Malware Analysis Report

2025-01-22 19:54

Sample ID 241016-y1bg2atglq
Target 4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118
SHA256 128f8916d9fb9f5f19b277f7dcb457e403263eece127a888aa0caec3c5b278df
Tags
defense_evasion discovery evasion execution impact persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

128f8916d9fb9f5f19b277f7dcb457e403263eece127a888aa0caec3c5b278df

Threat Level: Known bad

The file 4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion execution impact persistence ransomware spyware stealer

Renames multiple (884) files with added filename extension

Renames multiple (423) files with added filename extension

Modifies boot configuration data using bcdedit

Deletes shadow copies

Drops startup file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Deletes itself

Looks up external IP address via web service

Indicator Removal: File Deletion

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Browser Information Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Opens file in notepad (likely ransom note)

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

Modifies Internet Explorer settings

Interacts with shadow copies

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 20:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 20:14

Reported

2024-10-16 20:17

Platform

win7-20240903-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A (5 identical entries)

Renames multiple (423) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+sni.html C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+sni.txt C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+sni.html C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+sni.txt C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A (2 identical entries)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Acrndtd = "C:\\Users\\Admin\\AppData\\Roaming\\dujgyacroic.exe" C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\how_recover+sni.txt C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_VideoInset.png C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogo.png C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\picturePuzzle.js C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\2.png C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\how_recover+sni.txt C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\how_recover+sni.html C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\how_recover+sni.txt C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Games\More Games\en-US\how_recover+sni.txt C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\how_recover+sni.txt C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\how_recover+sni.html C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\uz-cyrl.txt C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\how_recover+sni.html C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Windows Journal\de-DE\how_recover+sni.html C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\how_recover+sni.html C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\picturePuzzle.css C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mk\how_recover+sni.txt C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\how_recover+sni.txt C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\how_recover+sni.txt C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Windows Mail\ja-JP\how_recover+sni.html C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\drag.png C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\how_recover+sni.txt C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\how_recover+sni.html C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\it-IT\how_recover+sni.txt C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\how_recover+sni.txt C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask_PAL.wmv C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\how_recover+sni.txt C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\gu\how_recover+sni.txt C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\how_recover+sni.html C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_rest.png C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_rainy.png C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\how_recover+sni.html C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\logger\how_recover+sni.txt C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_h.png C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\how_recover+sni.txt C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\how_recover+sni.txt C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\how_recover+sni.txt C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\how_recover+sni.txt C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Windows Mail\it-IT\how_recover+sni.html C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_m.png C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\how_recover+sni.txt C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\how_recover+sni.html C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\how_recover+sni.html C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_gtk.css C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\co\how_recover+sni.txt C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\how_recover+sni.html C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\how_recover+sni.html C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
File opened for modification C:\Program Files\7-Zip\how_recover+sni.txt C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A (2 identical entries)

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value not captured in this extraction] C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435271632" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000d3be920b118b13ddadba42010e16f8ff7bbcfb3aaa1161ee6b7ee1ac1a735fad000000000e8000000002000020000000abcd5c09e0a74d8f51509c392017366999b8ca8d0d2c70ef9eea601d3d5603b5200000000d73e499b9c1466a55a2c011b6ab7a206c409ef8481483c22664e831af6c030e400000009795966beeb3bb43bde69f5ce05ec6b63249cd2410fdb2bb80b2ae09c8d5ac9c12761d007a68c6925d00bb9ab729febc62c5d0f248c118214c5bf2043eca4793 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8092634d0820db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{78DDD1F1-8BFB-11EF-969B-D60C98DC526F} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Opens file in notepad (likely ransom note)

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A (64 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2648 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe (11 identical entries)
PID 2784 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\dujgyacroic.exe (4 identical entries)
PID 2784 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe (4 identical entries)
PID 2720 wrote to memory of 776 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Users\Admin\AppData\Roaming\dujgyacroic.exe (11 identical entries)
PID 776 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Windows\system32\bcdedit.exe (4 identical entries)
PID 776 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Windows\System32\vssadmin.exe
PID 776 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Windows\System32\vssadmin.exe
PID 776 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Windows\System32\vssadmin.exe
PID 776 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Windows\System32\vssadmin.exe
PID 776 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Windows\system32\bcdedit.exe
PID 776 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Windows\system32\bcdedit.exe
PID 776 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Windows\system32\bcdedit.exe
PID 776 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Windows\system32\bcdedit.exe
PID 776 wrote to memory of 604 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Windows\system32\bcdedit.exe
PID 776 wrote to memory of 604 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Windows\system32\bcdedit.exe
PID 776 wrote to memory of 604 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Windows\system32\bcdedit.exe
PID 776 wrote to memory of 604 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Windows\system32\bcdedit.exe
PID 776 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Windows\system32\bcdedit.exe
PID 776 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Windows\system32\bcdedit.exe
PID 776 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Windows\system32\bcdedit.exe
PID 776 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Windows\system32\bcdedit.exe
PID 776 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Windows\system32\bcdedit.exe
PID 776 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Windows\system32\bcdedit.exe
PID 776 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Windows\system32\bcdedit.exe
PID 776 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Windows\system32\bcdedit.exe
PID 776 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 776 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 776 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 776 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 776 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 776 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 776 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 776 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Roaming\dujgyacroic.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2708 wrote to memory of 2696 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2708 wrote to memory of 2696 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Roaming\dujgyacroic.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\dujgyacroic.exe

C:\Users\Admin\AppData\Roaming\dujgyacroic.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4ECE32~1.EXE

C:\Users\Admin\AppData\Roaming\dujgyacroic.exe

C:\Users\Admin\AppData\Roaming\dujgyacroic.exe

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {current} bootems off

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {current} advancedoptions off

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {current} optionsedit off

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {current} recoveryenabled off

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_Restore_FILES.TXT

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Howto_Restore_FILES.HTM

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\DUJGYA~1.EXE
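The Processes table above is the classic inhibit-recovery chain: the dropper writes into a second copy of itself, copies itself to %APPDATA% as dujgyacroic.exe and deletes the original with cmd /c DEL using its 8.3 short name (4ECE32~1.EXE, later DUJGYA~1.EXE for the payload); the payload child then runs vssadmin delete shadows /all /Quiet twice and five bcdedit commands that hide the F8 advanced boot menu (advancedoptions off), block editing of boot options (optionsedit off), disable EMS (bootems off), turn off automatic Windows RE recovery (recoveryenabled off) and suppress the boot-failure recovery prompt (bootstatuspolicy IgnoreAllFailures), before opening the ransom note in Notepad and Internet Explorer. The System policy modification signature sets EnableLinkedConnections = 1, which makes the user's mapped network drives visible to the process's elevated token under UAC, so the encryptor can reach network shares as well as local volumes. The Python below is an added example and not part of the sandbox report: it encodes those behaviours as rules and runs them over events constructed from the command lines above. The Event layout is a simplified Sysmon-style shape (process creation and registry value set) assumed for the example, and the two benign control events are constructed.

```python
"""Detection rules for the recovery-inhibition and self-deletion chain above.

Added example, not part of the sandbox report. Event is a simplified
Sysmon-style shape (EID 1 process creation / EID 13 registry value set);
SAMPLE_EVENTS are constructed from the command lines in the Processes
table and the EnableLinkedConnections write in the System policy signature.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Event:
    kind: str                 # "process" or "registry"
    image: str = ""           # executing image
    cmdline: str = ""         # full command line (process events)
    parent_image: str = ""    # parent image (process events)
    reg_path: str = ""        # value path written (registry events)
    reg_value: str = ""       # data written (registry events)


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\dujgyacroic.exe"
BCDEDIT = r"C:\Windows\system32\bcdedit.exe"

SAMPLE_EVENTS: List[Event] = [
    Event("process", BCDEDIT, "bcdedit.exe /set {current} bootems off", PAYLOAD),
    Event("process", r"C:\Windows\System32\vssadmin.exe",
          r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet', PAYLOAD),
    Event("process", BCDEDIT, "bcdedit.exe /set {current} advancedoptions off", PAYLOAD),
    Event("process", BCDEDIT, "bcdedit.exe /set {current} optionsedit off", PAYLOAD),
    Event("process", BCDEDIT, "bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures", PAYLOAD),
    Event("process", BCDEDIT, "bcdedit.exe /set {current} recoveryenabled off", PAYLOAD),
    Event("process", r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4ECE32~1.EXE', DROPPER),
    Event("process", r"C:\Windows\SysWOW64\NOTEPAD.EXE",
          r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_Restore_FILES.TXT', PAYLOAD),
    Event("process", r"C:\Program Files\Internet Explorer\iexplore.exe",
          r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Howto_Restore_FILES.HTM', PAYLOAD),
    Event("registry", PAYLOAD,
          reg_path=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections",
          reg_value="1"),
    # constructed benign controls: an admin listing shadows, a script deleting a log file
    Event("process", r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows", r"C:\Windows\System32\cmd.exe"),
    Event("process", r"C:\Windows\System32\cmd.exe",
          r"cmd.exe /c DEL C:\Users\Admin\AppData\Local\Temp\build.log", r"C:\Windows\explorer.exe"),
]

# ransom-note names seen in this report: how_recover+<tag>.txt/.html and Howto_Restore_FILES.*
NOTE_NAME = re.compile(r"how_recover\+\w{3}\.(?:txt|html)|howto_restore_files\.(?:txt|htm|bmp)", re.I)


def _basename(path: str) -> str:
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]


def _short_name_matches(deleted: str, parent: str) -> bool:
    """Does an 8.3 name such as 4ECE32~1.EXE plausibly refer to the parent image?"""
    stem = _basename(deleted).rsplit(".", 1)[0].upper()
    if "~" not in stem:
        return _basename(deleted).lower() == _basename(parent).lower()
    return _basename(parent).upper().startswith(stem.split("~", 1)[0])


def _self_delete(e: Event) -> bool:
    """cmd.exe /c DEL whose target is the parent's own executable (by long or 8.3 name)."""
    if e.kind != "process" or _basename(e.image).lower() != "cmd.exe":
        return False
    m = re.search(r'/c\s+del\s+"?([^"\s]+)', e.cmdline, re.I)
    return m is not None and _short_name_matches(m.group(1), e.parent_image)


def _proc(e: Event, exe: str, pattern: str) -> bool:
    return (e.kind == "process" and _basename(e.image).lower() == exe
            and re.search(pattern, e.cmdline, re.I) is not None)


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("shadow_copy_deletion", lambda e: _proc(e, "vssadmin.exe", r"\bdelete\s+shadows\b")),
    ("boot_options_hidden", lambda e: _proc(e, "bcdedit.exe", r"\b(?:bootems|advancedoptions|optionsedit)\s+off\b")),
    ("boot_recovery_disabled", lambda e: _proc(e, "bcdedit.exe",
                                               r"recoveryenabled\s+(?:off|no)\b|bootstatuspolicy\s+ignoreallfailures")),
    ("self_delete_via_cmd", _self_delete),
    ("ransom_note_displayed", lambda e: e.kind == "process"
        and _basename(e.image).lower() in ("notepad.exe", "iexplore.exe")
        and NOTE_NAME.search(e.cmdline) is not None),
    ("linked_connections_enabled", lambda e: e.kind == "registry"
        and e.reg_path.lower().endswith(r"\policies\system\enablelinkedconnections")
        and e.reg_value.strip() == "1"),
]


def triage(events: List[Event]) -> Dict[str, List[int]]:
    """Map each rule that fired to the indexes of the events it matched."""
    hits: Dict[str, List[int]] = {}
    for i, e in enumerate(events):
        for name, pred in RULES:
            if pred(e):
                hits.setdefault(name, []).append(i)
    return hits


def verdict(hits: Dict[str, List[int]]) -> str:
    """Shadow deletion together with boot-recovery tampering is the ransomware inhibit-recovery pair."""
    inhibit = {"shadow_copy_deletion", "boot_recovery_disabled", "boot_options_hidden"}
    if "shadow_copy_deletion" in hits and len(inhibit & hits.keys()) >= 2:
        return "ransomware_inhibit_recovery"
    return "suspicious" if hits else "clean"


if __name__ == "__main__":
    h = triage(SAMPLE_EVENTS)
    for name, idx in h.items():
        print(f"{name}: events {idx}")
    print("verdict:", verdict(h))
```

The self-deletion rule deliberately compares the DEL target against the parent image rather than just flagging any cmd /c DEL: the sandbox records the target as an 8.3 short name, so matching on the prefix before the tilde is what links 4ECE32~1.EXE back to the dropper. The verdict requires shadow-copy deletion plus at least one bcdedit rule so that a lone vssadmin list or an admin disabling the F8 menu does not page anyone.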

Network

Country Destination Domain Proto
US 8.8.8.8:53 myexternalip.com udp
US 34.160.111.145:80 myexternalip.com tcp
US 8.8.8.8:53 kochstudiomaashof.de udp
US 8.8.8.8:53 testadiseno.com udp
US 8.8.8.8:53 diskeeper-asia.com udp
US 8.8.8.8:53 gjesdalbrass.no udp
BE 35.195.98.220:80 gjesdalbrass.no tcp
US 8.8.8.8:53 garrityasphalt.com udp
US 198.185.159.144:80 garrityasphalt.com tcp
US 8.8.8.8:53 www.garrityasphalt.com udp
US 198.185.159.144:80 www.garrityasphalt.com tcp
US 8.8.8.8:53 grassitup.com udp
US 3.33.251.168:80 grassitup.com tcp
BE 35.195.98.220:80 gjesdalbrass.no tcp
US 198.185.159.144:80 www.garrityasphalt.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2648-0-0x00000000002F0000-0x00000000002F3000-memory.dmp

memory/2784-1-0x0000000000400000-0x0000000000489000-memory.dmp

memory/2784-5-0x0000000000400000-0x0000000000489000-memory.dmp

memory/2784-3-0x0000000000400000-0x0000000000489000-memory.dmp

memory/2784-9-0x0000000000400000-0x0000000000489000-memory.dmp

memory/2784-7-0x0000000000400000-0x0000000000489000-memory.dmp

memory/2784-15-0x0000000000400000-0x0000000000489000-memory.dmp

memory/2784-19-0x0000000000400000-0x0000000000489000-memory.dmp

memory/2784-18-0x0000000000400000-0x0000000000489000-memory.dmp

memory/2648-16-0x00000000002F0000-0x00000000002F3000-memory.dmp

memory/2784-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2784-11-0x0000000000400000-0x0000000000489000-memory.dmp

\Users\Admin\AppData\Roaming\dujgyacroic.exe

MD5 4ece3282f3b5e5ebe0b928ea54b008e7
SHA1 5265c0f16cf4c1e09bf76c75c5256d53112b1da7
SHA256 128f8916d9fb9f5f19b277f7dcb457e403263eece127a888aa0caec3c5b278df
SHA512 35a4e0ea29250dd1134776fa3f6599f7768a622060e0cda8d139dccae3271d7bc96f7d021c3315c5b42fdd8d38af839c1b764488f43b808b99839b278dc5cd21

memory/2720-25-0x0000000000400000-0x000000000056A000-memory.dmp

memory/2784-26-0x0000000000400000-0x0000000000489000-memory.dmp

memory/776-48-0x0000000000400000-0x0000000000489000-memory.dmp

memory/2720-47-0x0000000000400000-0x000000000056A000-memory.dmp

memory/776-46-0x0000000000400000-0x0000000000489000-memory.dmp

memory/776-49-0x0000000000400000-0x0000000000489000-memory.dmp

memory/776-54-0x0000000000400000-0x0000000000489000-memory.dmp

memory/776-53-0x0000000000400000-0x0000000000489000-memory.dmp

memory/776-52-0x0000000000400000-0x0000000000489000-memory.dmp

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+sni.txt

MD5 6cbd28bcc9b27bc981fa27f55e0155c3
SHA1 31e5eae6be8c8c938a791de5fa4f0c8eb70eb46e
SHA256 71380003f488285626e5b2f8e0867d992a2c9acd1e0d7d2427d71f1e70615c04
SHA512 bb7132c7525fcd6f79201954bb7580c50b0698c0472a51e045570cc821c222150be5dc9cc34464084a3d2ee31ceca3afbba6c2b7b32e3de73b3d8ec8add16379

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+sni.html

MD5 39161abaaf7e1d20e9c536d560d9d85d
SHA1 8d71e16f6499138db6aad10edb9b109d699f37c5
SHA256 fe2b326c422529bc34144004b922487611676cadd22809969781b1c9552322c4
SHA512 96bd876d49de83a5f14ae94094f8e7f4e37afcd70078bf967d7e967d416dad4d5ef0f8191d32f6b5186c3c002abf2264100b42b323884965ad7cc4385a90c70f

memory/776-851-0x0000000000400000-0x0000000000489000-memory.dmp

memory/776-854-0x0000000000400000-0x0000000000489000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

MD5 3c0a28fd4262fd2e857d7d86e1f0d757
SHA1 4631878b148b1f5b04fc0258c65cd07373818369
SHA256 688d58679df192e11774026dd37f100593be6a7f9255aedf4b63df0ac8db80bb
SHA512 94145cdd52d3efa3f711d220c05793140ff402949a33cd46ad8e52b2763a82cbecf69529b7ace39721fc03f4fa580f45eeb4f8709c05919dad53fd79191f07c6

C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 ded47b4014bbfd29e9bcb6bc8f07fdbc
SHA1 93b33439e47c404ce30024c00b324fc5798dcafc
SHA256 1c36f0713dadc746903310531cddf9ca80b8da766a765b929feb3dead865815f
SHA512 5ecbd70d74d63999fbe1d7e4c3c1679c297f077e6519bcd5d512c4adef6420d93931f809430f782df1fbc57973899f997b986dbac75028b1d1fdd92a9d40313e

C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

MD5 514737d7294b382d76e57984ff1971fc
SHA1 266bff3a29756ad1beecf41ae479660d44e7bb1c
SHA256 fd76b48f0056f0936637de4f067069d948ea1f2618749603c5ccc6407120d652
SHA512 ed61a6aa8a768e4f7ae5f2b15b232b6b931c68a3e7f5477d8377372d7e02344b0ca8573c931e3b181d3ebc60d16515d5068883e0b12425e014d73daa85f7b379

memory/776-4379-0x0000000000400000-0x0000000000489000-memory.dmp

memory/776-4386-0x0000000003190000-0x0000000003192000-memory.dmp

memory/2980-4387-0x0000000000120000-0x0000000000122000-memory.dmp

C:\Users\Admin\Desktop\Howto_Restore_FILES.BMP

MD5 5a25b4430a5675fb2b7d4086bc4b73b0
SHA1 c500d6555303fe5ffe5ef147acb0c9760b264454
SHA256 e19b1548bc71f90d0cced898ccbb98c84f445e92b1a263cd59426ac4fd1fd880
SHA512 88dbce7bf48f30146a197a1bc0111bfce6602d1344db3d6afc151ab2b279bca1e0c490d99edf8366d3c4685cd3b2e011d5c37aa7b06a0e8fe0b9c128fd23cb17

C:\Users\Admin\AppData\Local\Temp\Cab3D60.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar3DC2.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 20437778b2e39534f9754ab940c49d29
SHA1 195547a6bcf1b32863e673afeda43e6b4e23a162
SHA256 c4810818c261b15ed6cadd8554bef36258d4d4c50cc317ca63fcd8bab481be87
SHA512 c00df696c61bd0fd4fc800533623581a15d9cafd6cf37318d19dd524c2ffcd21f7af84af13f5c843ab7fda6207c605303438b7e38f11681b981db18b9d263036

memory/776-4827-0x0000000000400000-0x0000000000489000-memory.dmp

memory/776-4826-0x0000000000400000-0x0000000000489000-memory.dmp

memory/776-4828-0x0000000000400000-0x0000000000489000-memory.dmp

memory/776-4832-0x0000000000400000-0x0000000000489000-memory.dmp

memory/776-4835-0x0000000000400000-0x0000000000489000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6a751ff84331ce6e23b73f43a88befe0
SHA1 9bd604c7852d725acf4d28aa6850ad7e7dbc5792
SHA256 a0bf794343bdc065d7cbf643937c1134b7bcc4a723bca8f6df0a72bbd9a2ac1c
SHA512 dcf88d9598ea4ab1bd402c58bf8ad1ca8ae788907ba0658562f1a712cbb78e97dfd933cf245e1cf021356acdb0484bd4beeaac116615737bb25fd007e6b8d0ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8f3c9b8229f66ae54c7f70df6aec951c
SHA1 b91b4bf0b92787b53941fcdfcd910eaf10aaabc3
SHA256 a361bfc5ce9323e84ba836b9b7598b7c11e4c49bfff39007d5d4bd913b0fed10
SHA512 d5d29870afd89b6535cd64d14d1c1563da3f2e3634298f6701184d92f12c2998f6cf20b4194dee6177842e8663a845779207779e26e39f99e72a2d17f077808f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 caf457f3adbaeb4306733ef7a3e4c200
SHA1 71850b57dd3aab56393f6467ba1bb51aa7c821e7
SHA256 3342f814eef94bc77792b7bc3bffd93cf49cf6c5049de3bc97e576bf1456c145
SHA512 b9635612e84abb493bb72980e12881a2aaeab1e2f42615aaa11dc49aa5fd0013a9a4a747b686d360343923e81ceb0ab9a19108de4df1c958fb7c042eb646dd9a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 876d5e8d98ce1ccc351fbee01bf19736
SHA1 708834b097349722df702dcad0cda40c2d5246b0
SHA256 81ee7ab1326de83f22d312285a45f25567f6257c840492d39a7083850d818993
SHA512 d7cff88335e8b066281d8a1d93533bb47cb087eede08d2bf108aa831d86bd2920efecfd0687f6f6db3880a7b9584601fb8dcbb2c4576cccd1280292cdba5157d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 964469bbb3e59d9b1398298e8a90a830
SHA1 2ece1ea039cf68abc883832d1c6e5387fa6279eb
SHA256 39d32a474c921809aead60d193b4343f72ab152fd2169871b6c216b4d789e840
SHA512 d1c794faf17189cc60d15c86e728c9af38c3bd2e99fcb7e93f9fe41d506d3c84389a3dc7ef966e2190398eb1d09b04c017096b774f56c22b8100778eb418a68e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 732d33e5a20215b4645e545bc8e75a4c
SHA1 7b07f32fcc76e1942f36e1e1b1550961821f88d6
SHA256 ced9c058bd2a57d90abb73ca52cdb2a8f66e265caea86893805a1b5194634dba
SHA512 a928d552e91bca9e299b991676c1ea3532f65988b6ff18701a32655f5fbd50c9286c0b6d0f0c7fefde1545bcb04dc7c0f4d3f3521d1e4fe1ca47f5efdc26150c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0b1f3f05512d750ad0d03f0da3470e65
SHA1 3dadbda8fbf042be501540ddd2fa0e9c27a86c66
SHA256 c7558eb8c3359275413ec0d759926ef65e4881142f7d27ce39c9dee7295b62a1
SHA512 2927562633b9ab64d4d2b96036b77965b48a369eb6f7bc4ab75ad69c2f41690aabe66fcb4cf86c692386e165eacae514dfd9e44f97694283ef196a714b96f2d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 05e13a1adc02f68d1807f1b2c56c326a
SHA1 04081384b5e895c09d34c9f71e1ce100f1ca7573
SHA256 4a4228de2353e6f7d808472606af69d09178dc33941a9a9a71c0dd08443f5640
SHA512 e6561b04f831099d1910ff02f318caf240a12eb0916f0045e74ac5283fe7e1052a3e5c716ce5b6bea05a021672471d1594b473d5da6086e10c374b0698819e73

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b7e79d0f14ce4189fe00b6bd2dd4bc1
SHA1 fc4e487aa25c31bf757f427489b8fbf3336c973d
SHA256 3de4e927676728217cadb7931a1004d37b2df1892eba844d05dd5f3512228f51
SHA512 9f3e3ad0e1b35007a166edf44aa3a5c40b1f8a80614055ac0c98ecf40f408babf4bead7f2ce2dffb55ebdb4ce6d2bbb5ada65e066d170830dd84bad1aaaf1ae5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 edafd2b67528d23afeda865641f0b7a0
SHA1 cbc677049886abc075fb8363d05008c256b9c4db
SHA256 d810184b466b0b8a49cd4b220257047603cf6b2d78c180089de0b97d506c04f0
SHA512 2878d11e85d980c0d63cd2526909b30f70a07b6769eab1f5dd3e2ddd8129fc8e67aa55333941781d60a39cbe58859324d4ba3e0a4ec757e412b4fd59639a9354
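The Files list above records the note pair how_recover+sni.txt / how_recover+sni.html written into C:\MSOCache\... and Howto_Restore_FILES.BMP on the desktop; the second run below drops the same pair under a different three-letter tag (fmj) into Program Files directories and the Start Menu Startup folder. Because this family drops its note into every directory it encrypts, the set of note locations is a direct map of the blast radius on a recovered disk. The Python below is an added example, not part of the sandbox report: it sweeps a tree for those note names, records the directories hit, groups notes by tag, hashes them to count distinct note bodies, and flags notes in the Startup folder (which is what makes the note reappear at every logon). The directory tree and note contents built by build_sample_tree() are constructed for the example; the real notes' contents are not on this page.

```python
"""Ransom-note sweep: map which directories a file-encrypting sample touched.

Added example, not part of the sandbox report. The note filenames are the ones
recorded in the Files and Drops startup file signatures; the tree built by
build_sample_tree() and the note bodies in it are constructed placeholders.
"""
import hashlib
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Set

# how_recover+<3-char tag>.(txt|html) per directory, Howto_Restore_FILES.(TXT|HTM|BMP) on the desktop
NOTE_RE = re.compile(
    r"^(?:how_recover\+(?P<tag>[a-z0-9]{3})\.(?:txt|html)|howto_restore_files\.(?:txt|htm|bmp))$",
    re.IGNORECASE,
)


@dataclass
class SweepResult:
    notes: List[str] = field(default_factory=list)         # note paths relative to root
    directories: List[str] = field(default_factory=list)   # directories containing a note
    tags: Set[str] = field(default_factory=set)            # per-infection tag(s) seen
    distinct_bodies: int = 0                               # unique note contents by SHA-256
    startup_notes: List[str] = field(default_factory=list) # notes placed in a Startup folder


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _in_startup_folder(rel: Path) -> bool:
    parts = [p.lower() for p in rel.parts]
    return "start menu" in parts and "programs" in parts and "startup" in parts


def sweep_notes(root: Path) -> SweepResult:
    """Walk root and collect every file whose name matches the ransom-note patterns."""
    res = SweepResult()
    hashes: Set[str] = set()
    dirs: Set[str] = set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        m = NOTE_RE.match(p.name)
        if not m:
            continue
        rel = p.relative_to(root)
        res.notes.append(str(rel))
        dirs.add(str(rel.parent))
        if m.group("tag"):
            res.tags.add(m.group("tag").lower())
        hashes.add(sha256_file(p))
        if _in_startup_folder(rel):
            res.startup_notes.append(str(rel))
    res.notes.sort()
    res.directories = sorted(dirs)
    res.distinct_bodies = len(hashes)
    return res


def build_sample_tree(base: Path) -> Path:
    """Constructed layout mirroring note locations in this report; bodies are placeholders."""
    txt = b"constructed placeholder for the .txt ransom note\n"
    html = b"<html>constructed placeholder for the .html ransom note</html>\n"
    bmp = b"BM constructed placeholder for the wallpaper note\n"
    files = {
        "MSOCache/All Users/{90140000-0016-0409-0000-0000000FF1CE}-C/how_recover+sni.txt": txt,
        "MSOCache/All Users/{90140000-0016-0409-0000-0000000FF1CE}-C/how_recover+sni.html": html,
        "Users/Admin/Desktop/Howto_Restore_FILES.TXT": txt,
        "Users/Admin/Desktop/Howto_Restore_FILES.HTM": html,
        "Users/Admin/Desktop/Howto_Restore_FILES.BMP": bmp,
        "Users/Admin/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/how_recover+sni.txt": txt,
        "Program Files/Java/jre7/THIRDPARTYLICENSEREADME.txt": b"not a note\n",
        "Users/Admin/Documents/budget.xlsx": b"not a note either\n",
    }
    for rel, body in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
    return base


def demo() -> SweepResult:
    """Build the constructed tree in a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as d:
        return sweep_notes(build_sample_tree(Path(d)))


if __name__ == "__main__":
    r = demo()
    print(f"{len(r.notes)} notes in {len(r.directories)} directories, tags={sorted(r.tags)}, "
          f"{r.distinct_bodies} distinct bodies, startup={r.startup_notes}")
```

On a real image, point sweep_notes at the mounted volume root; the directories list tells you which trees were encrypted, the tag set tells you whether one or several infections wrote notes, and the distinct-bodies count tells you how many note variants to preserve as evidence before anything is cleaned up.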

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 20:14

Reported

2024-10-16 20:17

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A

Renames multiple (884) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+fmj.txt C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+fmj.html C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Acrndtd = "C:\\Users\\Admin\\AppData\\Roaming\\bsdrlacroic.exe" C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ru-RU\View3d\how_recover+fmj.html C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\how_recover+fmj.txt C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-100.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ko-KR\View3d\how_recover+fmj.html C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\how_recover+fmj.txt C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\how_recover+fmj.txt C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\12.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-60_contrast-black.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\how_recover+fmj.html C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\dotnet\host\fxr\7.0.16\how_recover+fmj.txt C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\how_recover+fmj.txt C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\images\PaySquare44x44Logo.targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSmallTile.scale-125.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\LargeTile.scale-200.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\BadgeLogo.scale-125.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalSplashScreen.scale-125_contrast-white.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-48_altform-unplated.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\PhotosApp\Assets\how_recover+fmj.txt C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCacheMini.scale-125.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\how_recover+fmj.txt C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\how_recover+fmj.html C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\how_recover+fmj.txt C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200_contrast-high.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fi-FI\how_recover+fmj.txt C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Tongue.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\how_recover+fmj.txt C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailSmallTile.scale-100.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookPromoTile.scale-100.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2019.716.2313.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\how_recover+fmj.txt C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-48_altform-unplated.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailMediumTile.scale-125.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\how_recover+fmj.txt C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\LargeTile.scale-200.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\how_recover+fmj.txt C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-standard\how_recover+fmj.txt C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-32_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\how_recover+fmj.html C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-80_altform-lightunplated.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-60_altform-unplated.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\AppxMetadata\how_recover+fmj.txt C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sr\how_recover+fmj.html C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\how_recover+fmj.txt C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\how_recover+fmj.html C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\webviewCore.min.js C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-40_altform-unplated.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\how_recover+fmj.txt C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\how_recover+fmj.html C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-64_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-80_contrast-high.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GameBar_StoreLogo.scale-100.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\how_recover+fmj.txt C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Bark.jpg C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-32.png C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\PhotosApp\Assets\ThirdPartyNotices\how_recover+fmj.html C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg5.jpg C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\how_recover+fmj.html C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\how_recover+fmj.txt C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe
PID 2384 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe
PID 2384 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3168 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe
PID 3128 wrote to memory of 548 N/A C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 3128 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe C:\Windows\System32\vssadmin.exe
PID 3128 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 3128 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 3128 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 3128 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 3128 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 3128 wrote to memory of 220 N/A C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 220 wrote to memory of 2948 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3128 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe C:\Windows\System32\vssadmin.exe
PID 220 wrote to memory of 2476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4ece3282f3b5e5ebe0b928ea54b008e7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe

C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4ECE32~1.EXE

C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe

C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {current} bootems off

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {current} advancedoptions off

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {current} optionsedit off

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {current} recoveryenabled off

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_Restore_FILES.TXT

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\Howto_Restore_FILES.HTM

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd404546f8,0x7ffd40454708,0x7ffd40454718

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,11984454841319607603,9971687973897260388,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1960 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,11984454841319607603,9971687973897260388,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,11984454841319607603,9971687973897260388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11984454841319607603,9971687973897260388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11984454841319607603,9971687973897260388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1956 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,11984454841319607603,9971687973897260388,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,11984454841319607603,9971687973897260388,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11984454841319607603,9971687973897260388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11984454841319607603,9971687973897260388,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11984454841319607603,9971687973897260388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,11984454841319607603,9971687973897260388,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\BSDRLA~1.EXE

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 myexternalip.com udp
US 34.160.111.145:80 myexternalip.com tcp
US 8.8.8.8:53 kochstudiomaashof.de udp
US 8.8.8.8:53 testadiseno.com udp
US 8.8.8.8:53 diskeeper-asia.com udp
US 8.8.8.8:53 gjesdalbrass.no udp
BE 35.195.98.220:80 gjesdalbrass.no tcp
US 8.8.8.8:53 145.111.160.34.in-addr.arpa udp
US 8.8.8.8:53 garrityasphalt.com udp
US 198.185.159.144:80 garrityasphalt.com tcp
US 8.8.8.8:53 www.garrityasphalt.com udp
US 198.185.159.144:80 www.garrityasphalt.com tcp
US 8.8.8.8:53 grassitup.com udp
US 3.33.251.168:80 grassitup.com tcp
US 8.8.8.8:53 144.159.185.198.in-addr.arpa udp
US 8.8.8.8:53 168.251.33.3.in-addr.arpa udp
US 8.8.8.8:53 kochstudiomaashof.de udp
US 8.8.8.8:53 testadiseno.com udp
US 8.8.8.8:53 diskeeper-asia.com udp
BE 35.195.98.220:80 gjesdalbrass.no tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 198.185.159.144:80 www.garrityasphalt.com tcp

Files

memory/1692-0-0x00000000006F0000-0x00000000006F3000-memory.dmp

memory/1692-1-0x00000000006F0000-0x00000000006F3000-memory.dmp

memory/2384-2-0x0000000000400000-0x0000000000489000-memory.dmp

memory/1692-4-0x00000000006F0000-0x00000000006F3000-memory.dmp

memory/2384-5-0x0000000000400000-0x0000000000489000-memory.dmp

memory/2384-3-0x0000000000400000-0x0000000000489000-memory.dmp

memory/2384-6-0x0000000000400000-0x0000000000489000-memory.dmp

C:\Users\Admin\AppData\Roaming\bsdrlacroic.exe

MD5 4ece3282f3b5e5ebe0b928ea54b008e7
SHA1 5265c0f16cf4c1e09bf76c75c5256d53112b1da7
SHA256 128f8916d9fb9f5f19b277f7dcb457e403263eece127a888aa0caec3c5b278df
SHA512 35a4e0ea29250dd1134776fa3f6599f7768a622060e0cda8d139dccae3271d7bc96f7d021c3315c5b42fdd8d38af839c1b764488f43b808b99839b278dc5cd21

memory/3168-11-0x0000000000400000-0x000000000056A000-memory.dmp

memory/2384-12-0x0000000000400000-0x0000000000489000-memory.dmp

memory/3168-18-0x0000000000400000-0x000000000056A000-memory.dmp

memory/3128-17-0x0000000000400000-0x0000000000489000-memory.dmp

memory/3128-16-0x0000000000400000-0x0000000000489000-memory.dmp

memory/3128-19-0x0000000000400000-0x0000000000489000-memory.dmp

memory/3128-20-0x0000000000400000-0x0000000000489000-memory.dmp

memory/3128-23-0x0000000000400000-0x0000000000489000-memory.dmp

memory/3128-24-0x0000000000400000-0x0000000000489000-memory.dmp

C:\Program Files\7-Zip\Lang\how_recover+fmj.html

MD5 021dbeccaa0a1dc7831929e856cf4991
SHA1 fcf64a0d7bc90589bd37b5c37b815ca097abd889
SHA256 b1cafa731145ceb37cf439008646e4974a6453dc38acd603835d6c6616d26ae7
SHA512 b456b464ecde56cfa9ba24b2a12230fa350073465df6a19261e99d35a994dab09383bfd42b66f9ada1d46cacf503b9af0ce30f8756cbfb41844835a1486d10dc

C:\Program Files\7-Zip\Lang\how_recover+fmj.txt

MD5 a98cc3159823be74b3a65c807ab4dd5a
SHA1 d60ac639bf8bbad0cc1a8ac73f03d88c882ac6b3
SHA256 8c05202e5114111b1f0a7fe4db1db04758e0a4da6447f2ba5f5a07081ef9b88e
SHA512 f2e56dfbcaec762cdb55b65aa6e744ad51d31ee366c10b4c4c251cd88ac8525a7dd0f23039abcebc5fa7aa332af5cd98b317982912f9e2993352e2e04aec7631

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 6fae519777e13d96b720fcf8277a5836
SHA1 73ceb4eb7b710e584d10a6c00f81ae6357cb7c38
SHA256 525a0d462b42adcb603b847ee88b36cae3f69249aace13321ba5598a42f9e283
SHA512 8bc0afbc951392d0641c06594902cfe9b15b96e6ef29c696200c801dc88081df6b3e985e043309ba7423e11c44facd3ac32c7ccc0cc9342f66858538bff8cab2

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

MD5 b1462d2eda461eb1f870b5c2e51002e4
SHA1 632d2b133cf280e52fb7a0c0a475082c738c9f88
SHA256 98f7e1ea1a51e17d26b4240a11ec4f3fb1587c9f4487bf74bfa87106c297638b
SHA512 33b66cfff4801936b27767e39b550206e9e88a362cbe118dda53ae7b991af2329e5a55b1de6acab87fdee2e9e991800c583abc3382fc55bcf60f5b7ceaa7103e

C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

MD5 f2424a92bea74b23049bdf4485bf00c0
SHA1 212b7ac98e5150e829f1b5af00cf177cf7f45ae0
SHA256 44468a4d58abbf918f0548cf0e4c840fec907bf660ff0d07cf8d59a6c8a9d7af
SHA512 9df50ab327105252e69ea6f912abbc993739f472b506cae4a74a352042d892a17a14d4d87bb3613dab4bc6af492f3d3039ad8f9a732ffe81808cd449778b0728

memory/3128-2259-0x0000000000400000-0x0000000000489000-memory.dmp

memory/3128-2258-0x0000000000400000-0x0000000000489000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{b793433c-19d0-4103-bc12-9373e111268b}\0.1.filtertrie.intermediate.txt

MD5 f1dc9f4640f90ed534a225c5b4b26ea9
SHA1 def5c9e498710e5e7bab410c50b434d8aa53b3c3
SHA256 34929ac4cc0f574874283e000dbd54aa2e1eb8af266847bdb1ea89e24b32abef
SHA512 ddd7c5b7a3a78e1841f3052ff4733aa1c6a2207344b9eb63f93de4ac8515f3d732a90d45d16e72286679d5b35e37f7ef75fed4166700229b979efddb2b809d57

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{b793433c-19d0-4103-bc12-9373e111268b}\0.2.filtertrie.intermediate.txt

MD5 adc81f78ad602440e505ef70c2dee7b6
SHA1 3e7f851379121df4c3cefc85923a8a24d20fbd3e
SHA256 3bed0dd95186bf03caa7c3a5908336baae85f33a524290cb4151b6221efe80fa
SHA512 c25db3ada27bdc847135de238faeed95135d7c99647b68e746f7dedb1a7350462d30c5c9b3d0d8fe422b2eb6df45c6dc46a817b37f964646995252972486738a

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727665766873969.txt

MD5 4c47305d98696fbdd0179ece407b704d
SHA1 def5114aa04f2feb109944803dbaa3f2a6d7e74c
SHA256 418a8b61a41ef1ebc90494ef32602146dcfe83b6750f0d314caa037f42a806e5
SHA512 b19969e1cfdc2d1fa46be62c1742bc9d88fdd5391ff76892919a61f35dbd167e978e09ebf9f8454f5e9fd1e62c72b85d8e0f086f820a0f1e2b4aeb8360090b79

memory/3128-7678-0x0000000000400000-0x0000000000489000-memory.dmp

memory/3128-7680-0x0000000000400000-0x0000000000489000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ba6ef346187b40694d493da98d5da979
SHA1 643c15bec043f8673943885199bb06cd1652ee37
SHA256 d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
SHA512 2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

\??\pipe\LOCAL\crashpad_220_XKMNEDKITTKURZRY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b8880802fc2bb880a7a869faa01315b0
SHA1 51d1a3fa2c272f094515675d82150bfce08ee8d3
SHA256 467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
SHA512 e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

memory/3128-7713-0x0000000000400000-0x0000000000489000-memory.dmp

memory/3128-7714-0x0000000000400000-0x0000000000489000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f9031e99389ecc71d847309bdd9773c8
SHA1 f2f2b8c3057105ace0bb88146339a789acf45d79
SHA256 ab0e8dee2e7f93e6914d82edb340a7d3c8787db41ec6a441124203c6b47ca6cf
SHA512 cad2349faf6f3e017ac852667d093ada88ce7da1c6c33cbb6ac444a69c24aac1c46553779392a94100742c3b783205acf8d1545327d6c79c921ca6e34ac307f0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/3128-7744-0x0000000000400000-0x0000000000489000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 06a878bb2a059d6471cc1b2e89aea3da
SHA1 100d50ede63214c6c3f6c26c341cc1cfb9da5655
SHA256 6f9dd0ac355a340e53121c9c755a3ab095a829070059d254db1943a0be573bf1
SHA512 0e1e4a3557997416bb0b6200e296ad73470a0a70dabdcb3f9a8ee783af8a11656d95b27770fdeed95e298e823cdcad53e591ecf398dbe898f7e5f5fb08ecb869

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 da814ff9bef73c3956ae4035b5965719
SHA1 ab6f2b3b17b55e73438521f313d96cd4c7b84b80
SHA256 9636dfb158aaddaff6aac358c5823a36ce1c92e480723fa4b39b7a5a813a5f25
SHA512 889dc997369821db52c708cfed22c10b068a1419872fc1ecc2d06e9823bbe592f5e8c58c1d3c1f6e09696b9cb86fd21cbef3b53f3fd9cfe34720f073796cce93

memory/3128-7761-0x0000000000400000-0x0000000000489000-memory.dmp