Malware Analysis Report

2025-03-15 08:18

Sample ID: 241016-gwbhssweqe
Target: 4bb4385452699658f4576b4df4f498ec_JaffaCakes118
SHA256: ff61bf7f092da880bc01d6916c90163bfdd54d5de787d7995bd73034e471da4f
Tags: defense_evasion discovery evasion execution impact persistence ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: ff61bf7f092da880bc01d6916c90163bfdd54d5de787d7995bd73034e471da4f
Threat Level: Known bad

The file 4bb4385452699658f4576b4df4f498ec_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: defense_evasion discovery evasion execution impact persistence ransomware spyware stealer

Deletes shadow copies
Renames multiple (882) files with added filename extension
Modifies boot configuration data using bcdedit
Renames multiple (421) files with added filename extension
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Deletes itself
Checks computer location settings
Indicator Removal: File Deletion
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Unsigned PE
Browser Information Discovery
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Uses Volume Shadow Copy service COM API
Opens file in notepad (likely ransom note)
Suspicious use of SendNotifyMessage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
System policy modification
Enumerates system info in registry
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-16 06:08

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-16 06:08
Reported: 2024-10-16 06:11
Platform: win7-20240903-en
Max time kernel: 122s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe"

Signatures

Deletes shadow copies
Tags: ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit
Tags: ransomware evasion

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A | 5

Renames multiple (421) files with added filename extension
Tags: ransomware

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+lni.txt | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+lni.html | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+lni.txt | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+lni.html | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A | 2

Reads user/profile data of web browsers
Tags: spyware stealer

Adds Run key to start application
Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Acrndtd = "C:\\Users\\Admin\\AppData\\Roaming\\auipgacroic.exe" | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A

Indicator Removal: File Deletion
Tags: defense_evasion

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | myexternalip.com | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\or_IN\LC_MESSAGES\how_recover+lni.txt | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\how_recover+lni.html | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\how_recover+lni.txt | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_ButtonGraphic.png | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\how_recover+lni.html | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ach\how_recover+lni.txt | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\how_recover+lni.html | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\weather.css | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Minesweeper\es-ES\how_recover+lni.txt | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\More Games\it-IT\how_recover+lni.txt | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_left.png | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg_sml.png | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\settings.js | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\how_recover+lni.txt | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Windows Journal\it-IT\how_recover+lni.html | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\tk.txt | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\how_recover+lni.txt | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\pt_BR\how_recover+lni.txt | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\how_recover+lni.txt | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_docked.png | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\how_recover+lni.html | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\how_recover+lni.txt | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\id.pak | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\images\cursors\how_recover+lni.txt | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\how_recover+lni.html | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\how_recover+lni.html | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\km\how_recover+lni.txt | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_disabled.png | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ta.pak | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\es-ES\how_recover+lni.txt | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\how_recover+lni.txt | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\an\how_recover+lni.html | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\how_recover+lni.txt | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\how_recover+lni.txt | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\hr.txt | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\settings.css | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\how_recover+lni.html | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_snow.png | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_scene.wmv | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\how_recover+lni.html | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Indiana\how_recover+lni.html | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\COPYING.txt | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad.png | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\how_recover+lni.html | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\how_recover+lni.html | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\flyout.css | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_down.png | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\how_recover+lni.txt | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\how_recover+lni.html | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\hu.txt | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push.png | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\how_recover+lni.txt | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_down.png | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\how_recover+lni.html | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_pressed.png | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_down.png | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery
Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Interacts with shadow copies
Tags: ransomware

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\System32\vssadmin.exe | N/A | 2

Modifies Internet Explorer settings
Tags: adware spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435220818" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{295D2481-8B85-11EF-AAF2-E67A421F41DB} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c4000000000200000000001066000000010000200000006adcb670c948f37fa26b421c17f48492ad47d42eb56eb7591ded63b35e124e0b000000000e80000000020000200000009983c21541787cd0b275662a988ba52c3e0e1dedbf0829ef5ecb6208300d19cc2000000040228b6301ad4ec52aaa5a28bb176cb5332168c367ed985ef7191930b4db36f640000000cc078281f46e6fb13a3d8bfe9a9a5d27cbe27337aa59136c77f43ea367eff2abd7a8bec1e23ab1ad6392d24fbe230abb9f1e6466bf2b4f0a7d88aca23bbeaee5 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 600cfdfd911fdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Opens file in notepad (likely ransom note)
Tags: ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A | 64

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\auipgacroic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2684 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe
PID 2684 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe
PID 2684 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe
PID 2684 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe
PID 2684 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe
PID 2684 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe
PID 2684 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe
PID 2684 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe
PID 2684 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe
PID 2684 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe
PID 2684 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe
PID 1956 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\auipgacroic.exe
PID 1956 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\auipgacroic.exe
PID 1956 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\auipgacroic.exe
PID 1956 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\auipgacroic.exe
PID 1956 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Roaming\auipgacroic.exe C:\Users\Admin\AppData\Roaming\auipgacroic.exe
PID 2760 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Roaming\auipgacroic.exe C:\Windows\system32\bcdedit.exe
PID 2760 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\auipgacroic.exe C:\Windows\System32\vssadmin.exe
PID 2760 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\auipgacroic.exe C:\Windows\system32\bcdedit.exe
PID 2760 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Roaming\auipgacroic.exe C:\Windows\system32\bcdedit.exe
PID 2760 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Roaming\auipgacroic.exe C:\Windows\system32\bcdedit.exe
PID 2760 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\auipgacroic.exe C:\Windows\system32\bcdedit.exe
PID 2760 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Roaming\auipgacroic.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2760 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Roaming\auipgacroic.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2664 wrote to memory of 2976 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Roaming\auipgacroic.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Roaming\auipgacroic.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\auipgacroic.exe

C:\Users\Admin\AppData\Roaming\auipgacroic.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4BB438~1.EXE

C:\Users\Admin\AppData\Roaming\auipgacroic.exe

C:\Users\Admin\AppData\Roaming\auipgacroic.exe

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {current} bootems off

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {current} advancedoptions off

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {current} optionsedit off

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {current} recoveryenabled off

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2664 CREDAT:275457 /prefetch:2

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\AUIPGA~1.EXE

Network

Country Destination Domain Proto
US 8.8.8.8:53 myexternalip.com udp
US 34.160.111.145:80 myexternalip.com tcp
US 8.8.8.8:53 gjesdalbrass.no udp
BE 35.195.98.220:80 gjesdalbrass.no tcp
US 8.8.8.8:53 garrityasphalt.com udp
US 198.185.159.144:80 garrityasphalt.com tcp
US 8.8.8.8:53 www.garrityasphalt.com udp
US 198.185.159.144:80 www.garrityasphalt.com tcp
US 8.8.8.8:53 grassitup.com udp
US 15.197.225.128:80 grassitup.com tcp
US 8.8.8.8:53 grupograndes.com udp
US 35.212.37.35:80 grupograndes.com tcp
US 8.8.8.8:53 graysonacademy.com udp
SG 184.168.110.22:80 graysonacademy.com tcp
SG 184.168.110.22:443 graysonacademy.com tcp
US 8.8.8.8:53 crown.essaudio.pl udp
PL 89.161.139.233:80 crown.essaudio.pl tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Users\Admin\AppData\Roaming\auipgacroic.exe

MD5 4bb4385452699658f4576b4df4f498ec
SHA1 23ff564eb0a0c0a8c5113ebe2316c0f3780d6adb
SHA256 ff61bf7f092da880bc01d6916c90163bfdd54d5de787d7995bd73034e471da4f
SHA512 1407efce7fc1b0bc4e3e4586aeba21114aece9c58fbce2179a40fd043aedd50ce2fd2ca4c8233862041b443f984c41aa85ac8dda66d1029ad49c86268bd1977a

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+lni.html

MD5 612e85bcfe883db61d6bbb423e67f71e
SHA1 73552189715869e548f540d65e62cc97aedbec3c
SHA256 df8bc2f8e7caa61fa58e95666676e1a969528f920c7542b04dcffe9a9e605a9b
SHA512 e197c05b2651befb8e3aebb9d3c822a415a3268e8f3fd024a2a39aead7a02e4d36da8fadd5cc7e630870b8e4b84ca22597b521bc6865293bc37938ce4fec7cc8

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+lni.txt

MD5 65da46cf40082c0b382e6064308f92ba
SHA1 1cc1616b66844e574fb29e7c71e3706e3c6321be
SHA256 9037da1e0eb5c7246f0fc57854ac40ab2fbf6f1d8e8a82d60a5cf3027521b53f
SHA512 3148f53e24614fd7791e4e36a24db6c6c81a8636bc9a7242ce89dbf7d57709313de0aad77be0734eb84dcab5c920ea3300f34710a271abf2896d237ab924cc78

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

MD5 78f17f6f10492646afca10196593a755
SHA1 520e5b21b7b4f9738dbfd7c307c7b8ad0453d702
SHA256 62cd2740c202ac11427414c0d186f0a2d54f19bb9194d891cdcff965bd67184e
SHA512 2fb1ae71db66bf7ccc3cd2cb682862e8e7b9c11b1273d4ba696553410b0f392324ff0f0c73c2202db3dcfc989aa7c19db2b522d8e45ff89ce15d34e8355e7165

C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 b1e9e2514809c9a80ee12d5da58c6d93
SHA1 e85a3a94515e022859000a4a776e41fa6cc22142
SHA256 67e37d38647a710eaa09114d6b3a6fbf43df301885b9e24c9928acf7f05cb21a
SHA512 6c042385f09b63daf91ab113eb05218bcbc99761f09b05546d2cabab7b60809e3c3c5549189c5d648b97cdddfeb28079eb65db90fe355978a051ac51587d756e

C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

MD5 f0c7f6393779f2934ba44895a2c38a81
SHA1 a7a05012681316a35c7e2fecbcc59118dccd4657
SHA256 b24ccb62f541139f065d90b57d5d89eb040f5a3e0e50f2f85c0a0a4de9dba0cc
SHA512 7788d623b913966301c4c3148ff06dec11c78dcf98656eaaba225af3855b123b2557b26c79f2b7aac92394f99f67888485795ac3063393e34d98dff788c4f7ee

C:\Users\Admin\Desktop\Howto_RESTORE_FILES.bmp

MD5 0b80db01c0b24953421ea1d3cc29f15b
SHA1 6f33fc8780d9617a93f05f4ae0cbb2f3a394981b
SHA256 22a3b5d9ecd0b9d7799f9fae997c91044aebaa010d57217d5e8eb63609047982
SHA512 33e3f1ba32e7644e3379cc33b81c0b4bd05474e2fcb0a70c98f4faafe2683efd7905e9b1f4269f6fa5407c911325042998c3988e184ec562031570e623678a07

C:\Users\Admin\AppData\Local\Temp\CabE86D.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarE8EE.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 06:08

Reported

2024-10-16 06:11

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A

Renames multiple (882) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+ikd.txt C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+ikd.html C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+ikd.txt C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+ikd.html C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Acrndtd = "C:\\Users\\Admin\\AppData\\Roaming\\agvslacroic.exe" C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\de-DE\how_recover+ikd.html C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\THMBNAIL.PNG C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-32.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\12.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-24_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\how_recover+ikd.html C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\how_recover+ikd.txt C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FileText32x32.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-30_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\firstrun\startup_background.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\how_recover+ikd.html C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\modules\how_recover+ikd.html C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosMedTile.contrast-black_scale-100.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageMedTile.scale-100.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\how_recover+ikd.html C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mng2.txt C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\31.jpg C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-60_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\how_recover+ikd.html C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\MedTile.scale-200.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\how_recover+ikd.txt C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\MedTile.scale-125.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-200_contrast-high.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-30_altform-lightunplated.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-300.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppxMetadata\how_recover+ikd.txt C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\how_recover+ikd.txt C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\how_recover+ikd.txt C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-60_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\how_recover+ikd.txt C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-200_contrast-black.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\how_recover+ikd.txt C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\COPYING.txt C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreSmallTile.scale-100.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-100.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\how_recover+ikd.txt C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchLargeTile.contrast-black_scale-100.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\how_recover+ikd.html C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\how_recover+ikd.txt C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\how_recover+ikd.txt C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\how_recover+ikd.html C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSmallTile.scale-125.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Fonts\how_recover+ikd.html C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MusicStoreLogo.scale-200_contrast-white.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\ja-JP\how_recover+ikd.html C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\1033\how_recover+ikd.html C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-400_contrast-white.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionMedTile.scale-200.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_contrast-black.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\it-IT\how_recover+ikd.txt C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-32_altform-unplated.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\PhotosApp\how_recover+ikd.txt C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\how_recover+ikd.html C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Preview.scale-100_layoutdir-LTR.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\ringless_calls\how_recover+ikd.html C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyCalendarSearch-Dark.scale-150.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\Content\how_recover+ikd.html C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-300.png C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoEditor.Common\Resources\how_recover+ikd.txt C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\gu.txt C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4116 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe
PID 4740 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\agvslacroic.exe
PID 4740 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3808 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Roaming\agvslacroic.exe C:\Users\Admin\AppData\Roaming\agvslacroic.exe
PID 2160 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Roaming\agvslacroic.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 2160 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Roaming\agvslacroic.exe C:\Windows\System32\vssadmin.exe
PID 2160 wrote to memory of 920 N/A C:\Users\Admin\AppData\Roaming\agvslacroic.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 2160 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Roaming\agvslacroic.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 2160 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Roaming\agvslacroic.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 2160 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Roaming\agvslacroic.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 2160 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\agvslacroic.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2160 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Roaming\agvslacroic.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1424 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2160 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Roaming\agvslacroic.exe C:\Windows\System32\vssadmin.exe
PID 1424 wrote to memory of 2864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Roaming\agvslacroic.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4bb4385452699658f4576b4df4f498ec_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\agvslacroic.exe

C:\Users\Admin\AppData\Roaming\agvslacroic.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4BB438~1.EXE

C:\Users\Admin\AppData\Roaming\agvslacroic.exe

C:\Users\Admin\AppData\Roaming\agvslacroic.exe

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {current} bootems off

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {current} advancedoptions off

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {current} optionsedit off

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {current} recoveryenabled off

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe387946f8,0x7ffe38794708,0x7ffe38794718

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,14817368602033617200,6013368732236763357,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,14817368602033617200,6013368732236763357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,14817368602033617200,6013368732236763357,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14817368602033617200,6013368732236763357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14817368602033617200,6013368732236763357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,14817368602033617200,6013368732236763357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4036 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14817368602033617200,6013368732236763357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14817368602033617200,6013368732236763357,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14817368602033617200,6013368732236763357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14817368602033617200,6013368732236763357,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\AGVSLA~1.EXE

Network

Files
