Malware Analysis Report

2025-03-15 04:37

Sample ID 241027-2f1szathkg
Target 7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118
SHA256 90a2b693c05d9aecaa42e3e75ef8028bcc8dd7c55e476fbf8dbdfbe4b3b07030
Tags: ransomware, spyware, stealer, discovery

Score: 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 9/10

SHA256: 90a2b693c05d9aecaa42e3e75ef8028bcc8dd7c55e476fbf8dbdfbe4b3b07030

Threat Level: Likely malicious

The file 7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

ransomware spyware stealer discovery

Renames multiple (519) files with added filename extension

Renames multiple (1110) files with added filename extension

Drops file in Drivers directory

Drops startup file

Reads user/profile data of web browsers

Drops file in System32 directory

Sets desktop wallpaper using registry

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-27 22:32

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-27 22:32

Reported: 2024-10-27 22:35

Platform: win7-20240903-en

Max time kernel: 121s

Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe"

Signatures

Renames multiple (1110) files with added filename extension

ransomware

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\drivers\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\drivers\it-IT\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\drivers\ja-JP\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\drivers\de-DE\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\drivers\en-US\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\drivers\es-ES\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\drivers\fr-FR\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\DriverStore\FileRepository\amdsbs.inf_amd64_neutral_5cae6933bef20aa8\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnlx00c.inf_amd64_neutral_79ebe29715d2fa47\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\wsdscdrv.inf_amd64_neutral_47406488f9e8d5b8\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\it-IT\Licenses\_Default\ProfessionalN\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-DHCPServerMigPlugin-DL\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\migwiz\replacementmanifests\Microsoft-Windows-GameUXMig\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\XPSViewer\it-IT\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\hiddigi.inf_amd64_neutral_12aaf5742a9969da\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj4680t.xml | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\Microsoft.PowerShell.ConsoleHost.dll-Help.xml | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\sffdisk.inf_amd64_neutral_d2425e60845d17d3\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\InstallShield\setupdir\0012\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\it-IT\Licenses\eval\Starter\license.rtf | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-DirectoryServices-ADAM-DL\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmmod.inf_amd64_neutral_5766736c47b90fff\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\wialx004.inf_amd64_neutral_0a3a62ae6ed43127\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\en-US\Licenses\_Default\HomePremium\license.rtf | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\es-ES\lpeula.rtf | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\ja-JP\Licenses\OEM\UltimateE\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomePremium\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\de-DE\lpeula.rtf | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\sensorsalsdriver.inf_amd64_neutral_1c5bc8e71eb90127\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomeBasicE\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\it-IT\Licenses\OEM\HomeBasicE\license.rtf | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnep00f.inf_amd64_neutral_a5f6001b957bd7e0\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnne30a.inf_amd64_ja-jp_b2245ba886355a9f\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\vsmraid.inf_amd64_neutral_be11b7aaa746e92d\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-Sxs\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomePremiumE\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\oobe\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmlasat.inf_amd64_neutral_bc1469ba40fe2114\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\megasr.inf_amd64_neutral_30b367f92ca46598\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\it-IT\Licenses\eval\Professional\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\ja-JP\Licenses\eval\Enterprise\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\wiabr005.inf_amd64_neutral_e14a0514f37611d8\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\es-ES\Licenses\_Default\Professional\license.rtf | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\it-IT\lpeula.rtf | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\migration\en-US\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\Microsoft.PowerShell.Commands.Utility.dll-Help.xml | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmaiwa.inf_amd64_neutral_560c956da9bcd8f5\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmbtmdm.inf_amd64_neutral_2e4da8629fc5904e\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\msclmd.inf_amd64_neutral_413d17c790177eef\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\es-ES\Licenses\OEM\StarterE\license.rtf | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\IME\imekr8\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnky002.inf_amd64_neutral_525d9740c77e325f\Amd64\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc8100t.xml | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\fr-FR\Licenses\eval\StarterN\license.rtf | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\it-IT\Licenses\_Default\EnterpriseN\license.rtf | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnky307.inf_amd64_ja-jp_e40bd14f18e8ff7d\Amd64\KYW7QUR6.XML | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmbug3.inf_amd64_neutral_7617862a9cc286da\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmsonyu.inf_amd64_neutral_45152a8a9362fb82\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_neutral_0383c5de75359695\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\netxfx64.inf_amd64_neutral_3336ecb2950fdc45\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\com\ja-JP\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\de-DE\Licenses\_Default\Professional\license.rtf | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnle003.inf_amd64_neutral_c61883abf66ddb39\Amd64\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\es-ES\Licenses\OEM\UltimateN\license.rtf | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmcxpv6.inf_amd64_neutral_f62ac4bd04e653d0\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnca00x.inf_amd64_neutral_eb0842aa932d01ee\Amd64\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnkm005.inf_amd64_neutral_c03c9e328608873e\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomePremiumE\license.rtf | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A

Sets desktop wallpaper using registry

ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jmobddgjjlobbdgg.bmp" | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\lua\intf\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Adjacency.xml | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\Management.cer | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLow.jpg | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files\Microsoft Games\Chess\es-ES\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files\Windows NT\TableTextService\it-IT\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Windows Media Player\Skins\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Media Player\Media Renderer\RenderingControl.xml | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUI.XML | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145168.JPG | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL010.XML | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\gadget.xml | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Austin.xml | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\gadget.xml | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\keystore\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files\Windows Mail\it-IT\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYER.XML | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Common Files\System\msadc\de-DE\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24Images.jpg | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCINFO.XML | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\gadget.xml | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\winsxs\amd64_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7601.17514_de-de_e662f6f8b87f49c0\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\winsxs\amd64_microsoft-windows-windowsfirewall-adm_31bf3856ad364e35_6.1.7600.16385_none_e6508032a8d2c091\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpl7400t.xml | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\winsxs\x86_microsoft-windows-deskmon.resources_31bf3856ad364e35_6.1.7600.16385_es-es_154a2a1e5da92fd8\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c9175f8#\7600f870ebcc661f412ab16465a64647\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\PLA\Reports\it-IT\Report.System.Performance.xml | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\winsxs\amd64_microsoft-windows-l..essionale.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_a4edd7cbf6df1658\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\winsxs\amd64_microsoft-windows-p..trols-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1bd0fedc558adab0\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\winsxs\wow64_microsoft-windows-mlang_31bf3856ad364e35_6.1.7600.16385_none_bd28e772321016e1\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\winsxs\x86_microsoft-windows-scrnsave.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d598d3cd12fb8c9e\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\winsxs\amd64_microsoft-windows-alg.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_df6e5718e33fb3ee\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\winsxs\amd64_microsoft-windows-w..installer.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cc6e4eb2f75bef81\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\winsxs\x86_microsoft-windows-powercpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_89feb5e516623aa7\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\winsxs\amd64_msdv.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_54597187aba44419\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\winsxs\x86_microsoft-windows-font-fms.resources_31bf3856ad364e35_6.1.7600.16385_sk-sk_714c27547a5743d8\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\winsxs\x86_microsoft-windows-x..ollmentui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6782f91fb8e619ab\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\assembly\GAC_MSIL\System.Web.Mobile.resources\2.0.0.0_it_b03f5f7f11d50a3a\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\winsxs\amd64_multiprt.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_321f07583d5d02b1\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v3.5\1031\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\winsxs\x86_microsoft-windows-dskquoui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d877930ae4f915da\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created | C:\Windows\winsxs\x86_microsoft-windows-i..onal-codepage-28599_31bf3856ad364e35_6.1.7600.16385_none_551e35354591cbf8\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe | N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..up-prompt.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e6bfaf39ccd1f2e7\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-t..sframework-inputdll_31bf3856ad364e35_6.1.7600.16385_none_b88be45adf067b29\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.7601.17514_none_bac5319939f7951a\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-iis-metabase.resources_31bf3856ad364e35_6.1.7600.16385_it-it_7ba1225e43947422\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-autofmt.resources_31bf3856ad364e35_6.1.7600.16385_es-es_87dfc08290500927\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1543c3c503d80bbc\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\Speech\Engines\SR\es-ES\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-e..nmove-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ff4e4eb0a98b94e1\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-kernelbase.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d411ac56d039353c\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-mprmsg.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e0a02574e799f5bf\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_prnep004.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_70dc8bec5fab3095\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_devicepairingproxy.resources_31bf3856ad364e35_6.1.7600.16385_en-us_dccc313b2f493e49\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-a..xtensions.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bec88761433f76d6\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-autoconv.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_05418eada7acee76\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-fax-service.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d963b11c024eb424\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_811b377c89d18189\license.rtf C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_prnrc004.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b1922a3d439d9ff8\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-ie-feedsbs.resources_31bf3856ad364e35_8.0.7600.16385_ja-jp_91dad42d6dd1ea26\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_mdmlasno.inf_31bf3856ad364e35_6.1.7600.16385_none_dea8b5e2e5831811\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-m..vider-rll.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_76c538b8c1054321\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-n..sh-helper.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d0d72f2fd04aa217\Report.System.NetTrace.xml C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sud_31bf3856ad364e35_6.1.7601.17514_none_05cbfa317289b4af\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.1.7600.16385_none_9ba1049ce0053bef\ipsrom.xml C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_netfx-ngen_exe_b03f5f7f11d50a3a_6.1.7601.17514_none_046c078df2caf5d8\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnkm003.inf_31bf3856ad364e35_6.1.7600.16385_none_50766fcc42797a9b\Amd64\kom4650X.xml C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ba2335c8bba30fbf\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-where.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b00593198fcde668\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft.windows.d..ackmodule.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_591723b1077e8ad5\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_47f32bdf2bab3be3\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-o..sc-wizard.resources_31bf3856ad364e35_6.1.7600.16385_en-us_102a16b698e56faf\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-r..tymanager.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a72ced2c5e567955\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-regsvr32.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a40ab2ab37f0dc92\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-t..atibility.resources_31bf3856ad364e35_6.1.7600.16385_es-es_55c9a92765e4c2e2\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_fdproxy_31bf3856ad364e35_6.1.7600.16385_none_7b3ca813cfe4f480\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..edstorage.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_71755af76007c973\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_prnnr004.inf_31bf3856ad364e35_6.1.7600.16385_none_ba2d2131f8a32d84\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..serverapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f13915ba69521161\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-help-print.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6a78ab990b8a97c9\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_prngt003.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4e7c585ff6bf2b39\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-scheduleui_31bf3856ad364e35_6.1.7600.16385_none_d0b7a7aa2b6c0a20\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-u..-core-tsp.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9d068185288626a2\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..p-ui-libs.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ce5db44c767b79e3\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AUBYUGMEGMROSLL C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AUBYUGMEGMROSLL\DefaultIcon C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AUBYUGMEGMROSLL\shell C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AUBYUGMEGMROSLL\shell\open C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.5043 C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.5043\ = "AUBYUGMEGMROSLL" C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AUBYUGMEGMROSLL\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AUBYUGMEGMROSLL\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0wi87Y962nNss4s.exe,0" C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AUBYUGMEGMROSLL\shell\open\command C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AUBYUGMEGMROSLL\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0wi87Y962nNss4s.exe" C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe"

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

MD5 4f96659ec995be3d93c06fe39c89e3df
SHA1 1f7357fc113e519f6547f5e7742583426ee89c81
SHA256 882ac9bf649bee58fe58513e5a91fc301c08a988df83baeee56968538848e1fd
SHA512 4cd5e53044785973d2ebc54ae49a1e101fa42198cbaba1c9eb7d30e7787b06ccec690f068d598aa0a4a1244d1cb8b036e75534c7764d911212039fbe71d7c3db

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML

MD5 3d092a28bb781e04a18725245ccf70cf
SHA1 720b8f2bb75159adef44dd037f6affd1e6e30529
SHA256 f4f98667ccd177161dd61d2a8f86e670e335ab0a7cdc101df4df23903bbd1780
SHA512 af3e890029e751a874ba7425bd22aa4193544c431e2c91b3a8bde61bf09cbb2f6b382609621b58ccf8fdcab0da6a567ad4540c5938d5cb21df1980de42370a41

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

MD5 6b0a643f7a962c8b87a025b991afd1d9
SHA1 5fec7e23ed218bfe59d2595d2dea485baebfa188
SHA256 e219d9ed12fed8a2d1a4f06fdfbde68ad1ba8d1affd83cacf73c78885f986482
SHA512 8b3f753788a7e85b0d63b6a7d7cf0f1900ca68de12b8466bc25fc5565addcccda22e66c442fe9ef3d04c105bcd0a819247bb16c7b0506cdc762fc43ed2a64626

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

MD5 6e785c3e3feddf613aad94a571eb70c1
SHA1 aae74e752fc9211cc69b42040718f0adb237013d
SHA256 707287a675a38a306b811870549940bf483d952f74edac2dfa5e69edbdd903ac
SHA512 1ca744f7222ed18d1f31d9d79ce0ecdd6a0208a2fcf422ac504f41c1793e6294a6a7c2d568bb4b39cd1aa21326ecf27b33b1f9df5e2d3cf98275e656379e2422

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

MD5 48e0392bbbfbaca4fca83ee2b91b05c0
SHA1 b735cc0685daa6821b03ebb64992e15c62310951
SHA256 c9405746f7522f7bc375f15a10de569c878132c7f004b5150c709a3d110bd5a6
SHA512 154e3b80a05bc1f7c6777f535d75d69950aaebfdb4ba79ab449c58a95fead685b56d859eacd15ffa10be8f29b1221e13c2aaf2e7a0ee600c56eea66ed254ab6d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

MD5 972380fdc707fd0ca23b4ed737dd8156
SHA1 d019b2639af6987cdf41db1c528e67a7a80b7cdf
SHA256 09acf8188f5c9121339dbe1a8386aaa79f18b1c0e0a9ebf93f27c1cdcb03863d
SHA512 b9845270c586dccd2aa37ae43a7524985025d4056c93779f9e60254903772387c757b7b303ecba702da29a6e79456c4db3876ea529fdd290bbb9f414c9fc09bc

C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

MD5 ea24349de7dd6d7c0a61ef2f4fa291f8
SHA1 d203d1ce2fd50d46da56a13c8f6a1dbacdfa7253
SHA256 d1cbed4dc15b4294158a0e4d91de820287f9945512883edfef4d4ab9a3b711e7
SHA512 b3df736e4f940637895657a14c310638d66fb679c9f8eeb2d2664b80be719135af4c1217ebc9b1b32b7147d530b325dc93fb10db9a65d5e3a3cc18cbd978ef5e

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

MD5 32426febd3c0f282c93b96cbed6d1a7f
SHA1 e767b75d6d842d82ac9f78aee9d8d931456b9ec7
SHA256 6e9c748b6662d8e46dd5ea14592f81dc09a779402d41e76adcec81d22552b953
SHA512 77fb825ac88dc4149e559dbd277a72291548e52979ca0fcaf33935a0178e68e6dbdfaba9c62e1fb2cbb0d9945417a33cce3ebdc2d4bbf9536cc4d03e1507dda4

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

MD5 312f1301e7579b1d45dc222b55fe9767
SHA1 acdc7447d023c7cb15b61c43da2003734781cfd6
SHA256 97b57596bbdf18d0c2cfe5f3a2e1b9e817ab67d661cad10f58aa582cc828570f
SHA512 d46ae4636b4b0f301cee834f6ba835ba1d1d61f707360f7034ddbb5775a609ff67c9d82ab7cd3f0a78c4be34906b1622fe7caf1b3635580eb73a6803ee8dcbc0

C:\Users\Admin\Documents\CompareSwitch.xlsx

MD5 ce370643d73f9dc1e5252de21ae927f7
SHA1 8652b7e97263730cffebdc7c59072a90c7e566e8
SHA256 fcb7e66e3f6d6f4122880251aa9afecc20d7034753720ace24a39c7dbc227e07
SHA512 a3b1d8c8b696320ce4214b91af1a901deb0a999104ae63dbd823bc4b06bf7178dcaa20a63eaa8576d6fa668f035310ac31d41e68e4e92c2776d926819e913321

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml

MD5 d41600f7da09bfc791dbc77409a22588
SHA1 9f89a9acab5ea66d9bfeda64432f146d8e0bc7ce
SHA256 dc61d1875ef28521d0f9ae33fd5e6e0c8699f26e556a65832ec3f2364f2d51f6
SHA512 7a91a8f9a595537d992fec9210d5b4985ff8d246e86d5a37d9e5511cbf447681c07451911469bd1b8011d47f5eb202004f763311c22f776aa29a7090f78f16a1

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

MD5 173276c633dd374114b638ebaa100415
SHA1 07b79ecf7aa8f9661dc60d006ce3c60d72cf11a8
SHA256 7b546c76bcd4070cfc3279e4f2459b761643f5f64cb663f3004a33dd22e764cf
SHA512 ac9a0b1031cdf0dc8cfcfd11618de4dcdb1d1f6dad811cd3bb5a75848245c4a5cefd7ac5aec8715c884f0411a4befc124a28f4fc464d8c51f1964a2138c34792

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

MD5 c63e3cb361b7501d24a671130a7b481c
SHA1 0aa25458ae39266f4c3dd32fd2f51b9b64bf3f88
SHA256 2ac09223e2bfa9abd6d1f975cd3dac383a02710ee8184b084b0c4d57d054d2a0
SHA512 28e069714630dee8ce2f34c4cafc980933f6f218c94b8b5724dac0cd5bbce76292821250a43f54152b8e3103f87683ffa5c6fe84cc72df89780ce4fc9547f437

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

MD5 b504273d017233f4b151846505f30e50
SHA1 dc474e86c5316a4e76e50bc617c55c007a9048ca
SHA256 df364d483baba875558703f8cd24952da1c619397b036d216283dfc8f862f3c0
SHA512 836d43442622d748e5457a6c9df45828b3c144eda6728f4996c8a257293731ac4f736261037cfd67d58aeda9471c4c3d917a98069ed291c412359acdfe71fa11

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

MD5 db9f1a58559f143c4a907a344b9ec6e5
SHA1 59ada49413804a765de81c073ee279c4e8645dd1
SHA256 b866fac08c049d398b54f2e191eee3534169c49bb30894b7b9e8dd8c89ea0055
SHA512 0b76a2ca4e469d10616ad1560cf0a240c534c145e423e642c792a5c1599d14afcfb9b5c93f519c7e3911dbe4f5ff792ca3564d64d4d19a39c1e79ac97e966b2d

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 22:32

Reported

2024-10-27 22:35

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe"

Signatures

Renames multiple (519) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\es-ES\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\drivers\uk-UA\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\drivers\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\FileRepository\mdmaiwa5.inf_amd64_8416dd97e1ecb6dc\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\usbhub3.inf_amd64_6a68abcc31aaa333\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\Licenses\Volume\Professional\license.rtf C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\ja-JP\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Configuration\BaseRegistration\uk-UA\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\bthoob.inf_amd64_c6923052f60677d9\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_pcmcia.inf_amd64_92be188847324ddb\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\it-IT\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\OEM\Professional\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Speech\SpeechUX\ja-JP\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmmot64.inf_amd64_2afbe7d3ad20f42a\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmtdk.inf_amd64_9e49da794995b361\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\rdpidd.inf_amd64_ce12c614d182f4f9\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\it-IT\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\btampm.inf_amd64_445ffdc4132cbc59\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_mediumchanger.inf_amd64_69ea0d8614286224\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmcxhv6.inf_amd64_f1a7a2fbd6554d60\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\it\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\hidbatt.inf_amd64_a6fa9bcee39a694f\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\InstallShield\setupdir\0404\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\it-IT\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\perceptionsimulationheadset.inf_amd64_47c7e539c0156424\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnms002.inf_amd64_2176cc45624119a9\Amd64\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\F12\it-IT\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Speech\SpeechUX\de-DE\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\sr-Latn-RS\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_camera.inf_amd64_7b52a9607d24ece6\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_fshsm.inf_amd64_48c6ccb73844d3bb\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\pcmcia.inf_amd64_cb18bba4788e47f7\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\DriverStore\en-US\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\F12\de-DE\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\iSCSI\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\avc.inf_amd64_0eaf27d749819837\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netmscli.inf_amd64_b39ea5f4658998de\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-pipelineconfig.xml C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\usbvideo.inf_amd64_b401376fd0a39c95\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wudfusbcciddriver.inf_amd64_a084e687a06b255f\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\acpipmi.inf_amd64_310dc613a7e31ec8\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmgl005.inf_amd64_d9886a7bbe9e55ca\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmhay2.inf_amd64_e87e378eb673af65\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ScriptResource\it-IT\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\winrm\0411\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Com\de-DE\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_61883.inf_amd64_2c1769df23d261a5\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\oobe\es-ES\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\Volume\Professional\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\zh-TW\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmhayes.inf_amd64_055d85baabbda8f6\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPCL6-pipelineconfig.xml C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\lpeula.rtf C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\spp\tokens\pkeyconfig\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Kds\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources\WindowsPackageCab\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\fr-FR\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\lpeula.rtf C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\hu-HU\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Speech\Common\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\lsi_sas.inf_amd64_74bb5e3e01cfd526\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmjf56e.inf_amd64_07bca0bfd5173050\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Nui\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\fr-FR\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Configuration\Schema\MSFT_FileDirectoryConfiguration\it-IT\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gjmobddgjknaacfh.bmp" C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\29.jpg C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\AppxMetadata\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nl-NL\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_02.jpg C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\Fonts\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\es\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_f33\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\import_google_contacts\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\Content\Shaders\LoadedModelShaders\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\3082\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN121.XML C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\ContentDirectory.xml C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-il\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\AppxMetadata\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL105.XML C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL054.XML C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\it-it\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Common Files\System\ado\it-IT\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\Crashpad\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\AppxMetadata\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Fur.jpg C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\tr-tr\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\cs-CZ\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\en-US\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ru-ru\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\msil_microsoft.powershel..s.utility.resources_31bf3856ad364e35_1.0.0.0_es-es_255ec101005b0aff\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-autoplay_31bf3856ad364e35_10.0.19041.1_none_66e83389c17b2091\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.0.19041.1202_none_5b834788c0d17953\f\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\r\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..peech-fr-fr-onecore_31bf3856ad364e35_10.0.19041.1_none_926835e1ef93be8b\tokens_TTS_fr-FR_hortense.xml C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_netvg63a.inf.resources_31bf3856ad364e35_10.0.19041.1_de-de_09e9eabea4a97b11\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-wwanapi_31bf3856ad364e35_10.0.19041.746_none_81ff90487c3f8018\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_wvms_vsft.inf.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_aa7b128d6a2acc7f\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\msil_microsoft.virtualiz..vmbrowser.resources_31bf3856ad364e35_10.0.19041.1_es-es_f287c4684874aa25\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\x86_microsoft-windows-mediaplayer-wmvcore_31bf3856ad364e35_10.0.19041.1202_none_1fd41533d2b067a4\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Resources\8.0.0.0_es_b03f5f7f11d50a3a\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..entsnapin.resources_31bf3856ad364e35_10.0.19041.1_it-it_b9dfe4fd58a7240a\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-ie-feedsbs.resources_31bf3856ad364e35_11.0.19041.1_fr-fr_d4df49dad566c931\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..spaces-spacemanager_31bf3856ad364e35_10.0.19041.1266_none_bee3df875f7e71bb\f\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-integrity-policy_31bf3856ad364e35_10.0.19041.746_none_8a20106aa387072c\r\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..ytools-ex.resources_31bf3856ad364e35_10.0.19041.1_en-us_bba552432658873d\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.153_none_90dc0b923cd83016\r\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-u..-core-tsp.resources_31bf3856ad364e35_10.0.19041.1_de-de_7b601ab5ba6c0c87\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\INF\MSDTC\0C0A\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-graphics-wdi.resources_31bf3856ad364e35_10.0.19041.1_es-es_e0d5286d9617c423\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-ndis_31bf3856ad364e35_10.0.19041.746_none_85c076937ade51dd\r\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_netelx.inf.resources_31bf3856ad364e35_10.0.19041.1_it-it_a61626d78ff2fe3b\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-themecpl.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_7914b51c4f8f2e00\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-wbiosrvc.resources_31bf3856ad364e35_10.0.19041.423_en-us_c99b855b8edbac2b\f\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-wfpipsechelperclasses_31bf3856ad364e35_10.0.19041.964_none_507f3b8f5adc2210\f\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-wmpdmc-ux_31bf3856ad364e35_10.0.19041.746_none_cc5cbb9556301da3\f\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_2610450c30b37cc4\r\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-s..r-library.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5295409ec6f0a2ab\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-t..nputpanel.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_5fdd841c6398619a\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\x86_netfx4-dv_aspnetmmc_chm_b03f5f7f11d50a3a_4.0.15805.0_none_903145418de7e82f\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-iis-metabase_31bf3856ad364e35_10.0.19041.1_none_ef230558c150a821\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-spb-classextension_31bf3856ad364e35_10.0.19041.1_none_6fe049417df680da\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-bth-cpl_31bf3856ad364e35_10.0.19041.388_none_3f3e847bf35a0410\r\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_wsdapi.resources_31bf3856ad364e35_10.0.19041.1_it-it_5dd5975bcef2f854\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-w..lient-aux.resources_31bf3856ad364e35_10.0.19041.1266_en-us_2d9ea7f6426cfa21\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Windows\servicing\Sessions\31135901_1001110385.xml C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-networkicon_31bf3856ad364e35_10.0.19041.1_none_0544c644a157f1c6\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.1_none_f59d207965b1bbc3\ipscat.xml C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\1031\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_dual_storfwupdate.inf_31bf3856ad364e35_10.0.19041.1_none_f9ee98fddb5b4229\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_lv-lv_9c193dc75ecc0b4e\f\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_netfx4-aspnet_perf_ini_b03f5f7f11d50a3a_4.0.15805.0_none_207fddeead1ca79d\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_windows-defender-branding.resources_31bf3856ad364e35_10.0.19041.1_de-de_c34d7c8fb9de763d\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\msil_microsoft.virtualiz..vmbrowser.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f6813f37a7774b6\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-a..cationmodel-daxexec_31bf3856ad364e35_10.0.19041.1288_none_3488a3ed0a497e26\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-s..anup-task.resources_31bf3856ad364e35_10.0.19041.1_en-us_22af5b26af954aa7\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..es-ntdsai.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_0e0137fc170149b3\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..ngshandlers-flights_31bf3856ad364e35_10.0.19041.746_none_1c4fa74bb06cbe36\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-font-truetype-inkfree_31bf3856ad364e35_10.0.19041.1081_none_87beae98bb645f2f\f\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..lders-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b92fb725e0abdb11\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-sysdm.resources_31bf3856ad364e35_10.0.19041.1_it-it_832a8a2b836c46d6\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-tapi3_31bf3856ad364e35_10.0.19041.1_none_218e69a0634eb631\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.SecureBoot.Commands.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Windows\PLA\Rules\de-DE\Rules.System.Diagnostics.xml C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-eventlog-forwardplugin_31bf3856ad364e35_10.0.19041.1_none_2b5b36de8d376f2c\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-f..overy-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_036fec1172c7e855\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..xecserver.resources_31bf3856ad364e35_10.0.19041.1_en-us_cc7def7e14ad13f3\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..atecontract-desktop_31bf3856ad364e35_10.0.19041.746_none_692666eeada9435b\r\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-bootmenuux_31bf3856ad364e35_10.0.19041.1266_none_69a7682dca8f3b65\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-network-setup_31bf3856ad364e35_10.0.19041.1_none_5dd26c4f87bf6b87\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..gement-vdsinterface_31bf3856ad364e35_10.0.19041.1_none_659dbe30f2c106b5\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\x86_netfx35linq-microso..uild.utilities.v3.5_31bf3856ad364e35_10.0.19041.1_none_d9377eac1a538bd0\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\Boot\PCAT\hr-HR\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
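The file name that recurs throughout the System32, Program Files and Windows tables above, `ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt`, is not extraction damage: it is what an en-US host shows on disk when a program writes a name through the ANSI file API using Windows-1251 (Cyrillic) bytes. Re-reading those same bytes as cp1251 gives `РАСШИФРОВАТЬ ФАЙЛЫ.txt` ("DECRYPT FILES.txt"), the ransom note this sample drops into every directory it visits. The script below is an added example, not part of the sandbox report: it recovers the intended name, produces both spellings a responder should hunt for (the mangled one on Western-locale hosts, the Cyrillic one on Russian-locale hosts), and parses a few rows copied from the tables above to separate note drops from the files the sample opened for modification (its likely encryption targets). The cp1251 origin is an inference from the decode yielding a readable Russian phrase; the report itself does not state the code page.

```python
# Added example, not part of the sandbox report: make sense of the ransom-note
# file name recorded in the tables above and summarise the drop events.
#
# Inference: the sample creates the note through the ANSI file API with
# Windows-1251 (Cyrillic) bytes. The en-US sandbox host mapped those bytes
# through its own code page (1252), so every table shows "ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt".
import re
from collections import Counter

# Note file name exactly as the report records it (what an en-US host shows on disk).
MOJIBAKE_NOTE = "ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt"

# One report row: "<action> <target path, may contain spaces> <process path> N/A"
EVENT_RE = re.compile(
    r"^(File created|File opened for modification) (.+) (\S+\.exe) N/A$"
)

# Constructed sample input: a handful of rows copied from the tables above.
SAMPLE_EVENTS = r"""
File created C:\Windows\SysWOW64\winrm\0411\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\lpeula.rtf C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Program Files\Crashpad\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN121.XML C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File created C:\Windows\Boot\PCAT\hr-HR\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
File opened for modification C:\Windows\PLA\Rules\de-DE\Rules.System.Diagnostics.xml C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
"""


def recover_cp1251(name: str) -> str:
    """Undo the code-page mix-up: turn the characters the en-US host displayed
    back into the original single bytes, then decode those bytes as cp1251."""
    return name.encode("latin-1").decode("cp1251")


def note_name_variants(name: str = MOJIBAKE_NOTE) -> set:
    """Both spellings a responder should hunt for: the mangled form seen on a
    Western-locale host and the intended Cyrillic form seen on a Russian-locale host."""
    return {name, recover_cp1251(name)}


def parse_file_events(report_text: str) -> list:
    """Turn the flattened 'Description Indicator Process Target' rows into dicts."""
    events = []
    for line in report_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({"action": m.group(1), "target": m.group(2), "process": m.group(3)})
    return events


def summarise_note_drops(events: list, note_name: str = MOJIBAKE_NOTE):
    """Count note drops per top-level directory and collect the files the sample
    opened for modification (its likely encryption targets)."""
    notes = Counter()
    modified = []
    for ev in events:
        target = ev["target"]
        root = "\\".join(target.split("\\")[:2])  # e.g. C:\Windows or C:\Program Files
        if ev["action"] == "File created" and target.endswith("\\" + note_name):
            notes[root] += 1
        elif ev["action"] == "File opened for modification":
            modified.append(target)
    return notes, modified


if __name__ == "__main__":
    print("note name decodes to:", recover_cp1251(MOJIBAKE_NOTE))
    print("hunt for:", *sorted(note_name_variants()), sep="\n  ")
    counts, touched = summarise_note_drops(parse_file_events(SAMPLE_EVENTS))
    for root, n in counts.most_common():
        print(f"{n} note(s) under {root}")
    print("opened for modification:", *touched, sep="\n  ")
```

When searching a real host or an EDR file-event feed for this note, search for both spellings: a Russian-locale machine stores the Cyrillic name, while any other locale stores the mangled one.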

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.5043 C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AUBYUGMEGMROSLL C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AUBYUGMEGMROSLL\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AUBYUGMEGMROSLL\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0wi87Y962nNss4s.exe,0" C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AUBYUGMEGMROSLL\shell\open\command C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AUBYUGMEGMROSLL\shell C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AUBYUGMEGMROSLL\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0wi87Y962nNss4s.exe" C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.5043\ = "AUBYUGMEGMROSLL" C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AUBYUGMEGMROSLL\DefaultIcon C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AUBYUGMEGMROSLL\shell\open C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7646a52f439e5f5a9bed9eb26b0f27c2_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

C:\Program Files\7-Zip\Lang\ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\help.jpg

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml
