\Users\Admin\AppData\Local\Temp\InfList_png.txt

C:\Users\Admin\AppData\Local\Temp\InfList_txt.txt

C:\Users\Admin\AppData\Local\Temp\InfList_pdf.txt

C:\Users\Admin\AppData\Local\Temp\crash.bat

C:\Users\Admin\Start Menu\Programs\Startup\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\Start Menu\Programs\Startup\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\InfList_mp3.txt

C:\Users\Admin\AppData\Local\Temp\InfList_mp4.txt

C:\Users\Admin\Start Menu\Programs\Startup\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\Start Menu\Programs\Startup\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\Start Menu\Programs\Startup\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\Start Menu\Programs\Startup\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\InfList_png.txt

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 21:00

Reported

2024-04-07 21:03

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\ComputerToastIcon.contrast-white.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\PhoneSystemToastIcon.contrast-white.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\RestartNowPower_80.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\X_80.contrast-white.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SysWOW64\@EnrollmentToastIcon.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\ActiveHours.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\BluetoothPairingSystemToastIcon.contrast-high.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\BluetoothSystemToastIcon.contrast-white.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SysWOW64\@WirelessDisplayToast.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\PerceptionSimulation\Assets\ClosedHand.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\Speech_OneCore\common\toast-hero-image.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\@WirelessDisplayToast.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\OkDone_80.contrast-white.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\RemoteSystemToastIcon.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\Snooze_80.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\KeyboardSystemToastIcon.contrast-white.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\OkDone_80.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\PhoneSystemToastIcon.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\RestartNowPower_80.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\SvBannerBackground.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\@EnrollmentToastIcon.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\@WindowsUpdateToastIcon.contrast-white.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\BluetoothSystemToastIcon.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\RestartNowPower_80.contrast-black.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\SpeakersSystemToastIcon.contrast-white.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\SvBannerBackground.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\Bthprops\@BthpropsNotificationLogo.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\DefaultAccountTile.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\HealthSystemToastIcon.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\MediaSystemToastIcon.contrast-white.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\HeadphoneSystemToastIcon.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\HeadsetSystemToastIcon.contrast-white.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\InputSystemToastIcon.contrast-white.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\GameSystemToastIcon.contrast-white.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\HeadphoneSystemToastIcon.contrast-white.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\OkDone_80.contrast-black.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\PerceptionSimulation\Assets\OpenHand.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\@bitlockertoastimage.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\@StorageSenseToastIcon.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\@WindowsUpdateToastIcon.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\BluetoothPairingSystemToastIcon.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\MediaSystemToastIcon.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\RestartTonight_80_contrast-white.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SysWOW64\SecurityAndMaintenance_Alert.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\@EnrollmentToastIcon.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\@VpnToastIcon.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\@WirelessDisplayToast.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SysWOW64\Bthprops\@BthpropsNotificationLogo.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\@optionalfeatures.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\RemoteSystemToastIcon.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\Bthprops\@BthpropsNotificationLogo.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\HeadphoneSystemToastIcon.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\SecurityAndMaintenance_Alert.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\wpcatltoast.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\PhoneSystemToastIcon.contrast-white.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\ScheduleTime_80.contrast-black.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\SecurityAndMaintenance_Alert.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SysWOW64\@AppHelpToast.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\@AdvancedKeySettingsNotification.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\BluetoothSystemToastIcon.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\OkDone_80.contrast-white.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\RestartTonight_80.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\DefaultAccountTile.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\DisplaySystemToastIcon.contrast-white.png C:\Windows\system32\cmd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\SplashScreen\PaintSplashScreen.scale-200.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxAccountsLargeTile.scale-100.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-64.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\StoreLogo\PaintApplist.scale-200.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\Doughboy.scale-400.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\FetchingMail.scale-150.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MediumTile.scale-125_contrast-black.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-20.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-100_contrast-black.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch-Dark.scale-400.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\go-mobile.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-16_altform-unplated_contrast-white.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSmallTile.scale-200_contrast-white.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\images\Square71x71Logo.scale-125.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Google.scale-400.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-100_contrast-white.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square310x310Logo.scale-150.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_contrast-white.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptySearch.scale-150.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\fb_blank_profile_portrait.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\SmallTile.scale-125.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteWideTile.scale-100.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarWideTile.scale-400.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-30.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailWideTile.scale-400.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreLargeTile.scale-100.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-100.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-256.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-400.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-36_altform-unplated.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-72_altform-unplated.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-right.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.scale-125.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageWideTile.scale-125.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-40_altform-lightunplated.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\SmallTile.scale-200.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner-4x.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-100_contrast-black.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-400.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\1x1transparent.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsStoreLogo.scale-100.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-32.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-16_altform-unplated_contrast-black.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-64_altform-unplated.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyView.scale-200.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-256_altform-lightunplated_devicefamily-colorfulunplated.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosWideTile.contrast-black_scale-125.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-150_contrast-black.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteMediumTile.scale-125.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_altform-unplated_contrast-white.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_120.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosMedTile.scale-125.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeMedTile.scale-200_contrast-black.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\example_icons.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\TriPeaks.Medium.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxSmallTile.scale-125.png C:\Windows\system32\cmd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.GrayF.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.scale-125_contrast-black.png C:\Windows\system32\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\SmallTile.scale-400.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SystemResources\Windows.SystemToast.Calling\Images\YourPhoneCallingToast.scale-200.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\Generic.Theme-Dark_Scale-300.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-apprep-chxapp.appxmain_31bf3856ad364e35_10.0.19041.1_none_edda8130b19d4286\Splashscreen.scale-100.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.84_none_24f8aafdaceaf0b5\square150x150logo.scale-150_contrast-black.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.1_none_4a388618f6365227\NarratorUWPStoreLogo.scale-150_contrast-white.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..ast-white.searchapp_31bf3856ad364e35_10.0.19041.1_none_2f147508fcb33106\AppListIcon.targetsize-16.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ast-white.searchapp_31bf3856ad364e35_10.0.19041.1_none_2f147508fcb33106\MediumTile.scale-400.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.153_none_f3a9dc0fe254a157\DMR_120.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\findResults.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\functionIcon.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.1266_none_fb76f6fb7e78a373\InputApp\Assets\SquareLogo310x310.scale-400.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\ImmersiveControlPanel\images\logo.scale-125_altform-unplated.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1202_none_8f7e37524c3e1a13\TinyTile.scale-150.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\selectAllBreakpoints.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\NewWindowIcon.scale-125.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..honyinteractiveuser_31bf3856ad364e35_10.0.19041.906_none_a6600355b5f69459\YourPhoneCallingToast.scale-150.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-ui-shellcommon-core_31bf3856ad364e35_10.0.19041.1_none_91b1f58702057373\CellularToast.scale-200_contrast-black.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.targetsize-80.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-black\AppListIcon.targetsize-24.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.1_none_b1e502c19c2a358b\Square310x310Logo.contrast-white_scale-200.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SystemResources\Windows.ParentalControlsSettings\Images\MicrosoftFamily.scale-100_contrast-white.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1202_none_8f7e37524c3e1a13\TileSmall.contrast-white_scale-200.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\minimize.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\MicrosoftEdgeSquare310x310.scale-100_contrast-white.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\MicrosoftEdgeSquare44x44.targetsize-16_contrast-white.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\WebNotifications.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\NarratorUWPSquare44x44Logo.targetsize-16_contrast-white.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..tmenuexperiencehost_31bf3856ad364e35_10.0.19041.423_none_62aeb4079e61ade0\officehub71x71.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..honyinteractiveuser_31bf3856ad364e35_10.0.19041.264_none_a61d15efb6291d40\SendPhone.scale-300.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.1266_none_fb76f6fb7e78a373\InputApp\InputApp\Assets\StoreLogo.scale-400.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\forceStorageCapState.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\dom\images\BreadcrumbScrollLeft.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\Assets\SplashScreen.scale-100.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\Exchange.Theme-Dark_Scale-250.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.84_none_24f8aafdaceaf0b5\Square44x44Logo.targetsize-64.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1_none_d0af17ec366548f3\wide.Apps.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.844_none_d9eb415c5b9dbe4e\Square150x150Logo.contrast-black_scale-100.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..rarydialog.appxmain_31bf3856ad364e35_10.0.19041.1_none_83b794e5516730a0\SplashScreen.scale-200.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-fileexplorer.appxmain_31bf3856ad364e35_10.0.19041.546_none_476476bb5c3a0bbc\Folder_Small.scale-100.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\checkered_background.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare150x150Logo.scale-100.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.844_none_d9eb415c5b9dbe4e\Square44x44Logo.scale-200.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\tree_icons.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..honyinteractiveuser_31bf3856ad364e35_10.0.19041.264_none_a61d15efb6291d40\Placeholder_buddy.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ui-shellcommon-core_31bf3856ad364e35_10.0.19041.1_none_91b1f58702057373\WiFiNetworkManagerWarningToast.scale-200.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\WinSxS\amd64_systemresource-wind..-ui-accountscontrol_31bf3856ad364e35_10.0.19041.1_none_8805ef3af31f4b8c\Outlook.Theme-Dark_Scale-250.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSplashScreen.scale-100.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-ui-shell-component_31bf3856ad364e35_10.0.19041.746_none_2b9acc2d69574796\LocationIcon.contrast-black_scale-200.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\Assets\Square44x44Logo.scale-200.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Assets\PeopleLogo.scale-150_contrast-black.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.153_none_90dc0b923cd83016\Square44x44Logo.targetsize-44_theme-light.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Assets\PeopleLogo.targetsize-72_altform-unplated_contrast-white.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\MediumTile.scale-125.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.84_none_24f8aafdaceaf0b5\Splashscreen.scale-100_contrast-white.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-filepicker.appxmain_31bf3856ad364e35_10.0.19041.1_none_7862ca1f7379fdcf\SquareTile150x150.scale-100.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\i_table_options.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-u..usnotificationuxexe_31bf3856ad364e35_10.0.19041.153_none_51feabe070ab84f6\OkDone_80.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\perftools\images\i_checkered_background.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SystemResources\Windows.UI.Shell\Images\Icon_MMXresume.contrast-black_scale-200.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-appresolverux.appxmain_31bf3856ad364e35_10.0.19041.1_none_b719750f25d4cc37\SquareTile310x150.scale-100.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.844_none_d9eb415c5b9dbe4e\Square310x310Logo.contrast-white_scale-100.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\i_next.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-ui-shellcommon-core_31bf3856ad364e35_10.0.19041.1_none_91b1f58702057373\WiFiNetworkManagerToast.scale-100.png C:\Windows\system32\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mp3\ = "batfile" C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mp4 C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mp4\ = "batfile" C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.png C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.png\ = "batfile" C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.txt C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "batfile" C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mp3 C:\Windows\system32\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5488.tmp\5489.tmp\548A.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 219.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\5488.tmp\5489.tmp\548A.bat

MD5 90ff70f2778f116069b3d3a6cc0ab36e
SHA1 02a2f1a86ebb33a06f0392c365bea6e283e65ea0
SHA256 24581f8d20043f2cfc2ca639054813a59181cb284af37872dc9578b837ec4b24
SHA512 bcecb81121f8f7f29a50c79b01718bd92dda6054a55ab5ef440181b24352c973355d3bf4f0a780dc8fa5b22798dbe35b789933062dfa6385d8fc22721b36b725

C:\Users\Admin\AppData\Local\Temp\InfList_mp3.txt

MD5 a7056e4034a1ab2e5c702872777b53d4
SHA1 2f9c08eb41c885a1bd5792fee317143eefb84b87
SHA256 876f208b4ba4caac32e17b70bb08a4205a50806898b9c18ac2d6ac2ae7d18bff
SHA512 406581d1d7b3b9e025d574ca37e495fb3f4db589e2def7ab835a6a5592e233dd56c721e4c2f8a6e880def433abd95dbd6494c71e6ebd222614b7d57ffd1edc4c

C:\Users\Admin\AppData\Local\Temp\InfList_mp4.txt

MD5 6dbf4182cb7bb750dcf0dcb011580b85
SHA1 b3e448cf78c4645c001931748c0567fd23efcee5
SHA256 6cd2086d84385e9cfec76572888edb6b535e97f4175d66455269de9686742851
SHA512 456de0f9461a32a5143ea38b88e61a825a9ecdb041f86bb57a48f340104f7d8c94baf89f4358090772436dcf19b4935fccd7e055751f180a93c233a27465237e

C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4

MD5 e5d8fd3aeb2df221386026d477c9a29f
SHA1 b0282c62eb15642255d4dcf7709a5480ba49c04c
SHA256 e528a7df88f2edb9a6b9d125fcf360ec4232de036f2ce9ef40c6183b957371e5
SHA512 e5ba2b989683672dfd02cfddf685dca91964c0a4cc89a9b398090485cc47e67a6df585c1f4e0a1c3b77b62ce65deb7122b71309226589a586167464b3967f638

C:\Users\Admin\AppData\Local\Temp\InfList_png.txt

MD5 d9e55a59d2fef4c320dda108699a31db
SHA1 2be85caab1f4b004861912129ae90ec19b4534b4
SHA256 19d27701ecc18710de79eb0eb7bf8e5eaf0d3b15a08010db20f0db592f76a4a5
SHA512 3f2751ad610993e30884a22c52b25006f8af6fc0114bf6158d8312cbd3ce5013258e8ec65fdc7d763a1e4a1031abaf0b4fdedd6d632fa862689d5d52618c7f61