Malware Analysis Report

2025-01-22 20:17

Sample ID 241020-cm27yashmf
Target 5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118
SHA256 4f151f64c97aa09c5c99f25b63c503b91b54a99910daadb97762ad4f5dbb4910
Tags: defense_evasion discovery execution impact persistence ransomware spyware stealer
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 4f151f64c97aa09c5c99f25b63c503b91b54a99910daadb97762ad4f5dbb4910
Threat Level: Known bad

The file 5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery execution impact persistence ransomware spyware stealer

Deletes shadow copies

Renames multiple (420) files with added filename extension

Renames multiple (887) files with added filename extension

Deletes itself

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Drops startup file

Checks computer location settings

Looks up external IP address via web service

Indicator Removal: File Deletion

Adds Run key to start application

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Browser Information Discovery

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of FindShellTrayWindow

System policy modification

Uses Volume Shadow Copy service COM API

Modifies system certificate store

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Opens file in notepad (likely ransom note)

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-10-20 02:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-20 02:12
Reported: 2024-10-20 02:15
Platform: win7-20240903-en
Max time kernel: 121s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (420) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_xcafi.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_xcafi.html C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_xcafi.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_xcafi.html C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A

Note: these are the same restore_files_xcafi.txt/.html ransom notes the sample writes into every directory it walks (see the Program Files rows below); the copies in the shell Startup folder are additionally opened by the shell at each logon, so the note reappears after a reboot even though the dropped executable deletes itself.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSCONFIG = "C:\\Users\\Admin\\AppData\\Roaming\\vcwtij.exe" C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSCONFIG = "C" C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A

Note: the value name MSCONFIG borrows the name of the Windows System Configuration tool; the value data points at the dropped copy under %AppData%, which is the detail to key on. The HKLM value data is cut short in this report.

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\restore_files_xcafi.html C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\text_renderer\restore_files_xcafi.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.jpg C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\restore_files_xcafi.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\restore_files_xcafi.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\restore_files_xcafi.html C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\cs\restore_files_xcafi.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\settings.js C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\icon.png C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down.png C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full.png C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\restore_files_xcafi.html C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\es_MX\restore_files_xcafi.html C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ky\restore_files_xcafi.html C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\restore_files_xcafi.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\deploy\restore_files_xcafi.html C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\timeZones.js C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\restore_files_xcafi.html C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\restore_files_xcafi.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\restore_files_xcafi.html C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\restore_files_xcafi.html C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\picturePuzzle.css C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\5.png C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\nl.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\restore_files_xcafi.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Java\jre7\restore_files_xcafi.html C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\restore_files_xcafi.html C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-hot.png C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent.png C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\restore_files_xcafi.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\restore_files_xcafi.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lt\restore_files_xcafi.html C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Windows Media Player\restore_files_xcafi.html C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_item.png C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\restore_files_xcafi.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\restore_files_xcafi.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\restore_files_xcafi.html C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\restore_files_xcafi.html C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\restore_files_xcafi.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\fr-FR\restore_files_xcafi.html C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\DVD Maker\en-US\restore_files_xcafi.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\DVD Maker\es-ES\restore_files_xcafi.html C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\FormatCheckpoint.crw C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\restore_files_xcafi.html C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.jpg C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\restore_files_xcafi.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\slideshow_glass_frame.png C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\restore_files_xcafi.html C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\as_IN\restore_files_xcafi.html C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\restore_files_xcafi.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\restore_files_xcafi.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Windows Media Player\restore_files_xcafi.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\es-ES\restore_files_xcafi.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-down.png C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\restore_files_xcafi.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\it-IT\restore_files_xcafi.txt C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware

Note: every row in this table is written by iexplore.exe itself after vcwtij.exe launched it with RESTORE_FILES.HTML (see Processes). It is ordinary first-run browser state, not settings chosen by the sample, and should not be read as tampering.

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435552233" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000084617ecb5d42d0b40cec5cb4e7ca044edff6b9c1c972762821b801788893d42000000000e80000000020000200000008adc981669b72ac6d452a9ad03394c6cc4490d251c43b475722fb706c8e556ba20000000a834c30168bdca3b18624025159cf74a85c9e3266a25efd908a4dc700cd3c0f0400000005a8c0028a5b545fee514443ea1e35e82fbde88e8ebe362a842d399e537848e3e3bfd93c360dbb4e360111c352f98dbe481a808b3fc0026d1c9701a906189f74d C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0adc49f9522db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value omitted) C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CB486331-8E88-11EF-A6BD-E67A421F41DB} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (binary value omitted) C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A

Note: CABD2A79A1076A31F21D253635CB039D4329A5E8 is the published SHA-1 fingerprint of the public ISRG Root X1 certificate (Let's Encrypt). CryptoAPI populates this store from inside the calling process when it first builds a chain to a public root, so a write like this is attributed to whatever process made the connection and is a weak indicator on its own. Before treating it as a rogue root install, extract the Blob value and compare it with the known certificate.

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
(the report records 64 identical rows for vcwtij.exe; they are collapsed here)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of WriteProcessMemory

Each parent/child pair below is recorded four times in the report; the repeats are collapsed here.

Description Indicator Process Target
PID 2168 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\vcwtij.exe
PID 2168 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1824 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\vcwtij.exe C:\Windows\System32\vssadmin.exe
PID 1824 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Roaming\vcwtij.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1824 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Roaming\vcwtij.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1004 wrote to memory of 1728 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1824 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Roaming\vcwtij.exe C:\Windows\System32\vssadmin.exe
PID 1824 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Roaming\vcwtij.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Roaming\vcwtij.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\vcwtij.exe

C:\Users\Admin\AppData\Roaming\vcwtij.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\5FDDD1~1.EXE >> NUL

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RESTORE_FILES.HTML

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1004 CREDAT:275457 /prefetch:2

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwtij.exe >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 ledshoppen.nl udp
US 8.8.8.8:53 teenpornotube.org udp
NL 67.22.44.2:80 teenpornotube.org tcp
US 8.8.8.8:53 www.teenpornotube.org udp
NL 67.22.44.2:80 www.teenpornotube.org tcp
US 8.8.8.8:53 ezglobalmarketing.com udp
US 8.8.8.8:53 shmetterheath.ru udp
US 8.8.8.8:53 fgainterests.com udp
US 199.116.254.169:80 fgainterests.com tcp
US 8.8.8.8:53 serenitynowbooksandgifts.com udp
US 185.230.63.107:80 serenitynowbooksandgifts.com tcp
US 185.230.63.107:443 serenitynowbooksandgifts.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.82:80 r11.o.lencr.org tcp
US 8.8.8.8:53 www.serenitynowbooksandgifts.com udp
US 34.149.87.45:443 www.serenitynowbooksandgifts.com tcp
US 8.8.8.8:53 zpr5huq4bgmutfnf.onion.to udp
US 8.8.8.8:53 zpr5huq4bgmutfnf.tor2web.org udp
AU 103.198.0.111:443 zpr5huq4bgmutfnf.tor2web.org tcp
NL 67.22.44.2:80 www.teenpornotube.org tcp
NL 67.22.44.2:80 www.teenpornotube.org tcp
US 199.116.254.169:80 fgainterests.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp
US 185.230.63.107:80 serenitynowbooksandgifts.com tcp
AU 103.198.0.111:443 zpr5huq4bgmutfnf.tor2web.org tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2168-0-0x0000000000260000-0x0000000000263000-memory.dmp

memory/2168-1-0x0000000000400000-0x0000000000714000-memory.dmp

memory/2168-5-0x0000000000270000-0x0000000000274000-memory.dmp

\Users\Admin\AppData\Roaming\vcwtij.exe

MD5 5fddd166f5b5931b2ab328cfd40e420a
SHA1 fa92f4074a2ee7166b9dc9081707ba7a4e8956c4
SHA256 4f151f64c97aa09c5c99f25b63c503b91b54a99910daadb97762ad4f5dbb4910
SHA512 57aa9f96d83a906b910b1d63f3e9fa694c302696a7d237be47cfb1efdf0b5f0d2c152daa2be628fca2cd007a71dbc60def81867ddbfefed81b740b6240079c8c

memory/2168-11-0x0000000000400000-0x0000000000714000-memory.dmp

memory/1824-13-0x0000000000400000-0x0000000000714000-memory.dmp

memory/1824-17-0x0000000000300000-0x0000000000304000-memory.dmp

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_xcafi.txt

MD5 daedfb359adbb7a56d7f476e83305399
SHA1 9a66b26bc81ef21590a7db9aae18c31dbddc70b4
SHA256 2c5a0fe75edbb387fad51dc0735af49a25013870e0febeb2a57d05b4fdfcae5e
SHA512 a4279552e7596c465304d60851ce250408778cd8df1c0e150b7a2bc3ffa288e7b7bbf0d97cbd7abed5b07392631d3d0f3ab90357bea7aea7d309712b3946ca64

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_xcafi.html

MD5 dfc1f99caeda9f1caed116c2cc0c0a6b
SHA1 3b20f1f199d99e56f3e2368a7db540f9a82d66a8
SHA256 e7780198231855b5c208850b68b1d60076e3fd8fda2526546c1bfdc9c27544d5
SHA512 b7bd69667448355bab83d7857e8bccef90fb257cf81fbe3ba57c33125745349537b15da3f3e2319329fcb83d3eca312bc0960446900475874eb8eb3e72fb0ce2

memory/1824-2827-0x0000000000400000-0x0000000000714000-memory.dmp

memory/1824-4348-0x00000000034A0000-0x00000000034A2000-memory.dmp

memory/2336-4349-0x0000000000120000-0x0000000000122000-memory.dmp

C:\Users\Admin\Desktop\RESTORE_FILES.BMP

MD5 83f953ede5aa47a9e3dcff1a69b55179
SHA1 d6ca8a94b5da3e5550d4d450019f06184bfc1a07
SHA256 714a8c262f2fc43ed8b56ebc0f107deedf3e86019815ae3774c09d5756f3f972
SHA512 d77110cb2fb958e36555e5ff2742a786f3c77a8b71833e58c5255a574f1cb21b6945be1dcb4257fb7aa8f01f1a38c8dfd93857065f057e2a0c062a470a918f0a

memory/1824-4351-0x0000000000400000-0x0000000000714000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabD636.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarD6F4.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8624a484206006183aa06e5de9f29bf8
SHA1 21d0b56ba396f345ab6079a2cfaed37cc92453bf
SHA256 cd5af388df20d81efc2f3b2408ff28347290e022debdc5fea9b119d896aa7361
SHA512 a33c41a65b9dd3d11e65ef374329b28e2484dc6633cfeb541273fd629d5b74a9edcc626a73e49489e8f1b75a39e870a8a8c8d4ed2729328d8506d643c460882d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a77de13b4c8e16d3ec7f81e5f5f9a988
SHA1 3d7ccc370a47bf6911276eb466df39510740b19c
SHA256 dc2717c2aa3ea7dae0545cc485586869b48b73b92cdb5c173ad2121a85f7801c
SHA512 26bda65a745fd95404ba145416687474ef2c72c480289100afba13a6ff6ca3baf091859e2c39dde88107e94081ef9fdde20605469cb9c60686d4c01e2ec29553

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a8107179bd45b46fef5ff89583f7640e
SHA1 1ab6eebca3e72ae33efdfcfc915ed400102c9cd2
SHA256 3c59a424c91a5ecce77d22365c3c2f80e05d3bde519c127f160e509b8510b24f
SHA512 56564b8ebc343dd3c79adce6bd01c40319081ba82bb14e552ca56627bb6c9197add6a7224a34c6d005304b916f31dfd9eea020b4d29e377f3489b682d6050373

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3d3b70913d4f0c06245f6ff2fad9a45d
SHA1 f69026057cce773f147709f7ea08459a6bf7479f
SHA256 2d52ccef2877e5207bef8747861c45581e4e1f1dca909f212dd9b54c4bb3404c
SHA512 7fd546e35824dbe6f008dfa0a98d3fbdb44f28e5b56751d83430cf58690b369b1882312f607ef6933fa83e7ed24816cc39d8881480e651c63bd2b2a052e8d0e7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 423ba3d7188b7e45b73db8aa9598087f
SHA1 4868a3e33a5ea296b9b101ba829de390eeb121d3
SHA256 2eb6daa94224fcea30bf4607678e260edde219db74c62bac807586a356f14dc6
SHA512 1282b4a1db7ac08a7e884fc02915e6cbb02f37e72bea6088f5078898dd26535bfc2ed82a3468f9240cf80ea56e6b76d07194a11de31b8a23575cfa65f2d1d357

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4400e9092d10cfafc68195f0db73c398
SHA1 bbd39dbf69462abe43f7d68b34c94914b3444a6d
SHA256 f52db401574e91cfd93fb0ae2c23063bf5c4ed756c06fd015a3ae8e1126f2592
SHA512 f34a8980f452374c537bb9d1f5496fa302f6cf737162d1be169604157164e3f5daa4758ec9aee427c09cb631d85e223aeb88975b8eb507b00a3840c03db167bc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e5fe829b76d39bb70c7bca573790f52a
SHA1 3b347e79b1b15ba560191b0b3923e11bb6eb3e7b
SHA256 72f03ecdb474e7c40ccde5e95bc339484a7e9cf3168bc34997d38a4ce4f2d886
SHA512 884be5a08b8280798f3194794269407e6be4592d9b148bdc772142a5133df6d95da973adce5d6d3c3e29d02ad4c0d852e87b40385152bd7639ec745328f4d64c

memory/1824-4810-0x0000000000400000-0x0000000000714000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b74168ec93132896e3705b206bcc0b00
SHA1 edca686bc7c19fa3fbde5c10dd0a4af0a554a0a3
SHA256 5ebd696c59cd86ed775830c4b3226a9732a64bb07dee85021399fdd4564701d2
SHA512 0a0f21d9e1f4c9ba817601e177a2d010792a4a481a4df50adc78b8ce566500257271b55e7b92780a4b2a3c3186ea82a66060c7684b1167a5f2b973ba99b863a1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 bf65e5f27e0c8de177d6a140c477cad3
SHA1 e9e876d5398d9be83a4aa92902f912e834ad5e6f
SHA256 ebac88ec42fa42b92355a616036db55d4541deaeab8733c8713067607181190c
SHA512 6e24a87376bcb9579b680c3c1e4c8cc7b987b103ef886d35c76c0cfc28e212504071f615e3771bbcd58f14a462dfb31cdb4bec8370718067e112ddad841b11b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fa642a92ac80704afe123f935c357551
SHA1 e042de8c4bb533c116e9de704ab94a79bb26e8f2
SHA256 8c5c1b9eede70fff653431b81d0eb41d55b760eab12400a38fa8ad054d3a9fa1
SHA512 35696ec74b61ab4bc1ce36e2213ffce1382d88581c91b5966abf9432d60f5d2173ab468f4f80a7d9dd9791f366f54ae509057479b37b3978ad50240ecb1a0c17

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 63d698c6ed3ada0fb04bdecc16b27810
SHA1 199f28eaf1a90967486a68a72d442a475d31813b
SHA256 5d6295f1e3d0b8fe61a8b8bd7d50ad890a0e6b54d0869702a387f0ee7fa82c2a
SHA512 dddfa233b78eb553afdf776cf018c1b1670a6b0531f360781817aa84f14e50e50e0edc9b12d90201ec7228ef67cb2cbc310cfe7a163d83ead258b0cd77a847c7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f28482fc857d07fc81d5f86cc78f507e
SHA1 f78cf3c7dbf8a0b1e896f6930bb53b0b2a9b2d33
SHA256 10de88dab129d024bb364f882a5c87e8be4105b0794551aedfdb80c1b6db4063
SHA512 3da0e0d6de00fbfa3ccc7ef4bee430637a39e6e62a8cebf7863fc202a154117ef0604a69abe55821b131cd939e11af24a5cfa13afc17f25c6502715e537c624a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e69011b70e7fcfdaa5e63fd9a74197b8
SHA1 0c9a1be230244d3c5a435646ccaf4554e7d1e07d
SHA256 337a80989da6508d7766b072c30fb883c396c130ea0e82a0722016d8d81fbf1c
SHA512 71185e76f52643253c1aec939a488a6c6b9870eefc232dadc114148395ff658320f9136d2059464cd0cde9a2206f24837b0d789e47c4c0f78e453f2683d89b09

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f73fdc65607f5ffe0093b404013b607d
SHA1 cb567032545ae3de466f681da86604b4fa0f067c
SHA256 46ad4a1c5cc477be05b7495a09d9eb92e905c9fd88fb4fe43ed56b3cfc98a5f7
SHA512 fc6a276c8c56cd821dec845600293e403ab8f2d35fc4b1445553f249cfb583beb4c9f08acf7d4fd1c3e024df35871b68f1af5e081c96c09d975800859934428a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 4cbe7c052971d018aaa583cc7065a6a3
SHA1 34d8bd86314b0bb4aaf46ac3592c836dd9a323a7
SHA256 a978d768a88cfbcab1549286b23223673c1391f7965a3444553dec561ba20f96
SHA512 069615a6927279256ca200c48283dbd0e7e942f79da1f38ea99a56ed5a92baa20f3210742f45f598278db4a5a5dd191a04fb7a27acead7d343f00972beebc72e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9074e302b6fbe941c0d3c8cd089b4439
SHA1 5cfe47de4f804b8adc272ca40ca2a9b305e51ecc
SHA256 f9f6c30234ef7c01e072909c6b1041fba477806fedccdf205e2415f7d4ce6092
SHA512 3fa398fef18a18c7b7dbd53de01cece0ab8ff8c04bf5e9aab2369f1fde4c673822b051b9ea685ff07de05f7d8c0e343fc3952603c4e7435b64c2087c5f047f65

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6712c299c84481174451f1a7293fa0ea
SHA1 0cf944a03774bb74410c252f04c397c9d34996c7
SHA256 8508b3a8046d77b9bdf38a668ae0230ca7201a85bfb890dc962da187fa1f9570
SHA512 64a31944c72d9c81b9c1a44c49c66089d5172c605b623cea621108cf6554ae3fbe8e8ddc2279156e97b304d261b6f2d0a62a3033a0f2dbaf1924f8aee226c3b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f3a0c73962909e9e353e8967850b75af
SHA1 13f765c818c7ef670e8c88e22b4d660ec19e2f9f
SHA256 71cd31172037209ba79738e141fc72e44b2247f80a470ae9336dd6ccc4f30428
SHA512 aa29b06703c7f393c3994152b9de6f91ce556ad5ac13591c3f42def92da35951b33a519702eb1b7ba470bcfdd10def353c4eb69931e48176de9827d4941531cf

memory/1824-5356-0x0000000000400000-0x0000000000714000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 02:12

Reported

2024-10-20 02:15

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (887) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_rqyjx.txt C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_rqyjx.html C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_rqyjx.txt C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_rqyjx.html C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSCONFIG = "C:\\Users\\Admin\\AppData\\Roaming\\vcwghv.exe" C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSCONFIG = "C" C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
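The command lines in the behavioral1 process list (vssadmin.exe delete shadows /all /Quiet, cmd.exe /c del of the sample's own image, NOTEPAD.EXE opening RESTORE_FILES.TXT), the EnableLinkedConnections = 1 policy write and the Run key rows just above are the behaviours an endpoint detection would key on. EnableLinkedConnections = 1 makes drives mapped under the user's standard token visible to the elevated token as well; it is applied at a later logon or restart, which is why it pairs naturally with the Run key persistence. The Python below is an added example, not part of the report: it runs five rules over constructed Sysmon-style events whose command lines and registry values are copied from this report, plus two benign decoys (a vssadmin list shadows and a Run key pointing into Program Files) to show what the rules do not fire on. The event schema, rule names, technique mapping and decoy entries are this example's own.

```python
"""Added example: five detections for the behaviours this report records,
run over Sysmon-style events (schema and rule names are this example's own)."""
import ntpath
import re

# Constructed events; command lines and registry values are copied from the report and
# parent/child pairs follow its process tree. The last two entries are benign decoys.
EVENTS = [
    {"type": "process_create", "parent_image": r"C:\Users\Admin\AppData\Roaming\vcwtij.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet'},
    {"type": "process_create",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\5FDDD1~1.EXE >> NUL'},
    {"type": "process_create", "parent_image": r"C:\Users\Admin\AppData\Roaming\vcwtij.exe",
     "image": r"C:\Windows\SysWOW64\NOTEPAD.EXE",
     "command_line": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT'},
    {"type": "registry_set", "image": r"C:\Users\Admin\AppData\Roaming\vcwghv.exe",
     "target": r"HKU\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSCONFIG",
     "data": r"C:\Users\Admin\AppData\Roaming\vcwghv.exe"},
    {"type": "registry_set", "image": r"C:\Users\Admin\AppData\Roaming\vcwtij.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections",
     "data": "1"},
    {"type": "process_create", "parent_image": r"C:\Windows\System32\cmd.exe",   # decoy: admin listing shadows
     "image": r"C:\Windows\System32\vssadmin.exe", "command_line": "vssadmin.exe list shadows"},
    {"type": "registry_set", "image": r"C:\Program Files\Vendor\setup.exe",       # decoy: installer, not AppData
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "data": r"C:\Program Files\Vendor\agent.exe"},
]

SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.I)
CMD_DEL = re.compile(r"/c\s+del\s+(?P<path>\S+)", re.I)
NOTE_HINTS = ("restore_files",)             # note names seen in this report; extend per family
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\")   # non-raw: single backslashes

def _basename(path):
    return ntpath.basename(path).lower()

def _dirname(path):
    return ntpath.dirname(path).lower()

def shadow_copy_deletion(ev):
    """vssadmin deleting shadows (T1490); 'list shadows' does not match."""
    return (ev["type"] == "process_create" and _basename(ev["image"]) == "vssadmin.exe"
            and bool(SHADOW_DELETE.search(ev["command_line"])))

def self_deletion(ev):
    """cmd.exe spawned to delete a file in its parent's own directory (T1070.004).
    Comparing directories, not names, copes with the 8.3 short name (5FDDD1~1.EXE)."""
    if ev["type"] != "process_create" or _basename(ev["image"]) != "cmd.exe":
        return False
    m = CMD_DEL.search(ev["command_line"])
    return bool(m) and _dirname(m["path"]) == _dirname(ev["parent_image"])

def ransom_note_opened(ev):
    """A viewer started from a user-writable location to display a restore_files note."""
    return (ev["type"] == "process_create"
            and _basename(ev["image"]) in ("notepad.exe", "iexplore.exe", "wordpad.exe")
            and any(h in ev["command_line"].lower() for h in NOTE_HINTS)
            and any(u in ev["parent_image"].lower() for u in USER_WRITABLE))

def run_key_to_user_writable(ev):
    """Run-key persistence whose target lives under AppData/ProgramData (T1547.001)."""
    return (ev["type"] == "registry_set"
            and "\\currentversion\\run\\" in ev["target"].lower()
            and any(u in ev["data"].lower() for u in USER_WRITABLE))

def linked_connections_enabled(ev):
    """EnableLinkedConnections=1: mapped drives become visible across UAC tokens (T1112)."""
    return (ev["type"] == "registry_set"
            and ev["target"].lower().endswith("\\policies\\system\\enablelinkedconnections")
            and ev["data"].strip() == "1")

RULES = [
    ("shadow_copy_deletion", "T1490", shadow_copy_deletion),
    ("self_deletion_via_cmd", "T1070.004", self_deletion),
    ("ransom_note_opened", "T1491.001", ransom_note_opened),
    ("run_key_to_user_writable", "T1547.001", run_key_to_user_writable),
    ("linked_connections_enabled", "T1112", linked_connections_enabled),
]

def detect(events):
    """Return (rule, technique, image) for every event that trips a rule."""
    return [(name, technique, ev["image"])
            for ev in events for name, technique, rule in RULES if rule(ev)]

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(*hit)
```

None of these rules is conclusive alone (administrators do delete shadow copies, and updaters do write Run keys), but three or more firing from the same parent within a minute, as they do in this report's process tree, is a strong ransomware signal.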

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\restore_files_rqyjx.txt C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\restore_files_rqyjx.html C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeSmallTile.scale-400.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-72_altform-unplated.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_rqyjx.html C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\dotnet\host\fxr\7.0.16\restore_files_rqyjx.txt C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Square150x150Logo.scale-200.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchWideTile.contrast-white_scale-200.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_Success.jpg C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\MedTile.scale-200.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ja-JP\restore_files_rqyjx.html C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\LargeTile.scale-125.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_rqyjx.html C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-20_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-IN\restore_files_rqyjx.txt C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\restore_files_rqyjx.txt C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\restore_files_rqyjx.txt C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\restore_files_rqyjx.html C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\MedTile.scale-200.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\restore_files_rqyjx.txt C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\LargeTile.scale-125.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\subscription_intro\save-money.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-200.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Nose.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\gd\restore_files_rqyjx.html C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_04.jpg C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-32_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-200.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\restore_files_rqyjx.txt C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\restore_files_rqyjx.html C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-100_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\restore_files_rqyjx.txt C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\7739_20x20x32.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionLargeTile.scale-150.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_rqyjx.txt C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-64_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\README.txt C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\en-US\restore_files_rqyjx.txt C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\MedTile.scale-125.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\WideTile.scale-200.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.scale-200.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\restore_files_rqyjx.html C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg6.jpg C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\restore_files_rqyjx.html C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare150x150Logo.scale-100_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-125.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-125.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\eu-ES\View3d\restore_files_rqyjx.html C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-64_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\restore_files_rqyjx.html C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\WideTile.scale-125.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_rqyjx.txt C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupLargeTile.scale-400.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLogo.scale-100_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\Internet Explorer\en-US\restore_files_rqyjx.html C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\restore_files_rqyjx.txt C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\es-ES\restore_files_rqyjx.txt C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-40.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\MedTile.scale-200.png C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\restore_files_rqyjx.txt C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2108 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\vcwghv.exe
PID 2108 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\vcwghv.exe
PID 2108 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\vcwghv.exe
PID 2108 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 5008 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe C:\Windows\System32\vssadmin.exe
PID 5008 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe C:\Windows\System32\vssadmin.exe
PID 5008 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 5008 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 5008 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 5008 wrote to memory of 844 N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5008 wrote to memory of 844 N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 3940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 3940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5008 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe C:\Windows\System32\vssadmin.exe
PID 5008 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Roaming\vcwghv.exe C:\Windows\System32\vssadmin.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 844 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Roaming\vcwghv.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\vcwghv.exe

C:\Users\Admin\AppData\Roaming\vcwghv.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\5FDDD1~1.EXE >> NUL

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RESTORE_FILES.HTML

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffde01046f8,0x7ffde0104708,0x7ffde0104718

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwghv.exe >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ledshoppen.nl udp
US 8.8.8.8:53 teenpornotube.org udp
NL 67.22.44.2:80 teenpornotube.org tcp
US 8.8.8.8:53 www.teenpornotube.org udp
NL 67.22.44.2:80 www.teenpornotube.org tcp
US 8.8.8.8:53 ezglobalmarketing.com udp
US 8.8.8.8:53 shmetterheath.ru udp
US 8.8.8.8:53 fgainterests.com udp
US 199.116.254.169:80 fgainterests.com tcp
US 8.8.8.8:53 2.44.22.67.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 serenitynowbooksandgifts.com udp
US 185.230.63.171:80 serenitynowbooksandgifts.com tcp
US 185.230.63.171:443 serenitynowbooksandgifts.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.75:80 r11.o.lencr.org tcp
US 8.8.8.8:53 www.serenitynowbooksandgifts.com udp
US 34.149.87.45:443 www.serenitynowbooksandgifts.com tcp
US 8.8.8.8:53 zpr5huq4bgmutfnf.onion.to udp
US 8.8.8.8:53 zpr5huq4bgmutfnf.tor2web.org udp
AU 103.198.0.111:443 zpr5huq4bgmutfnf.tor2web.org tcp
US 8.8.8.8:53 171.63.230.185.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 75.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 45.87.149.34.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 ledshoppen.nl udp
NL 67.22.44.2:80 www.teenpornotube.org tcp
NL 67.22.44.2:80 www.teenpornotube.org tcp
US 8.8.8.8:53 ezglobalmarketing.com udp
US 8.8.8.8:53 shmetterheath.ru udp
US 199.116.254.169:80 fgainterests.com tcp
US 185.230.63.171:80 serenitynowbooksandgifts.com tcp
US 8.8.8.8:53 zpr5huq4bgmutfnf.onion.to udp
AU 103.198.0.111:443 zpr5huq4bgmutfnf.tor2web.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/2108-0-0x0000000000800000-0x0000000000803000-memory.dmp

memory/2108-1-0x0000000000400000-0x0000000000714000-memory.dmp

memory/2108-5-0x0000000000810000-0x0000000000814000-memory.dmp

memory/2108-6-0x00000000741E0000-0x0000000074219000-memory.dmp

C:\Users\Admin\AppData\Roaming\vcwghv.exe

MD5 5fddd166f5b5931b2ab328cfd40e420a
SHA1 fa92f4074a2ee7166b9dc9081707ba7a4e8956c4
SHA256 4f151f64c97aa09c5c99f25b63c503b91b54a99910daadb97762ad4f5dbb4910
SHA512 57aa9f96d83a906b910b1d63f3e9fa694c302696a7d237be47cfb1efdf0b5f0d2c152daa2be628fca2cd007a71dbc60def81867ddbfefed81b740b6240079c8c

memory/5008-11-0x0000000000400000-0x0000000000714000-memory.dmp

memory/5008-15-0x0000000000C80000-0x0000000000C84000-memory.dmp

memory/2108-17-0x00000000741E0000-0x0000000074219000-memory.dmp

memory/2108-16-0x0000000000400000-0x0000000000714000-memory.dmp

memory/5008-18-0x00000000741E0000-0x0000000074219000-memory.dmp

C:\Program Files\7-Zip\Lang\restore_files_rqyjx.txt

MD5 df3f6c33e4c3d89d6878378095ee5aba
SHA1 bd3b0afa9593c8743e015e2c875db0a77c3a65c0
SHA256 7354b6c41d7519887de321615fdd3574733e850768fe7d5f51943c33717352b1
SHA512 ef987d8820a79e367b170a44f7ed7f7bdea2a9974ead3264861425ca096a34593818071d7f9572acbfcee938fb8e1db5c4e7e05b48246b1abd75d2a5ce5a9d99

C:\Program Files\7-Zip\Lang\restore_files_rqyjx.html

MD5 6f409fbb014d4e028a1e0096991f2543
SHA1 9b8739eeb29299df52535337cec1b72b6617c28b
SHA256 c62641e645380412f3f8bbdb98547a52dc5c38983097a6cb0211f21c77d1d4e9
SHA512 354fd64e2e14b6f9af2761003e1355310d8a208e89c1051f0c1c5f544cd1914a1530957286aaf6b878dc3680c83c39d58572ad48b9da4e14955e5dae5da3e182

memory/5008-2498-0x0000000000400000-0x0000000000714000-memory.dmp

memory/5008-6998-0x0000000000400000-0x0000000000714000-memory.dmp

memory/5008-7845-0x0000000000400000-0x0000000000714000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d22073dea53e79d9b824f27ac5e9813e
SHA1 6d8a7281241248431a1571e6ddc55798b01fa961
SHA256 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
SHA512 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

\??\pipe\LOCAL\crashpad_844_FCLNEKCYAGGXJMSI

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bffcefacce25cd03f3d5c9446ddb903d
SHA1 8923f84aa86db316d2f5c122fe3874bbe26f3bab
SHA256 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
SHA512 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 631c92d673985addc86c22ec56ffc913
SHA1 6699dd791688dbfda1368dcfa52221f0048b7072
SHA256 a3ad901785522074e84b461e058ea2baf1d747d224d857f4bd898c63247a6d4c
SHA512 dacaf76b8adb0ceed79587fd5f9739f55e7d98dcb867bedafe4cf4b9d652686dbc742280e6f4ec3d53ec91b421cfa0e9fffa1600d8bf5ea14621039650548492

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/5008-7901-0x0000000000400000-0x0000000000714000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8e879b483ab784beaf8f1e7538181b36
SHA1 4f89938f0ea379934f41caa7564df522f161a82c
SHA256 402b9c5d0cfbd85d59de78eb872a69ce3b200af11caf9a2dca005c947570113b
SHA512 4980422652c9627976faba298a7e6f8be82c6c1a2c30a92b16cd02b8b5d159c40dd987ccf146910ccd350c069098d537397782fbba01003e180a59c9512bf9e5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d84ffe31534d73280bb1b7e616073470
SHA1 a533200c42dbcda819e167f2df8808c678eb9ad3
SHA256 91395eacefaf65ae7b623ed502836dcbb16ce153a8b8bb061e904f1bfe724050
SHA512 149305759994a678560edfc27794dd9d215683bf7f7021f8e5b1f55f5a1a88938486cad7346d682f2e1e8d8d5aa4e105b1434f2a5639518be85fbef3ed40a13c

memory/5008-7921-0x0000000000400000-0x0000000000714000-memory.dmp

memory/5008-7946-0x00000000741E0000-0x0000000074219000-memory.dmp

memory/5008-7945-0x0000000000400000-0x0000000000714000-memory.dmp