Malware Analysis Report

2025-03-15 04:37

Sample ID 241027-2h95es1rcw
Target 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118
SHA256 091a2ac2c8e821715490400c991ed7af94a6cb48462c24f4fce5142f93b906a1
Tags
defense_evasion discovery evasion execution impact ransomware spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion execution impact ransomware spyware stealer

Modifies boot configuration data using bcdedit

Deletes shadow copies

Renames multiple (881) files with added filename extension

Renames multiple (417) files with added filename extension

Deletes itself

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Drops startup file

Looks up external IP address via web service

Indicator Removal: File Deletion

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Browser Information Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Interacts with shadow copies

System policy modification

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 22:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 22:36

Reported

2024-10-27 22:39

Platform

win7-20241010-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (417) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+kau.html C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+kau.txt C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+kau.html C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+kau.txt C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A

Reads user/profile data of web browsers

spyware stealer

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre7\lib\deploy\how_recover+kau.html C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\how_recover+kau.html C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\how_recover+kau.html C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\how_recover+kau.txt C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Filters\how_recover+kau.txt C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\pagecurl.png C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\et.pak C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\how_recover+kau.txt C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full_partly-cloudy.png C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VC\how_recover+kau.txt C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\how_recover+kau.html C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\how_recover+kau.txt C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\22.png C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\how_recover+kau.txt C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\how_recover+kau.txt C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\how_recover+kau.html C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\how_recover+kau.html C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\af.pak C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\how_recover+kau.html C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\how_recover+kau.html C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\tt\how_recover+kau.html C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\how_recover+kau.txt C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\he.txt C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\how_recover+kau.html C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\how_recover+kau.html C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\how_recover+kau.txt C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_bottom.png C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Google\Chrome\how_recover+kau.html C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\how_recover+kau.html C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\how_recover+kau.txt C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\how_recover+kau.txt C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\TextConv\how_recover+kau.html C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_up.png C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\13.png C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\how_recover+kau.txt C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\si\how_recover+kau.html C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\how_recover+kau.txt C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\how_recover+kau.html C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\library.js C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\weather.css C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\yo.txt C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\7-Zip\how_recover+kau.html C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\how_recover+kau.txt C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\how_recover+kau.txt C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\weather.css C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\ja-JP\how_recover+kau.html C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_SelectionSubpicture.png C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ur.pak C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\it-IT\how_recover+kau.txt C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ko\how_recover+kau.html C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\40.png C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b96000000000200000000001066000000010000200000005596ed1d8024a78cb7b6e58da6ac16a3a4c484c3f43cb1c30b9f2cbacf6786fa000000000e80000000020000200000000f81c47bba6bd87828d5f0d2e6e17a67aa301a014271c033517017cbe88d019d900000007a5abf716e8553a147c8ce1b04a7f0151a8760f5382ac8c0b1581bdbc41e51e985e1a65ef1140be47e419b0f2e026e7fff1b82be7f5980fd288c4b28a69a82ae7e564dcaa6c92eedaf49cef2e243d359a9faae36eea9ddcc998ba098f4482e42ebf46ba38c65c8ebcfe8330870c20919d4e674cbf76f18fe3cceefa7478dd43fe178e6d65297ef9cc7dae5526a1d8dc440000000c1ce7bf62d2654d94c55c95608927bbd04cd8e8a870f8b2e61e2d0047304b76898e0d1e9b769e06db32c3198ae28f185e587c0d2685425b8d812a2ecdefb3f65 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FD1A5951-94B3-11EF-8CE5-7A300BFEC721} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3018acd1c028db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436230492" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b9600000000020000000000106600000001000020000000a718e7a4b022c36ca54d19794e52c58bd556f7658e3d34cb148f1c0315ecd8ae000000000e80000000020000200000009994bef2a85bc5a52e6f306f465efd22845fdccbdee0d377d4d0874735030ade200000003919e8998adc7b89a8261ac9224ca7d408c92d9663ee1db20716b9247238d83840000000a393815092ee773877759dd8882e72db89e1906457bbe6b6910eb97fcb4dfd98fa5126a985c50153e4f36c0d91a1fddd1f7a2d06a4a519e2656a693ad046f607 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2956 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe
PID 2956 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe
PID 2956 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe
PID 2956 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe
PID 2956 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe
PID 2956 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe
PID 2956 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe
PID 2956 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe
PID 2956 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe
PID 2956 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe
PID 2800 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\iquwh-a.exe
PID 2800 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe C:\Users\Admin\AppData\Roaming\iquwh-a.exe
PID 1928 wrote to memory of 528 N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe C:\Windows\system32\bcdedit.exe
PID 1928 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe C:\Windows\system32\bcdedit.exe
PID 1928 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe C:\Windows\system32\bcdedit.exe
PID 1928 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe C:\Windows\system32\bcdedit.exe
PID 1928 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe C:\Windows\system32\bcdedit.exe
PID 1928 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe C:\Windows\System32\vssadmin.exe
PID 1928 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1928 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Roaming\iquwh-a.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2028 wrote to memory of 1616 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Roaming\iquwh-a.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\iquwh-a.exe

C:\Users\Admin\AppData\Roaming\iquwh-a.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\764A3A~1.EXE

C:\Users\Admin\AppData\Roaming\iquwh-a.exe

C:\Users\Admin\AppData\Roaming\iquwh-a.exe

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {current} bootems off

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {current} advancedoptions off

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {current} optionsedit off

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {current} recoveryenabled off

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\iquwh-a.exe

Network

Files

\Users\Admin\AppData\Roaming\iquwh-a.exe

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+kau.txt

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+kau.html

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

C:\Users\Admin\Desktop\Howto_RESTORE_FILES.bmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\CabE1CA.tmp

C:\Users\Admin\AppData\Local\Temp\TarE1C9.tmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 22:36

Reported

2024-10-27 22:40

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A

Renames multiple (881) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+ydr.txt C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+ydr.html C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+ydr.txt C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+ydr.html C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A

Reads user/profile data of web browsers

spyware stealer

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeBadge.scale-125.png C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\how_recover+ydr.txt C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ko-KR\how_recover+ydr.html C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\how_recover+ydr.txt C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-400_contrast-black.png C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-150_contrast-black.png C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\he-IL\how_recover+ydr.html C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\how_recover+ydr.html C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleAppStoreLogo.scale-125.png C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-64_altform-unplated.png C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\xbox_live_logo_black.png C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-30.png C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-30_altform-lightunplated.png C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppUpdate.svg C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\how_recover+ydr.html C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-125.png C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCacheMini.scale-150.png C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\how_recover+ydr.txt C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\how_recover+ydr.html C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\how_recover+ydr.html C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-80.png C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\how_recover+ydr.txt C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SmallTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-150_contrast-black.png C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\how_recover+ydr.txt C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-32_altform-unplated.png C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteReplayCrossHairIcon-2.png C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\how_recover+ydr.html C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\how_recover+ydr.txt C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1248 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe
PID 4392 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\vqlwm-a.exe
PID 4392 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Roaming\vqlwm-a.exe C:\Users\Admin\AppData\Roaming\vqlwm-a.exe
PID 1896 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Roaming\vqlwm-a.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 1896 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Roaming\vqlwm-a.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 1896 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\vqlwm-a.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 1896 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Roaming\vqlwm-a.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 1896 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Roaming\vqlwm-a.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 1896 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Roaming\vqlwm-a.exe C:\Windows\System32\vssadmin.exe
PID 1896 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Roaming\vqlwm-a.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1896 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Roaming\vqlwm-a.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4032 wrote to memory of 2852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 284 N/A C:\Users\Admin\AppData\Roaming\vqlwm-a.exe C:\Windows\System32\vssadmin.exe
PID 4032 wrote to memory of 4292 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Roaming\vqlwm-a.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\vqlwm-a.exe

C:\Users\Admin\AppData\Roaming\vqlwm-a.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\764A3A~1.EXE

C:\Users\Admin\AppData\Roaming\vqlwm-a.exe

C:\Users\Admin\AppData\Roaming\vqlwm-a.exe

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {current} bootems off

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {current} advancedoptions off

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {current} optionsedit off

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {current} recoveryenabled off

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd84da46f8,0x7ffd84da4708,0x7ffd84da4718

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\vqlwm-a.exe

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          77.190.18.2.in-addr.arpa      udp
US       8.8.8.8:53          241.150.49.20.in-addr.arpa    udp
US       8.8.8.8:53          g.bing.com                    udp
US       150.171.27.10:443   g.bing.com                    tcp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53          0.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53          26.35.223.20.in-addr.arpa     udp
US       8.8.8.8:53          myexternalip.com              udp
US       34.160.111.145:80   myexternalip.com              tcp
US       8.8.8.8:53          station-1022.net              udp
US       172.67.181.137:80   station-1022.net              tcp
US       172.67.181.137:443  station-1022.net              tcp
US       8.8.8.8:53          c.pki.goog                    udp
US       8.8.8.8:53          145.111.160.34.in-addr.arpa   udp
US       8.8.8.8:53          137.181.67.172.in-addr.arpa   udp
GB       142.250.180.3:80    c.pki.goog                    tcp
US       8.8.8.8:53          3.180.250.142.in-addr.arpa    udp
US       8.8.8.8:53          eventur.ro                    udp
US       8.8.8.8:53          cybersecurityafrica.net       udp
US       8.8.8.8:53          service-ict.nl                udp
NL       46.249.42.110:80    service-ict.nl                tcp
US       8.8.8.8:53          228.249.119.40.in-addr.arpa   udp
US       8.8.8.8:53          110.42.249.46.in-addr.arpa    udp
NL       46.249.42.110:443   service-ict.nl                tcp
NL       46.249.42.110:443   service-ict.nl                tcp
NL       46.249.42.110:443   service-ict.nl                tcp
US       8.8.8.8:53          museumsmeile.org              udp
US       8.8.8.8:53          197.87.175.4.in-addr.arpa     udp
US       8.8.8.8:53          198.187.3.20.in-addr.arpa     udp
US       172.67.181.137:443  station-1022.net              tcp
US       8.8.8.8:53          eventur.ro                    udp
US       8.8.8.8:53          cybersecurityafrica.net       udp
NL       46.249.42.110:80    service-ict.nl                tcp
NL       46.249.42.110:443   service-ict.nl                tcp
NL       46.249.42.110:443   service-ict.nl                tcp
NL       46.249.42.110:443   service-ict.nl                tcp
US       8.8.8.8:53          museumsmeile.org              udp
N/A      224.0.0.251:5353                                  udp
US       8.8.8.8:53          23.236.111.52.in-addr.arpa    udp
US       8.8.8.8:53          tse1.mm.bing.net              udp
US       150.171.27.10:443   tse1.mm.bing.net              tcp
US       150.171.27.10:443   tse1.mm.bing.net              tcp
US       150.171.27.10:443   tse1.mm.bing.net              tcp
US       150.171.27.10:443   tse1.mm.bing.net              tcp
US       150.171.27.10:443   tse1.mm.bing.net              tcp
US       8.8.8.8:53          90.16.208.104.in-addr.arpa    udp

Files

memory/1248-0-0x0000000002310000-0x0000000002313000-memory.dmp

memory/4392-2-0x0000000000400000-0x0000000000486000-memory.dmp

memory/4392-1-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1248-3-0x0000000002310000-0x0000000002313000-memory.dmp

memory/4392-5-0x0000000000400000-0x0000000000486000-memory.dmp

memory/4392-4-0x0000000000400000-0x0000000000486000-memory.dmp

C:\Users\Admin\AppData\Roaming\vqlwm-a.exe

MD5 764a3a6827e4d04ebbb801e8f5b95f8b
SHA1 6bdba1a36f825e2b6cbe2c71bfa2e31ad148ddcb
SHA256 091a2ac2c8e821715490400c991ed7af94a6cb48462c24f4fce5142f93b906a1
SHA512 2a05444918da6ac9e400c1b7c5f58e60187035b4533be28b4b516f8002edfcd9b1eaa9207b820e26f6cd08c51a7ca8610dd4aa785d3b9ffd2dedd04a8aa197f2

memory/3780-10-0x0000000000400000-0x00000000005C0000-memory.dmp

memory/4392-11-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1896-15-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1896-16-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1896-17-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1896-18-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1896-20-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1896-21-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1896-23-0x0000000000400000-0x0000000000486000-memory.dmp

C:\Program Files\7-Zip\Lang\how_recover+ydr.html

MD5 e934986609c30d84b918f37e5925c09a
SHA1 e2c0686a863654ca010077db5bfed22a1bb7dd6b
SHA256 c00caa3fdf946ff2b9a462f8a1d85e0b2ffaf08b9dbb35fbb24decccd1b885ca
SHA512 c0200d1c88013168c3bda2bc8cb231302f8ea4bde4fca2380fedca56d72156971b883ef3fc5076e136ed10078bcd7ac02a30bc5667b0caf77524f2b400a9cd75

C:\Program Files\7-Zip\Lang\how_recover+ydr.txt

MD5 d0cfeb6d19154ee1eef1daf8bb6fbae3
SHA1 936b633553b5964d23f1905f73c13aa0d387d3db
SHA256 9cb5bf9a51266d33d068dd97e9d06b68ce1eb32502f75835851ff141d64350a5
SHA512 8b87c80eeb3b676e36880ffa6dd851c0cb0a0326d303da573efc51cb55ee5bf5002284cb307962778374a82ab1115ec45ac165f61e84bb153c725930d1a2e75d

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 58b77e10cefff64c2e08ff74a1972b30
SHA1 cfeb2f4d98f4b99caecf83a1e9e4711ba84b97a4
SHA256 0aea1491c7638da7694ba7b19514b6c7998b77847009cb4cffd246e6ad6dca95
SHA512 6fbd84347a90550c59225d1b2f29aa94974128596e147ba397bfeaa06d91583df49157e1fc1a081debd15c9ca7f16352472179dc9e675a7324f37be24ac58480

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

MD5 88e0c500f512d0d7e65890f2891b65e6
SHA1 21d1541b7966d41f0b5a70388a078b49169fbe25
SHA256 08f0b4107437be884b9f9a832a610f0f34ff0e518104d72abc3760fa3c7c0f9a
SHA512 facea6da5f86459f0491a33599fea633270dffb936c80a7117f41567663ae2641fe98606746cfb4fd8cf0d07af370cbe87e8c5068276ae3a60dd03e894c8d0ea

C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

MD5 03669f320795483d8f30933e764e6703
SHA1 769552fc813bd5fc1b89cab14d53c60fd15e236f
SHA256 dfb31012fb3ad46ec55cec1a4771534db0b5c37fec54dd7b64170d672a316768
SHA512 3d7b6da74056929d230eaf10c17be9043a7b4377a53bc1121daa6445961e8010e4635b7b80cea09bf568d97b8b369a0a5a427d638851beb1383b00a2fc5ae5a6

memory/1896-940-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1896-960-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1896-1050-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1896-4576-0x0000000000400000-0x0000000000486000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{f51d3545-795a-4d12-b38a-054029322811}\0.1.filtertrie.intermediate.txt

MD5 03d49acccff15a594047682135359e25
SHA1 5d1665c3293c60ce4c1dcbef5e46784e3df4c4d1
SHA256 be4c647022e56511052dfbb15a086f864a5aa7a525e229c58456357c6550e533
SHA512 03b48871eec8467b61e3b12db3fadd33167ca6068bc6a6ef46597c52a000bb958534067dbacbb0ed17f138b451cd39843226adc2c6986bc3b535990e1c0f03f6

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{f51d3545-795a-4d12-b38a-054029322811}\0.2.filtertrie.intermediate.txt

MD5 62697800f1937f996ff42cd8e847b629
SHA1 69f7be8d3822009924b420413aafc55288be589a
SHA256 099caff0fbc1d47f6c47d67b0a32276ff57b7fa9d66c92786768d26f4d393cb5
SHA512 b77770e6da1cd11d0e6ee4180e698983a1e86668e02108ffd82c666664345226f70b6bb70abb418a4a0113f6b41a57903df2c1236f59a5e519182aae52a6df0d

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662360645001.txt

MD5 5ca3861453b5273f15488ede3be82409
SHA1 4e94e11082e1414150fea560f18151e15fcb96a3
SHA256 97819e17bcbf823923abefa0667f96f4487f4a6f284a1770256d9814fb3f01d2
SHA512 54258af21c8a7b30a1433fb31907abef9716f836befa1e8aac83b6304b31758763f24e213419af1a04ab0825802ca1dbdbe2c51bc208ff9b62bec3a6f7c9294b

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663623337830.txt

MD5 c955122d5cd2abba7748e219d6364163
SHA1 ba9f155f9ae2e5bb2b591709f15e48cda5d9f802
SHA256 179449e7243e6e42087887a7a9b9399cf0a8c04e5a92bb958d36dc1af8224905
SHA512 c766a4168643b1d35ba78c0c112142fa09123972e7021e81612c855d0e1e4777919bbc6055b5e05d8a0313356340689f95fdd9a549b9b6dfb7bf8892cda20728

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727671211214398.txt

MD5 aa3f9c5ca79c1fc57aed819e3c60f657
SHA1 96076a04d840c1904aa319211dcf74ec3005cfff
SHA256 33cba2b71f439b9ddca3ccc5a68f2b7298ba57d2fcd94fc3c5e27a95609b0811
SHA512 f5008b4985657598b5046baa17f966d522ac00d47b09b909faaac811d83128519f9e5f25c709de388f718e0a69c134f6246645266080418b96d8cc6d0bc3d75b

memory/1896-7789-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1896-7790-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1896-7799-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1896-7800-0x0000000000400000-0x0000000000486000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 34d2c4f40f47672ecdf6f66fea242f4a
SHA1 4bcad62542aeb44cae38a907d8b5a8604115ada2
SHA256 b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33
SHA512 50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8749e21d9d0a17dac32d5aa2027f7a75
SHA1 a5d555f8b035c7938a4a864e89218c0402ab7cde
SHA256 915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304
SHA512 c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

\??\pipe\LOCAL\crashpad_4032_TLEKJJDMZQZMKADL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4a2ae1d3a20337aa41aab2e1f44b2f92
SHA1 35306963eb3be97abafb175518e25af22a83ab44
SHA256 6263c5f226317c4aabb8b0c0214b94bb6c75ed5b509f32cbd873e28f6ae0e957
SHA512 a0336b0c63e678a3089eb36ddc88d5685f15870f17516770c1c56c3139191ac80647af1fa010b771de037b7460df63547711fc989125bbf63249721878a9084f

memory/1896-7842-0x0000000000400000-0x0000000000486000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d7ed0d08ea84f2729a66e06869868636
SHA1 9e4e8a25a2c27dbcc6e6cc7097ca5dba47171226
SHA256 1e014fa399544bcffc9ef0abd8f8441c812a7d1ec1a632a82b9653961955fca1
SHA512 2c7a3a0953dff7e71b968c500d6de233cd1afe8e64b1a020b13b4081e6347a353e033b92ae221350cbce52253cef33c03e308a1663f40a9627063c254a1397dd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1aa60db21ba6dbe54d236c37ad8fd474
SHA1 59c5f36158d550460dd136b414fd7e19ae8da900
SHA256 2dd66d26137aac03b8b1db05ae6692cc28e331d254b672cad6b5df26f9da0689
SHA512 3105ea0b7bed5801e7500149033e429bb97a9bbb2fb4ae4daf65bda2ea079011aec0217752dbb404656537fb8967e9e78556c10d9a490944797b7e102be08a98