Analysis
max time kernel: 135s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-05-2024 08:56
Static task: static1
Behavioral task behavioral1: sample 5e39796740d470869174eaecd70706af_JaffaCakes118.exe, resource win7-20240508-en
Behavioral task behavioral2: sample 5e39796740d470869174eaecd70706af_JaffaCakes118.exe, resource win10v2004-20240426-en (the run reported on this page, per the platform field)
General
Target: 5e39796740d470869174eaecd70706af_JaffaCakes118.exe
Size: 504KB
MD5: 5e39796740d470869174eaecd70706af
SHA1: 76afe1f1de09e25adcbf675f68b2b0370ad37aac
SHA256: f93057ea3b4ac606408e145b212d5b257744920dde857e0f3ced57520c22a8fb
SHA512: 5b48dacb64f3373121a83aedef476854db2331533fe28f98f50b6128b7f22a0c25bf2a497daccb3662b7d6872f1a3e4156b1e3e4edf2da19d35aa63c99e3af25
SSDEEP: 6144:c867hSKXt8UaTxPMhvXoIdUbYgiE9ZrH16Ov1rN2s4JI/yUICVL8VfaDCFToWQH:y7G5xP+L6kZE9VV6O1MUgfaOzQH
Malware Config
Extracted from: C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_READ_THIS_FILE_IZL3S79_.hta
Family: cerber
Extracted from: C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_READ_THIS_FILE_0CJVGK_.txt
URLs:
http://p27dokhpz2n7nvgr.onion/8F2B-4696-186A-0446-9D54
http://p27dokhpz2n7nvgr.1a7wnt.top/8F2B-4696-186A-0446-9D54
http://p27dokhpz2n7nvgr.1czh7o.top/8F2B-4696-186A-0446-9D54
http://p27dokhpz2n7nvgr.1hpvzl.top/8F2B-4696-186A-0446-9D54
http://p27dokhpz2n7nvgr.1pglcs.top/8F2B-4696-186A-0446-9D54
http://p27dokhpz2n7nvgr.1cewld.top/8F2B-4696-186A-0446-9D54
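The six URLs above are one Tor hidden service (the leftmost label p27dokhpz2n7nvgr) reached directly over .onion and through five clearnet .top gateway domains, all carrying the same victim id in the path. The following added example, written for this page and not part of the sandbox report or of Cerber itself, turns that structure into hunt indicators and runs them over a few constructed proxy-log lines. The log format, the client addresses and the unlisted gateway zz9q1x.top are assumptions made for the demonstration; the URLs and victim id are the ones extracted above.

```python
"""Hunt indicators derived from the Cerber payment-portal URLs in the extracted note.

Added example; not part of the sandbox report or of the Cerber code. The six
URLs are copied from the report; the proxy log lines and their format are
constructed for the demonstration.
"""
import re
from urllib.parse import urlparse

NOTE_URLS = [
    "http://p27dokhpz2n7nvgr.onion/8F2B-4696-186A-0446-9D54",
    "http://p27dokhpz2n7nvgr.1a7wnt.top/8F2B-4696-186A-0446-9D54",
    "http://p27dokhpz2n7nvgr.1czh7o.top/8F2B-4696-186A-0446-9D54",
    "http://p27dokhpz2n7nvgr.1hpvzl.top/8F2B-4696-186A-0446-9D54",
    "http://p27dokhpz2n7nvgr.1pglcs.top/8F2B-4696-186A-0446-9D54",
    "http://p27dokhpz2n7nvgr.1cewld.top/8F2B-4696-186A-0446-9D54",
]

# Victim id as it appears in the note: five groups of four upper-case hex digits.
VICTIM_ID = re.compile(r"^[0-9A-F]{4}(?:-[0-9A-F]{4}){4}$")


def parse_portal(url):
    """Split a note URL into onion service label, clearnet gateway (if any) and victim id."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    labels = host.split(".")
    victim_id = p.path.strip("/")
    if not VICTIM_ID.match(victim_id):
        raise ValueError(f"unexpected path in {url}")
    return {
        "service": labels[0],
        "gateway": None if host.endswith(".onion") else ".".join(labels[1:]),
        "victim_id": victim_id,
    }


def indicators(urls):
    """Collapse the note URLs into one hunt set; refuses notes that mix services or ids."""
    parsed = [parse_portal(u) for u in urls]
    services = {x["service"] for x in parsed}
    ids = {x["victim_id"] for x in parsed}
    if len(services) != 1 or len(ids) != 1:
        raise ValueError("note mixes onion services or victim ids")
    service = services.pop()
    return {
        "service": service,
        "onion_service": f"{service}.onion",
        "victim_id": ids.pop(),
        "gateways": sorted(x["gateway"] for x in parsed if x["gateway"]),
        "hosts": sorted({urlparse(u).hostname.lower() for u in urls}),
    }


# Constructed proxy log format (assumption): timestamp client method url status.
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
PROXY_LOG = [
    "2024-05-20T08:57:01Z 10.0.0.15 GET http://p27dokhpz2n7nvgr.1hpvzl.top/8F2B-4696-186A-0446-9D54 403",
    "2024-05-20T08:57:02Z 10.0.0.15 GET http://p27dokhpz2n7nvgr.zz9q1x.top/8F2B-4696-186A-0446-9D54 403",
    "2024-05-20T08:57:05Z 10.0.0.22 GET http://www.example.org/index.html 200",
    "2024-05-20T08:58:10Z 10.0.0.31 GET http://www.example.net/8F2B-4696-186A-0446-9D54 404",
]


def hunt(lines, ind):
    """Return (reason, line) for proxy log lines that touch the portal.

    Matches the listed hosts, any new gateway placed in front of the same onion
    service (the label the victim's browser must reach is unchanged), and the
    victim id appearing as a path on any other host.
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlparse(m.group(4))
        host = (url.hostname or "").lower()
        if host in ind["hosts"]:
            hits.append(("known_host", line))
        elif host.startswith(ind["service"] + "."):
            hits.append(("same_service_new_gateway", line))
        elif url.path.strip("/") == ind["victim_id"]:
            hits.append(("victim_id_path", line))
    return hits


if __name__ == "__main__":
    ind = indicators(NOTE_URLS)
    print(ind)
    for reason, line in hunt(PROXY_LOG, ind):
        print(reason, line)
```

The service-label rule is the one worth keeping after the five .top domains rotate: the gateway domains are cheap to replace, the hidden-service name and the victim id are not.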
Signatures
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2016.
Contacts a large (1104) number of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services. For this family the more likely reading is Cerber's documented habit of sending UDP infection-statistics beacons to whole IP ranges; nothing in this report shows follow-up connections to any discovered service.
Modifies Windows Firewall (2 TTPs, 2 IoCs)
Processes: netsh.exe (PID 4504), netsh.exe (PID 4980)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence. Cerber is documented to abort on CIS-country locales, so this lookup is consistent with that check.
Process: 5e39796740d470869174eaecd70706af_JaffaCakes118.exe
Key value queried: \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation
Drops startup file (1 IoC)
Process: 5e39796740d470869174eaecd70706af_JaffaCakes118.exe
File opened for modification: \??\c:\users\admin\appdata\roaming\microsoft\word\startup\
The IoC is a directory open on Word's STARTUP folder, which matches the Office-folder enumeration recorded under the System32, Program Files and Windows directory signatures below; no file written there is recorded.
Drops file in System32 directory (38 IoCs)
Process: 5e39796740d470869174eaecd70706af_JaffaCakes118.exe; description for every row: File opened for modification. Every path is a directory under the SYSTEM account's profile (c:\windows\SysWOW64\config\systemprofile) carrying the same Office, mail client, Steam and Bitcoin folder names that recur under Program Files and the service profiles, so these rows record target-folder enumeration for encryption rather than payload drops:
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin
\??\c:\windows\SysWOW64\config\systemprofile\documents
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!
\??\c:\windows\SysWOW64\config\systemprofile\desktop
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote
\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote
\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Process: 5e39796740d470869174eaecd70706af_JaffaCakes118.exe
Set value (str): \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpDD31.bmp"
Drops file in Program Files directory (20 IoCs)
Process: 5e39796740d470869174eaecd70706af_JaffaCakes118.exe; description for every row: File opened for modification.
\??\c:\program files (x86)\bitcoin
\??\c:\program files (x86)\microsoft\powerpoint
\??\c:\program files (x86)\thunderbird
\??\c:\program files (x86)\word
\??\c:\program files (x86)\office
\??\c:\program files (x86)\powerpoint
\??\c:\program files (x86)\steam
\??\c:\program files\
\??\c:\program files (x86)\
\??\c:\program files (x86)\excel
\??\c:\program files (x86)\microsoft sql server
\??\c:\program files (x86)\microsoft\excel
\??\c:\program files (x86)\microsoft\outlook
\??\c:\program files (x86)\the bat!
\??\c:\program files (x86)\microsoft\microsoft sql server
\??\c:\program files (x86)\microsoft\office
\??\c:\program files (x86)\microsoft\onenote
\??\c:\program files (x86)\microsoft\word
\??\c:\program files (x86)\onenote
\??\c:\program files (x86)\outlook
Drops file in Windows directory (64 IoCs)
Process: 5e39796740d470869174eaecd70706af_JaffaCakes118.exe; description for every row: File opened for modification. All paths are under \??\c:\windows\serviceprofiles\ (the LocalService and NetworkService profiles):
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel
\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint
\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!
\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird
\??\c:\windows\serviceprofiles\localservice\desktop
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office
\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook
\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint
\??\c:\windows\serviceprofiles\networkservice\desktop
\??\c:\windows\serviceprofiles\localservice\appdata\local\excel
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook
\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote
\??\c:\windows\serviceprofiles\localservice\documents
\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server
\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel
\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server
\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam
\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office
\??\c:\windows\serviceprofiles\networkservice\appdata\local\office
\??\c:\windows\serviceprofiles\networkservice\appdata\local\word
\??\c:\windows\serviceprofiles\networkservice\documents
\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word
\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word
\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office
\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint
\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint
\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook
\??\c:\windows\serviceprofiles\localservice\appdata\local\steam
\??\c:\windows\serviceprofiles\localservice\appdata\local\word
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel
\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server
\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote
\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint
\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird
\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word
\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam
\??\c:\windows\serviceprofiles\networkservice\appdata\local\excel
\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote
\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook
\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!
\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (51 IoCs)
Every row has pid_target 5360 and target process 5e39796740d470869174eaecd70706af_JaffaCakes118.exe; the reporting process is WerFault.exe in each case. All 51 reports concern the same PID, which keeps running throughout (it later spawns mshta.exe, NOTEPAD.EXE and cmd.exe in the process tree), so these are repeated reported exceptions inside the sample, not a terminal crash. The repeated WerFault PIDs (5212, 1992, 4888, 2528) are PID reuse by Windows.
WerFault.exe PIDs: 3856, 2912, 4708, 944, 1272, 5732, 5204, 5212, 1992, 4888, 4520, 60, 2744, 3468, 4940, 4156, 5520, 2528, 4616, 3600, 1956, 1252, 5212, 1992, 4888, 2868, 3908, 5184, 2216, 2312, 4036, 2288, 5300, 4872, 2480, 2528, 3804, 2820, 6132, 3828, 4900, 1036, 612, 5304, 2484, 5156, 2300, 4396, 5336, 4680, 816
Kills process with taskkill (1 IoC)
Process: taskkill.exe (PID 1380)
Modifies registry class (1 IoC)
Process: 5e39796740d470869174eaecd70706af_JaffaCakes118.exe
Key created: \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings
Opens file in notepad (likely ransom note) (1 IoC)
Process: NOTEPAD.EXE (PID 4528)
Runs ping.exe (1 TTP, 1 IoC)
Process: PING.EXE (PID 1780, spawned by cmd.exe PID 6012; see the WriteProcessMemory rows below)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Token: SeShutdownPrivilege, PID 5360, 5e39796740d470869174eaecd70706af_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege, PID 5360, 5e39796740d470869174eaecd70706af_JaffaCakes118.exe
Token: 33 (privilege LUID 33 is SeIncreaseWorkingSetPrivilege), PID 2584, AUDIODG.EXE
Token: SeIncBasePriorityPrivilege, PID 2584, AUDIODG.EXE
Token: SeDebugPrivilege, PID 1380, taskkill.exe
The two AUDIODG.EXE rows are ordinary audio-service behaviour unrelated to the sample; the SeShutdownPrivilege and SeCreatePagefilePrivilege adjustments belong to the sample itself and the SeDebugPrivilege one to the taskkill.exe it launched through cmd.exe.
Suspicious use of WriteProcessMemory (21 IoCs)
Writes by PID 5360 (5e39796740d470869174eaecd70706af_JaffaCakes118.exe), three rows each: 4504 netsh.exe, 4980 netsh.exe, 2696 mshta.exe, 4528 NOTEPAD.EXE, 6012 cmd.exe
Writes by PID 6012 (cmd.exe), three rows each: 1380 taskkill.exe, 1780 PING.EXE
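Each host-side signature above (firewall change via netsh, the Geo\Nation lookup, the wallpaper set to a .bmp under Temp, the ransom note opened in mshta/notepad, and the cmd.exe to taskkill plus ping chain) fires on benign activity now and then; several of them on one parent PID do not. The following added example, written for this page and not taken from the sandbox or from Cerber, encodes each signature as a rule over process and registry events and only returns a verdict when at least three fire for the same PID. The Event fields and rule names are this example's own, and the command lines the report does not show (cmd.exe, taskkill, ping) are constructed stubs; the PIDs, paths and registry values are the ones recorded above.

```python
"""Behavioural correlation of the host signatures shown in this report.

Added example; not part of the sandbox report or of the Cerber code. Event
records mirror the report's process and registry rows; the field and rule
names are this example's own, and command lines the report omits are stubs.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                 # "process" or "registry"
    pid: int
    image: str                # image path of the acting process
    parent_pid: int = 0       # process events: creator PID
    parent_image: str = ""    # process events: creator image path
    cmdline: str = ""         # process events: command line
    key: str = ""             # registry events: key path
    data: str = ""            # registry events: value written


RANSOM_NOTE = re.compile(r"_READ_THIS_FILE_[A-Z0-9]+_\.(?:hta|txt)\b", re.I)
NETSH_FW = re.compile(r"\badvfirewall\s+(?:reset|set\s+allprofiles\s+state\s+\w+)", re.I)
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
WALLPAPER_KEY = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)
TEMP_BMP = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.bmp$", re.I)


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def in_user_profile(image):
    return "\\users\\" in image.lower()


def firewall_tampering(events):
    """netsh advfirewall reset or profile-state change launched by a user-profile binary."""
    return [e for e in events if e.kind == "process" and basename(e.image) == "netsh.exe"
            and NETSH_FW.search(e.cmdline) and in_user_profile(e.parent_image)]


def geofence_lookup(events):
    """Geo\\Nation read by a binary running from a user profile."""
    return [e for e in events if e.kind == "registry" and GEO_KEY.search(e.key)
            and in_user_profile(e.image)]


def wallpaper_from_temp(events):
    """Wallpaper value pointed at a .bmp under the user's Temp directory."""
    return [e for e in events if e.kind == "registry" and WALLPAPER_KEY.search(e.key)
            and TEMP_BMP.search(e.data)]


def ransom_note_display(events):
    """mshta.exe or notepad.exe opened on a _READ_THIS_FILE_<id>_ note."""
    return [e for e in events if e.kind == "process"
            and basename(e.image) in ("mshta.exe", "notepad.exe") and RANSOM_NOTE.search(e.cmdline)]


def kill_and_ping_chain(events):
    """cmd.exe whose children include both taskkill.exe and ping.exe (6012 -> 1380, 1780 above)."""
    children = defaultdict(set)
    for e in events:
        if e.kind == "process":
            children[e.parent_pid].add(basename(e.image))
    return [e for e in events if e.kind == "process" and basename(e.image) == "cmd.exe"
            and {"taskkill.exe", "ping.exe"} <= children[e.pid]]


RULES = {
    "firewall_tampering": firewall_tampering,
    "geofence_lookup": geofence_lookup,
    "wallpaper_from_temp": wallpaper_from_temp,
    "ransom_note_display": ransom_note_display,
    "kill_and_ping_chain": kill_and_ping_chain,
}


def suspect(e):
    """PID a hit is attributed to: the creator for process events, the actor otherwise."""
    return e.parent_pid if e.kind == "process" else e.pid


def triage(events):
    """Map each suspect PID to the sorted names of the rules that fired for it."""
    fired = defaultdict(set)
    for name, rule in RULES.items():
        for e in rule(events):
            fired[suspect(e)].add(name)
    return {pid: sorted(names) for pid, names in fired.items()}


def verdict(events, threshold=3):
    """PIDs with at least `threshold` distinct behaviours; a single rule alone is noise."""
    return {pid: names for pid, names in triage(events).items() if len(names) >= threshold}


# Constructed events mirroring the rows in this report (PIDs and paths as recorded there).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5e39796740d470869174eaecd70706af_JaffaCakes118.exe"
HKCU = r"\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
EVENTS = [
    Event("registry", 5360, SAMPLE, key=HKCU + r"\Control Panel\International\Geo\Nation"),
    Event("registry", 5360, SAMPLE, key=HKCU + r"\Control Panel\Desktop\Wallpaper",
          data=r"C:\Users\Admin\AppData\Local\Temp\tmpDD31.bmp"),
    Event("process", 4504, r"C:\Windows\SysWOW64\netsh.exe", 5360, SAMPLE,
          r"C:\Windows\system32\netsh.exe advfirewall set allprofiles state on"),
    Event("process", 4980, r"C:\Windows\SysWOW64\netsh.exe", 5360, SAMPLE,
          r"C:\Windows\system32\netsh.exe advfirewall reset"),
    Event("process", 2696, r"C:\Windows\SysWOW64\mshta.exe", 5360, SAMPLE,
          r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THIS_FILE_PLDZ_.hta"'),
    Event("process", 4528, r"C:\Windows\SysWOW64\NOTEPAD.EXE", 5360, SAMPLE,
          r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THIS_FILE_N2NTY_.txt'),
    Event("process", 6012, CMD, 5360, SAMPLE, "cmd.exe <command line not in report>"),
    Event("process", 1380, r"C:\Windows\SysWOW64\taskkill.exe", 6012, CMD, "taskkill <stub>"),
    Event("process", 1780, r"C:\Windows\SysWOW64\PING.EXE", 6012, CMD, "ping <stub>"),
    # Benign control: an administrator's console under C:\Windows runs the same netsh command.
    Event("process", 7001, r"C:\Windows\System32\netsh.exe", 7000, r"C:\Windows\System32\cmd.exe",
          "netsh advfirewall reset"),
]

if __name__ == "__main__":
    for pid, names in verdict(EVENTS).items():
        print(pid, names)
```

The parent-image filter is what separates the sample's two netsh runs from the administrator's identical command: the rule keys on where the launching binary lives, not on the command text alone.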
Processes
Each entry gives the image path, the recorded command line and the signatures attributed to that process; depth 1 is the submitted sample, depth 2 its direct children (all created by PID 5360).

C:\Users\Admin\AppData\Local\Temp\5e39796740d470869174eaecd70706af_JaffaCakes118.exe (depth 1, PID 5360)
  command line: "C:\Users\Admin\AppData\Local\Temp\5e39796740d470869174eaecd70706af_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops startup file
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1152
  - Program crash

C:\Windows\SysWOW64\netsh.exe (depth 2)
  command line: C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  - Modifies Windows Firewall

C:\Windows\SysWOW64\netsh.exe (depth 2)
  command line: C:\Windows\system32\netsh.exe advfirewall reset
  - Modifies Windows Firewall

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1308
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1164
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1164
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1400
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1496
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1512
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1496
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1508
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1468
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1508
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1456
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1448
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1512
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1596
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1608
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1616
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1512
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1592
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1588
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1584
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1600
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1612
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1608
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1628
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1616
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1596
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1604
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1508
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1636
  - Program crash

C:\Windows\SysWOW64\mshta.exe (depth 2)
  command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THIS_FILE_PLDZ_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  The trailing GUID pair is the template of the htafile shell open command, so the note was opened through the shell association for .hta rather than by the sample invoking mshta.exe with its own arguments.

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1628
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1508
  - Program crash

C:\Windows\SysWOW64\NOTEPAD.EXE (depth 2)
  command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THIS_FILE_N2NTY_.txt
  - Opens file in notepad (likely ransom note)

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1748
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1752
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1772
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1964
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 2352
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 2396
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 2380
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 2476
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 2496
  - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 2)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 2596
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 25722⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 26122⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 25882⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 27562⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 25722⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 26042⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 16402⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 25682⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 24802⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "5e39796740d470869174eaecd70706af_JaffaCakes118.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5360 -ip 53601⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x504 0x4c01⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5360 -ip 53601⤵
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_READ_THIS_FILE_0CJVGK_.txt
  Filesize: 1KB
  MD5: 716e39532bbd1279b3f9b58851962066
  SHA1: 64802c8838b5c80ca08f09f35d20aa164acca2db
  SHA256: d868ee6751ac3692e68419009140f5d6fbf27815ed7c644292aa4a7eb49b4618
  SHA512: 924818637dcb99bcaef0562b88ce1a4de8801e56e92793fda4254dfe96685ff5eb757e2ef982e9d6964da9d74d99887d24a0cf49450355b97cd3e5f412b5c8d5

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_READ_THIS_FILE_IZL3S79_.hta
  Filesize: 74KB
  MD5: 89550b4a92367cff95e98082fb7bf6c0
  SHA1: 0cb79b19fb49e7e4a398f276b2106fb85906a282
  SHA256: 89ba56389d8f80a420d406a276b399c00f993c5c75a651ffd5c24f720df0c4ed
  SHA512: 51c7800ce647f3a9b23f99b8ee0257617f1edc4777b3e80639fd0f59070cf44b0167515f0ef45ab882a766b1ef12085bf26b45fea4a4d31aee521e7b29128c54

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_READ_THIS_FILE_MY7OF6NF_.jpeg
  Filesize: 150KB
  MD5: b1049458c06885846867eb1c95cee169
  SHA1: a2e5d8e5c437b6a8c27550481b77ed5ca6722a0c
  SHA256: 9701d9c3fc68a53d4f211f63a83e30d6e46926e2ed2a92dcb5c698475e9c0d41
  SHA512: 3798675e86dd435a2ae79d4071fa4ec72f1c26697ac7c6e5cec5d041e11bc946a5e06a5c9be03387a386cc9ec849c0171a17a98ceb87f8de97e76d1922967b35

memory/5360-0-0x00000000025D0000-0x000000000264B000-memory.dmp
  Filesize: 492KB

memory/5360-1-0x00000000022B0000-0x00000000022B1000-memory.dmp
  Filesize: 4KB

memory/5360-2-0x00000000025D0000-0x000000000264B000-memory.dmp
  Filesize: 492KB

memory/5360-3-0x0000000000400000-0x0000000000484000-memory.dmp
  Filesize: 528KB

memory/5360-5-0x00000000022B0000-0x00000000022B1000-memory.dmp
  Filesize: 4KB

memory/5360-6-0x0000000000400000-0x0000000000484000-memory.dmp
  Filesize: 528KB

memory/5360-9-0x0000000000400000-0x0000000000484000-memory.dmp
  Filesize: 528KB

memory/5360-406-0x0000000000400000-0x0000000000484000-memory.dmp
  Filesize: 528KB