Malware Analysis Report

2025-03-15 04:33

Sample ID 241027-1gsnbaterp
Target 760f74e54cf5389a7a29f796d62dd7eb_JaffaCakes118
SHA256 f920d55ae83aa4f3489a14231a8776186cea2051a2d642aecc55dd581f59c8c3
Tags
defense_evasion discovery execution impact persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f920d55ae83aa4f3489a14231a8776186cea2051a2d642aecc55dd581f59c8c3

Threat Level: Known bad

The file 760f74e54cf5389a7a29f796d62dd7eb_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery execution impact persistence ransomware spyware stealer

Deletes shadow copies

Renames multiple (888) files with added filename extension

Renames multiple (407) files with added filename extension

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Deletes itself

Executes dropped EXE

Checks computer location settings

Looks up external IP address via web service

Adds Run key to start application

Indicator Removal: File Deletion

Drops file in Program Files directory

Browser Information Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

Enumerates system info in registry

Modifies registry class

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

System policy modification

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 21:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 21:37

Reported

2024-10-27 21:40

Platform

win7-20240903-en

Max time kernel

145s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\760f74e54cf5389a7a29f796d62dd7eb_JaffaCakes118.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (407) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_lvnkx.txt C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_lvnkx.txt C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\760f74e54cf5389a7a29f796d62dd7eb_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\vsadmin = "C:\\Users\\Admin\\AppData\\Roaming\\vcwhrp.exe" C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vsadmin = "C" C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\restore_files_lvnkx.txt C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fi\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\keystore\restore_files_lvnkx.txt C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\info.png C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_hov.png C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\localizedStrings.js C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Visualizations\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\library.js C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ug.txt C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_SelectionSubpicture.png C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\CircleSubpicture.png C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Windows Media Player\fr-FR\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\calendar.css C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\flyout_background.png C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\restore_files_lvnkx.txt C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\restore_files_lvnkx.txt C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\en-US\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\restore_files_lvnkx.txt C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ks_IN\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\restore_files_lvnkx.txt C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Skins\restore_files_lvnkx.txt C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\restore_files_lvnkx.txt C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\restore_files_lvnkx.txt C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\tg.txt C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hu.pak C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\restore_files_lvnkx.txt C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\restore_files_lvnkx.txt C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\restore_files_lvnkx.txt C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sm\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Windows Journal\ja-JP\restore_files_lvnkx.txt C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\clock.js C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_s.png C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\es-ES\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\header-background.png C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\restore_files_lvnkx.txt C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\restore_files_lvnkx.html C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\restore_files_lvnkx.txt C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\restore_files_lvnkx.txt C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_left.png C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\logo.png C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous_partly-cloudy.png C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\az.txt C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ms.txt C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\restore_files_lvnkx.txt C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\760f74e54cf5389a7a29f796d62dd7eb_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436226958" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10319197b828db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C3233E41-94AB-11EF-9CC3-FA59FB4FA467} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f0000000002000000000010660000000100002000000094005d6cc121be3d4d253b4af322dde9344218692d4a264b2263cf0024af98d5000000000e80000000020000200000003f791b6fe48cf57a08e32ce3f5af18b7f6c880b129ad877b8a10cb5ccd3d8677200000004a3a92464df718b3f6a15621910922869661838709c247da01574f5d121b849b40000000b3057283a4adf199efe9141bb31f3780c6d8d680754f078150a12b95ebcface68a554473c0bae5e03a922d79e86af74e5947fb505eb820f14cf0530089143294 C:\Program Files\Internet Explorer\iexplore.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\760f74e54cf5389a7a29f796d62dd7eb_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1836 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\760f74e54cf5389a7a29f796d62dd7eb_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\vcwhrp.exe
PID 1836 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\760f74e54cf5389a7a29f796d62dd7eb_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\vcwhrp.exe
PID 1836 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\760f74e54cf5389a7a29f796d62dd7eb_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\vcwhrp.exe
PID 1836 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\760f74e54cf5389a7a29f796d62dd7eb_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\vcwhrp.exe
PID 1836 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\760f74e54cf5389a7a29f796d62dd7eb_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\760f74e54cf5389a7a29f796d62dd7eb_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\760f74e54cf5389a7a29f796d62dd7eb_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\760f74e54cf5389a7a29f796d62dd7eb_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe C:\Windows\System32\vssadmin.exe
PID 840 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe C:\Windows\System32\vssadmin.exe
PID 840 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe C:\Windows\System32\vssadmin.exe
PID 840 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe C:\Windows\System32\vssadmin.exe
PID 840 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 840 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 840 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 840 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 840 wrote to memory of 860 N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 840 wrote to memory of 860 N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 840 wrote to memory of 860 N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 840 wrote to memory of 860 N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 840 wrote to memory of 356 N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe C:\Windows\System32\vssadmin.exe
PID 840 wrote to memory of 356 N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe C:\Windows\System32\vssadmin.exe
PID 840 wrote to memory of 356 N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe C:\Windows\System32\vssadmin.exe
PID 840 wrote to memory of 356 N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe C:\Windows\System32\vssadmin.exe
PID 860 wrote to memory of 2092 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 860 wrote to memory of 2092 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 860 wrote to memory of 2092 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 860 wrote to memory of 2092 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 840 wrote to memory of 304 N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 304 N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 304 N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 304 N/A C:\Users\Admin\AppData\Roaming\vcwhrp.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Roaming\vcwhrp.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\760f74e54cf5389a7a29f796d62dd7eb_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\760f74e54cf5389a7a29f796d62dd7eb_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\vcwhrp.exe

C:\Users\Admin\AppData\Roaming\vcwhrp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\760F74~1.EXE >> NUL

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RESTORE_FILES.HTML

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:860 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwhrp.exe >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 asecproteccion.com udp
CA 174.142.60.48:80 asecproteccion.com tcp
US 8.8.8.8:53 almaco.es udp
ES 217.76.128.47:80 almaco.es tcp
US 8.8.8.8:53 light-tech.pl udp
PL 79.96.158.60:80 light-tech.pl tcp
US 8.8.8.8:53 mustdecor.com.br udp
US 8.8.8.8:53 ghostwriter-24.de udp
DE 91.90.146.100:80 ghostwriter-24.de tcp
DE 91.90.146.100:443 ghostwriter-24.de tcp
US 8.8.8.8:53 alexsinden.co.uk udp
GB 68.183.44.1:80 alexsinden.co.uk tcp
US 8.8.8.8:53 djdkduep62kz4nzx.onion.to udp
US 8.8.8.8:53 djdkduep62kz4nzx.tor2web.org udp
AU 103.198.0.111:443 djdkduep62kz4nzx.tor2web.org tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1836-0-0x0000000000230000-0x0000000000233000-memory.dmp

memory/1836-1-0x0000000000400000-0x00000000008FA000-memory.dmp

memory/1836-5-0x0000000000240000-0x0000000000243000-memory.dmp

\Users\Admin\AppData\Roaming\vcwhrp.exe

MD5 760f74e54cf5389a7a29f796d62dd7eb
SHA1 647adf6edcbc04d8d02d82dcb1c50be6c1ee3994
SHA256 f920d55ae83aa4f3489a14231a8776186cea2051a2d642aecc55dd581f59c8c3
SHA512 2107ab429b0db699caa5fd80aca4207aa60b8d3ab5ec2d4e7b4410a00a813cd28e9e8b4cd80ebc1a423d98ebbc8725d6f66ff0b2ec8098b444642b88f4d5d8f6

memory/840-13-0x0000000000400000-0x00000000008FA000-memory.dmp

memory/840-17-0x0000000000240000-0x0000000000243000-memory.dmp

memory/1836-11-0x0000000000400000-0x00000000008FA000-memory.dmp

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_lvnkx.html

MD5 529a3246c567bcdc85df0b44ac15f79d
SHA1 baa7e043a1ddf94ce433cc3f76039d03e9104c56
SHA256 1357700a852776ee4b4c06f689417b41c14e47ac460aaa1d7947e14590009f79
SHA512 7db6be1d9f02c06d0fd0998cab3c59eeb053c3ebccc0e42bbffb04b38411459aa509aa889c640bc68634cab50bf4de110c16493099d0802c883dd1e21114eb5d

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_lvnkx.txt

MD5 963a05adb99bd4fb27849ceab9aebc50
SHA1 b324e2fa311fdf762e7f16b73c67e4a3b4ea487b
SHA256 edc9dccce9df2e2495081ab1dbf2190720b0b62fedf1ff33af537a0121c03cdd
SHA512 8ecb011231688388920ddd455c0cb9f04f413833112ba5b02b2948781e74720a7e6e4e67004c185452bfeeab3345cba462453b711776ded06c9cb3f03cd7adfe

memory/840-4298-0x0000000000400000-0x00000000008FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabC8F.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarD40.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/840-4756-0x0000000000400000-0x00000000008FA000-memory.dmp

memory/840-4757-0x0000000000400000-0x00000000008FA000-memory.dmp

memory/840-4761-0x0000000000400000-0x00000000008FA000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted 2024-10-27 21:37

Reported 2024-10-27 21:40

Platform win10v2004-20241007-en

Max time kernel 150s

Max time network 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\760f74e54cf5389a7a29f796d62dd7eb_JaffaCakes118.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (888) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\760f74e54cf5389a7a29f796d62dd7eb_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_ubydy.html C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_ubydy.txt C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_ubydy.html C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_ubydy.txt C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vsadmin = "C:\\Users\\Admin\\AppData\\Roaming\\vcwyto.exe" C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vsadmin = "C" C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-100.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\restore_files_ubydy.html C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\restore_files_ubydy.html C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.scale-100.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\restore_files_ubydy.html C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteMediumTile.scale-125.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-64.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlCone.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\A9C88E0B-9DC8-47AB-AB89-9AE025316701\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\restore_files_ubydy.txt C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosAppList.scale-100.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-black_scale-125.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxLargeTile.scale-200.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\io.txt C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_ubydy.txt C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nb-NO\restore_files_ubydy.html C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\sticker29.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\LargeTile.scale-200.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-100_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.scale-150_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sw\restore_files_ubydy.html C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-125_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailBadge.scale-100.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\restore_files_ubydy.html C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kk-KZ\restore_files_ubydy.html C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_DiningReservation.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kk.txt C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\restore_files_ubydy.txt C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\nb-NO\restore_files_ubydy.txt C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sl\restore_files_ubydy.txt C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\AppxMetadata\restore_files_ubydy.txt C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\restore_files_ubydy.txt C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\restore_files_ubydy.txt C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\THMBNAIL.PNG C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\LockScreenBadgeLogo.scale-125.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Studio.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\animations\restore_files_ubydy.html C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactNative\Tracing\restore_files_ubydy.txt C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-400_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailWideTile.scale-125.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\sv-SE\restore_files_ubydy.html C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-black_scale-100.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\MedTile.scale-100.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-16_altform-lightunplated.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-125.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-black_scale-200.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\LargeTile.scale-200.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sl.txt C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\zh_TW\restore_files_ubydy.html C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\offer_cards\credit-illustration.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\restore_files_ubydy.txt C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ks_IN\restore_files_ubydy.txt C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\restore_files_ubydy.txt C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyCalendarSearch.scale-400.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-100.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\restore_files_ubydy.html C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedSmallTile.scale-100_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookMedTile.scale-100.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c\microsoft.system.package.metadata\restore_files_ubydy.txt C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-100_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\restore_files_ubydy.txt C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ff\restore_files_ubydy.txt C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\LargeTile.scale-200.png C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\760f74e54cf5389a7a29f796d62dd7eb_JaffaCakes118.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [binary certificate blob omitted] C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\760f74e54cf5389a7a29f796d62dd7eb_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Note: only the two SeDebugPrivilege rows are the malware's doing (the submitted file and its %AppData% copy). The SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege rows belong to vssvc.exe, the Volume Shadow Copy service, enabling its own privileges while it services the "vssadmin delete shadows" requests listed under Processes; they are a side effect of the shadow-copy deletion, not a privilege escalation by the sample.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (25 identical rows)

Note: this signature and the SendNotifyMessage signature fire on msedge.exe, which the %AppData% copy launched to display RESTORE_FILES.HTML (see Processes). They describe the browser's normal interaction with the shell, not behaviour of the encryptor.

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (24 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3160 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\760f74e54cf5389a7a29f796d62dd7eb_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\vcwyto.exe (3 rows)
PID 3160 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\760f74e54cf5389a7a29f796d62dd7eb_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe (3 rows)
PID 1620 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Roaming\vcwyto.exe C:\Windows\System32\vssadmin.exe (2 rows)
PID 1620 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\vcwyto.exe C:\Windows\SysWOW64\NOTEPAD.EXE (3 rows)
PID 1620 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Roaming\vcwyto.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 rows)
PID 2628 wrote to memory of 2404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 rows)
PID 1620 wrote to memory of 212 N/A C:\Users\Admin\AppData\Roaming\vcwyto.exe C:\Windows\System32\vssadmin.exe (2 rows)
PID 2628 wrote to memory of 3180 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (40 rows)
PID 2628 wrote to memory of 1748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 rows)
PID 2628 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (5 rows)

Note: every row pairs a parent with a child it has just started, and the same PIDs reappear as parent/child in the Processes section, so this table is best read as the process tree: sample (3160) starts its %AppData% copy (1620) and a cmd.exe that deletes the original (312); the copy starts vssadmin.exe twice (1932, 212), NOTEPAD.EXE (1988) and msedge.exe (2628); msedge.exe starts its own helper processes. The msedge.exe-to-msedge.exe writes are Chromium's normal multi-process start-up. Nothing here shows memory being written into an unrelated, already-running process.

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Roaming\vcwyto.exe N/A

Note: EnableLinkedConnections = 1 makes drive mappings created in a user's standard (non-elevated) logon session visible to that user's elevated processes, so an encryptor running elevated can also reach mapped network shares. Legitimate software almost never sets this value; a write to it by a process outside an installer or a Group Policy refresh is a strong ransomware indicator in its own right.

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\760f74e54cf5389a7a29f796d62dd7eb_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\760f74e54cf5389a7a29f796d62dd7eb_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\vcwyto.exe

C:\Users\Admin\AppData\Roaming\vcwyto.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\760F74~1.EXE >> NUL

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RESTORE_FILES.HTML

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8197d46f8,0x7ff8197d4708,0x7ff8197d4718

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,11275698479748463299,8687194065948906092,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,11275698479748463299,8687194065948906092,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,11275698479748463299,8687194065948906092,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1856 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,11275698479748463299,8687194065948906092,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2868 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,11275698479748463299,8687194065948906092,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2880 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,11275698479748463299,8687194065948906092,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,11275698479748463299,8687194065948906092,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,11275698479748463299,8687194065948906092,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,11275698479748463299,8687194065948906092,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,11275698479748463299,8687194065948906092,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,11275698479748463299,8687194065948906092,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwyto.exe >> NUL

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,11275698479748463299,8687194065948906092,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1304 /prefetch:2
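The process list above is the whole attack chain in one place: the sample copies itself to %AppData%, the copy runs "vssadmin delete shadows /all /Quiet" twice, opens the note in Notepad and in Edge, and each stage removes its own binary through "cmd /c del". A process-creation detector should catch every one of those steps. The following is an added example, not part of this report or of the sandbox's tooling: a small Python detector run over events constructed by hand from the command lines listed above. The field layout (pid, parent, image, cmd) follows a Sysmon Event ID 1 record by assumption, and the PID of the second cmd.exe is not in the report and is assumed. It generalises a little beyond this page: it also matches "wmic shadowcopy delete", "del" with switches or quoted paths, and 8.3 short names such as 760F74~1.EXE.

```python
"""Process-creation detector for the behaviour shown in this report.

Added example, not the sandbox's own tooling. EVENTS is constructed by hand
from the Processes and WriteProcessMemory sections; the field names
(pid, parent, image, cmd) follow a Sysmon Event ID 1 layout by assumption.
"""
import re
from collections import defaultdict
from ntpath import basename, splitext  # ntpath parses backslash paths on any OS

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\760f74e54cf5389a7a29f796d62dd7eb_JaffaCakes118.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\vcwyto.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

EVENTS = [
    {"pid": 1620, "parent": SAMPLE, "image": DROPPED, "cmd": DROPPED},
    {"pid": 312, "parent": SAMPLE, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\760F74~1.EXE >> NUL'},
    {"pid": 1932, "parent": DROPPED, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet'},
    {"pid": 1988, "parent": DROPPED, "image": r"C:\Windows\SysWOW64\NOTEPAD.EXE",
     "cmd": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT'},
    {"pid": 2628, "parent": DROPPED, "image": EDGE,
     "cmd": rf'"{EDGE}" --single-argument C:\Users\Admin\Desktop\RESTORE_FILES.HTML'},
    {"pid": 212, "parent": DROPPED, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet'},
    # Ordinary Edge child process: must not trigger any rule.
    {"pid": 3180, "parent": EDGE, "image": EDGE, "cmd": rf'"{EDGE}" --type=gpu-process'},
    # Second self-deletion. This cmd.exe's PID is not in the report (assumed).
    {"pid": 4100, "parent": DROPPED, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwyto.exe >> NUL'},
]

# vssadmin "delete shadows" and the wmic equivalent "shadowcopy delete".
SHADOW_DELETE = re.compile(r"delete\s+shadows|shadowcopy\s+delete", re.I)
# cmd /c del [/f /q ...] [" ]<path>   -> group 1 is the deleted path.
SELF_DELETE = re.compile(r"/c\s+del\s+(?:/[a-z]\s+)*\"?([^\s\"]+)", re.I)
# Typical ransom-note names handed to a viewer.
RANSOM_NOTE = re.compile(r"(?:restore|recover|decrypt|readme|how[_ -]?to)[^\s\"]*\.(?:txt|html?)\b", re.I)
# Directories a standard user can write to (assumed list, extend locally).
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Public)\\", re.I)
NOTE_VIEWERS = {"notepad.exe", "wordpad.exe", "msedge.exe", "chrome.exe", "iexplore.exe", "mshta.exe"}


def _same_file(deleted: str, parent_image: str) -> bool:
    """True if `deleted` names the parent's own binary, tolerating 8.3 short names."""
    d_name, d_ext = splitext(basename(deleted))
    p_name, p_ext = splitext(basename(parent_image))
    if d_ext.lower() != p_ext.lower():
        return False
    if "~" in d_name:  # 8.3 form such as 760F74~1: compare the prefix before the tilde
        return p_name.lower().startswith(d_name.split("~")[0].lower())
    return d_name.lower() == p_name.lower()


def analyze(events):
    """Return {rule_name: [pid, ...]} for every event that matches a rule."""
    hits = defaultdict(list)
    for e in events:
        image = basename(e["image"]).lower()
        cmd = e["cmd"]
        if image in {"vssadmin.exe", "wmic.exe"} and SHADOW_DELETE.search(cmd):
            hits["shadow_copy_deletion"].append(e["pid"])
        if image == "cmd.exe":
            m = SELF_DELETE.search(cmd)
            if m and _same_file(m.group(1), e["parent"]):
                hits["self_deletion"].append(e["pid"])
        if image in NOTE_VIEWERS and RANSOM_NOTE.search(cmd) and USER_WRITABLE.search(e["parent"]):
            hits["ransom_note_display"].append(e["pid"])
        if USER_WRITABLE.search(e["image"]):
            hits["execution_from_user_writable_dir"].append(e["pid"])
    return dict(hits)


if __name__ == "__main__":
    for rule, pids in analyze(EVENTS).items():
        print(f"{rule}: {pids}")
```

The self-deletion rule keys on the parent's image rather than on "del" alone, because "cmd /c del" of an arbitrary file is common in installers; requiring the deleted name to match the parent binary (with 8.3 handling, since cmd.exe receives whatever short name the malware passed) is what keeps the rule quiet on normal hosts.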

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 asecproteccion.com udp
CA 174.142.60.48:80 asecproteccion.com tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 48.60.142.174.in-addr.arpa udp
US 8.8.8.8:53 almaco.es udp
ES 217.76.128.47:80 almaco.es tcp
US 8.8.8.8:53 light-tech.pl udp
PL 79.96.158.60:80 light-tech.pl tcp
US 8.8.8.8:53 47.128.76.217.in-addr.arpa udp
US 8.8.8.8:53 60.158.96.79.in-addr.arpa udp
US 8.8.8.8:53 mustdecor.com.br udp
US 8.8.8.8:53 ghostwriter-24.de udp
DE 91.90.146.100:80 ghostwriter-24.de tcp
DE 91.90.146.100:443 ghostwriter-24.de tcp
US 8.8.8.8:53 alexsinden.co.uk udp
US 8.8.8.8:53 100.146.90.91.in-addr.arpa udp
GB 68.183.44.1:80 alexsinden.co.uk tcp
US 8.8.8.8:53 djdkduep62kz4nzx.onion.to udp
US 8.8.8.8:53 djdkduep62kz4nzx.tor2web.org udp
AU 103.198.0.111:443 djdkduep62kz4nzx.tor2web.org tcp
US 8.8.8.8:53 1.44.183.68.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
CA 174.142.60.48:80 asecproteccion.com tcp
ES 217.76.128.47:80 almaco.es tcp
PL 79.96.158.60:80 light-tech.pl tcp
US 8.8.8.8:53 mustdecor.com.br udp
DE 91.90.146.100:443 ghostwriter-24.de tcp
GB 68.183.44.1:80 alexsinden.co.uk tcp
US 8.8.8.8:53 djdkduep62kz4nzx.onion.to udp
AU 103.198.0.111:443 djdkduep62kz4nzx.tor2web.org tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp
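Most rows in the table above are noise: PTR lookups (in-addr.arpa) that the sandbox performs for every address it sees, the mDNS multicast, and the Bing assets Edge fetches once it is open. The signal is the ipinfo.io external-IP check, the contacts to several unrelated small websites over port 80/443 (the usual pattern of compromised sites used as drop points), and the lookups of djdkduep62kz4nzx.onion.to and djdkduep62kz4nzx.tor2web.org, where the left-most label is the Tor hidden service the victim is meant to reach through a Tor2Web gateway. The following is an added example, not part of this report: it sorts a constructed subset of the table into those buckets and recovers the .onion name from the gateway hostnames. The gateway-suffix, IP-check-service and browser-background lists are assumptions to extend for your own environment.

```python
"""Triage the Network table: separate sandbox noise from the sample's own contacts.

Added example, not part of this report. NETWORK_ROWS is a constructed subset
of the table above in its own column order (country, destination, domain,
proto); the suffix and service lists below are assumptions to extend locally.
"""
import re
from collections import defaultdict

NETWORK_ROWS = """\
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 asecproteccion.com udp
CA 174.142.60.48:80 asecproteccion.com tcp
ES 217.76.128.47:80 almaco.es tcp
PL 79.96.158.60:80 light-tech.pl tcp
US 8.8.8.8:53 mustdecor.com.br udp
DE 91.90.146.100:443 ghostwriter-24.de tcp
GB 68.183.44.1:80 alexsinden.co.uk tcp
US 8.8.8.8:53 djdkduep62kz4nzx.onion.to udp
US 8.8.8.8:53 djdkduep62kz4nzx.tor2web.org udp
AU 103.198.0.111:443 djdkduep62kz4nzx.tor2web.org tcp
N/A 224.0.0.251:5353 udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
"""

# Assumed lists: Tor2Web gateways, public "what is my IP" services, browser background traffic.
TOR2WEB_SUFFIXES = (".onion.to", ".tor2web.org", ".onion.ws", ".onion.pet", ".onion.ly")
EXTERNAL_IP_SERVICES = {"ipinfo.io", "api.ipify.org", "icanhazip.com", "checkip.amazonaws.com"}
BROWSER_BACKGROUND_SUFFIXES = (".bing.net", ".bing.com", ".microsoft.com", ".msedge.net")
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")  # v2 (16 chars) or v3 (56 chars)


def parse_rows(text):
    """Parse 'country dest domain proto' rows; the domain column may be absent (mDNS row)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def onion_from_gateway(host):
    """'xyz.tor2web.org' -> 'xyz.onion' when the left-most label looks like an onion name."""
    for suffix in TOR2WEB_SUFFIXES:
        if host.endswith(suffix):
            label = host[: -len(suffix)].split(".")[-1]
            if ONION_LABEL.match(label):
                return label + ".onion"
    return None


def classify(domain, rows):
    """Bucket one destination (all rows for that domain) into a triage category."""
    if not domain:
        return "noise_multicast" if any(r["ip"].startswith("224.0.0.") for r in rows) else "unclassified"
    if domain.endswith(".in-addr.arpa"):
        return "noise_reverse_dns"
    if onion_from_gateway(domain):
        return "tor2web_gateway"
    if domain in EXTERNAL_IP_SERVICES:
        return "external_ip_check"
    if domain.endswith(BROWSER_BACKGROUND_SUFFIXES):
        return "browser_background"
    if any(r["proto"] == "tcp" and r["port"] in (80, 443) for r in rows):
        return "unclassified_web_contact"  # resolved and connected: pivot on these
    return "dns_only"  # resolved but never connected in the sandbox window


def triage(text):
    """Return {category: sorted destinations} over the whole table."""
    by_domain = defaultdict(list)
    for row in parse_rows(text):
        by_domain[row["domain"]].append(row)
    out = defaultdict(list)
    for domain, rows in by_domain.items():
        out[classify(domain, rows)].append(domain or rows[0]["ip"])
    return {k: sorted(v) for k, v in out.items()}


def hidden_services(text):
    """The .onion names implied by Tor2Web gateway hostnames in the table."""
    found = {onion_from_gateway(r["domain"]) for r in parse_rows(text)}
    return sorted(o for o in found if o)


if __name__ == "__main__":
    for category, hosts in triage(NETWORK_ROWS).items():
        print(f"{category}: {', '.join(hosts)}")
    print("hidden services:", hidden_services(NETWORK_ROWS))
```

Two points worth keeping in mind when reusing this: the "unclassified_web_contact" bucket is where the blocking and pivoting value is (each of those sites received plain-HTTP traffic from the encryptor, so their URLs and the request bodies in the pcap are the next thing to pull), and a 16-character onion name is a v2 address, which the Tor network no longer serves, so the gateway hostnames are mainly useful as a family fingerprint rather than as a live payment site.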

Files

memory/3160-0-0x0000000000950000-0x0000000000953000-memory.dmp

memory/3160-2-0x0000000000400000-0x00000000008FA000-memory.dmp

memory/3160-5-0x0000000000F70000-0x0000000000F73000-memory.dmp

memory/3160-6-0x0000000074A00000-0x0000000074A39000-memory.dmp

C:\Users\Admin\AppData\Roaming\vcwyto.exe

MD5 760f74e54cf5389a7a29f796d62dd7eb
SHA1 647adf6edcbc04d8d02d82dcb1c50be6c1ee3994
SHA256 f920d55ae83aa4f3489a14231a8776186cea2051a2d642aecc55dd581f59c8c3
SHA512 2107ab429b0db699caa5fd80aca4207aa60b8d3ab5ec2d4e7b4410a00a813cd28e9e8b4cd80ebc1a423d98ebbc8725d6f66ff0b2ec8098b444642b88f4d5d8f6

Note: these hashes are identical to those of the submitted file, so the dropped executable is a byte-for-byte self-copy; the sample copies itself into %AppData%, runs the copy, and has the original deleted (see the cmd.exe command lines under Processes). One hash therefore covers both the initial file and the persistent copy.

memory/1620-11-0x0000000000400000-0x00000000008FA000-memory.dmp

memory/1620-15-0x0000000000920000-0x0000000000923000-memory.dmp

memory/3160-17-0x0000000074A00000-0x0000000074A39000-memory.dmp

memory/3160-16-0x0000000000400000-0x00000000008FA000-memory.dmp

memory/1620-18-0x0000000074A00000-0x0000000074A39000-memory.dmp

C:\Program Files\7-Zip\Lang\restore_files_ubydy.txt

MD5 5998a6c27ea5eb99cd881eb7c4c44bdc
SHA1 dadc7b3b692c33578af8e51c5f73e25b1fb5a038
SHA256 6e9416261bbd46444ee89e2b35d1c0be90f64edb04632b8dce3eb27f9a4382f2
SHA512 218855aa92b7f2136d127f1a8e8f9fdc503f801a0b14e6d03cf4fff2ecd7af9012047c8deff6b82d49904be2f20201d5b38c5cd26d99b32ea0bee7c12a814682

C:\Program Files\7-Zip\Lang\restore_files_ubydy.html

MD5 65e4cbd87a1b1b7fff2d0a0abce61041
SHA1 27d9237c3a06d7e422dc8e1740a7bf03e7ef63bd
SHA256 db5ebae9a0072cf6e3a97652f2fad14e05454fafff0b157160d2a5098d471088
SHA512 bf99c3d3b6e1b034e157d0e49f20f23d731335527b4a031f0f714ed07be23c62c6168ee3444253d0a42ccafa7829101a8e2bb36a1310b5b30e6a69c6b14641ab

memory/1620-3082-0x0000000000400000-0x00000000008FA000-memory.dmp

memory/1620-7884-0x0000000000400000-0x00000000008FA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a0486d6f8406d852dd805b66ff467692
SHA1 77ba1f63142e86b21c951b808f4bc5d8ed89b571
SHA256 c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be
SHA512 065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 dc058ebc0f8181946a312f0be99ed79c
SHA1 0c6f376ed8f2d4c275336048c7c9ef9edf18bff0
SHA256 378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a
SHA512 36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

\??\pipe\LOCAL\crashpad_2628_YEWGRGPMCIMPQXGJ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Note: these are the hashes of zero-length content; the entry is Edge's crash-handler named pipe (PID 2628), not a dropped file. It and the Edge "User Data" entries in this section are side effects of the ransom note being opened in msedge.exe and should not be treated as indicators of the sample.

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8fabda9ccaab42f96b483bb93e9a2a9b
SHA1 ac6cb3b2041b49a6e35a0ce603bd1215a5f330b0
SHA256 083d907d68f97051e788f41462faa6531aef9757c4cebd4c8d839e8bc755fb01
SHA512 c1a12f0ba5cb8589f4de687a8086b15a11ee1c9ede5f550fca51fd5231117b7d62c5354aab1d2f6e9375d4404b4cc739895f8b7d61ce3813a74f385ead217d47

memory/1620-7927-0x0000000000400000-0x00000000008FA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 223e8aa2be8933cf6fdf2bb82a8059f7
SHA1 2818c1641b3a9a8cee09251b8faba39f0e14de10
SHA256 e11b0bc50e0849f09165bd505cba3601e0dc098cfec410b7f2363fc5bf7ada3f
SHA512 6c4c39cb56fd3c9b936c2f916d092904171369336212d89bef62e2b38a5c8fef7bb6d1210b49b75e4ad631f53d5106f236cfe17c4541125c59ce3b5462c4a968

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bc09b8b36b1d60ed17b942d396fbf243
SHA1 b122abe5b203e50c8be1c6a0f591c53a811421f7
SHA256 ba526a320481a45b4f052857bde23fc231e766403e10a403168047fcbced6ff8
SHA512 374c6a6c975a38eb8a0c7bffb571a5b26f4a483cf6ca810717c398ad5595e1c94e82e44ddf390c6362d831ca72bcba0eedad8ba3efa08e12a74851eb87614411

memory/1620-7962-0x0000000074A00000-0x0000000074A39000-memory.dmp

memory/1620-7961-0x0000000000400000-0x00000000008FA000-memory.dmp