Malware Analysis Report

2025-03-15 00:52

Sample ID 240626-v4knbsxenp
Target 12cf0e214c7667138f5368af7ab57b39_JaffaCakes118
SHA256 305046b15c369436269b20d3440895473af31983538473cf3a41c6e42b216634
Tags
defense_evasion execution impact persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

305046b15c369436269b20d3440895473af31983538473cf3a41c6e42b216634

Threat Level: Known bad

The file 12cf0e214c7667138f5368af7ab57b39_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion execution impact persistence ransomware spyware stealer

Renames multiple (403) files with added filename extension

Deletes shadow copies

Renames multiple (870) files with added filename extension

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Drops startup file

Deletes itself

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Opens file in notepad (likely ransom note)

Modifies registry class

Interacts with shadow copies

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 17:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 17:32

Reported

2024-06-26 17:35

Platform

win7-20240611-en

Max time kernel

131s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (403) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RECOVER+nrbqn.PNG C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RECOVER+nrbqn.TXT C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RECOVER+nrbqn.HTM C:\Windows\fkvhvqwos.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\fkvhvqwos.exe N/A
N/A N/A C:\Windows\fkvhvqwos.exe N/A
N/A N/A C:\Users\Admin\Documents\jiyes.exe N/A
N/A N/A C:\Users\Admin\Documents\vwsuy.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\fkvhvqwos.exe N/A
N/A N/A C:\Windows\fkvhvqwos.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\addon_v57 = "C:\\Windows\\fkvhvqwos.exe" C:\Windows\fkvhvqwos.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Games\Hearts\RECOVER+nrbqn.TXT C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\RECOVER+nrbqn.PNG C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\RECOVER+nrbqn.HTM C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground.wmv C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Google\Chrome\RECOVER+nrbqn.HTM C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\RECOVER+nrbqn.HTM C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RECOVER+nrbqn.PNG C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hy\RECOVER+nrbqn.HTM C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\uz\RECOVER+nrbqn.TXT C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\skins\fonts\RECOVER+nrbqn.PNG C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\RECOVER+nrbqn.HTM C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Common Files\System\ja-JP\RECOVER+nrbqn.PNG C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\de-DE\RECOVER+nrbqn.TXT C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Internet Explorer\en-US\RECOVER+nrbqn.HTM C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\RECOVER+nrbqn.PNG C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\RECOVER+nrbqn.TXT C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fur\RECOVER+nrbqn.HTM C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\3.png C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\RECOVER+nrbqn.PNG C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\RECOVER+nrbqn.TXT C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hi\RECOVER+nrbqn.HTM C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\RECOVER+nrbqn.PNG C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-highlight.png C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\RECOVER+nrbqn.HTM C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\RECOVER+nrbqn.PNG C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\RECOVER+nrbqn.HTM C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\RECOVER+nrbqn.PNG C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\RECOVER+nrbqn.PNG C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\RECOVER+nrbqn.TXT C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\RECOVER+nrbqn.TXT C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\RECOVER+nrbqn.HTM C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\RECOVER+nrbqn.PNG C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\main.css C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full.png C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Windows Mail\es-ES\RECOVER+nrbqn.HTM C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\DVD Maker\es-ES\RECOVER+nrbqn.HTM C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-BR.pak C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Minesweeper\en-US\RECOVER+nrbqn.TXT C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\RECOVER+nrbqn.HTM C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\RECOVER+nrbqn.PNG C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\RECOVER+nrbqn.TXT C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\it-IT\RECOVER+nrbqn.TXT C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\RECOVER+nrbqn.HTM C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\fr-FR\RECOVER+nrbqn.HTM C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\RECOVER+nrbqn.TXT C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_m.png C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\RECOVER+nrbqn.HTM C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_100_percent.pak C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\RECOVER+nrbqn.HTM C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\RECOVER+nrbqn.PNG C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\RECOVER+nrbqn.HTM C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\visualization\RECOVER+nrbqn.TXT C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_right.png C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\RECOVER+nrbqn.TXT C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\RECOVER+nrbqn.TXT C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\StepStart.cr2 C:\Windows\fkvhvqwos.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\RECOVER+nrbqn.HTM C:\Windows\fkvhvqwos.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\fkvhvqwos.exe C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe N/A
File opened for modification C:\Windows\fkvhvqwos.exe C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 704bcd1fefc7da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value not captured in this export) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4B5CFF11-33E2-11EF-B9E1-7E2A7D203091} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb8100000000020000000000106600000001000020000000dec3806275aa30897bbdcfe7f557df59cd2479f1fad3753fe3889365becb7037000000000e8000000002000020000000afd2188e664c41129b3f5b2b4041adcf3286fd61a9094e837ce747ead265881d200000002c54fccde24dffcc55c45e9615aacfb2d7715a5a569e93a47855ce02eb13d12e40000000ddf2e3775be35fafabfd6b0300ca99a09a6f87ef398875637edb47ef838cf9c6de9070a3d65ca687a377fef10ac73b73b3d42f6e2c41e1084193c8157024b6ec C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\fkvhvqwos.exe N/A (64 identical rows, all from the dropped C:\Windows\fkvhvqwos.exe)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\fkvhvqwos.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2488 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe (11 identical rows)
PID 2844 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe C:\Windows\fkvhvqwos.exe (4 identical rows)
PID 2844 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 3016 wrote to memory of 2664 N/A C:\Windows\fkvhvqwos.exe C:\Windows\fkvhvqwos.exe (11 identical rows)
PID 2664 wrote to memory of 1252 N/A C:\Windows\fkvhvqwos.exe C:\Users\Admin\Documents\jiyes.exe (4 identical rows)
PID 1252 wrote to memory of 2420 N/A C:\Users\Admin\Documents\jiyes.exe C:\Windows\System32\vssadmin.exe (4 identical rows)
PID 2664 wrote to memory of 216 N/A C:\Windows\fkvhvqwos.exe C:\Windows\SysWOW64\NOTEPAD.EXE (4 identical rows)
PID 2664 wrote to memory of 220 N/A C:\Windows\fkvhvqwos.exe C:\Program Files\Internet Explorer\iexplore.exe (4 identical rows)
PID 220 wrote to memory of 2960 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (4 identical rows)
PID 2664 wrote to memory of 1508 N/A C:\Windows\fkvhvqwos.exe C:\Users\Admin\Documents\vwsuy.exe (4 identical rows)
PID 1508 wrote to memory of 1312 N/A C:\Users\Admin\Documents\vwsuy.exe C:\Windows\System32\vssadmin.exe (4 identical rows)

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe"

C:\Windows\fkvhvqwos.exe

C:\Windows\fkvhvqwos.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\12CF0E~1.EXE

C:\Windows\fkvhvqwos.exe

C:\Windows\fkvhvqwos.exe

C:\Users\Admin\Documents\jiyes.exe

C:\Users\Admin\Documents\jiyes.exe

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_H_e_l_p_RECOVER_INSTRUCTIONS.TXT

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_H_e_l_p_RECOVER_INSTRUCTIONS.HTM

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:220 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Users\Admin\Documents\vwsuy.exe

C:\Users\Admin\Documents\vwsuy.exe

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\FKVHVQ~1.EXE

Network

Country Destination Domain Proto
US 8.8.8.8:53 vostorgspa.kz udp
US 8.8.8.8:53 todayinbermuda.co udp
US 8.8.8.8:53 mosaudit.com udp
US 8.8.8.8:53 polyhedrusgroup.com udp
US 143.95.229.33:80 polyhedrusgroup.com tcp
US 8.8.8.8:53 bledisloeenergy.com.au udp
US 8.8.8.8:53 buildenergyefficienthomes.com udp
US 143.95.229.33:80 polyhedrusgroup.com tcp

Files

C:\Windows\fkvhvqwos.exe

\Users\Admin\Documents\jiyes.exe

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RECOVER+nrbqn.TXT

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RECOVER+nrbqn.PNG

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RECOVER+nrbqn.HTM

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

C:\Users\Admin\AppData\Local\Temp\Cab845D.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\Tar8512.tmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 17:32

Reported

2024-06-26 17:35

Platform

win10v2004-20240508-en

Max time kernel

138s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (870) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Documents\hjmug.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\scvleslhw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Documents\wpxmk.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RECOVER+ynveg.TXT C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RECOVER+ynveg.HTM C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RECOVER+ynveg.PNG C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RECOVER+ynveg.TXT C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RECOVER+ynveg.HTM C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RECOVER+ynveg.PNG C:\Windows\scvleslhw.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Users\Admin\Documents\hjmug.exe N/A
N/A N/A C:\Users\Admin\Documents\wpxmk.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\addon_v57 = "C:\\Windows\\scvleslhw.exe" C:\Windows\scvleslhw.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\RECOVER+ynveg.HTM C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_altform-unplated_contrast-black.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail.scale-150.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\RECOVER+ynveg.PNG C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\RECOVER+ynveg.TXT C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-256.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-180.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\RECOVER+ynveg.TXT C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.scale-100.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-100_contrast-white.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-96.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\he-IL\RECOVER+ynveg.PNG C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\PhotosApp\RECOVER+ynveg.TXT C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-20_altform-unplated_contrast-white.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\RECOVER+ynveg.TXT C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.scale-100.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\th-TH\RECOVER+ynveg.PNG C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\RECOVER+ynveg.TXT C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hr\RECOVER+ynveg.PNG C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\RECOVER+ynveg.HTM C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_~_8wekyb3d8bbwe\RECOVER+ynveg.PNG C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-150.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.AdomdClient\13.0.0.0__89845DCD8080CC91\RECOVER+ynveg.PNG C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\SmallLogoDev.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosSmallTile.scale-100.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-24.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pl\RECOVER+ynveg.HTM C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\RECOVER+ynveg.TXT C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\RECOVER+ynveg.HTM C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\locimages\RECOVER+ynveg.PNG C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteWideTile.scale-200.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\RECOVER+ynveg.TXT C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\tt\RECOVER+ynveg.HTM C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\RECOVER+ynveg.PNG C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\dotnet\host\fxr\8.0.2\RECOVER+ynveg.HTM C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-white_scale-125.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\te\RECOVER+ynveg.TXT C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-125_contrast-black.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\microsoft.system.package.metadata\RECOVER+ynveg.HTM C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ca-ES\RECOVER+ynveg.TXT C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RECOVER+ynveg.PNG C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\195.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\RECOVER+ynveg.PNG C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-72.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\RECOVER+ynveg.HTM C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderMedTile.contrast-white_scale-100.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-200.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\RECOVER+ynveg.HTM C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\RECOVER+ynveg.TXT C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sl-SI\RECOVER+ynveg.TXT C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-200_contrast-white.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\sk-SK\RECOVER+ynveg.TXT C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.scale-125.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-125_contrast-black.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\EnsoUI\RECOVER+ynveg.TXT C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.scale-100.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-100_contrast-white.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hu-HU\View3d\RECOVER+ynveg.HTM C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\Wide310x150Logo.scale-200.png C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\RECOVER+ynveg.PNG C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\RECOVER+ynveg.PNG C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\RECOVER+ynveg.HTM C:\Windows\scvleslhw.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-48_altform-unplated_contrast-black.png C:\Windows\scvleslhw.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\scvleslhw.exe C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe N/A
File opened for modification C:\Windows\scvleslhw.exe C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\scvleslhw.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvleslhw.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe N/A
N/A N/A C:\Windows\scvleslhw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3628 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe
PID 3628 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe
PID 3628 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe
PID 3628 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe
PID 3628 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe
PID 3628 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe
PID 3628 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe
PID 3628 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe
PID 3628 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe
PID 3628 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe
PID 1088 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe C:\Windows\scvleslhw.exe
PID 1088 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe C:\Windows\scvleslhw.exe
PID 1088 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe C:\Windows\scvleslhw.exe
PID 1088 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 544 N/A C:\Windows\scvleslhw.exe C:\Windows\scvleslhw.exe
PID 2756 wrote to memory of 544 N/A C:\Windows\scvleslhw.exe C:\Windows\scvleslhw.exe
PID 2756 wrote to memory of 544 N/A C:\Windows\scvleslhw.exe C:\Windows\scvleslhw.exe
PID 2756 wrote to memory of 544 N/A C:\Windows\scvleslhw.exe C:\Windows\scvleslhw.exe
PID 2756 wrote to memory of 544 N/A C:\Windows\scvleslhw.exe C:\Windows\scvleslhw.exe
PID 2756 wrote to memory of 544 N/A C:\Windows\scvleslhw.exe C:\Windows\scvleslhw.exe
PID 2756 wrote to memory of 544 N/A C:\Windows\scvleslhw.exe C:\Windows\scvleslhw.exe
PID 2756 wrote to memory of 544 N/A C:\Windows\scvleslhw.exe C:\Windows\scvleslhw.exe
PID 2756 wrote to memory of 544 N/A C:\Windows\scvleslhw.exe C:\Windows\scvleslhw.exe
PID 2756 wrote to memory of 544 N/A C:\Windows\scvleslhw.exe C:\Windows\scvleslhw.exe
PID 544 wrote to memory of 976 N/A C:\Windows\scvleslhw.exe C:\Users\Admin\Documents\hjmug.exe
PID 544 wrote to memory of 976 N/A C:\Windows\scvleslhw.exe C:\Users\Admin\Documents\hjmug.exe
PID 544 wrote to memory of 976 N/A C:\Windows\scvleslhw.exe C:\Users\Admin\Documents\hjmug.exe
PID 976 wrote to memory of 1976 N/A C:\Users\Admin\Documents\hjmug.exe C:\Windows\System32\vssadmin.exe
PID 976 wrote to memory of 1976 N/A C:\Users\Admin\Documents\hjmug.exe C:\Windows\System32\vssadmin.exe
PID 544 wrote to memory of 4928 N/A C:\Windows\scvleslhw.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 544 wrote to memory of 4928 N/A C:\Windows\scvleslhw.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 544 wrote to memory of 4928 N/A C:\Windows\scvleslhw.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 544 wrote to memory of 3084 N/A C:\Windows\scvleslhw.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 544 wrote to memory of 3084 N/A C:\Windows\scvleslhw.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3084 wrote to memory of 3804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3084 wrote to memory of 3804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 544 wrote to memory of 3480 N/A C:\Windows\scvleslhw.exe C:\Users\Admin\Documents\wpxmk.exe
PID 544 wrote to memory of 3480 N/A C:\Windows\scvleslhw.exe C:\Users\Admin\Documents\wpxmk.exe
PID 544 wrote to memory of 3480 N/A C:\Windows\scvleslhw.exe C:\Users\Admin\Documents\wpxmk.exe
PID 3480 wrote to memory of 3124 N/A C:\Users\Admin\Documents\wpxmk.exe C:\Windows\System32\vssadmin.exe
PID 3480 wrote to memory of 3124 N/A C:\Users\Admin\Documents\wpxmk.exe C:\Windows\System32\vssadmin.exe
PID 3084 wrote to memory of 1764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3084 wrote to memory of 1764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3084 wrote to memory of 1764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3084 wrote to memory of 1764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3084 wrote to memory of 1764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3084 wrote to memory of 1764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3084 wrote to memory of 1764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3084 wrote to memory of 1764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3084 wrote to memory of 1764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3084 wrote to memory of 1764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3084 wrote to memory of 1764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3084 wrote to memory of 1764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3084 wrote to memory of 1764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3084 wrote to memory of 1764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3084 wrote to memory of 1764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3084 wrote to memory of 1764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3084 wrote to memory of 1764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3084 wrote to memory of 1764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3084 wrote to memory of 1764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3084 wrote to memory of 1764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3084 wrote to memory of 1764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
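Read top to bottom, the rows above describe one chain: PID 3628 (the sample) writes ten times into a second instance of its own image (1088); 1088 drops C:\Windows\scvleslhw.exe and writes into it (2756); the dropped copy repeats the trick on a fresh instance of itself (2756 -> 544); and 544 is the process that launches hjmug.exe, wpxmk.exe, NOTEPAD.EXE and msedge.exe. The msedge.exe -> msedge.exe rows show that the sandbox also records the ordinary writes a parent makes into a child it has just launched, so a single write into a signed system binary is weak evidence on its own; the repeated writes into a process running the writer's own image are the signal that pairs with the "Suspicious use of SetThreadContext" entry in the signature list. The script below is an added example, not part of the sandbox report: it parses an abbreviated, constructed copy of the table (WPM_ROWS, duplicate rows collapsed to one to three each), rebuilds the lineage of any PID and flags the self-writes. TRUSTED_PREFIXES is this example's own coarse path allowlist, not a rule the sandbox applies; a real detection would check the Authenticode signer instead.

```python
"""Rebuild the injection chain from a 'Suspicious use of WriteProcessMemory'
table.  Added example; the rows and the allowlist are constructed here."""
import ntpath
import re
from collections import Counter

# Image paths as they appear in the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe"
DROPPED = r"C:\Windows\scvleslhw.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
HJMUG = r"C:\Users\Admin\Documents\hjmug.exe"
VSSADMIN = r"C:\Windows\System32\vssadmin.exe"
NOTEPAD = r"C:\Windows\SysWOW64\NOTEPAD.EXE"

# Constructed subset of the table, same row format, duplicates collapsed.
WPM_ROWS = "\n".join(
    [f"PID 3628 wrote to memory of 1088 N/A {SAMPLE} {SAMPLE}"] * 3
    + [f"PID 1088 wrote to memory of 2756 N/A {SAMPLE} {DROPPED}"] * 2
    + [f"PID 1088 wrote to memory of 4476 N/A {SAMPLE} {CMD}"]
    + [f"PID 2756 wrote to memory of 544 N/A {DROPPED} {DROPPED}"] * 3
    + [f"PID 544 wrote to memory of 976 N/A {DROPPED} {HJMUG}"]
    + [f"PID 976 wrote to memory of 1976 N/A {HJMUG} {VSSADMIN}"]
    + [f"PID 544 wrote to memory of 4928 N/A {DROPPED} {NOTEPAD}"]
    + [f"PID 544 wrote to memory of 3084 N/A {DROPPED} {EDGE}"]
    + [f"PID 3084 wrote to memory of 1764 N/A {EDGE} {EDGE}"] * 2
)

# Paths contain spaces, so split on the drive-letter prefix of each image,
# not on whitespace.  The first path is matched lazily up to its ".exe".
ROW_RE = re.compile(
    r"^PID (?P<src_pid>\d+) wrote to memory of (?P<dst_pid>\d+) N/A "
    r"(?P<src>[A-Z]:\\.+?\.exe) (?P<dst>[A-Z]:\\.+\.exe)$",
    re.IGNORECASE,
)

# Heuristic allowlist (this example's assumption): a writer under these roots
# writing into a child with the same image is treated as a multi-process
# application launching its own helpers, not as injection.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows\system32", r"c:\windows\syswow64")


def parse_rows(text):
    """Report rows -> list of (src_pid, dst_pid, src_image, dst_image)."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m["src_pid"]), int(m["dst_pid"]), m["src"], m["dst"]))
    return rows


def edge_counts(rows):
    """Number of recorded writes per distinct (writer, target) edge."""
    return Counter(rows)


def parents(rows):
    """pid -> (writer pid or None, image).  PIDs never written to are roots."""
    tree = {}
    for s, d, _, di in rows:
        tree[d] = (s, di)
    for s, _, si, _ in rows:
        tree.setdefault(s, (None, si))
    return tree


def lineage(rows, pid):
    """[(pid, image), ...] from the root of the chain down to pid."""
    tree = parents(rows)
    chain = []
    while pid is not None:
        parent, image = tree[pid]
        chain.append((pid, image))
        pid = parent
    return chain[::-1]


def is_trusted(image):
    return image.lower().startswith(TRUSTED_PREFIXES)


def self_injections(rows):
    """Edges where an untrusted writer writes into a process running the
    writer's own image.  Returns (src_pid, dst_pid, image, write_count)."""
    return [
        (s, d, si, n)
        for (s, d, si, di), n in edge_counts(rows).items()
        if si.lower() == di.lower() and not is_trusted(si)
    ]


if __name__ == "__main__":
    rows = parse_rows(WPM_ROWS)
    for s, d, image, n in self_injections(rows):
        print(f"self-injection: {s} -> {d} ({n} writes into {ntpath.basename(image)})")
    print(" -> ".join(f"{p}:{ntpath.basename(img)}" for p, img in lineage(rows, 1976)))
```

Run stand-alone it prints the two self-injection edges (3628 -> 1088 and 2756 -> 544) and the lineage of the first vssadmin.exe instance, 3628 -> 1088 -> 2756 -> 544 -> 976 -> 1976, which is the path from the sample to the shadow-copy deletion.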

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe"

C:\Windows\scvleslhw.exe

C:\Windows\scvleslhw.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\12CF0E~1.EXE

C:\Windows\scvleslhw.exe

C:\Windows\scvleslhw.exe

C:\Users\Admin\Documents\hjmug.exe

C:\Users\Admin\Documents\hjmug.exe

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_H_e_l_p_RECOVER_INSTRUCTIONS.TXT

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_H_e_l_p_RECOVER_INSTRUCTIONS.HTM

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe92c146f8,0x7ffe92c14708,0x7ffe92c14718

C:\Users\Admin\Documents\wpxmk.exe

C:\Users\Admin\Documents\wpxmk.exe

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,13257131123093464691,12472332377434240786,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,13257131123093464691,12472332377434240786,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,13257131123093464691,12472332377434240786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13257131123093464691,12472332377434240786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13257131123093464691,12472332377434240786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\SCVLES~1.EXE

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,13257131123093464691,12472332377434240786,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,13257131123093464691,12472332377434240786,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13257131123093464691,12472332377434240786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13257131123093464691,12472332377434240786,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13257131123093464691,12472332377434240786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2212 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13257131123093464691,12472332377434240786,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
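Three kinds of command line in this list carry the behaviour the signature section summarises: vssadmin.exe delete shadows /all /Quiet (run once each by hjmug.exe and wpxmk.exe), cmd.exe /c DEL of first the sample's and then scvleslhw.exe's own image, and NOTEPAD.EXE and msedge.exe being handed _H_e_l_p_RECOVER_INSTRUCTIONS.TXT and .HTM. The DEL targets are 8.3 short names (12CF0E~1.EXE, SCVLES~1.EXE), so a detection that compares the deleted path against process images has to match short names to long ones rather than compare strings. The script below is an added example, not the report's own tooling: it runs one rule for each of the three behaviours over PROCESSES, a constructed subset of the list above as (image, command line) pairs. The rule names are this example's own.

```python
"""Command-line rules for shadow-copy deletion, image self-deletion via cmd.exe
and ransom-note display, run over a constructed subset of the process list."""
import ntpath
import re

# (image, command line) pairs copied from the report; the renderer line is a
# benign control that must not match anything.
PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\12cf0e214c7667138f5368af7ab57b39_JaffaCakes118.exe"'),
    (r"C:\Windows\scvleslhw.exe", r"C:\Windows\scvleslhw.exe"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\12CF0E~1.EXE'),
    (r"C:\Users\Admin\Documents\hjmug.exe", r"C:\Users\Admin\Documents\hjmug.exe"),
    (r"C:\Windows\System32\vssadmin.exe",
     r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet'),
    (r"C:\Windows\SysWOW64\NOTEPAD.EXE",
     r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_H_e_l_p_RECOVER_INSTRUCTIONS.TXT'),
    (r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_H_e_l_p_RECOVER_INSTRUCTIONS.HTM'),
    (r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US /prefetch:1'),
    (r"C:\Users\Admin\Documents\wpxmk.exe", r"C:\Users\Admin\Documents\wpxmk.exe"),
    (r"C:\Windows\System32\vssadmin.exe",
     r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet'),
    (r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\SCVLES~1.EXE'),
]

VSSADMIN_RE = re.compile(r'vssadmin(\.exe)?"?\s+delete\s+shadows\b', re.IGNORECASE)
DEL_RE = re.compile(r'cmd\.exe"?\s+/c\s+del\s+"?([^"\s]+)', re.IGNORECASE)
# A viewer (notepad or the browser) given a file whose name contains RECOVER.
NOTE_RE = re.compile(r'(notepad\.exe|msedge\.exe)"?\s.*?(\S*recover\S*\.(?:txt|htm|html))\s*$',
                     re.IGNORECASE)


def short_name_matches(short_path, image):
    """True when an 8.3 name such as C:\\Windows\\SCVLES~1.EXE refers to image.
    The stem before '~' is the first characters of the long name and the
    extension must agree; the directory must be the same."""
    if ntpath.dirname(short_path).lower() != ntpath.dirname(image).lower():
        return False
    short_base, image_base = ntpath.basename(short_path), ntpath.basename(image)
    stem, sep, tail = short_base.partition("~")
    if not sep:  # not a short name at all: plain comparison
        return short_base.lower() == image_base.lower()
    return (image_base.lower().startswith(stem.lower())
            and ntpath.splitext(tail)[1].lower() == ntpath.splitext(image_base)[1].lower())


def scan(processes):
    """Return [(rule, detail), ...] for every command line that trips a rule."""
    images = [img for img, _ in processes]
    findings = []
    for _, cmdline in processes:
        if VSSADMIN_RE.search(cmdline):
            findings.append(("shadow_copy_deletion", cmdline))
        m = DEL_RE.search(cmdline)
        if m:
            hits = [img for img in images if short_name_matches(m.group(1), img)]
            if hits:  # cmd.exe deleting the image of a process seen in this run
                findings.append(("process_image_deleted", f"{m.group(1)} -> {hits[0]}"))
        m = NOTE_RE.search(cmdline)
        if m:
            findings.append(("ransom_note_opened", m.group(2)))
    return findings


if __name__ == "__main__":
    for rule, detail in scan(PROCESSES):
        print(f"{rule:22} {detail}")
```

The process list has no parent PIDs, so the DEL rule can only say that a process image seen in this run was deleted through cmd.exe; the WriteProcessMemory table is what ties each cmd.exe instance to the image it deletes (1088, the sample, spawns cmd 4476).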

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 vostorgspa.kz udp
US 8.8.8.8:53 todayinbermuda.co udp
US 8.8.8.8:53 mosaudit.com udp
US 8.8.8.8:53 polyhedrusgroup.com udp
US 143.95.229.33:80 polyhedrusgroup.com tcp
US 8.8.8.8:53 33.229.95.143.in-addr.arpa udp
US 8.8.8.8:53 bledisloeenergy.com.au udp
US 8.8.8.8:53 buildenergyefficienthomes.com udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 vostorgspa.kz udp
US 8.8.8.8:53 todayinbermuda.co udp
US 8.8.8.8:53 mosaudit.com udp
US 143.95.229.33:80 polyhedrusgroup.com tcp
US 8.8.8.8:53 bledisloeenergy.com.au udp
US 8.8.8.8:53 buildenergyefficienthomes.com udp
N/A 224.0.0.251:5353 udp
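The table mixes three things that are worth separating before any of these names go into a blocklist: forward DNS queries for six domains, reverse (PTR) queries for several addresses, and the one actual connection, TCP to 143.95.229.33:80 labelled polyhedrusgroup.com, which is followed by a PTR query for that same address (33.229.95.143.in-addr.arpa, octets reversed). The table records queries and connections but not answers, so the five other domains can only be described as queried with no connection recorded, not as unresolved. The script below is an added example, not the report's own tooling; NETWORK_ROWS is a constructed subset of the table in its own Country Destination Domain Proto layout.

```python
"""Separate forward lookups, PTR lookups and connections in a sandbox network
table.  Added example over a constructed subset of the report's rows."""
import ipaddress

NETWORK_ROWS = """\
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 vostorgspa.kz udp
US 8.8.8.8:53 todayinbermuda.co udp
US 8.8.8.8:53 mosaudit.com udp
US 8.8.8.8:53 polyhedrusgroup.com udp
US 143.95.229.33:80 polyhedrusgroup.com tcp
US 8.8.8.8:53 33.229.95.143.in-addr.arpa udp
US 8.8.8.8:53 bledisloeenergy.com.au udp
US 8.8.8.8:53 buildenergyefficienthomes.com udp
US 8.8.8.8:53 vostorgspa.kz udp
US 143.95.229.33:80 polyhedrusgroup.com tcp
N/A 224.0.0.251:5353 udp
"""


def parse_network(text):
    """Rows -> dicts.  The multicast row has no Domain column, so it splits
    into three fields instead of four."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'33.229.95.143.in-addr.arpa' -> '143.95.229.33'; None for other names."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    return ".".join(reversed(name[: -len(suffix)].split(".")))


def triage(rows):
    dns = [r for r in rows if r["port"] == 53 and r["domain"]]
    forward = {r["domain"] for r in dns if ptr_to_ip(r["domain"]) is None}
    reverse = {ptr_to_ip(r["domain"]) for r in dns if ptr_to_ip(r["domain"])}
    # Anything that is not DNS and not multicast is a real connection attempt.
    connections = {
        (r["domain"], r["ip"], r["port"], r["proto"])
        for r in rows
        if r["port"] != 53 and not ipaddress.ip_address(r["ip"]).is_multicast
    }
    contacted = {c[0] for c in connections}
    return {
        "contacted": sorted(connections),
        "queried_only": sorted(forward - contacted),
        "reverse_lookups": sorted(reverse),
        # PTR queries for an address the sample also connected to.
        "ptr_for_contacted_ip": sorted({c[1] for c in connections if c[1] in reverse}),
    }


if __name__ == "__main__":
    for key, value in triage(parse_network(NETWORK_ROWS)).items():
        print(key, value)
```

Only the "contacted" entry is grounded in an observed connection; the "queried_only" names are candidates that need a resolution result or a second detonation before they are treated as infrastructure.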

Files

memory/3628-0-0x0000000000400000-0x00000000007A9000-memory.dmp

memory/3628-1-0x00000000025C0000-0x00000000025C3000-memory.dmp

memory/3628-2-0x00000000025C0000-0x00000000025C3000-memory.dmp

memory/1088-4-0x0000000000400000-0x0000000000485000-memory.dmp

memory/1088-3-0x0000000000400000-0x0000000000485000-memory.dmp

memory/3628-5-0x0000000000400000-0x00000000007A9000-memory.dmp

memory/3628-6-0x00000000025C0000-0x00000000025C3000-memory.dmp

memory/1088-7-0x0000000000400000-0x0000000000485000-memory.dmp

memory/1088-8-0x0000000000400000-0x0000000000485000-memory.dmp

C:\Windows\scvleslhw.exe

MD5 12cf0e214c7667138f5368af7ab57b39
SHA1 c5ee012ce627b12ed0c70371f7a6a97bee32dcaa
SHA256 305046b15c369436269b20d3440895473af31983538473cf3a41c6e42b216634
SHA512 4b4b39eaafe23c5f48dbec17991b5dd447b925f8ca9a11fda6c8b06cc5b4955f9ba5a774a0b93261340ddeb407cce798ba14fd00529025542288b6a5bed4416a

memory/2756-13-0x0000000000400000-0x00000000007A9000-memory.dmp

memory/1088-14-0x0000000000400000-0x0000000000485000-memory.dmp

memory/2756-16-0x0000000000400000-0x00000000007A9000-memory.dmp

memory/2756-20-0x0000000000400000-0x00000000007A9000-memory.dmp

memory/544-19-0x0000000000400000-0x0000000000485000-memory.dmp

C:\Users\Admin\Documents\hjmug.exe

MD5 9dfc75037c8deccc2f1840b249b17750
SHA1 ee37e409cfe2b124e63f98f1797aec0330204b82
SHA256 b5680fd682b7f64e577492c097c825e4a5a00baa82a8668f478640c5f8918da1
SHA512 25e9f3546af040f3cf782b4d6c511517ac0c95cfff8b3afec407c5917427f3129c92495f95873fb67ad928a9c7ef234508ecc9ffd8835da260d8fd1e64ead16e

memory/544-25-0x0000000000400000-0x0000000000485000-memory.dmp

memory/544-27-0x0000000000400000-0x0000000000485000-memory.dmp

C:\Program Files\7-Zip\Lang\RECOVER+ynveg.PNG

MD5 c4aa97987cf7f608857c265275376ae5
SHA1 07bee142c933fec17b974c09eb502f20c6f77a16
SHA256 5a146a6e808d07d104c2eff26daccf7be660d359bfa883dd14108e67efbce780
SHA512 38501bf6f79636da4b18591d1ef75e844a84a2acac906356a19f99dc4ec8ea830c5947ca1349631134d0538c317588bf9eed7e14e3e91fd3133908ff9cb38c55

C:\Program Files\7-Zip\Lang\RECOVER+ynveg.HTM

MD5 9979eb4c2f625afa88c32d678809fc78
SHA1 c50a62a4e65fa94b0e0091740248f3c00382d220
SHA256 e01fae2dfeb2910feef240bbec2ef71f9b7b3135f7898417b355ebc0739121bb
SHA512 b6266a9671ce24596a4d8153e865201e09f0948791891bcbdf9ce32a802060b3de3e0ee4cc561bade29812fc6275754dd6a69e9ebca13769dbcb33c7c5f0a64a

C:\Program Files\7-Zip\Lang\RECOVER+ynveg.TXT

MD5 33411cd491ade774c58be3b87a7b9f29
SHA1 a39f3bb975c2353f8235dbcc3af224292690a0e2
SHA256 82a7ffaf57e8a27310bf8fdb1d1a4284812dca0612c3222e5f5a4ef6914f5868
SHA512 63c9446625adedf2e72d468db629dbc6596668c6ef8050647942fe7482c3a8b155598480d98efe99b55de7fa2ee33b816eedd50a5138b3833a0d15b54120ab2c

memory/544-297-0x0000000000400000-0x0000000000485000-memory.dmp

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 7535b99e6910b71f3b3c45b062d85f25
SHA1 beb7d59cbec2e15b727801a5c9774d316a0c5324
SHA256 a2f09606dc2c74acd89fcb6a2f05d9c324da8d67cb0837e9b981683f89b82f01
SHA512 637d0d9280508c34ec8da3ac103eea9c7f732482bf14e318d80df8d098f17fba30cacf7db14a0bd2ff22b7243b7e7041603bd80dbdba71de30229fb4d13b9cf1

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

MD5 cc014c80ed5b24079529e04088a7dc7e
SHA1 3a05284e6386545fde52cc16bef40232fc0b2ee5
SHA256 86a6292618c78a0f9a0fcce56824f84d76f17aa7140546da8e1faed2d6b4e810
SHA512 9c512a41713196fef7d715e1aa2868e5ac92f21e013783b0db558fff28c426713708dbae2dbbb1d5d4a95e273205375f65e51282f94cf908a346b1af0786feb5

C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

MD5 f91c95ead6ada7f61b73beb13b52b9ec
SHA1 2105ca14b71c9da8b96b0f74bdb85daa60a2833b
SHA256 f3836f0cd50b16c1267eea29507658374ed66900c66b1ba821f43461aed61d19
SHA512 dcb823870a305ca28dd7196caa3b75d9dbb47809440e4fc3cf302f33ed9e1c4ce10042703cb6942fd1c30002b6ca4a48fa32af1902f47c6989b63269344a79c0

memory/544-2397-0x0000000000400000-0x0000000000485000-memory.dmp

memory/544-5116-0x0000000000400000-0x0000000000485000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596380890952339.txt

MD5 7700f00e231eb655fc677fb62d3e6786
SHA1 067af6f19b86ca8a1c92774630d0bbfcbb71a4a5
SHA256 3fcf849cfb269f341aed86d46751384926b33859467e5df5cecd2c23a17b876f
SHA512 fe2cf635937e5405dc0b424177353132af6663d39cca014377a891a34835536837133b02756323c071ea9cc4d7ab2ecaff3b1c21afbc2ebd63da8874c24d6820

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596405323842222.txt

MD5 d6158be757575310cef2053f6ea65155
SHA1 b8b03bb95f548301ca29837bbd0c136bba430062
SHA256 b99e88d3038d6d935a5bd786e94e648136b1332640ee60477f2a1837b93c551a
SHA512 923c2fad53be39529b0af5f84646f8fc8b0749cbef5d4e6282fe578e20c2a8fe9e74ebe952c5da14505c884ae642544b176ba6fd9f3e316b53575d962223c968

memory/544-8695-0x0000000000400000-0x0000000000485000-memory.dmp

memory/544-10449-0x0000000000400000-0x0000000000485000-memory.dmp

memory/544-10450-0x0000000000400000-0x0000000000485000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 eaa3db555ab5bc0cb364826204aad3f0
SHA1 a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca
SHA256 ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b
SHA512 e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4b4f91fa1b362ba5341ecb2836438dea
SHA1 9561f5aabed742404d455da735259a2c6781fa07
SHA256 d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c
SHA512 fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

\??\pipe\LOCAL\crashpad_3084_TWIFTFHLAPBKZGIT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 de8038ff3851dce0be373117f0ed89e7
SHA1 1eb36ef409beb6cbd6a948dae0dc43ac898eac02
SHA256 8cfa4a0e83f691efad6b0feb2f38584df63788f4971e1f7d1779ed0ce93b8b38
SHA512 c3ebd19e7534b02cf293885370835811f6d9e835f0f6541bab301a250ddca055524bc9113a11b18228e33305af27523204419d00a157ffbcbb1d67669c72b1fe

memory/544-10498-0x0000000000400000-0x0000000000485000-memory.dmp

memory/544-10502-0x0000000000400000-0x0000000000485000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 039d1482469d7f828f561966513dac21
SHA1 e577354f127f431bf17b8856fbce8fd0d7b070b9
SHA256 5555f35d0adf3f964ec53ce27e29ca0893d7a3339ced1f4510cdebe235565e15
SHA512 e1bb4fc8b2aaba9ff868c1ef2659629e2f16c290d68df348a6d8e9b29fed68d88f1e1e9f78298fb345ba1b3181c8159bbea8725bfc893c1e164538315693f383

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4ee0a25812eeb6369de6caaef21fec24
SHA1 2c15f47cdbfdd00168917b13391cc58f6834eea3
SHA256 6bb5eff1ceee4369d2449090498e1d110968d7c87ffd9c9a1f98917842bdbac0
SHA512 9536eee5a6f444eeff8607b7fc6588c306a874b9e33f092f365fc79156adf4493db00ad655d0ad7e65d38c259bdb405ab044433d628dea84568457dcdd7d5391
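Three facts in this list are easy to miss when reading hashes by eye. C:\Windows\scvleslhw.exe has the same MD5, SHA1 and SHA256 as the submitted sample (305046b1...), so it is a straight copy of the sample, not a second-stage payload; hjmug.exe is a different file. The ransom note is dropped as a triplet, RECOVER+ynveg.TXT/.HTM/.PNG, into each directory it touches (7-Zip\Lang is the one shown). And the dumped memory ranges repeat: the parent instances 3628 and 2756 map 0x400000-0x7A9000, while the instances they write into, 1088 and 544, map the smaller 0x400000-0x485000, consistent with the writer carrying a larger image than the payload it places in its child. The script below is an added example, not part of the report; FILES is a constructed subset of the list in its own layout (a path line followed by hash lines, memory dumps without hashes), and SAMPLE_SHA256 is the value from the report header.

```python
"""Triage of a sandbox 'Files' list: copies of the sample by hash, ransom-note
triplets per directory, and dumped memory-region sizes per PID.
Added example over a constructed subset of the report's entries."""
import ntpath
import re
from collections import defaultdict

SAMPLE_SHA256 = "305046b15c369436269b20d3440895473af31983538473cf3a41c6e42b216634"

FILES = r"""
memory/3628-0-0x0000000000400000-0x00000000007A9000-memory.dmp
memory/1088-4-0x0000000000400000-0x0000000000485000-memory.dmp
C:\Windows\scvleslhw.exe
MD5 12cf0e214c7667138f5368af7ab57b39
SHA256 305046b15c369436269b20d3440895473af31983538473cf3a41c6e42b216634
memory/544-19-0x0000000000400000-0x0000000000485000-memory.dmp
C:\Users\Admin\Documents\hjmug.exe
MD5 9dfc75037c8deccc2f1840b249b17750
SHA256 b5680fd682b7f64e577492c097c825e4a5a00baa82a8668f478640c5f8918da1
C:\Program Files\7-Zip\Lang\RECOVER+ynveg.PNG
SHA256 5a146a6e808d07d104c2eff26daccf7be660d359bfa883dd14108e67efbce780
C:\Program Files\7-Zip\Lang\RECOVER+ynveg.HTM
SHA256 e01fae2dfeb2910feef240bbec2ef71f9b7b3135f7898417b355ebc0739121bb
C:\Program Files\7-Zip\Lang\RECOVER+ynveg.TXT
SHA256 82a7ffaf57e8a27310bf8fdb1d1a4284812dca0612c3222e5f5a4ef6914f5868
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt
SHA256 86a6292618c78a0f9a0fcce56824f84d76f17aa7140546da8e1faed2d6b4e810
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.IGNORECASE)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$", re.IGNORECASE)
# Note name pattern as seen in the list: RECOVER+<id>.<TXT|HTM|PNG>
NOTE_RE = re.compile(r"^RECOVER\+[A-Za-z0-9]+\.(TXT|HTM|PNG)$", re.IGNORECASE)


def parse_files(text):
    """Returns (files, regions): files as {'path', 'hashes'} dicts in list order,
    regions as (pid, start, end) tuples."""
    files, regions = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            regions.append((int(m[1]), int(m[3], 16), int(m[4], 16)))
            continue
        m = HASH_RE.match(line)
        if m and files:
            files[-1]["hashes"][m[1].upper()] = m[2].lower()
            continue
        files.append({"path": line, "hashes": {}})
    return files, regions


def copies_of_sample(files, sha256=SAMPLE_SHA256):
    """Dropped files whose SHA256 equals the submitted sample's."""
    return [f["path"] for f in files if f["hashes"].get("SHA256") == sha256]


def ransom_note_sets(files):
    """Directory -> set of note extensions dropped there."""
    notes = defaultdict(set)
    for f in files:
        m = NOTE_RE.match(ntpath.basename(f["path"]))
        if m:
            notes[ntpath.dirname(f["path"])].add(m[1].upper())
    return dict(notes)


def region_sizes(regions):
    """pid -> {(start, end): size}.  The same range dumped from several PIDs
    is the same image mapped in each of them."""
    sizes = defaultdict(dict)
    for pid, start, end in regions:
        sizes[pid][(start, end)] = end - start
    return dict(sizes)


if __name__ == "__main__":
    files, regions = parse_files(FILES)
    print("copies of sample:", copies_of_sample(files))
    print("ransom notes:", ransom_note_sets(files))
    for pid, ranges in region_sizes(regions).items():
        for (start, end), size in ranges.items():
            print(f"pid {pid}: 0x{start:X}-0x{end:X} ({size:#x} bytes)")
```

Matching on SHA256 rather than file name is what lets the dropped C:\Windows copy be tied back to the sample even though it was renamed; an extra file with the sample's hash under a system directory is also the first thing to pull during an incident, since the Run-key persistence in the signature list points at whatever copy survives the self-deletion.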