Malware Analysis Report

2025-01-22 20:15

Sample ID 241019-x9sx1awfmk
Target 5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118
SHA256 e41d77be5d026d0d9a8bbdf15de64421f0f92343a09e936ec489b2f33f168893
Tags
defense_evasion discovery execution impact persistence ransomware spyware stealer
score
10/10


Analysis Overview

score
10/10

SHA256

e41d77be5d026d0d9a8bbdf15de64421f0f92343a09e936ec489b2f33f168893

Threat Level: Known bad

The file 5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery execution impact persistence ransomware spyware stealer

Renames multiple (889) files with added filename extension

Renames multiple (432) files with added filename extension

Deletes shadow copies

Drops startup file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Deletes itself

Indicator Removal: File Deletion

Looks up external IP address via web service

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Uses Volume Shadow Copy service COM API

Suspicious use of SendNotifyMessage

Interacts with shadow copies

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-19 19:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-19 19:33

Reported

2024-10-19 19:36

Platform

win7-20240903-en

Max time kernel

122s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (432) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_hpogn.html C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_hpogn.html C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ms-helper = "C:\\Users\\Admin\\AppData\\Roaming\\vcwlyb.exe" C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ms-helper = "C" C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\restore_files_hpogn.html C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sk\restore_files_hpogn.html C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\restore_files_hpogn.html C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\restore_files_hpogn.html C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square.png C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\de-DE\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sv.pak C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\restore_files_hpogn.html C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\restore_files_hpogn.html C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\restore_files_hpogn.html C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\restore_files_hpogn.html C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mk\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-down.png C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot_lrg.png C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\restore_files_hpogn.html C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NextMenuButtonIcon.png C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\es_MX\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Windows Media Player\it-IT\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\restore_files_hpogn.html C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Flyout_Thumbnail_Shadow.png C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ja.pak C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\restore_files_hpogn.html C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\de-DE\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ff\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\meta_engine\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Windows Media Player\de-DE\restore_files_hpogn.html C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\settings.css C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\ja-JP\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\af.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\restore_files_hpogn.html C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Common Files\System\en-US\restore_files_hpogn.html C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\restore_files_hpogn.html C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\ja-JP\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\restore_files_hpogn.html C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca@valencia\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedZhengMa.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\restore_files_hpogn.html C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\restore_files_hpogn.html C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\restore_files_hpogn.html C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\restore_files_hpogn.txt C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_ButtonGraphic.png C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435528294" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0F2F54B1-8E51-11EF-A073-FA59FB4FA467} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not preserved in this copy of the report] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000e7c2dcfdd30afd571e22e5db14071697d1382279a98d22f63066833dff81fc49000000000e80000000020000200000000eea8988c97132e36aa94a0b91127d39e9549b8d745276b5f512bd0cc386fc2e200000000f92e4a2209538a503ba2633f04360da3024c98dc0c510c307bca51e3e3a8ee24000000010c17cad9fb27f3ae26f574eec3295d7c16d13b3cee1a65b0d1d5c8c1674f01b17dadce1f2a9286dec8bcc5f1e22b5d625b55d22e39516037fcaa757649c1c2a C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0054cfe35d22db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
(the row above is repeated 64 times in the report, all from C:\Users\Admin\AppData\Roaming\vcwlyb.exe)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3000 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\vcwlyb.exe
PID 3000 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\vcwlyb.exe
PID 3000 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\vcwlyb.exe
PID 3000 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\vcwlyb.exe
PID 3000 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 484 N/A C:\Users\Admin\AppData\Roaming\vcwlyb.exe C:\Windows\System32\vssadmin.exe
PID 2388 wrote to memory of 484 N/A C:\Users\Admin\AppData\Roaming\vcwlyb.exe C:\Windows\System32\vssadmin.exe
PID 2388 wrote to memory of 484 N/A C:\Users\Admin\AppData\Roaming\vcwlyb.exe C:\Windows\System32\vssadmin.exe
PID 2388 wrote to memory of 484 N/A C:\Users\Admin\AppData\Roaming\vcwlyb.exe C:\Windows\System32\vssadmin.exe
PID 2388 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Roaming\vcwlyb.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2388 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Roaming\vcwlyb.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2388 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Roaming\vcwlyb.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2388 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Roaming\vcwlyb.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2388 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\vcwlyb.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2388 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\vcwlyb.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2388 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\vcwlyb.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2388 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\vcwlyb.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2388 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Roaming\vcwlyb.exe C:\Windows\System32\vssadmin.exe
PID 2388 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Roaming\vcwlyb.exe C:\Windows\System32\vssadmin.exe
PID 2388 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Roaming\vcwlyb.exe C:\Windows\System32\vssadmin.exe
PID 2388 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Roaming\vcwlyb.exe C:\Windows\System32\vssadmin.exe
PID 1996 wrote to memory of 1704 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1996 wrote to memory of 1704 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1996 wrote to memory of 1704 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1996 wrote to memory of 1704 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2388 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Roaming\vcwlyb.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Roaming\vcwlyb.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Roaming\vcwlyb.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Roaming\vcwlyb.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Roaming\vcwlyb.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\vcwlyb.exe

C:\Users\Admin\AppData\Roaming\vcwlyb.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\5E4B56~1.EXE >> NUL

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RESTORE_FILES.HTML

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwlyb.exe >> NUL

Network


Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-19 19:33

Reported

2024-10-19 19:36

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (889) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_vrghn.txt C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_vrghn.html C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_vrghn.txt C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_vrghn.html C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ms-helper = "C:\\Users\\Admin\\AppData\\Roaming\\vcwdqu.exe" C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ms-helper = "C" C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupLargeTile.scale-400.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32_altform-unplated.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Dark.scale-300.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100_contrast-high.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\restore_files_vrghn.html C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\restore_files_vrghn.html C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\restore_files_vrghn.txt C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\restore_files_vrghn.txt C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sw-KE\View3d\restore_files_vrghn.txt C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\subscription_intro\auto-renew.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyView.scale-100.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\restore_files_vrghn.txt C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\restore_files_vrghn.txt C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\brx\restore_files_vrghn.txt C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\eu-ES\View3d\restore_files_vrghn.txt C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FileSway32x32.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-200.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageLargeTile.scale-150.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailSmallTile.scale-400.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OneNote\restore_files_vrghn.txt C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-30_altform-unplated_contrast-high.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-30.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-100_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\restore_files_vrghn.html C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.scale-200.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\es-ES\restore_files_vrghn.html C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\en-GB.pak C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\restore_files_vrghn.html C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-150.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Fonts\restore_files_vrghn.html C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\restore_files_vrghn.txt C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\BadgeLogo.scale-125_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_vrghn.html C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSplashScreen.scale-100_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-100.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-30_altform-unplated.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxBadge.scale-125.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\restore_files_vrghn.txt C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\Windows Defender\es-ES\restore_files_vrghn.txt C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-30_altform-unplated.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-24.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-200.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageWideTile.scale-100.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\155.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-32_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\mk-MK\View3d\restore_files_vrghn.html C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\restore_files_vrghn.html C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fa\restore_files_vrghn.txt C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\LibrarySquare71x71Logo.scale-100.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\restore_files_vrghn.html C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\restore_files_vrghn.txt C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\restore_files_vrghn.txt C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-Toolkit\Images\restore_files_vrghn.txt C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SmallTile.scale-100_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\zh-cn.txt C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\he-IL\restore_files_vrghn.txt C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sq\restore_files_vrghn.txt C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Square150x150Logo.scale-125.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\restore_files_vrghn.txt C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp10.scale-100.png C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\services_discovery\restore_files_vrghn.txt C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Events
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 25

Suspicious use of SendNotifyMessage

Description Indicator Process Target Events
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 24

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2032 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\vcwdqu.exe 3
PID 2032 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe 3
PID 1384 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\vcwdqu.exe C:\Windows\System32\vssadmin.exe 2
PID 1384 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Roaming\vcwdqu.exe C:\Windows\SysWOW64\NOTEPAD.EXE 3
PID 1384 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Roaming\vcwdqu.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2
PID 3872 wrote to memory of 1648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2
PID 1384 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Roaming\vcwdqu.exe C:\Windows\System32\vssadmin.exe 2
PID 3872 wrote to memory of 5476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 40
PID 3872 wrote to memory of 5528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2
PID 3872 wrote to memory of 5524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 5

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Roaming\vcwdqu.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\vcwdqu.exe

C:\Users\Admin\AppData\Roaming\vcwdqu.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\5E4B56~1.EXE >> NUL

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RESTORE_FILES.HTML

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee7ec46f8,0x7ffee7ec4708,0x7ffee7ec4718

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,6553483869798237726,17365737414353314712,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,6553483869798237726,17365737414353314712,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,6553483869798237726,17365737414353314712,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6553483869798237726,17365737414353314712,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6553483869798237726,17365737414353314712,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,6553483869798237726,17365737414353314712,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,6553483869798237726,17365737414353314712,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6553483869798237726,17365737414353314712,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6553483869798237726,17365737414353314712,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6553483869798237726,17365737414353314712,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6553483869798237726,17365737414353314712,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwdqu.exe >> NUL

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,6553483869798237726,17365737414353314712,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2432 /prefetch:2
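
The Processes list above, together with the EnableLinkedConnections value recorded under System policy modification, contains the four behaviours worth alerting on: vssadmin delete shadows /all /Quiet (shadow copy destruction, run twice), cmd.exe /c del ... >> NUL launched against the sample's own image (note the 8.3 short name 5E4B56~1.EXE, which defeats a naive string match on the long path) and later against the dropped copy, NOTEPAD.EXE and msedge.exe launched by the dropped copy to display RESTORE_FILES.TXT/.HTML, and EnableLinkedConnections = 1, which makes the user's mapped network drives visible to elevated processes so that shares can be reached from the elevated context. The Python below is an added example, not part of this report or of the sandbox's own signature logic: it encodes those rules and runs them over event records constructed from the command lines on this page. The Event fields are an invented schema, the wmic shadowcopy pattern is a generalisation beyond what the page shows, the 8.3 alias derivation is simplified, and the parent of the second cmd.exe (del vcwdqu.exe) is not recorded on the page and is assumed to be vcwdqu.exe.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal event record; the field names are an assumed schema, not an EDR's."""
    kind: str              # "process" (creation) or "registry" (value set)
    image: str             # created process, or the process writing the registry value
    cmdline: str = ""
    parent: str = ""       # parent image (process events)
    key: str = ""          # full value path (registry events)
    value: str = ""        # data written (registry events)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def short_name_pattern(long_name: str) -> re.Pattern:
    """Regex matching long_name itself or its simplified 8.3 alias
    (first six stem characters, ~N, first three extension characters)."""
    stem, dot, ext = long_name.rpartition(".")
    if not dot:
        stem, ext = long_name, ""
    stem6 = re.escape(re.sub(r"[ .]", "", stem)[:6])
    alias = stem6 + r"~\d+" + (r"\." + re.escape(ext[:3]) if ext else "")
    return re.compile(rf"^(?:{re.escape(long_name)}|{alias})$", re.I)


ARGS = re.compile(r'"[^"]*"|\S+')
DEL_TARGET = re.compile(r'\bdel\b(?:\s+/\w+)*\s+("[^"]+"|[^\s>]+)', re.I)
SHADOW_DELETE = [
    re.compile(r'vssadmin(?:\.exe)?"?\s+delete\s+shadows', re.I),
    re.compile(r'wmic(?:\.exe)?"?\s+shadowcopy\s+delete', re.I),  # generalisation, not on the page
]
NOTE_NAME = re.compile(r"^restore_files(?:_[a-z0-9]{5})?\.(?:txt|html)$", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp|Users\\[^\\]+\\(?:Desktop|Downloads))\\", re.I)
LINKED = r"\policies\system\enablelinkedconnections"


def last_arg(cmdline: str) -> str:
    toks = ARGS.findall(cmdline)
    return toks[-1].strip('"') if toks else ""


def rules_for(ev: Event) -> list[str]:
    """Names of the rules this single event trips."""
    hits = []
    if ev.kind == "registry":
        if ev.key.lower().endswith(LINKED) and ev.value.strip() == "1":
            hits.append("enable_linked_connections")
        return hits
    if any(p.search(ev.cmdline) for p in SHADOW_DELETE):
        hits.append("shadow_copy_deletion")
    if basename(ev.image).lower() == "cmd.exe" and ev.parent:
        m = DEL_TARGET.search(ev.cmdline)
        # Self-deletion: cmd's del target is the parent's image, by long or 8.3 name.
        if m and short_name_pattern(basename(ev.parent)).match(basename(m.group(1).strip('"'))):
            hits.append("self_deletion")
    # A viewer opening a note-named file on behalf of a process in a user-writable path.
    if NOTE_NAME.match(basename(last_arg(ev.cmdline))) and USER_WRITABLE.search(ev.parent):
        hits.append("ransom_note_opened")
    return hits


def evaluate(events) -> list[tuple[str, str]]:
    return [(rule, basename(ev.image)) for ev in events for rule in rules_for(ev)]


# Event records constructed from the command lines in this report's Processes list.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118.exe"
COPY = r"C:\Users\Admin\AppData\Roaming\vcwdqu.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
EVENTS = [
    Event("process", r"C:\Windows\System32\vssadmin.exe",
          r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet', parent=COPY),
    Event("process", r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\5E4B56~1.EXE >> NUL',
          parent=SAMPLE),
    # Parent of this second cmd.exe is not recorded on the page; assumed to be the copy.
    Event("process", r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwdqu.exe >> NUL',
          parent=COPY),
    Event("process", r"C:\Windows\SysWOW64\NOTEPAD.EXE",
          r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT', parent=COPY),
    Event("process", EDGE, rf'"{EDGE}" --single-argument C:\Users\Admin\Desktop\RESTORE_FILES.HTML',
          parent=COPY),
    Event("registry", COPY,
          key=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections",
          value="1"),
    # Benign control: Edge's own crashpad child must not trip any rule.
    Event("process", EDGE, rf'"{EDGE}" --type=crashpad-handler /prefetch:7', parent=EDGE),
]

if __name__ == "__main__":
    for rule, image in evaluate(EVENTS):
        print(f"{rule:28s} {image}")
```

The self-deletion rule matches on the parent's image name rather than on a fixed path, because the del target is whatever cmd.exe was handed, here the 8.3 alias of the long filename; the same rule also catches the plain long-name form used against vcwdqu.exe.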

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 wanderleben.info udp
US 8.8.8.8:53 elifeline.us udp
US 216.160.185.162:80 elifeline.us tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 162.185.160.216.in-addr.arpa udp
US 8.8.8.8:53 strategyconsulting.dk udp
DK 94.231.103.100:80 strategyconsulting.dk tcp
US 8.8.8.8:53 100.103.231.94.in-addr.arpa udp
US 8.8.8.8:53 www.businesstransformation.dk udp
DK 93.191.156.102:80 www.businesstransformation.dk tcp
DK 93.191.156.102:443 www.businesstransformation.dk tcp
US 8.8.8.8:53 102.156.191.93.in-addr.arpa udp
US 8.8.8.8:53 businesstransformation.dk udp
DK 93.191.156.102:443 businesstransformation.dk tcp
US 8.8.8.8:53 majowy.info udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 iepsicoanalisis.com.ar udp
US 8.8.8.8:53 bangaloredial.com udp
US 8.8.8.8:53 djdkduep62kz4nzx.onion.to udp
US 8.8.8.8:53 djdkduep62kz4nzx.tor2web.org udp
AU 103.198.0.111:443 djdkduep62kz4nzx.tor2web.org tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 wanderleben.info udp
US 216.160.185.162:80 elifeline.us tcp
DK 94.231.103.100:80 strategyconsulting.dk tcp
DK 93.191.156.102:443 businesstransformation.dk tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 majowy.info udp
US 8.8.8.8:53 iepsicoanalisis.com.ar udp
US 8.8.8.8:53 bangaloredial.com udp
US 8.8.8.8:53 djdkduep62kz4nzx.onion.to udp
AU 103.198.0.111:443 djdkduep62kz4nzx.tor2web.org tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
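
Most rows in the Network table are not contacts the sample made: the *.in-addr.arpa queries are the sandbox resolving PTR records for observed addresses, 224.0.0.251:5353 is mDNS, and tse1.mm.bing.net is Edge's own background traffic after the HTML note was opened. What remains is the external IP lookup (ipinfo.io), a handful of ordinary-looking domains contacted over plain HTTP/HTTPS, a further set only ever queried in DNS with no TCP follow-up (most likely no longer resolving), and lookups of djdkduep62kz4nzx through two Tor2Web gateways (onion.to, tor2web.org), which expose the .onion address without the sample having to speak Tor. The script below is an added example, not from the report, that sorts the rows into those buckets and extracts the onion address; the gateway suffix list and the benign-domain list are assumptions, and the rows are a constructed subset of the table above.

```python
import re

# Tor2Web gateway suffixes (assumption: the two seen on the page plus a few well-known ones)
# prefixed by a v2 (16 char) or v3 (56 char) onion name.
TOR2WEB = re.compile(
    r"^([a-z2-7]{16}|[a-z2-7]{56})\.(?:onion\.(?:to|ws|ly|pet)|tor2web\.(?:org|io)|darknet\.to)$", re.I)
# Assumed benign: Edge new-tab/background traffic, unrelated to the sample.
BROWSER_BACKGROUND = {"tse1.mm.bing.net"}
IP_LOOKUP = {"ipinfo.io"}


def split_dest(dest: str) -> tuple[str, int]:
    """'host:port' -> (host, port); IPv4 only, as in the report."""
    host, _, port = dest.rpartition(":")
    return host, int(port)


def summarize(rows):
    """Bucket (country, destination, domain, proto) rows and derive the onion address.

    Domains seen only as DNS queries end up in dns_query_only; anything with a
    TCP row lands in one of the contact buckets."""
    summary = {"ptr_noise": 0, "mdns_noise": 0, "browser_background": set(),
               "external_ip_lookup": set(), "tor2web_gateway": set(),
               "direct_contact": set(), "dns_query_only": set(), "onion": set()}
    queried = set()
    for _country, dest, domain, _proto in rows:
        host, port = split_dest(dest)
        if domain.endswith(".in-addr.arpa"):
            summary["ptr_noise"] += 1
            continue
        if host == "224.0.0.251" or port == 5353:
            summary["mdns_noise"] += 1
            continue
        m = TOR2WEB.match(domain)
        if m:   # the onion name is recoverable from the query alone, even without a connection
            summary["onion"].add(m.group(1).lower() + ".onion")
        if port == 53:
            queried.add(domain)
            continue
        if domain in BROWSER_BACKGROUND:
            summary["browser_background"].add((domain, dest))
        elif domain in IP_LOOKUP:
            summary["external_ip_lookup"].add((domain, dest))
        elif m:
            summary["tor2web_gateway"].add((domain, dest))
        else:
            summary["direct_contact"].add((domain, dest))
    contacted = {d for cat in ("browser_background", "external_ip_lookup",
                               "tor2web_gateway", "direct_contact")
                 for d, _ in summary[cat]}
    summary["dns_query_only"] = queried - contacted
    return summary


# Constructed subset of the report's Network rows (country, destination, domain, proto).
ROWS = [
    ("US", "8.8.8.8:53", "154.239.44.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "ipinfo.io", "udp"),
    ("US", "34.117.59.81:80", "ipinfo.io", "tcp"),
    ("US", "8.8.8.8:53", "wanderleben.info", "udp"),
    ("US", "8.8.8.8:53", "elifeline.us", "udp"),
    ("US", "216.160.185.162:80", "elifeline.us", "tcp"),
    ("US", "8.8.8.8:53", "strategyconsulting.dk", "udp"),
    ("DK", "94.231.103.100:80", "strategyconsulting.dk", "tcp"),
    ("US", "8.8.8.8:53", "www.businesstransformation.dk", "udp"),
    ("DK", "93.191.156.102:443", "www.businesstransformation.dk", "tcp"),
    ("US", "8.8.8.8:53", "majowy.info", "udp"),
    ("US", "8.8.8.8:53", "iepsicoanalisis.com.ar", "udp"),
    ("US", "8.8.8.8:53", "bangaloredial.com", "udp"),
    ("US", "8.8.8.8:53", "djdkduep62kz4nzx.onion.to", "udp"),
    ("US", "8.8.8.8:53", "djdkduep62kz4nzx.tor2web.org", "udp"),
    ("AU", "103.198.0.111:443", "djdkduep62kz4nzx.tor2web.org", "tcp"),
    ("N/A", "224.0.0.251:5353", "", "udp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "216.160.185.162:80", "elifeline.us", "tcp"),   # repeated row, as on the page
]

if __name__ == "__main__":
    for bucket, items in summarize(ROWS).items():
        print(f"{bucket:20s} {sorted(items) if isinstance(items, set) else items}")
```

The useful blocking indicators are the direct_contact pairs, the onion address and the Tor2Web gateway domains; the dns_query_only names are worth keeping as watch-list entries but prove nothing about a connection, since the table records no TCP row for them.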

Files

memory/2032-0-0x0000000000DD0000-0x0000000000DD4000-memory.dmp

memory/2032-1-0x0000000000400000-0x0000000000817000-memory.dmp

memory/2032-4-0x0000000000E40000-0x0000000000E43000-memory.dmp

memory/2032-5-0x0000000074410000-0x0000000074449000-memory.dmp

C:\Users\Admin\AppData\Roaming\vcwdqu.exe

MD5 5e4b563289a23868bc558cbc63d1cdb1
SHA1 738ecfa238325e5f72de199c878bd6975c08e720
SHA256 e41d77be5d026d0d9a8bbdf15de64421f0f92343a09e936ec489b2f33f168893
SHA512 c5277d21fcee6dc64e3092ef75d37621d26208a4de39c69be5eed6f2c7ea98fc197b8e8673a0252884e8708e4e1a190f262ae54171f8d59a9737b96e62c6fe7c

memory/1384-10-0x0000000000400000-0x0000000000817000-memory.dmp

memory/1384-13-0x0000000000930000-0x0000000000933000-memory.dmp

memory/2032-14-0x0000000000400000-0x0000000000817000-memory.dmp

memory/2032-15-0x0000000074410000-0x0000000074449000-memory.dmp

memory/1384-16-0x0000000074410000-0x0000000074449000-memory.dmp

C:\Program Files\7-Zip\Lang\restore_files_vrghn.html

MD5 e54243d788547d57100509681b6bd6e1
SHA1 9414df91c5e9e1e9896490315431246e8715f068
SHA256 0eb3884eb538e34a221f118a1f8ee92a1ed06e177fd483e9d34f7096b866c460
SHA512 041b98418e6485765c6c3612162633140329182413cfd99d453c59baf79af7c873071528090449bbd3bb7c26bdd92644dd7df0933ba1bef85d3591f25efc1e5a

C:\Program Files\7-Zip\Lang\restore_files_vrghn.txt

MD5 1741dd9bd616c47016ad81eaa0cc3d9d
SHA1 0f1271b716188db55e5dadc89d085ce71aadb7e4
SHA256 744e138e76ed0f095d5bb8dbb4472e988d84ed8f7cf87ba767c64f291c55540a
SHA512 e5988f09709ab3f44bb84858f5881a85731046f3dd9e2ea60810386b02da79f85e44435e739d99f7078fe5ab2bb457bbdd4ff0d3fd73cb939aed6030606c9b2f

memory/1384-3711-0x0000000000400000-0x0000000000817000-memory.dmp

memory/1384-7784-0x0000000000400000-0x0000000000817000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ba6ef346187b40694d493da98d5da979
SHA1 643c15bec043f8673943885199bb06cd1652ee37
SHA256 d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
SHA512 2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

\??\pipe\LOCAL\crashpad_3872_IWQFQLDQMWAXJSKQ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b8880802fc2bb880a7a869faa01315b0
SHA1 51d1a3fa2c272f094515675d82150bfce08ee8d3
SHA256 467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
SHA512 e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bf4d81cd93c08df59380173f603749e7
SHA1 4bc902f2aa16b8a25ed47f3b4489cb5c9344f8db
SHA256 a78d473e983a7ad2786ed4c43fc12a74607704d6cc1ae30d4e85ca3a8942e7ae
SHA512 c7d57328260c2030eab4b0225678dc07fc764c4ea88b999cf131f599da3e5d5e4c6fbec6e6d33bea343f2d37d034645f802a88ba2ad017ff0c0c7a1a5804578a

memory/1384-7826-0x0000000000400000-0x0000000000817000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 651da1a98adf319a76bd7ec9f9fb7d4c
SHA1 331ad6e2c4bae6d4b94bad2adc121ab432ae7216
SHA256 b0404dcf14fdf827a6cae25e8526417359c89f5cc77297e9405c6871b2bf9721
SHA512 7c8414355ce940f64cf4dc19ed42babcd5a8eafda6a4977d97770e0ec06bc9f0fa08d0b7beefbe5753aee7d1ac084680b5681c384a79095711d6e70263c67fbc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b2e69647b359de922a11d5fa9ee826b8
SHA1 85ae275fcf3acd796a81e9579fefbf4e6343882b
SHA256 1caa90ea40a98dc666cff1913d3b78deccca3740b956dc395a5eacdd0e96eab7
SHA512 0984b7fc1e5a2840865b3e7d8ade3f472ae36d403c25f7169bdd42e9075390eba360736922ce4d4f90bac666a90217ab36db96ce5869ae9f06feb4448ed62712

memory/1384-7870-0x0000000074410000-0x0000000074449000-memory.dmp

memory/1384-7869-0x0000000000400000-0x0000000000817000-memory.dmp
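
Two points in the Files list deserve a check on a real host. C:\Users\Admin\AppData\Roaming\vcwdqu.exe carries exactly the sample's own MD5, SHA1 and SHA256, so it is a byte-identical self-copy (later removed by the second cmd.exe del), and the ransom notes are dropped per directory as restore_files_<five random chars>.txt/.html (here in C:\Program Files\7-Zip\Lang\) in addition to the fixed-name RESTORE_FILES.TXT/.HTML on the Desktop, so the set of directories holding a note maps how far the file sweep reached. The Python below is an added example, not part of the report: it builds a throw-away directory tree with constructed contents (the hashes it computes are therefore not those on the page), locates self-copies by hash equality, and lists the directories that received notes.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Note-name pattern observed in the report: fixed RESTORE_FILES.* on the Desktop
# and restore_files_<5 alnum>.* in each processed directory.
NOTE_NAME = re.compile(r"^restore_files(?:_[a-z0-9]{5})?\.(?:txt|html)$", re.I)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_self_copies(root: Path, sample_sha256: str) -> list[str]:
    """Every file under root whose SHA-256 equals the sample's: the original and any copies."""
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*") if p.is_file() and sha256_of(p) == sample_sha256)


def note_sweep(root: Path) -> dict[str, list[str]]:
    """Directories (relative to root) holding at least one ransom note, with the note names."""
    hits: dict[str, list[str]] = {}
    for p in root.rglob("*"):
        if p.is_file() and NOTE_NAME.match(p.name):
            hits.setdefault(p.parent.relative_to(root).as_posix(), []).append(p.name)
    return {d: sorted(names) for d, names in sorted(hits.items())}


def build_fixture() -> Path:
    """Constructed stand-in for the detonation host: paths follow the report, contents do not."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    sample = b"MZ-constructed-sample-body"      # assumption: placeholder bytes, not the real PE
    files = {
        "AppData/Local/Temp/5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118.exe": sample,
        "AppData/Roaming/vcwdqu.exe": sample,                # byte-identical self-copy
        "AppData/Roaming/other.exe": b"MZ-unrelated",
        "Desktop/RESTORE_FILES.TXT": b"note",
        "Desktop/RESTORE_FILES.HTML": b"<html>note</html>",
        "Desktop/report.docx": b"document",
        "Program Files/7-Zip/Lang/restore_files_vrghn.txt": b"note",
        "Program Files/7-Zip/Lang/restore_files_vrghn.html": b"<html>note</html>",
        "Program Files/Untouched/readme.txt": b"plain",     # no note: the sweep did not reach it
    }
    for rel, data in files.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
    return root


if __name__ == "__main__":
    root = build_fixture()
    original = root / "AppData/Local/Temp/5e4b563289a23868bc558cbc63d1cdb1_JaffaCakes118.exe"
    print("self-copies:", find_self_copies(root, sha256_of(original)))
    for directory, notes in note_sweep(root).items():
        print(f"{directory}: {notes}")
```

On a live host the root would be the volume, and the hash to search for is the SHA256 from this report rather than one computed from a fixture; directories without a note were not walked by the encryptor and are a reasonable first cut of what is still intact.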