Malware Analysis Report

2025-03-15 04:38

Sample ID: 241027-2lqj7a1rfw
Target: 764dde3f1fd9259e60c40b148db70637_JaffaCakes118
SHA256: 403736515e661b6b36e18644a1e4aaa8b64f3d2597cf260300c815f9326d669a
Tags: defense_evasion discovery execution impact persistence ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 403736515e661b6b36e18644a1e4aaa8b64f3d2597cf260300c815f9326d669a

Threat Level: Known bad

The file 764dde3f1fd9259e60c40b148db70637_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery execution impact persistence ransomware spyware stealer

Deletes shadow copies

Renames multiple (873) files with added filename extension

Renames multiple (374) files with added filename extension

Drops startup file

Reads user/profile data of web browsers

Loads dropped DLL

Deletes itself

Executes dropped EXE

Checks computer location settings

Indicator Removal: File Deletion

Looks up external IP address via web service

Adds Run key to start application

Drops file in Program Files directory

Browser Information Discovery

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates system info in registry

Interacts with shadow copies

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Opens file in notepad (likely ransom note)

Modifies system certificate store

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

System policy modification

Modifies registry class

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-27 22:40

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-27 22:40
Reported: 2024-10-27 22:43
Platform: win7-20241010-en
Max time kernel: 122s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (374) files with added filename extension

ransomware

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_wgjny.txt | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_wgjny.html | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_wgjny.txt | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_wgjny.html | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSCONFIG = "C:\\Users\\Admin\\AppData\\Roaming\\vcwgel.exe" | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSCONFIG = "C" | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Internet Explorer\en-US\eula.rtf | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\restore_files_wgjny.html | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\es-ES\restore_files_wgjny.txt | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\restore_files_wgjny.html | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\ado\es-ES\restore_files_wgjny.txt | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\scrapbook.png | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern.png | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\restore_files_wgjny.txt | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\restore_files_wgjny.html | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\More Games\en-US\restore_files_wgjny.txt | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ka\restore_files_wgjny.txt | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_m.png | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\restore_files_wgjny.html | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\1047x576black.png | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoCanary.png | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\restore_files_wgjny.txt | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\restore_files_wgjny.txt | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\restore_files_wgjny.html | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\restore_files_wgjny.txt | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\restore_files_wgjny.html | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\Media Renderer\restore_files_wgjny.txt | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_right.png | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrome.7z | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\ja-JP\restore_files_wgjny.txt | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\restore_files_wgjny.html | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\de-DE\restore_files_wgjny.html | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\settings.js | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\eo.txt | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\restore_files_wgjny.html | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\ja-JP\restore_files_wgjny.html | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial.png | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\settings.js | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\restore_files_wgjny.html | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\ja-JP\restore_files_wgjny.txt | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\tr\restore_files_wgjny.html | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\restore_files_wgjny.html | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\restore_files_wgjny.html | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_On.png | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\uz.txt | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIconSubpict.png | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\restore_files_wgjny.html | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sw\restore_files_wgjny.txt | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\restore_files_wgjny.html | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\restore_files_wgjny.txt | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_200_percent.pak | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fr\restore_files_wgjny.txt | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\restore_files_wgjny.html | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passportcover.png | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_SelectionSubpicture.png | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\UninstallUpdate.ods | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Windows Mail\it-IT\restore_files_wgjny.txt | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\restore_files_wgjny.html | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Star_Full.png | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\settings.css | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_cloudy.png | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\high-contrast.css | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\vssadmin.exe | N/A
N/A | N/A | C:\Windows\System32\vssadmin.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9FAFCF11-94B4-11EF-9358-7ACF20914AD0} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50b5a074c128db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436230767" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000003cac72e2d5a5adec5a04e420cb4e40fe6ce0d12a0a4c7837ac80ec4db192658a000000000e8000000002000020000000dfa1a7a4dc36a9487f322d2fefd0467dd27567f856ebf3c7a09a809ebb254bed900000008168545f80a31279d67d11b79458a47537b6667fca557078852622ef2a8852a51feef28804e77d805640e3f4bee04b5dc8410f9be145af6ccdb4e852f9f17f53b18c4480c1a84d2f232766dd6d6282054c78b07d6ac01f9886dd8f0bf94e14762525e5f63fa8066b9c28315084562ef5116a82c4d0cad68094d6c211616bf7793de0bfcd2c1e8722f05b343586b6410c40000000cadc43192ddab1572a9ebda37f12f096293ccba3f6d3fa13a71307d214081b46e38ce8e018058d00ed3978ea46c27edcff07679fed2893317003dd76faa07943 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000000fc0f08d9c2822c7fcd4972a5d6408b748ae4ce4fc252180c0d334543a93786a000000000e8000000002000020000000ccc8c6e4247a320b25a71c2f80892081409012e85ca2b373d493e7feb66ea335200000006b889d64271389414a32699374e80150e0755aa8adab8efbe376c39fdd49f68e40000000578218710fabd1c391305076bf38cfa79565fe7193710b4e95833cfa161c0115f79d463f6f5f48fffba4f8884bbe19681aa9dbbc5c240cb53d9e5b28e63006b6 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data omitted] | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
(64 identical events recorded for this process)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\vcwgel.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\vcwgel.exe
PID 2332 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\vcwgel.exe
PID 2332 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\vcwgel.exe
PID 2332 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\vcwgel.exe
PID 2332 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 856 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Roaming\vcwgel.exe C:\Windows\System32\vssadmin.exe
PID 856 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Roaming\vcwgel.exe C:\Windows\System32\vssadmin.exe
PID 856 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Roaming\vcwgel.exe C:\Windows\System32\vssadmin.exe
PID 856 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Roaming\vcwgel.exe C:\Windows\System32\vssadmin.exe
PID 856 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Roaming\vcwgel.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 856 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Roaming\vcwgel.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 856 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Roaming\vcwgel.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 856 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Roaming\vcwgel.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 856 wrote to memory of 880 N/A C:\Users\Admin\AppData\Roaming\vcwgel.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 856 wrote to memory of 880 N/A C:\Users\Admin\AppData\Roaming\vcwgel.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 856 wrote to memory of 880 N/A C:\Users\Admin\AppData\Roaming\vcwgel.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 856 wrote to memory of 880 N/A C:\Users\Admin\AppData\Roaming\vcwgel.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 880 wrote to memory of 1600 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 880 wrote to memory of 1600 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 880 wrote to memory of 1600 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 880 wrote to memory of 1600 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 856 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Roaming\vcwgel.exe C:\Windows\System32\vssadmin.exe
PID 856 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Roaming\vcwgel.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Roaming\vcwgel.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Roaming\vcwgel.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\vcwgel.exe

C:\Users\Admin\AppData\Roaming\vcwgel.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\764DDE~1.EXE >> NUL

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RESTORE_FILES.HTML

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:880 CREDAT:275457 /prefetch:2

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwgel.exe >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 ledshoppen.nl udp
US 8.8.8.8:53 teenpornotube.org udp
NL 67.22.44.2:80 teenpornotube.org tcp
US 8.8.8.8:53 www.teenpornotube.org udp
NL 67.22.44.2:80 www.teenpornotube.org tcp
US 8.8.8.8:53 ezglobalmarketing.com udp
US 8.8.8.8:53 shmetterheath.ru udp
US 8.8.8.8:53 fgainterests.com udp
US 199.116.254.169:80 fgainterests.com tcp
US 8.8.8.8:53 serenitynowbooksandgifts.com udp
US 185.230.63.107:80 serenitynowbooksandgifts.com tcp
US 185.230.63.107:443 serenitynowbooksandgifts.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.18.190.80:80 r11.o.lencr.org tcp
US 8.8.8.8:53 www.serenitynowbooksandgifts.com udp
US 34.149.87.45:443 www.serenitynowbooksandgifts.com tcp
US 8.8.8.8:53 zpr5huq4bgmutfnf.onion.to udp
US 8.8.8.8:53 zpr5huq4bgmutfnf.tor2web.org udp
AU 103.198.0.111:443 zpr5huq4bgmutfnf.tor2web.org tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2332-0-0x0000000000230000-0x0000000000233000-memory.dmp

memory/2332-5-0x00000000003C0000-0x00000000003C4000-memory.dmp

memory/2332-2-0x0000000000400000-0x000000000076F000-memory.dmp

\Users\Admin\AppData\Roaming\vcwgel.exe

MD5 764dde3f1fd9259e60c40b148db70637
SHA1 0594e04536101063361d903e7db109a6dfaef85f
SHA256 403736515e661b6b36e18644a1e4aaa8b64f3d2597cf260300c815f9326d669a
SHA512 cbc6bc71698f75ebf23b2991476dabc895b23fd16af84967a2197aacc77b243e27ac143cdcc787549019492481bef63c847d79489eb3a8d672e8c8b5d0be157a

memory/2332-11-0x0000000000400000-0x000000000076F000-memory.dmp

memory/856-14-0x0000000000400000-0x000000000076F000-memory.dmp

memory/856-17-0x00000000002F0000-0x00000000002F4000-memory.dmp

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_wgjny.txt

MD5 d32ef9d9b1b541f8d72b0af47e8f13ff
SHA1 c01748cd525a22ead396b1a619b98da3ee9368f8
SHA256 3178ae48133fc4ced39f84912bcfa719e1cde87c8c00e2e1cc528efc2435d67a
SHA512 f7aea41e1bf671cdde6077f2a657c21c8ba8311c1a5b5ba4b02aead9a2e2cc081e5eceba3daa1a5657e993d448ffc7bafc7f87be39a577b418eb984c01c22fd6

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_wgjny.html

MD5 ec8d28083308e33e7f725a85db34af22
SHA1 0b8f542c9e6282c4918eb9470768d6a491254d5b
SHA256 cbe1751f442cf202680c8bb6d9d69799fe1a8d34efc55a2de44355c2e9379cd8
SHA512 7f1f9c2f5984d97e272761ab8f432531f86bacdf71074e39e8cc89caa4d8cee9e94301e67ec7bf36ffc626a0c3557436fd142ca260528414ae319d57ba72eb11

memory/856-374-0x0000000000400000-0x000000000076F000-memory.dmp

memory/856-1161-0x0000000000400000-0x000000000076F000-memory.dmp

memory/856-2485-0x0000000000400000-0x000000000076F000-memory.dmp

memory/856-3648-0x0000000000400000-0x000000000076F000-memory.dmp

memory/1104-4207-0x0000000000220000-0x0000000000222000-memory.dmp

memory/856-4206-0x0000000003AE0000-0x0000000003AE2000-memory.dmp

C:\Users\Admin\Desktop\RESTORE_FILES.BMP

MD5 a787aaa6b67e4b5f9ee3d74af06d4d63
SHA1 3e4fe77c59ef60cc3a7abce20017bbe4cb3cff11
SHA256 a9804ac914b54558a1ffb386b5197d5040569c9713311f4bc95558cf120aecf0
SHA512 830850a677cec710df2dc32a1156d0e8491c62a5744df915f6e110b0ebea00387dc0f2afcb60479552fa2ac0bac3c9880412f3d6955f77cc789c5bcb560c6e21

memory/856-4210-0x0000000000400000-0x000000000076F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabD971.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarD972.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 22:40

Reported

2024-10-27 22:45

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (873) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_vewif.txt C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_vewif.html C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSCONFIG = "C:\\Users\\Admin\\AppData\\Roaming\\vcwsfs.exe" C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSCONFIG = "C" C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\restore_files_vewif.html C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-400_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Images\restore_files_vewif.txt C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-125_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\TimerWideTile.contrast-black_scale-200.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_vewif.html C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\restore_files_vewif.txt C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\THMBNAIL.PNG C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\restore_files_vewif.txt C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\restore_files_vewif.html C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.scale-125.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_vewif.txt C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-32_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\restore_files_vewif.txt C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\restore_files_vewif.txt C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\js\common.js C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-80.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\restore_files_vewif.txt C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\restore_files_vewif.txt C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ru-RU\restore_files_vewif.txt C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Logo.scale-125_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSplash.scale-200_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppxMetadata\restore_files_vewif.txt C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\restore_files_vewif.txt C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\assets\back-icon.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailWideTile.scale-100.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\WideTile.scale-200.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_7.m4a C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreMedTile.scale-200.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-400_contrast-white.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\restore_files_vewif.txt C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-125.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-48.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ClippingTool.targetsize-20.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailMediumTile.scale-400.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxMediumTile.scale-125.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-48.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-16.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-36_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\EmptyAlbumList.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeMediumTile.scale-400.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\restore_files_vewif.txt C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\af-ZA\View3d\restore_files_vewif.html C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionSmallTile.scale-100.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-30_altform-unplated.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteMediumTile.scale-200.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-200_contrast-black.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\LargeTile.scale-125.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-64.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\AppxMetadata\restore_files_vewif.txt C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\WideTile.scale-125.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarMediumTile.scale-200.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\restore_files_vewif.txt C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\restore_files_vewif.html C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\Windows Mail\restore_files_vewif.html C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\Windows NT\restore_files_vewif.html C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Controls\EndOfLife\Assets\farewell.jpg C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_MouseNose.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\eml.scale-256.png C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A (64 identical entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (25 identical entries)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (24 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1564 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\vcwsfs.exe (3 entries)
PID 1564 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe (3 entries)
PID 1112 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Roaming\vcwsfs.exe C:\Windows\System32\vssadmin.exe (2 entries)
PID 1112 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Roaming\vcwsfs.exe C:\Windows\SysWOW64\NOTEPAD.EXE (3 entries)
PID 1112 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Roaming\vcwsfs.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 entries)
PID 3144 wrote to memory of 1068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 entries)
PID 1112 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Roaming\vcwsfs.exe C:\Windows\System32\vssadmin.exe (2 entries)
PID 3144 wrote to memory of 4164 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (40 entries)
PID 3144 wrote to memory of 3520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 entries)
PID 3144 wrote to memory of 1088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (5 entries)

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Roaming\vcwsfs.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\vcwsfs.exe

C:\Users\Admin\AppData\Roaming\vcwsfs.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\764DDE~1.EXE >> NUL

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RESTORE_FILES.HTML

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e1ce46f8,0x7ff8e1ce4708,0x7ff8e1ce4718

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,5529471428205303647,10651165217005545336,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,5529471428205303647,10651165217005545336,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,5529471428205303647,10651165217005545336,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5529471428205303647,10651165217005545336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5529471428205303647,10651165217005545336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwsfs.exe >> NUL
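
The process list above, together with the WriteProcessMemory, "Interacts with shadow copies" and "System policy modification" tables, describes one chain: the dropper copies itself to %APPDATA%\vcwsfs.exe (the Files section shows the copy carries the sample's own MD5/SHA256), starts the copy, and removes the original with cmd /c del on its 8.3 short name; the copy then runs vssadmin delete shadows /all /Quiet, sets EnableLinkedConnections=1 (which makes drives mapped under a user's standard token visible to the elevated UAC token too, so an elevated encryptor reaches mapped network shares), and opens RESTORE_FILES.TXT/RESTORE_FILES.HTML in Notepad and Edge. The detection logic below is an added example, not part of the sandbox report: it runs the corresponding rules over constructed Sysmon-style events (Event ID 1 process creation, Event ID 13 registry set; the event shape, the parent images, the explorer/console PIDs and the benign control row are assumptions), tolerates the 8.3 short name in the self-delete command, and rolls every hit up to the root of the process tree. The shadow-copy rule also accepts the wmic shadowcopy delete spelling, which this page does not show.

```python
"""Detection logic for the behaviours this report records, run over constructed
Sysmon-style events. Added example, not sandbox output. Event shape is an
assumption modelled on Sysmon Event ID 1 (process creation) and Event ID 13
(registry value set)."""
import os
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                # "process" (Sysmon EID 1) or "registry" (EID 13)
    pid: int
    ppid: int = 0
    image: str = ""
    cmdline: str = ""
    parent_image: str = ""
    target_object: str = ""  # registry value path (EID 13 only)
    details: str = ""        # registry data as Sysmon renders it, e.g. "DWORD (0x00000001)"


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe"
COPY = r"C:\Users\Admin\AppData\Roaming\vcwsfs.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed events mirroring the report's process tree. PIDs 1564/1112/4960/4128/2868/3144
# come from the WriteProcessMemory table; PIDs 1000, 4962, 4000, 5000 and the parent images are assumed.
EVENTS = [
    Event("process", 1564, 1000, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    Event("process", 1112, 1564, COPY, COPY, SAMPLE),
    Event("process", 4960, 1564, r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\764DDE~1.EXE >> NUL', SAMPLE),
    Event("process", 4128, 1112, r"C:\Windows\System32\vssadmin.exe",
          r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet', COPY),
    Event("process", 2868, 1112, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
          r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT', COPY),
    Event("process", 3144, 1112, EDGE, rf'"{EDGE}" --single-argument C:\Users\Admin\Desktop\RESTORE_FILES.HTML', COPY),
    Event("process", 4962, 1112, r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwsfs.exe >> NUL', COPY),
    Event("registry", 1112, 1564, COPY,
          target_object=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections",
          details="DWORD (0x00000001)"),
    # Benign control: an administrator listing shadow copies from an elevated console must not fire.
    Event("process", 5000, 4000, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows",
          r"C:\Windows\System32\cmd.exe"),
]

SHADOW_DELETE = re.compile(r"\b(delete\s+shadows|shadowcopy\s+delete)\b", re.I)  # vssadmin and wmic spellings
DEL_TARGET = re.compile(r'/c\s+del\s+(?:/\S+\s+)*"?([^\s">]+)', re.I)          # target of "cmd /c del [switches] X"
NOTE_NAME = re.compile(r"restore_files|readme|decrypt|how_to", re.I)             # page shows RESTORE_FILES; rest assumed
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)        # launcher lives in a user-writable path


def _same_file(del_target: str, image: str) -> bool:
    """Does the del target name the image, allowing 8.3 short names such as 764DDE~1.EXE?"""
    t = os.path.basename(del_target.replace("\\", "/")).lower()
    p = os.path.basename(image.replace("\\", "/")).lower()
    if t == p:
        return True
    m = re.fullmatch(r"([^~]+)~\d+(\.[a-z0-9]+)?", t)
    return bool(m) and p.startswith(m.group(1)) and p.endswith(m.group(2) or "")


def detect(events):
    """Return (rule, pid) pairs, one per event that shows one of the report's behaviours."""
    hits = []
    for e in events:
        image = e.image.lower()
        if e.kind == "registry":
            if (e.target_object.lower().endswith(r"policies\system\enablelinkedconnections")
                    and "0x00000001" in e.details):
                hits.append(("linked_connections", e.pid))
            continue
        if image.endswith(("vssadmin.exe", "wmic.exe")) and SHADOW_DELETE.search(e.cmdline):
            hits.append(("shadow_copy_deletion", e.pid))
        if image.endswith("cmd.exe"):
            m = DEL_TARGET.search(e.cmdline)
            if m and _same_file(m.group(1), e.parent_image):   # child deletes the parent's own image
                hits.append(("self_deletion", e.pid))
        if (image.endswith(("notepad.exe", "msedge.exe")) and NOTE_NAME.search(e.cmdline)
                and USER_WRITABLE.search(e.parent_image)):
            hits.append(("ransom_note_display", e.pid))
    return hits


def attribute_to_root(events, hits):
    """Roll every hit up to the top-most process in the tree, so the dropper, its copy and the
    children it spawns produce one alert carrying all rules instead of six separate ones."""
    parent = {e.pid: e.ppid for e in events if e.kind == "process"}

    def root(pid):
        while parent.get(pid) in parent:
            pid = parent[pid]
        return pid

    rolled = {}
    for rule, pid in hits:
        rolled.setdefault(root(pid), set()).add(rule)
    return rolled


if __name__ == "__main__":
    for pid, rules in attribute_to_root(EVENTS, detect(EVENTS)).items():
        print(pid, sorted(rules))
```

Run stand-alone it prints one line for PID 1564 with all four rules; the benign vssadmin list shadows row produces nothing. The roll-up matters in practice because the individual events are weak on their own (vssadmin is an administrative tool, cmd /c del is everyday housekeeping); the combination under one root process is what a responder acts on.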

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 ledshoppen.nl udp
US 8.8.8.8:53 teenpornotube.org udp
NL 67.22.44.2:80 teenpornotube.org tcp
US 8.8.8.8:53 www.teenpornotube.org udp
NL 67.22.44.2:80 www.teenpornotube.org tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 2.44.22.67.in-addr.arpa udp
US 8.8.8.8:53 ezglobalmarketing.com udp
US 8.8.8.8:53 shmetterheath.ru udp
US 8.8.8.8:53 fgainterests.com udp
US 199.116.254.169:80 fgainterests.com tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 serenitynowbooksandgifts.com udp
US 185.230.63.171:80 serenitynowbooksandgifts.com tcp
US 185.230.63.171:443 serenitynowbooksandgifts.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.18.190.80:80 r11.o.lencr.org tcp
US 8.8.8.8:53 171.63.230.185.in-addr.arpa udp
US 8.8.8.8:53 61.45.26.184.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 www.serenitynowbooksandgifts.com udp
US 34.149.87.45:443 www.serenitynowbooksandgifts.com tcp
US 8.8.8.8:53 zpr5huq4bgmutfnf.onion.to udp
US 8.8.8.8:53 zpr5huq4bgmutfnf.tor2web.org udp
AU 103.198.0.111:443 zpr5huq4bgmutfnf.tor2web.org tcp
US 8.8.8.8:53 45.87.149.34.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 ledshoppen.nl udp
NL 67.22.44.2:80 www.teenpornotube.org tcp
NL 67.22.44.2:80 www.teenpornotube.org tcp
US 8.8.8.8:53 ezglobalmarketing.com udp
US 8.8.8.8:53 shmetterheath.ru udp
US 199.116.254.169:80 fgainterests.com tcp
N/A 224.0.0.251:5353 udp
US 185.230.63.171:80 serenitynowbooksandgifts.com tcp
US 8.8.8.8:53 zpr5huq4bgmutfnf.onion.to udp
AU 103.198.0.111:443 zpr5huq4bgmutfnf.tor2web.org tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
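
The Network table mixes three kinds of traffic: the sample's own lookups and connections (ipinfo.io for the "Looks up external IP address" signature, the zpr5huq4bgmutfnf hidden service reached through the onion.to and tor2web.org clearnet gateways, and a set of ordinary-looking domains of which only some were ever connected to), Edge's background traffic from rendering RESTORE_FILES.HTML (bing, the Let's Encrypt OCSP responder r11.o.lencr.org, mDNS to 224.0.0.251), and reverse-DNS rows (in-addr.arpa) that add no new destination. The triage script below is an added example, not the sandbox's tooling: it parses a subset of the rows copied from the table, separates resolved-only domains from contacted ones, recovers the .onion name from the gateway hostnames, and tags the rest. The gateway suffixes, the IP-lookup list and the browser-noise pattern are analyst assumptions to tune per case; the three-column mDNS row is kept to exercise the missing-domain edge case.

```python
"""Triage of the report's Network table. Added example, not the sandbox's own tooling.
Rows below are copied from the table above; the gateway, lookup-service and
browser-noise lists are analyst assumptions to be tuned per case."""
import re

# Subset of the Network table, in its flat 'Country Destination Domain Proto' layout.
NETWORK_TABLE = """\
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 ledshoppen.nl udp
US 8.8.8.8:53 teenpornotube.org udp
NL 67.22.44.2:80 teenpornotube.org tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.18.190.80:80 r11.o.lencr.org tcp
US 8.8.8.8:53 zpr5huq4bgmutfnf.onion.to udp
US 8.8.8.8:53 zpr5huq4bgmutfnf.tor2web.org udp
AU 103.198.0.111:443 zpr5huq4bgmutfnf.tor2web.org tcp
N/A 224.0.0.251:5353 udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
"""

TOR_GATEWAYS = (".onion.to", ".tor2web.org")   # clearnet proxies into Tor hidden services
IP_LOOKUP = {"ipinfo.io"}                        # external-IP discovery services (assumed list)
BROWSER_NOISE = re.compile(r"(^|\.)(bing\.com|bing\.net|lencr\.org)$")  # assumed Edge background traffic


def parse_rows(text):
    """Split the flat table into dicts; a row without a domain (mDNS to 224.0.0.251) has only three columns."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            parts.insert(2, "")
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def summarise(rows):
    """Per domain: was it merely resolved, which endpoints were actually contacted, and how to read it."""
    out = {}
    for r in rows:
        d = r["domain"]
        if not d or d.endswith(".in-addr.arpa"):   # reverse lookups and domain-less rows carry no C2 signal
            continue
        entry = out.setdefault(d, {"resolved": False, "connections": set(), "tags": set()})
        if r["proto"] == "udp" and r["port"] == 53:
            entry["resolved"] = True
        else:
            entry["connections"].add((r["ip"], r["port"]))
        for gw in TOR_GATEWAYS:
            if d.endswith(gw):
                entry["tags"].add("tor2web_gateway")
                entry["onion"] = d[: -len(gw)] + ".onion"   # the hidden service behind the proxy
        if d in IP_LOOKUP:
            entry["tags"].add("external_ip_lookup")
        if BROWSER_NOISE.search(d):
            entry["tags"].add("browser_noise")
        if not entry["tags"]:
            entry["tags"].add("unexplained")      # left for the analyst: candidate C2 or payload host
    return out


def onion_services(summary):
    """Hidden-service names recovered from tor2web-style gateway hostnames."""
    return sorted({v["onion"] for v in summary.values() if "onion" in v})


def dns_only(summary):
    """Domains the sample resolved but never connected to (dead host, or a lookup that led nowhere)."""
    return sorted(d for d, v in summary.items() if v["resolved"] and not v["connections"])


if __name__ == "__main__":
    s = summarise(parse_rows(NETWORK_TABLE))
    for d, v in s.items():
        print(d, sorted(v["tags"]), sorted(v["connections"]))
    print("hidden services:", onion_services(s), "dns-only:", dns_only(s))
```

Resolved-only domains (ledshoppen.nl here, and in the full table also ezglobalmarketing.com and shmetterheath.ru) still belong on the indicator list: the sample asked for them even if nothing answered. Tor2web gateways are worth their own tag because blocking the gateway hostname is easy while the .onion name is the durable indicator that survives a change of proxy.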

Files

memory/1564-0-0x0000000000ED0000-0x0000000000ED3000-memory.dmp

memory/1564-1-0x0000000000400000-0x000000000076F000-memory.dmp

memory/1564-5-0x00000000025A0000-0x00000000025A4000-memory.dmp

memory/1564-6-0x0000000073F20000-0x0000000073F59000-memory.dmp

C:\Users\Admin\AppData\Roaming\vcwsfs.exe

MD5 764dde3f1fd9259e60c40b148db70637
SHA1 0594e04536101063361d903e7db109a6dfaef85f
SHA256 403736515e661b6b36e18644a1e4aaa8b64f3d2597cf260300c815f9326d669a
SHA512 cbc6bc71698f75ebf23b2991476dabc895b23fd16af84967a2197aacc77b243e27ac143cdcc787549019492481bef63c847d79489eb3a8d672e8c8b5d0be157a

memory/1112-12-0x0000000000400000-0x000000000076F000-memory.dmp

memory/1112-15-0x0000000000920000-0x0000000000924000-memory.dmp

memory/1564-17-0x0000000073F20000-0x0000000073F59000-memory.dmp

memory/1564-16-0x0000000000400000-0x000000000076F000-memory.dmp

memory/1112-18-0x0000000073F20000-0x0000000073F59000-memory.dmp

C:\Program Files\7-Zip\Lang\restore_files_vewif.txt

MD5 ba95d3cbbc52103ca2f2c8a8ed3dfc4a
SHA1 92cc2bebee676002dbd11c9c831a4435588fc403
SHA256 3f05098bd0c1c9c9c0e71642d12fe443190a3b9ba69470c038341185efdc6127
SHA512 c9fd6b309668bdeb9aaa3ec233a2e12e16e0096e92bee8977b0f5f588bd3f6fe712933c43d65e70462c39ccc0baafd88135ed0c5cf0036045589f67aa455c50c

C:\Program Files\7-Zip\Lang\restore_files_vewif.html

MD5 29457c0abb75c95bf4c37e77fd1488d6
SHA1 e053e2b109e051193f82dad75dbbe1b86b26c080
SHA256 6fb436f2e59e9696894784a2e572a2e87cd792c38dbbe27922bbb53b833fee4a
SHA512 6f610c1402f8ce93bebf4f70304f461777b0818b940857ddd841e158fcfc035c4dbd92e490f1353ee5e7650e23a20e2c3f10820c545b17c3a8bb432e8467543a

memory/1112-1776-0x0000000000400000-0x000000000076F000-memory.dmp

memory/1112-4683-0x0000000000400000-0x000000000076F000-memory.dmp

memory/1112-7703-0x0000000000400000-0x000000000076F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 34d2c4f40f47672ecdf6f66fea242f4a
SHA1 4bcad62542aeb44cae38a907d8b5a8604115ada2
SHA256 b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33
SHA512 50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8749e21d9d0a17dac32d5aa2027f7a75
SHA1 a5d555f8b035c7938a4a864e89218c0402ab7cde
SHA256 915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304
SHA512 c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

\??\pipe\LOCAL\crashpad_3144_MPVQMRTKBSAYHNZB

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a89fe62492ddc21dd15a3bd9d0a22153
SHA1 f5d83032adefbdd24d902ba412922ab5b74490a1
SHA256 2a7466c04cb8697d270dbd3ace3bff305ba73834a5e0eabcfa87c1b4f8c639b9
SHA512 98afc9da90d9ad74d4909e569b2dd76872435d5716405c57a28bb9a9b10440be0589c035857e829cd23cf2c233c14cc8c711f92b4a1786b58db5300269065e7c

memory/1112-7747-0x0000000000400000-0x000000000076F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8117a800276e8fadbfb2f5384a9400a3
SHA1 6d12802e19e04c9baa180760dc62b11bae9cb27a
SHA256 4c17d5b032153a98d8ce115e6ece1fcbfff7a2ba58b359a1d92778813df1a983
SHA512 af230ad5604b5f802fec697ba03c215f1b9f8a94b2df89b7e2a4f9a06e21706d3209b7143820b1c7d560fd7a8da2715727d96028d6fe0df9cee9dd07d739a052

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a08c60aabafbeca068a2ed8b6087fdb4
SHA1 f5fe6f608cd41b1b6a608a2c4d584e33a7338327
SHA256 bd88b3f145b40df21a9473a086299971b7b849613021e1d176f7a7d1d9f798e3
SHA512 3aaa31be567eb3b7bcaea5fde300f17e27e1c1457b1b36b04c204d751120cf63d4560432cdae1a01eefd30b8fa320c81d1c3643ccb90596579b1c9b957d16f99

memory/1112-7763-0x0000000000400000-0x000000000076F000-memory.dmp

memory/1112-7788-0x0000000073F20000-0x0000000073F59000-memory.dmp

memory/1112-7787-0x0000000000400000-0x000000000076F000-memory.dmp