Malware Analysis Report

2025-03-15 08:13

Sample ID 241016-jchh4stejk
Target 4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118
SHA256 06bf9d4210eef0d389d0683a94c26c3158f5e381b33e83737cecd2bfca6301e7
Tags
defense_evasion discovery evasion execution impact persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

06bf9d4210eef0d389d0683a94c26c3158f5e381b33e83737cecd2bfca6301e7

Threat Level: Known bad

The file 4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Deletes shadow copies

Modifies boot configuration data using bcdedit

Renames multiple (912) files with added filename extension

Renames multiple (371) files with added filename extension

Deletes itself

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Drops startup file

Indicator Removal: File Deletion

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Opens file in notepad (likely ransom note)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Interacts with shadow copies

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 07:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 07:31

Reported

2024-10-16 07:33

Platform

win7-20241010-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (371) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+vmx.txt C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+vmx.html C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+vmx.txt C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+vmx.html C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Acrndtd = "C:\\Users\\Admin\\AppData\\Roaming\\mojdvacroic.exe" C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\how_recover+vmx.html C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\how_recover+vmx.txt C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fi\how_recover+vmx.html C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-today.png C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\how_recover+vmx.txt C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\how_recover+vmx.txt C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_down.png C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\es-ES\how_recover+vmx.html C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\how_recover+vmx.html C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\images\how_recover+vmx.html C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\how_recover+vmx.txt C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\settings.css C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-docked.png C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG_PAL.wmv C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain.wmv C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\how_recover+vmx.txt C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\how_recover+vmx.html C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\fr-FR\how_recover+vmx.html C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\how_recover+vmx.txt C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\de-DE\how_recover+vmx.html C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\how_recover+vmx.txt C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\how_recover+vmx.html C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\cpu.css C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\how_recover+vmx.txt C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile16.png C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\how_recover+vmx.txt C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\da.txt C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\tg.txt C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_ButtonGraphic.png C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\mr.pak C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\how_recover+vmx.txt C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\how_recover+vmx.html C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_over.png C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-3.png C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\how_recover+vmx.txt C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\how_recover+vmx.txt C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\how_recover+vmx.html C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\how_recover+vmx.html C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_h.png C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_dot.png C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\how_recover+vmx.txt C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\th.txt C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\how_recover+vmx.html C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\how_recover+vmx.txt C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\an\how_recover+vmx.html C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fur\how_recover+vmx.html C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\settings.js C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\how_recover+vmx.html C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\how_recover+vmx.html C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\how_recover+vmx.html C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\how_recover+vmx.txt C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\it-IT\how_recover+vmx.txt C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\how_recover+vmx.html C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\30.png C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\weather.css C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\gl.txt C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\how_recover+vmx.txt C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\how_recover+vmx.txt C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\how_recover+vmx.html C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_left.png C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\settings.css C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EF2D9C71-8B90-11EF-BA45-72BC2935A1B8} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Opens file in notepad (likely ransom note)

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe
PID 3012 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe
PID 3012 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe
PID 3012 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe
PID 3012 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe
PID 3012 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe
PID 3012 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe
PID 3012 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe
PID 3012 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe
PID 3012 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe
PID 3012 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe
PID 2852 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\mojdvacroic.exe
PID 2852 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\mojdvacroic.exe
PID 2852 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\mojdvacroic.exe
PID 2852 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\mojdvacroic.exe
PID 2852 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe C:\Users\Admin\AppData\Roaming\mojdvacroic.exe
PID 2936 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe C:\Users\Admin\AppData\Roaming\mojdvacroic.exe
PID 2936 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe C:\Users\Admin\AppData\Roaming\mojdvacroic.exe
PID 2936 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe C:\Users\Admin\AppData\Roaming\mojdvacroic.exe
PID 2936 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe C:\Users\Admin\AppData\Roaming\mojdvacroic.exe
PID 2936 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe C:\Users\Admin\AppData\Roaming\mojdvacroic.exe
PID 2936 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe C:\Users\Admin\AppData\Roaming\mojdvacroic.exe
PID 2936 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe C:\Users\Admin\AppData\Roaming\mojdvacroic.exe
PID 2936 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe C:\Users\Admin\AppData\Roaming\mojdvacroic.exe
PID 2936 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe C:\Users\Admin\AppData\Roaming\mojdvacroic.exe
PID 2936 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe C:\Users\Admin\AppData\Roaming\mojdvacroic.exe
PID 2824 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe C:\Windows\system32\bcdedit.exe
PID 2824 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe C:\Windows\system32\bcdedit.exe
PID 2824 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe C:\Windows\system32\bcdedit.exe
PID 2824 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe C:\Windows\system32\bcdedit.exe
PID 2824 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe C:\Windows\System32\vssadmin.exe
PID 2824 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe C:\Windows\system32\bcdedit.exe
PID 2824 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe C:\Windows\system32\bcdedit.exe
PID 2824 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe C:\Windows\system32\bcdedit.exe
PID 2824 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe C:\Windows\system32\bcdedit.exe
PID 2824 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2824 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\mojdvacroic.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1560 wrote to memory of 2752 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Roaming\mojdvacroic.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\mojdvacroic.exe

C:\Users\Admin\AppData\Roaming\mojdvacroic.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4BEC5D~1.EXE

C:\Users\Admin\AppData\Roaming\mojdvacroic.exe

C:\Users\Admin\AppData\Roaming\mojdvacroic.exe

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {current} bootems off

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {current} advancedoptions off

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {current} optionsedit off

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {current} recoveryenabled off

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_Restore_FILES.TXT

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Howto_Restore_FILES.HTM

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\MOJDVA~1.EXE

Network

Country Destination Domain Proto
US 8.8.8.8:53 myexternalip.com udp
US 34.160.111.145:80 myexternalip.com tcp
US 8.8.8.8:53 kochstudiomaashof.de udp
US 8.8.8.8:53 testadiseno.com udp
US 8.8.8.8:53 diskeeper-asia.com udp
US 8.8.8.8:53 gjesdalbrass.no udp
BE 35.195.98.220:80 gjesdalbrass.no tcp
US 8.8.8.8:53 garrityasphalt.com udp
US 198.185.159.144:80 garrityasphalt.com tcp
US 8.8.8.8:53 www.garrityasphalt.com udp
US 198.185.159.144:80 www.garrityasphalt.com tcp
US 8.8.8.8:53 grassitup.com udp
US 3.33.251.168:80 grassitup.com tcp

Files

\Users\Admin\AppData\Roaming\mojdvacroic.exe

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+vmx.html

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+vmx.txt

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

C:\Users\Admin\Desktop\Howto_Restore_FILES.BMP

C:\Users\Admin\AppData\Local\Temp\CabF29C.tmp

C:\Users\Admin\AppData\Local\Temp\TarF33B.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 07:31

Reported

2024-10-16 07:33

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A

Renames multiple (912) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+jfm.txt C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+jfm.html C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+jfm.txt C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+jfm.html C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Acrndtd = "C:\\Users\\Admin\\AppData\\Roaming\\urhwwacroic.exe" C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\how_recover+jfm.html C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\whatsnewsrc\script\how_recover+jfm.txt C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailMediumTile.scale-200.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\how_recover+jfm.txt C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\how_recover+jfm.txt C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe\how_recover+jfm.txt C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionMedTile.scale-400.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\avatar_default_large.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-96.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Tented\how_recover+jfm.txt C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_TileWide.scale-200.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-125.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookSmallTile.scale-400.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-64_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\how_recover+jfm.txt C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\191.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\RotateHorizontallyOverlay.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-30_contrast-black.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-100.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ta\how_recover+jfm.txt C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchWideTile.contrast-black_scale-125.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ArchiveToastQuickAction.scale-80.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\WideTile.scale-100.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-150_contrast-black.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-30.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-200.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\how_recover+jfm.html C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\how_recover+jfm.html C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-400_contrast-white.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lv-LV\how_recover+jfm.txt C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLogoExtensions.targetsize-48.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-48_altform-unplated.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-48.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_6.m4a C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericIntl-1.jpg C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyView-Dark.scale-200.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-24_altform-lightunplated.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\pt-PT\how_recover+jfm.html C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.scale-125_contrast-white.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-125_contrast-white.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailMediumTile.scale-125.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-72_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-200_contrast-white.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\how_recover+jfm.html C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\th.pak C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-125.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\how_recover+jfm.txt C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\MedTile.scale-200.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\how_recover+jfm.html C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sw\how_recover+jfm.txt C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\Windows NT\how_recover+jfm.html C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-36_altform-unplated.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\how_recover+jfm.txt C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSplashScreen.scale-100_contrast-black.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyCalendarSearch-Dark.scale-125.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-125.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\offer_cards\o365apps.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerLargeTile.contrast-white_scale-100.png C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3760 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe
PID 3760 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe
PID 3760 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe
PID 3760 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe
PID 3760 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe
PID 3760 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe
PID 3760 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe
PID 3760 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe
PID 3760 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe
PID 3760 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe
PID 1176 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\urhwwacroic.exe
PID 1176 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\urhwwacroic.exe
PID 1176 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\urhwwacroic.exe
PID 1176 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1532 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Users\Admin\AppData\Roaming\urhwwacroic.exe
PID 1532 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Users\Admin\AppData\Roaming\urhwwacroic.exe
PID 1532 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Users\Admin\AppData\Roaming\urhwwacroic.exe
PID 1532 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Users\Admin\AppData\Roaming\urhwwacroic.exe
PID 1532 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Users\Admin\AppData\Roaming\urhwwacroic.exe
PID 1532 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Users\Admin\AppData\Roaming\urhwwacroic.exe
PID 1532 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Users\Admin\AppData\Roaming\urhwwacroic.exe
PID 1532 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Users\Admin\AppData\Roaming\urhwwacroic.exe
PID 1532 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Users\Admin\AppData\Roaming\urhwwacroic.exe
PID 1532 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Users\Admin\AppData\Roaming\urhwwacroic.exe
PID 4344 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 4344 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 4344 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Windows\System32\vssadmin.exe
PID 4344 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Windows\System32\vssadmin.exe
PID 4344 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 4344 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 4344 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 4344 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 4344 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 4344 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 4344 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 4344 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 4344 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 4344 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 4344 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 4344 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4344 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 1140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 1140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4344 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Windows\System32\vssadmin.exe
PID 4344 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Roaming\urhwwacroic.exe C:\Windows\System32\vssadmin.exe
PID 3144 wrote to memory of 3076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 3076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 3076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 3076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 3076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 3076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 3076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 3076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 3076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 3076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 3076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 3076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 3076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 3076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 3076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 3076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3144 wrote to memory of 3076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Roaming\urhwwacroic.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4bec5de5a8cdec61767031eda2dd4358_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\urhwwacroic.exe

C:\Users\Admin\AppData\Roaming\urhwwacroic.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4BEC5D~1.EXE

C:\Users\Admin\AppData\Roaming\urhwwacroic.exe

C:\Users\Admin\AppData\Roaming\urhwwacroic.exe

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {current} bootems off

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {current} advancedoptions off

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {current} optionsedit off

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {current} recoveryenabled off

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_Restore_FILES.TXT

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\Howto_Restore_FILES.HTM

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd65ac46f8,0x7ffd65ac4708,0x7ffd65ac4718

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,15141975542885525356,17801553728440969951,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,15141975542885525356,17801553728440969951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,15141975542885525356,17801553728440969951,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15141975542885525356,17801553728440969951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15141975542885525356,17801553728440969951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,15141975542885525356,17801553728440969951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,15141975542885525356,17801553728440969951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15141975542885525356,17801553728440969951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15141975542885525356,17801553728440969951,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15141975542885525356,17801553728440969951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15141975542885525356,17801553728440969951,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\URHWWA~1.EXE

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 myexternalip.com udp
US 34.160.111.145:80 myexternalip.com tcp
US 8.8.8.8:53 kochstudiomaashof.de udp
US 8.8.8.8:53 testadiseno.com udp
US 8.8.8.8:53 diskeeper-asia.com udp
US 8.8.8.8:53 gjesdalbrass.no udp
BE 35.195.98.220:80 gjesdalbrass.no tcp
US 8.8.8.8:53 145.111.160.34.in-addr.arpa udp
US 8.8.8.8:53 garrityasphalt.com udp
US 198.185.159.144:80 garrityasphalt.com tcp
US 8.8.8.8:53 www.garrityasphalt.com udp
US 8.8.8.8:53 144.159.185.198.in-addr.arpa udp
US 198.185.159.144:80 www.garrityasphalt.com tcp
US 8.8.8.8:53 grassitup.com udp
US 3.33.251.168:80 grassitup.com tcp
US 8.8.8.8:53 168.251.33.3.in-addr.arpa udp
US 8.8.8.8:53 kochstudiomaashof.de udp
US 8.8.8.8:53 testadiseno.com udp
US 8.8.8.8:53 diskeeper-asia.com udp
BE 35.195.98.220:80 gjesdalbrass.no tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 198.185.159.144:80 www.garrityasphalt.com tcp

Files

memory/3760-0-0x00000000023A0000-0x00000000023A3000-memory.dmp

memory/3760-1-0x00000000023A0000-0x00000000023A3000-memory.dmp

memory/1176-2-0x0000000000400000-0x0000000000489000-memory.dmp

memory/3760-4-0x00000000023A0000-0x00000000023A3000-memory.dmp

memory/1176-3-0x0000000000400000-0x0000000000489000-memory.dmp

memory/1176-5-0x0000000000400000-0x0000000000489000-memory.dmp

memory/1176-6-0x0000000000400000-0x0000000000489000-memory.dmp

C:\Users\Admin\AppData\Roaming\urhwwacroic.exe

MD5 4bec5de5a8cdec61767031eda2dd4358
SHA1 6a48b4e4538a0cb0df0724115e66d37d3fb0e283
SHA256 06bf9d4210eef0d389d0683a94c26c3158f5e381b33e83737cecd2bfca6301e7
SHA512 05f02e6f22af70dd2a4b2219b6b14f813b4dbf5410947851bd001bfa4f3410a5844683fc86905164d1505f522f5ff61bc30aebae82497121c376f827bad6cd71

memory/1532-11-0x0000000000400000-0x000000000076F000-memory.dmp

memory/1176-12-0x0000000000400000-0x0000000000489000-memory.dmp

memory/4344-17-0x0000000000400000-0x0000000000489000-memory.dmp

memory/4344-19-0x0000000000400000-0x0000000000489000-memory.dmp

memory/1532-18-0x0000000000400000-0x000000000076F000-memory.dmp

memory/4344-16-0x0000000000400000-0x0000000000489000-memory.dmp

memory/4344-20-0x0000000000400000-0x0000000000489000-memory.dmp

memory/4344-24-0x0000000000400000-0x0000000000489000-memory.dmp

memory/4344-23-0x0000000000400000-0x0000000000489000-memory.dmp

C:\Program Files\7-Zip\Lang\how_recover+jfm.txt

MD5 6bf0c19871249a249a4f05520c05afc1
SHA1 1e641822e02f19ca10542e3d54c1c85964114caf
SHA256 bac2c35cacba6ed787cb52364049145d9842f3c25c5c729b12b9eb83a4e19a73
SHA512 9bcc09b16c13066682a2950b41d350b453431c220470205b8d9ee117d67269513187ec5efd51dad8acf3ba6ef39c64a8104a24ea0f7adbdcdd85fd14cff3d190

C:\Program Files\7-Zip\Lang\how_recover+jfm.html

MD5 6157480d4f7b2826a5698d82d80a730a
SHA1 0d55ea119b791beb9d50dfa7661fc1662b679620
SHA256 2aafa209073df819d1f0124a6e9d2a3c49c3d0f3ed8b6ac52ab825de2ed575c4
SHA512 96a12a4862ac282315405b1734afc1ad8eaa388037f769f0caa32148a790476ad5b12c0862c5c887c60fa112f21321ceae5ffcd84ecb3f4aa2d1941b424e231c

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 fc8d239211f764c2462492c2805b176a
SHA1 2ea5b83c0dc24ac27f20b1ec755c52ac13bc4fbc
SHA256 e3eb79311ff6abf29e2ea7797e12b0aa05a2f8447a89acdbe2c3399cdc5d73c6
SHA512 a434e068538cadebb7a974ed73f4cc09125d4e0033feafc8d11ae6801b1e853998caf0a5f6c63e3511c2126d5aac0d602f7613c9b71e11f6490b13e1cbb188a2

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

MD5 22d384eeaa15455782b00f21e05e831a
SHA1 27b5f55c866f39baa491f640f453fffd54afcaed
SHA256 096745749ae0a122dd3aa0d187b3728fc06b11a9433e2c65fa0e024a1999cde5
SHA512 4c00141d635f53aa0943621bf14247cd1eed9f686973562c5f3ecda4a93b390ac4074add31f37d6ab805e74e94a7c836c9f86f51076d77af9723c8782f47d25f

C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

MD5 a734e2bc8f196c64be1390e835df9dcd
SHA1 b8463cd4037a0211e745f20c698971a075e9878c
SHA256 5c42f4ab7dc3be9305ce1baa5ef220c13cb5061e47bcbc832c7f567dde28b12b
SHA512 b625277feb592e86dea414977ce45c4fc695e8d70913da9e5817c2bbe72e9099beeaedf46bcf61865343e886797580ceaf96d20578fc23620d0afba4455ec8a6

memory/4344-1864-0x0000000000400000-0x0000000000489000-memory.dmp

memory/4344-1865-0x0000000000400000-0x0000000000489000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{f51d3545-795a-4d12-b38a-054029322811}\0.1.filtertrie.intermediate.txt

MD5 1074465283564208a0a60ecdce851105
SHA1 c7be124709b4f2ed2a6765c39ba16ccf3fbe6e68
SHA256 d9bf7768990e974a47fa297dcb11fd9da0f933bb58ba2b2c6cd34994f6ff7eee
SHA512 16ede9d715cdf206a4c55f51ae2a12cdbaf0531ef47b36b2b7133276bc1978ef8a7b1ea25e6928a73e59f8fa6eb28ed417d19bee29801fe704a3533615784380

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{f51d3545-795a-4d12-b38a-054029322811}\0.2.filtertrie.intermediate.txt

MD5 a61d3941f04f8444fcf7bbca4cfa32f0
SHA1 2476a588e8494597716a8996eea6d24fb07a4cdf
SHA256 29c1d9aaa06814fa2fd2195964d17248a1f91ec402967156c61350ddc5b4532c
SHA512 223d9b2d3d694ba6170baf03a746d0656a809dfd3db06f161254f52a7b928abc093e0c4827586a844e206d925ed594810d62fb260062c2d8db0ac597ac34a2ce

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662360645001.txt

MD5 6939b6f3ddf5946a7bbf803f397d9b11
SHA1 a0a26bd5cd3f31c9d2a835633530028a04ee3707
SHA256 9d0990b9bdeacb9c1f6ab833ac3e86fce256815b62a82504b5f1b4dd6cd5fa5a
SHA512 604a6311d0cc888d47dae83cd4cd4a1cac3179a707e2ae6955e785d0d0c3feab2abe8b570c0afc5c96f8a19778ecc82bd7980b212bf4a29ffaf2229669e163e9

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663623337830.txt

MD5 c5a433cbf9ce7dae02e9642d6548557f
SHA1 fbfaea34e6f0a414a4d22ed0cb8019a64a552992
SHA256 c594cb90319f4d63c38bb10ba6f39ddba0ca63d2b5dd8ee92c5c8eea2b2a96b3
SHA512 d544fafcf5106a3f67a039de1f6b3fbd76a6a2922f565932a437d1e4bdb1250b99ccedabfa7ba8148c1125772729abda6eb5da3d4a042f2264a84a23b981e6bf

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727671211214398.txt

MD5 c14759dbd9216061d90762b7c08f3bbe
SHA1 2bf31b84ef7997e4ef153dd7dca18c267c530d5b
SHA256 daa62216bed9443911c2e993db8cb4ee36e75a4f66489ad77f98d7e4677a2032
SHA512 033ff3767ab540a68ce64974ce8b72e66c51c35df791f57beb1762e241ea3c9444b5ff8ead3a2bded49e04240c5aae09d20ae31d3f915394bbd523fc347be934

memory/4344-7784-0x0000000000400000-0x0000000000489000-memory.dmp

memory/4344-7785-0x0000000000400000-0x0000000000489000-memory.dmp

memory/4344-7787-0x0000000000400000-0x0000000000489000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 34d2c4f40f47672ecdf6f66fea242f4a
SHA1 4bcad62542aeb44cae38a907d8b5a8604115ada2
SHA256 b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33
SHA512 50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

memory/4344-7801-0x0000000000400000-0x0000000000489000-memory.dmp

memory/4344-7802-0x0000000000400000-0x0000000000489000-memory.dmp

\??\pipe\LOCAL\crashpad_3144_QWSZQQVMSSGAWNYR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8749e21d9d0a17dac32d5aa2027f7a75
SHA1 a5d555f8b035c7938a4a864e89218c0402ab7cde
SHA256 915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304
SHA512 c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 df14bc2f31c0fa3015aea2b6f3331675
SHA1 f6e14a285b85cdc95e3f2c907c226b240d774ab8
SHA256 c97310ecf1cb39e7a64f4937c560d9f2b2587684c252340b0c9aedfc3232af2a
SHA512 37a90c8fd95c24c0295798d26926b61d36476087f50112afb8594454a0bf6a932218ae763c87b4d99e77f2a66cee1d7d4adfeff6ee36aa5d2dbf1c462cab30f9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7a1774624858b53d2c10508bf8824999
SHA1 a2b989a4c61bf07f14c0f5cc58a6e80b3bfef7af
SHA256 51e07d1e3a8be6a315b64e86f936e5bb5239d029b250c1a4d0c87944c02917fc
SHA512 1d60d06d7afcf8be1b7fc386203adee94163ce47c230672c7b3aa45366d0f4c8ac5d873f6dab1d7940c9bcca64331852fee06aa804bcdaefc7daba76c6d22b5b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9f991f11b59946b77f57c30bd3cb56c8
SHA1 2fded3ee4fc258ea126e396da0b0a96357340f03
SHA256 1d209de979429440fc9bd6a7ed4ddea3fe9aaf07b33b78974ab7dfed3c7c949d
SHA512 51eac538616101d7d234e52b8b99e675b990e74bb1001b3c28c3ed350a447e8388c5cffd78a220fcd7023e399da176ff8dee075358e5670bacd73c58a9ee006d

memory/4344-7876-0x0000000000400000-0x0000000000489000-memory.dmp