Malware Analysis Report

2025-08-05 21:56

Sample ID 241006-lwgr2asbke
Target 179a81e1174983c3e0daa57cb85d745d_JaffaCakes118
SHA256 332c59bfef437e08870e955030bfbbd2e56b3ccf257b87f38c3318f39860de58
Tags defense_evasion discovery execution impact persistence ransomware spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

332c59bfef437e08870e955030bfbbd2e56b3ccf257b87f38c3318f39860de58

Threat Level: Known bad

The file 179a81e1174983c3e0daa57cb85d745d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery execution impact persistence ransomware spyware stealer

Renames multiple (387) files with added filename extension

Deletes shadow copies

Renames multiple (892) files with added filename extension

Checks computer location settings

Executes dropped EXE

Drops startup file

Loads dropped DLL

Deletes itself

Reads user/profile data of web browsers

Indicator Removal: File Deletion

Looks up external IP address via web service

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Browser Information Discovery

Modifies Internet Explorer settings

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

System policy modification

Enumerates system info in registry

Interacts with shadow copies

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies system certificate store

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-06 09:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-06 09:52

Reported

2024-10-06 09:55

Platform

win7-20240708-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (387) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_lotja.txt C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_lotja.html C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_lotja.txt C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_lotja.html C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\admvss_ms = "C" C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\admvss_ms = "C:\\Users\\Admin\\AppData\\Roaming\\vcwmid.exe" C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\10.png C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground.wmv C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\restore_files_lotja.html C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ro\restore_files_lotja.html C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_hover.png C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\restore_files_lotja.txt C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\restore_files_lotja.txt C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev.png C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\restore_files_lotja.txt C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sa.txt C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Filters\restore_files_lotja.txt C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\it-IT\restore_files_lotja.html C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\restore_files_lotja.html C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\currency.css C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-middle.png C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mousedown.png C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bg\restore_files_lotja.html C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\restore_files_lotja.html C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\my\restore_files_lotja.txt C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\skins\restore_files_lotja.html C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\restore_files_lotja.html C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\de-DE\restore_files_lotja.html C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\restore_files_lotja.html C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Windows Mail\de-DE\restore_files_lotja.txt C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\restore_files_lotja.txt C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\restore_files_lotja.txt C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\restore_files_lotja.html C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\logo.png C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\blank.png C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\restore_files_lotja.txt C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoDev.png C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\restore_files_lotja.html C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\restore_files_lotja.txt C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ky\restore_files_lotja.html C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\restore_files_lotja.html C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\logo.png C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\restore_files_lotja.html C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\restore_files_lotja.txt C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\restore_files_lotja.html C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\restore_files_lotja.html C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\restore_files_lotja.html C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\restore_files_lotja.html C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\restore_files_lotja.txt C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\restore_files_lotja.txt C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\restore_files_lotja.html C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\restore_files_lotja.txt C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\gl\restore_files_lotja.html C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\service.js C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fi.txt C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\nb.txt C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\restore_files_lotja.txt C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\41.png C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_rainy.png C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\settings.css C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\restore_files_lotja.html C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70191e9dd517db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value omitted from report) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb47000000000200000000001066000000010000200000006faa5a6ccb8aacb8ffa708f093643ec56ecb96f14b3663ef65c8600cf3cf1d34000000000e8000000002000020000000914978981042aa85d269908eeccf843c66b342519dade0cbd72d85e35cc8a10520000000545aba55a3228da694f2d5e2f36d100f1c40f5a21372d6d678a5e380c210e2ab40000000d453d92b241fd850cd741dff042eb4074d9aa2ad589e9d4bac8d2f53488640f275e3548476609a9ac3b7499b15d2dc9f909f28196f98fbb62bf4be27c4f78cdb C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C8A69181-83C8-11EF-9BF6-6AE4CEDF004B} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434370253" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted from report) C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege (42 identical rows collapsed into one) N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2080 wrote to memory of 2652 (x4) N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\vcwmid.exe
PID 2080 wrote to memory of 2688 (x4) N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2740 (x4) N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe C:\Windows\System32\vssadmin.exe
PID 2652 wrote to memory of 2300 (x4) N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2652 wrote to memory of 1632 (x4) N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1632 wrote to memory of 2328 (x4) N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2652 wrote to memory of 2084 (x4) N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe C:\Windows\System32\vssadmin.exe
PID 2652 wrote to memory of 2440 (x4) N/A C:\Users\Admin\AppData\Roaming\vcwmid.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Roaming\vcwmid.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\vcwmid.exe

C:\Users\Admin\AppData\Roaming\vcwmid.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\179A81~1.EXE >> NUL

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RESTORE_FILES.HTML

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1632 CREDAT:275457 /prefetch:2

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwmid.exe >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 flagman-gpm.com udp
RU 77.221.130.1:80 flagman-gpm.com tcp
US 8.8.8.8:53 cssforwordpress.com udp
US 8.8.8.8:53 splitarcondicionado.net udp
US 8.8.8.8:53 fgainterests.com udp
US 199.116.254.169:80 fgainterests.com tcp
US 199.116.254.169:80 fgainterests.com tcp
US 8.8.8.8:53 serenitynowbooksandgifts.com udp
US 185.230.63.171:80 serenitynowbooksandgifts.com tcp
US 185.230.63.171:443 serenitynowbooksandgifts.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.75:80 r11.o.lencr.org tcp
US 8.8.8.8:53 www.serenitynowbooksandgifts.com udp
US 34.149.87.45:443 www.serenitynowbooksandgifts.com tcp
US 8.8.8.8:53 wls3uapur3zjm5gm.onion.to udp
US 8.8.8.8:53 wls3uapur3zjm5gm.tor2web.org udp
AU 103.198.0.111:443 wls3uapur3zjm5gm.tor2web.org tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
RU 77.221.130.1:80 flagman-gpm.com tcp
US 199.116.254.169:80 fgainterests.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 2.17.5.133:80 www.microsoft.com tcp
US 199.116.254.169:80 fgainterests.com tcp
US 185.230.63.171:80 serenitynowbooksandgifts.com tcp
US 185.230.63.171:443 serenitynowbooksandgifts.com tcp
US 34.149.87.45:443 www.serenitynowbooksandgifts.com tcp
AU 103.198.0.111:443 wls3uapur3zjm5gm.tor2web.org tcp

Files

memory/2080-0-0x0000000000230000-0x0000000000233000-memory.dmp

memory/2080-1-0x0000000000400000-0x0000000000521000-memory.dmp

memory/2080-5-0x00000000002C0000-0x00000000002C4000-memory.dmp

\Users\Admin\AppData\Roaming\vcwmid.exe (all four hashes identical to the submitted sample: a byte-for-byte self-copy)

MD5 179a81e1174983c3e0daa57cb85d745d
SHA1 656b2b7cb178f2cef1ada8dc2197587e680740af
SHA256 332c59bfef437e08870e955030bfbbd2e56b3ccf257b87f38c3318f39860de58
SHA512 2f0ec1974759cbc3294691d45e50fd66854b6199f35e64743eaad60540cf03f26c001fd229c05b1ecc0300744e76aeeb7967e391dd0b6ecf50984ea788846a59

memory/2652-13-0x0000000000400000-0x0000000000521000-memory.dmp

memory/2080-11-0x0000000000400000-0x0000000000521000-memory.dmp

memory/2652-17-0x0000000000240000-0x0000000000244000-memory.dmp

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_lotja.txt

MD5 b5fdf2d579d45f12248d4a8fdcf2a86e
SHA1 72c901eb8fa27c1e0d8f7ed4344ea74203bead9e
SHA256 5ad2df968aa1dd0dd7fb56c2e43c70d45beaa143045a5e61591cb9bfb1c923ed
SHA512 7a58db682938e1971358defcc80882ebd0e1fde115f718ab3b02dcc83906ce76805f2f88ef20473855f6ae781a87a6b534405d26ec47a4f7709a086543142051

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_lotja.html

MD5 852d7d4451cfdc5286a2a93946e77858
SHA1 db217aa1c7314fff02558b456c4657f8fe2529f2
SHA256 ecb048544abe6fca12acd5ac0e85ea62c90c3554a782dbbf2635fb556f2b2143
SHA512 05fd1aecd09340fdd093b9a6f744844ccc074a9c182741bd063fde81d210f5f0a26bf5eb76d9a50ad200989eaf0962343e1de4e7083838725d2f29ec0e193e30

memory/2652-3507-0x0000000000400000-0x0000000000521000-memory.dmp

memory/2516-4242-0x00000000001A0000-0x00000000001A2000-memory.dmp

memory/2652-4241-0x0000000003820000-0x0000000003822000-memory.dmp

C:\Users\Admin\Desktop\RESTORE_FILES.BMP

MD5 fca3287478e487981e201c3984386d8e
SHA1 c75954a0ac279a7a752e4bea41b35739793ee561
SHA256 6c839b4f1ceb90834cd6d1272568693b0d61c619942897c6104ed5ac4fceebb1
SHA512 f709e8a57b24c7550431fc4fbff8d01c085576680d16334644ff625cd73b3719f4f54481d9061b6a0e62ab9e5a6c2a8ef7eadfba6a9f43cd755bb19dc0717cb8

C:\Users\Admin\AppData\Local\Temp\Cab5083.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2652-4265-0x0000000000400000-0x0000000000521000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar7FC2.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d170394c5aa7be6304e7c6bc39849c02
SHA1 7c6fe3fe15d4fbf99179841706e29519a82f4f95
SHA256 5c0b80d2e83a41e39a8e094a5187e9dcbce46f157410504a4fd0ac8b0792031b
SHA512 e0ffa7c3ab95d53f036d7af2611ad79d7e05c470e99098e9b630a6c148f5d461c6a00e37df690d43ac58b4ed2b3d0c4e0916992cc2fcec8bd6124ee7035dc820

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cddd25cc9c4a1221f1d51b9b3742819d
SHA1 4a0199deb90e2aaf3c9243289699e0266df7f80e
SHA256 194e5ed77bcf0c0312a8736936b2ead194fb014d3427ba2c8a6eb470ae65a91b
SHA512 aed3efaee5a4824ab31844a3a5f12c9a2fb89b8daa46bd7121fdcd6235f18c6647d1e8cd83dc8499bc2d9062994139202787063384558040359f2dcffe3e2a91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c751c3701b44449323663b89f0e8455b
SHA1 d4d91e507cea5aa5256117e83822c83b944f0509
SHA256 1d05b5e36977b8d4d1aeec4fef0c067cf3e2e1be6ca24cd66f3366e33510a0c5
SHA512 eac5799a4f7f2e698fe8159408aeb6b7ad31a6a7e5543f96cc8bcc1bd36e03c253c5d3a74f6f6ac2f1049022670eb0628cdd307086eb70db094c7abdfe7382c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e48af88b0965e3314895bb4dbfe44b92
SHA1 df734ba140afc64bb2e720e035fe97052fc534b0
SHA256 104c6ed27d9c661cabab98a928916451cbbdfdcfaaee15f49cd2ead457ea9e7e
SHA512 f1ea5e37120b1fbe1e4cc2d033473304c0ab628dd75d59528d9e6ccd5b78d718f98715484dee3bf5cdfe3c801ff970f009549fee01df52618c2e9e92e70965ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 da8c9b96c7965401b1bddf3333226c4f
SHA1 6d405f1fc978623231318857747f035d0895d34c
SHA256 665aa9b7a9a7c964b5d5852ff01fc8d56d7bf444ceab6679d948b298c5264b86
SHA512 5a888cef96e52414eb169084ecaa0d54d14f57799411dbaa8770a78b170fe23ca5bca33784f1284669077ef10cc3b50532b84c9f456665ec49af6a32195f5ebf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1cddcc1608e648d947efacbc115caaef
SHA1 87431bce0a3d7b7b592d8d705e9ffc42d1a4ec2a
SHA256 cb605dce95a5da619c69490d798dfaeeaa01303f81ae772b74777a2b2c4ab3a9
SHA512 1496e9e9347ae0794f19c3a9e2285cf7e9fa83c5681ced1763f6fbacf94a90a37c47d11744ea6909de4ed3d80a00718e580b4a74357b8b69cf8630c12d9de150

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 46edbad0f561b0053dbcd148458aec46
SHA1 76cd81fc19300b8a1c8e9eb4d12a4a9123b61601
SHA256 e87ced27f29c8e793c6e1ce3745c3b442479267df1beb0212b8eeff1fe51436c
SHA512 96621ade5654d873d828fb543497e232e7c9cc79a7f0033ab3950c62042ec7ac2aa6e11a35b3c715155dbf6fe7c6a3b5e1ae2dcd97b019ae3ccddad0d16e36e5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3f07cca52929ff762bc95b2e82899296
SHA1 e43f9eb804b6d31f2b85cef4d2ea87d83003bdc1
SHA256 300b6ccd4eee50f435a728a3d8cf0845ed6f694446c55f9fc5b4c5d4bd9c915b
SHA512 3acdfa212fedde12686800abdcb45a6224d4d9e33cefdf90b44d7da1f412a4206ffec422fb23167db9f79df977f43a463a9b715b056c52aebf5298a5b9718d69

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 157ab78d0f1fc22b24a2024bba8a15d2
SHA1 634dd7aa99ffa8fc4330f252ca4eecc62fe62f9b
SHA256 f1a25d65353808f81b72635d1eb7e0be48a16d145f905fdfc42bc3a39578c0d0
SHA512 7af7e9b3433c0023e106029de02c456df496b1cc6a1041a8490c0086d285225bf3160aa28223a0a7510d38f5ab5f68236f0ea234750a311a07035cba5ab5584c

memory/2652-4871-0x0000000000400000-0x0000000000521000-memory.dmp

memory/2652-4877-0x0000000000400000-0x0000000000521000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-06 09:52

Reported

2024-10-06 09:55

Platform

win10v2004-20240802-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (892) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_gmnoc.txt C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_gmnoc.html C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_gmnoc.txt C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_gmnoc.html C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\admvss_ms = "C" C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\admvss_ms = "C:\\Users\\Admin\\AppData\\Roaming\\vcwqkn.exe" C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
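
Two registry writes in this report matter for triage. In behavioral1 the copy sets HKLM\...\Policies\System\EnableLinkedConnections to 1; under UAC a logon has a filtered and an elevated token, and drive mappings made under one are not visible to the other, so this value makes the user's mapped network drives reachable from an elevated process, a common step before a file encryptor enumerates drives. In behavioral2 the copy writes a Run value admvss_ms in both hives: the HKCU entry holds the full path to vcwqkn.exe, while the HKLM entry under WOW6432Node (the 32-bit redirected view, matching the SysWOW64 hosting of its children) is recorded with the single character "C". The Python below is an added example, not part of the sandbox report: it normalises the kernel-style key paths the report prints and classifies the events constructed from these two tables. The event layout is an assumption of the example, not the sandbox's export format, and the data strings use single backslashes rather than the report's escaped form.

```python
"""Classify registry writes from a sandbox report (persistence, UAC
drive-linking). Added example, not part of the report; REG_EVENTS is
constructed from the two registry tables on this page and the
(operation, key, data, process) layout is an assumption."""
import re

REG_EVENTS = [  # constructed from the 'System policy modification' and 'Adds Run key' tables
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     None, r"C:\Users\Admin\AppData\Roaming\vcwmid.exe"),
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections",
     "1", r"C:\Users\Admin\AppData\Roaming\vcwmid.exe"),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\admvss_ms",
     "C", r"C:\Users\Admin\AppData\Roaming\vcwqkn.exe"),
    ("Set value (str)", r"\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\admvss_ms",
     r"C:\Users\Admin\AppData\Roaming\vcwqkn.exe", r"C:\Users\Admin\AppData\Roaming\vcwqkn.exe"),
]

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\(?P<name>[^\\]+)$", re.I)
LINKED = re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections$", re.I)
EXE_PATH = re.compile(r'^"?[a-z]:\\[^"]*\.exe"?', re.I)


def normalize_key(path: str) -> str:
    """Map the kernel object path to the hive names rules are written against:
    \\REGISTRY\\MACHINE -> HKLM, \\REGISTRY\\USER\\<SID> -> HKU\\<SID>, and drop the
    WOW6432Node redirection so a 32-bit writer matches the same rule as a 64-bit one."""
    p = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", path, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\USER\\", "HKU\\\\", p, flags=re.I)
    p = re.sub(r"\\WOW6432Node(?=\\)", "", p, flags=re.I)
    return p


def classify(event):
    """Return the tags that apply to one (operation, key, data, process) event."""
    op, key, data, proc = event
    tags = []
    nkey = normalize_key(key)
    if RUN_KEY.search(nkey) and op.lower().startswith("set value"):
        tags.append("run_key_persistence")
        if data and USER_WRITABLE.match(data.strip('"')):
            tags.append("run_target_in_user_dir")      # autostart points into %APPDATA%
        elif not (data and EXE_PATH.match(data)):
            tags.append("run_value_not_a_path")        # e.g. the single "C" recorded under HKLM
    if LINKED.match(nkey) and str(data) == "1":
        tags.append("linked_connections_enabled")      # mapped drives visible to elevated token
    if USER_WRITABLE.match(proc):
        tags.append("writer_in_user_dir")              # the writing process itself lives in %APPDATA%
    return tags


def summarize(events):
    """Count how often each tag fires across a report's registry events."""
    counts = {}
    for ev in events:
        for tag in classify(ev):
            counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in REG_EVENTS:
        print(normalize_key(ev[1]), "->", ", ".join(classify(ev)) or "-")
    print(summarize(REG_EVENTS))
```

The HKLM value is still reported as persistence even though its data is not a usable path; a rule that only inspected the data for an executable would miss the HKCU twin unless both hives are checked, which is why the classifier tags the malformed entry separately instead of dropping it.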

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-80.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\is\restore_files_gmnoc.txt C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-200_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\lpklegal.txt C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\restore_files_gmnoc.html C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\91.jpg C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-200.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\restore_files_gmnoc.txt C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_gmnoc.html C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_scale-125.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-30_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\restore_files_gmnoc.html C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleAppAssets\Videos\people_fre_motionAsset_p2.mp4 C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailWideTile.scale-150.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-129.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\restore_files_gmnoc.txt C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\restore_files_gmnoc.html C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\ErrorDot.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\landing_page_whats_new_v1.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\restore_files_gmnoc.html C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\restore_files_gmnoc.txt C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hu-HU\restore_files_gmnoc.html C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupMedTile.scale-400.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\whatsnewsrc\script\bulletin_board_construction.js C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\restore_files_gmnoc.txt C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f14\restore_files_gmnoc.html C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-125_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-150_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsBadge.contrast-black_scale-100.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-72_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-140.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\restore_files_gmnoc.html C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\restore_files_gmnoc.txt C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-36_altform-unplated.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-150.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PlaceCard\contrast-black\restore_files_gmnoc.txt C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-30.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\restore_files_gmnoc.html C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSmallTile.scale-100_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-us\restore_files_gmnoc.txt C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\msapp-error.js C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailLargeTile.scale-400.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppUpdate.svg C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ast.txt C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\27.jpg C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-150_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-125.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-256_altform-lightunplated.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-32_altform-lightunplated.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\restore_files_gmnoc.txt C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ko\restore_files_gmnoc.html C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\oc\restore_files_gmnoc.txt C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_altform-lightunplated.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-16_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-150.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\restore_files_gmnoc.txt C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-60_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ja-JP\View3d\restore_files_gmnoc.txt C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sk-SK\View3d\restore_files_gmnoc.html C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\ormma.js C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\restore_files_gmnoc.txt C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSplash.scale-200.png C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ha-Latn-NG\restore_files_gmnoc.html C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3828 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\vcwqkn.exe
PID 3828 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\vcwqkn.exe
PID 3828 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\vcwqkn.exe
PID 3828 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3828 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3828 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe C:\Windows\System32\vssadmin.exe
PID 1064 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe C:\Windows\System32\vssadmin.exe
PID 1064 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1064 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1064 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1064 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1064 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 3936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 3936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1064 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe C:\Windows\System32\vssadmin.exe
PID 1064 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Roaming\vcwqkn.exe C:\Windows\System32\vssadmin.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 1708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 2740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 2740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 2740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 2740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 2740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Roaming\vcwqkn.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\vcwqkn.exe

C:\Users\Admin\AppData\Roaming\vcwqkn.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\179A81~1.EXE >> NUL

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RESTORE_FILES.HTML

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0b1c46f8,0x7ffc0b1c4708,0x7ffc0b1c4718

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwqkn.exe >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 flagman-gpm.com udp
RU 77.221.130.1:80 flagman-gpm.com tcp
US 8.8.8.8:53 1.130.221.77.in-addr.arpa udp
US 8.8.8.8:53 cssforwordpress.com udp
US 8.8.8.8:53 splitarcondicionado.net udp
US 8.8.8.8:53 fgainterests.com udp
US 199.116.254.169:80 fgainterests.com tcp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 199.116.254.169:80 fgainterests.com tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 serenitynowbooksandgifts.com udp
US 185.230.63.171:80 serenitynowbooksandgifts.com tcp
US 185.230.63.171:443 serenitynowbooksandgifts.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.75:80 r11.o.lencr.org tcp
US 8.8.8.8:53 www.serenitynowbooksandgifts.com udp
US 34.149.87.45:443 www.serenitynowbooksandgifts.com tcp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 75.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 171.63.230.185.in-addr.arpa udp
US 8.8.8.8:53 wls3uapur3zjm5gm.onion.to udp
US 8.8.8.8:53 wls3uapur3zjm5gm.tor2web.org udp
US 8.8.8.8:53 45.87.149.34.in-addr.arpa udp
AU 103.198.0.111:443 wls3uapur3zjm5gm.tor2web.org tcp
RU 77.221.130.1:80 flagman-gpm.com tcp
US 8.8.8.8:53 cssforwordpress.com udp
US 8.8.8.8:53 splitarcondicionado.net udp
US 199.116.254.169:80 fgainterests.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 199.116.254.169:80 fgainterests.com tcp
US 185.230.63.171:80 serenitynowbooksandgifts.com tcp
US 185.230.63.171:443 serenitynowbooksandgifts.com tcp
US 34.149.87.45:443 www.serenitynowbooksandgifts.com tcp
US 8.8.8.8:53 wls3uapur3zjm5gm.onion.to udp
AU 103.198.0.111:443 wls3uapur3zjm5gm.tor2web.org tcp

Files

memory/3828-0-0x00000000006D0000-0x00000000006D3000-memory.dmp

memory/3828-1-0x0000000000400000-0x0000000000521000-memory.dmp

memory/3828-5-0x00000000006E0000-0x00000000006E4000-memory.dmp

memory/3828-6-0x0000000074CD0000-0x0000000074D09000-memory.dmp

C:\Users\Admin\AppData\Roaming\vcwqkn.exe

MD5 179a81e1174983c3e0daa57cb85d745d
SHA1 656b2b7cb178f2cef1ada8dc2197587e680740af
SHA256 332c59bfef437e08870e955030bfbbd2e56b3ccf257b87f38c3318f39860de58
SHA512 2f0ec1974759cbc3294691d45e50fd66854b6199f35e64743eaad60540cf03f26c001fd229c05b1ecc0300744e76aeeb7967e391dd0b6ecf50984ea788846a59

memory/1064-12-0x0000000000400000-0x0000000000521000-memory.dmp

memory/1064-15-0x00000000006A0000-0x00000000006A4000-memory.dmp

memory/3828-17-0x0000000074CD0000-0x0000000074D09000-memory.dmp

memory/3828-16-0x0000000000400000-0x0000000000521000-memory.dmp

memory/1064-18-0x0000000074CD0000-0x0000000074D09000-memory.dmp

C:\Program Files\7-Zip\Lang\restore_files_gmnoc.txt

MD5 c6e20fdbbb08c3dc0dfc9c69d375a166
SHA1 8e1e64d05fefeb2b2936bf2abd14177635011a6a
SHA256 f60d89b34517db789186e9531293f75667820da2d13d7114c97adb1491569b9f
SHA512 681d886bfba05025e7132cbcc95f5da08c68bc4b342e829b0aace30f62d6b839c0844170b21d67240f5716ddbf07300a197edd9211ddae27fcc53e2f56fb3684

C:\Program Files\7-Zip\Lang\restore_files_gmnoc.html

MD5 4041998a77d16cc643ef1674f66cac2e
SHA1 2f95ef2609c297e1e6c9fb33849a9605eb81ed7a
SHA256 a1cb1978742bebe88a7cc9e1aebfb54fb630daf6fa90723d7233caea85d6721b
SHA512 2df14aa66ca270009d7ded7085ddcecb37ac4aa39390fcaea0e2c2c7119eaf75ab6a8e3d1b56f2183c63db3e9b4ad6d432c6185741cc7b8f047c6527ba6fca24

memory/1064-3090-0x0000000000400000-0x0000000000521000-memory.dmp

memory/1064-7859-0x0000000000400000-0x0000000000521000-memory.dmp

memory/1064-7863-0x0000000000400000-0x0000000000521000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 719923124ee00fb57378e0ebcbe894f7
SHA1 cc356a7d27b8b27dc33f21bd4990f286ee13a9f9
SHA256 aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808
SHA512 a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

\??\pipe\LOCAL\crashpad_1228_SAQDMBCGAKRQFCFH

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d7114a6cd851f9bf56cf771c37d664a2
SHA1 769c5d04fd83e583f15ab1ef659de8f883ecab8a
SHA256 d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e
SHA512 33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 829693059107f935f965ac5a633c095a
SHA1 566b9c9104d9569f4c9b32698d9a0b2fc4bec918
SHA256 8291f3bc4cf0e65d30e5cfa6ae72aa6ce1dbe096876f35d23ca3f87e2a6c3161
SHA512 5035ee7c57887c7b6f842a46e6e878c57a29cfb0f751189bc49ad8f5754af8a83f239e7c1902b7183c2ce597602541b3b50107c3bd582fb08a9af4a86ca156f2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d466b245071318f6ecfe052443f0dc84
SHA1 3c2f9930d02c2a0356f23501affcd92e3a9ee14d
SHA256 3696cd88cdbd860d05380cf52663935ad01b5d394106d6f751c11fc5e8772651
SHA512 56f84481f2fafd0df705c0b7914432f4f7331497c2f0232ffbf8c70a6fc5decc495d5b3edfc85b8443fe7e4cbc5f9abbc0c613d1db0035136132f4126b0ac246

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1c7b0440625c223d8c37f16a98b7c761
SHA1 cf7d919f3d1b8620bd6056d094233f7fc157d300
SHA256 51147714a3a14bb35121bc831aacbf08ac02421e855fcdd571ccd9e7420b7f25
SHA512 ecc987afd80c34e15a851c9b19698eaf9eac65c417d6907367b4186a198ce77d6f5973c181bff636cc15ca35a9624daff368fddcb7bd2f86f5b108628f8d62a9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 807419ca9a4734feaf8d8563a003b048
SHA1 a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256 aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512 f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

memory/1064-7961-0x0000000000400000-0x0000000000521000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/1064-8011-0x0000000000400000-0x0000000000521000-memory.dmp

memory/1064-8012-0x0000000074CD0000-0x0000000074D09000-memory.dmp