cerber | 3a2bb3e07800debe1877d52353ed905524625dd4fd40bb375ddce9e9cc7d2a7f

Analysis

max time kernel
132s
max time network
137s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
27-08-2024 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5b93ade217bd9a818c90976e3acc87b_JaffaCakes118.exe
Size

286KB
MD5

c5b93ade217bd9a818c90976e3acc87b
SHA1

f1dd3f84c3b8f0782367ce8a38dc1da0aab64854
SHA256

3a2bb3e07800debe1877d52353ed905524625dd4fd40bb375ddce9e9cc7d2a7f
SHA512

4e3213abaab8b1495f78b55a90882c12c70da2cd686683800bfd211e472a4a7126d2366624cc85177638e9670ce8ea1e9cb13d493ed8b9bdf6dc04e0dc90713c
SSDEEP

3072:lhdf2HTrKylxOq/UlIbEEphx7+CWM/Ns7a9x4s:LUzuylsHlVEnJ+8ZZ

Score

10^/10

cerber defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.xmfhr6.win/AE41-AC06-3AF3-0063-7414 | | 2. http://cerberhhyed5frqa.cmfhty.win/AE41-AC06-3AF3-0063-7414 | | 3. http://cerberhhyed5frqa.dk59jg.win/AE41-AC06-3AF3-0063-7414 | | 4. http://cerberhhyed5frqa.xmfu59.win/AE41-AC06-3AF3-0063-7414 | | 5. http://cerberhhyed5frqa.er48rt.win/AE41-AC06-3AF3-0063-7414 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.xmfhr6.win/AE41-AC06-3AF3-0063-7414); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.xmfhr6.win/AE41-AC06-3AF3-0063-7414 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.xmfhr6.win/AE41-AC06-3AF3-0063-7414); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/AE41-AC06-3AF3-0063-7414 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.xmfhr6.win/AE41-AC06-3AF3-0063-7414

http://cerberhhyed5frqa.cmfhty.win/AE41-AC06-3AF3-0063-7414

http://cerberhhyed5frqa.dk59jg.win/AE41-AC06-3AF3-0063-7414

http://cerberhhyed5frqa.xmfu59.win/AE41-AC06-3AF3-0063-7414

http://cerberhhyed5frqa.er48rt.win/AE41-AC06-3AF3-0063-7414

http://cerberhhyed5frqa.onion/AE41-AC06-3AF3-0063-7414

Extracted

Path

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.xmfhr6.win/AE41-AC06-3AF3-0063-7414" target="_blank">http://cerberhhyed5frqa.xmfhr6.win/AE41-AC06-3AF3-0063-7414</a></li> <li><a href="http://cerberhhyed5frqa.cmfhty.win/AE41-AC06-3AF3-0063-7414" target="_blank">http://cerberhhyed5frqa.cmfhty.win/AE41-AC06-3AF3-0063-7414</a></li> <li><a href="http://cerberhhyed5frqa.dk59jg.win/AE41-AC06-3AF3-0063-7414" target="_blank">http://cerberhhyed5frqa.dk59jg.win/AE41-AC06-3AF3-0063-7414</a></li> <li><a href="http://cerberhhyed5frqa.xmfu59.win/AE41-AC06-3AF3-0063-7414" target="_blank">http://cerberhhyed5frqa.xmfu59.win/AE41-AC06-3AF3-0063-7414</a></li> <li><a href="http://cerberhhyed5frqa.er48rt.win/AE41-AC06-3AF3-0063-7414" target="_blank">http://cerberhhyed5frqa.er48rt.win/AE41-AC06-3AF3-0063-7414</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.xmfhr6.win/AE41-AC06-3AF3-0063-7414" target="_blank">http://cerberhhyed5frqa.xmfhr6.win/AE41-AC06-3AF3-0063-7414</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.xmfhr6.win/AE41-AC06-3AF3-0063-7414" target="_blank">http://cerberhhyed5frqa.xmfhr6.win/AE41-AC06-3AF3-0063-7414</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.xmfhr6.win/AE41-AC06-3AF3-0063-7414" target="_blank">http://cerberhhyed5frqa.xmfhr6.win/AE41-AC06-3AF3-0063-7414</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/AE41-AC06-3AF3-0063-7414 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (16390) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
776	bcdedit.exe
1632	bcdedit.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7950FA1F-A216-74FE-80F8-918F1AE2C65E}\\xwizard.exe\""	c5b93ade217bd9a818c90976e3acc87b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7950FA1F-A216-74FE-80F8-918F1AE2C65E}\\xwizard.exe\""	xwizard.exe

Deletes itself 1 IoCs

pid	Process
2820	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\xwizard.lnk	xwizard.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\xwizard.lnk	c5b93ade217bd9a818c90976e3acc87b_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2368	xwizard.exe

Loads dropped DLL 2 IoCs

pid	Process
2512	c5b93ade217bd9a818c90976e3acc87b_JaffaCakes118.exe
2368	xwizard.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\xwizard = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7950FA1F-A216-74FE-80F8-918F1AE2C65E}\\xwizard.exe\""	c5b93ade217bd9a818c90976e3acc87b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xwizard = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7950FA1F-A216-74FE-80F8-918F1AE2C65E}\\xwizard.exe\""	c5b93ade217bd9a818c90976e3acc87b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\xwizard = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7950FA1F-A216-74FE-80F8-918F1AE2C65E}\\xwizard.exe\""	xwizard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xwizard = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7950FA1F-A216-74FE-80F8-918F1AE2C65E}\\xwizard.exe\""	xwizard.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xwizard.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp61CF.bmp"	xwizard.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c5b93ade217bd9a818c90976e3acc87b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xwizard.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2820	cmd.exe
2856	PING.EXE
1708	cmd.exe
2404	PING.EXE

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2860	vssadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2832	taskkill.exe
1588	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop	c5b93ade217bd9a818c90976e3acc87b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7950FA1F-A216-74FE-80F8-918F1AE2C65E}\\xwizard.exe\""	c5b93ade217bd9a818c90976e3acc87b_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop	xwizard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7950FA1F-A216-74FE-80F8-918F1AE2C65E}\\xwizard.exe\""	xwizard.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8E19FCE1-64B6-11EF-902B-EAA2AC88CDB5} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8E06F1E1-64B6-11EF-902B-EAA2AC88CDB5} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430953944"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d055f050c3f8da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb90000000002000000000010660000000100002000000005594833f8e1e31a2daad2078ea9db27a701b3c327324ac307e990db35e24f84000000000e8000000002000020000000d4f10f8831f26207ba5676e5920345f8264ca1be1b9b8177d2f9a19666624317200000006ab197c476d978e76d58d590d1ca797550ab0aae02b93752050ec38bfafb94214000000089f62c69d490cbb8e351ccba526b49ded1fe38300004f409a2433d95c72182d7094e703c87c8a36832d223d98970ebd84f3a6682cf03cc8e2d1a0dbbc8eea054	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb900000000020000000000106600000001000020000000b7a524fadc40e27f0de41072ee4fa1c1e414428ba0ac0662df5cce4197beb453000000000e80000000020000200000006538b47a00c985adc542fea04b09e66e6b88338f6863c46a6ef6987b29552cfb90000000661c8b6b486531813f0c10a068d15d68a60b03ca60b995c9b16ba9dbc87adbe29fde8c65b6b960068838fd50e794ec9057ef3d827bff99e42d4100b01b3ddb6a174bc47caa8d92a1f126129b8f6175fbe60dcf7bb81cfa0247b1fd99e4fbf859b400b89b95a75fc8e2e8f5a759542af96cd32aaef2c4ab962dc2f1c2049ae51b2d78edcf121eeafdcfd645f4fa2c8cb74000000054deec71f557227acd4f74dab203e9b6840605f4d1e2acb3549e0c4d653bd27d374fae4c0f9c6003dce7f51efbab8e9419677f146747bce7f835210069ef5318	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2404	PING.EXE
2856	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2368	xwizard.exe
2368	xwizard.exe
2368	xwizard.exe
2368	xwizard.exe
2368	xwizard.exe
2368	xwizard.exe
2368	xwizard.exe
2368	xwizard.exe
2368	xwizard.exe
2368	xwizard.exe
2368	xwizard.exe
2368	xwizard.exe
2368	xwizard.exe
2368	xwizard.exe
2368	xwizard.exe
2368	xwizard.exe
2368	xwizard.exe
2368	xwizard.exe
2368	xwizard.exe
2368	xwizard.exe
2368	xwizard.exe
2368	xwizard.exe
2368	xwizard.exe
2368	xwizard.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	c5b93ade217bd9a818c90976e3acc87b_JaffaCakes118.exe
Token: SeDebugPrivilege	2368	xwizard.exe
Token: SeBackupPrivilege	2624	vssvc.exe
Token: SeRestorePrivilege	2624	vssvc.exe
Token: SeAuditPrivilege	2624	vssvc.exe
Token: SeDebugPrivilege	2832	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2684	wmic.exe
Token: SeSecurityPrivilege	2684	wmic.exe
Token: SeTakeOwnershipPrivilege	2684	wmic.exe
Token: SeLoadDriverPrivilege	2684	wmic.exe
Token: SeSystemProfilePrivilege	2684	wmic.exe
Token: SeSystemtimePrivilege	2684	wmic.exe
Token: SeProfSingleProcessPrivilege	2684	wmic.exe
Token: SeIncBasePriorityPrivilege	2684	wmic.exe
Token: SeCreatePagefilePrivilege	2684	wmic.exe
Token: SeBackupPrivilege	2684	wmic.exe
Token: SeRestorePrivilege	2684	wmic.exe
Token: SeShutdownPrivilege	2684	wmic.exe
Token: SeDebugPrivilege	2684	wmic.exe
Token: SeSystemEnvironmentPrivilege	2684	wmic.exe
Token: SeRemoteShutdownPrivilege	2684	wmic.exe
Token: SeUndockPrivilege	2684	wmic.exe
Token: SeManageVolumePrivilege	2684	wmic.exe
Token: 33	2684	wmic.exe
Token: 34	2684	wmic.exe
Token: 35	2684	wmic.exe
Token: SeIncreaseQuotaPrivilege	2684	wmic.exe
Token: SeSecurityPrivilege	2684	wmic.exe
Token: SeTakeOwnershipPrivilege	2684	wmic.exe
Token: SeLoadDriverPrivilege	2684	wmic.exe
Token: SeSystemProfilePrivilege	2684	wmic.exe
Token: SeSystemtimePrivilege	2684	wmic.exe
Token: SeProfSingleProcessPrivilege	2684	wmic.exe
Token: SeIncBasePriorityPrivilege	2684	wmic.exe
Token: SeCreatePagefilePrivilege	2684	wmic.exe
Token: SeBackupPrivilege	2684	wmic.exe
Token: SeRestorePrivilege	2684	wmic.exe
Token: SeShutdownPrivilege	2684	wmic.exe
Token: SeDebugPrivilege	2684	wmic.exe
Token: SeSystemEnvironmentPrivilege	2684	wmic.exe
Token: SeRemoteShutdownPrivilege	2684	wmic.exe
Token: SeUndockPrivilege	2684	wmic.exe
Token: SeManageVolumePrivilege	2684	wmic.exe
Token: 33	2684	wmic.exe
Token: 34	2684	wmic.exe
Token: 35	2684	wmic.exe
Token: 33	2068	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2068	AUDIODG.EXE
Token: 33	2068	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2068	AUDIODG.EXE
Token: SeDebugPrivilege	1588	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2820	iexplore.exe
2820	iexplore.exe
212	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2820	iexplore.exe
2820	iexplore.exe
2820	iexplore.exe
2820	iexplore.exe
1228	IEXPLORE.EXE
1228	IEXPLORE.EXE
212	iexplore.exe
212	iexplore.exe
2132	IEXPLORE.EXE
2132	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
2132	IEXPLORE.EXE
2132	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2512	c5b93ade217bd9a818c90976e3acc87b_JaffaCakes118.exe
2368	xwizard.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2368	2512	c5b93ade217bd9a818c90976e3acc87b_JaffaCakes118.exe	29
PID 2512 wrote to memory of 2368	2512	c5b93ade217bd9a818c90976e3acc87b_JaffaCakes118.exe	29
PID 2512 wrote to memory of 2368	2512	c5b93ade217bd9a818c90976e3acc87b_JaffaCakes118.exe	29
PID 2512 wrote to memory of 2368	2512	c5b93ade217bd9a818c90976e3acc87b_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2860	2368	xwizard.exe	31
PID 2368 wrote to memory of 2860	2368	xwizard.exe	31
PID 2368 wrote to memory of 2860	2368	xwizard.exe	31
PID 2368 wrote to memory of 2860	2368	xwizard.exe	31
PID 2512 wrote to memory of 2820	2512	c5b93ade217bd9a818c90976e3acc87b_JaffaCakes118.exe	30
PID 2512 wrote to memory of 2820	2512	c5b93ade217bd9a818c90976e3acc87b_JaffaCakes118.exe	30
PID 2512 wrote to memory of 2820	2512	c5b93ade217bd9a818c90976e3acc87b_JaffaCakes118.exe	30
PID 2512 wrote to memory of 2820	2512	c5b93ade217bd9a818c90976e3acc87b_JaffaCakes118.exe	30
PID 2820 wrote to memory of 2832	2820	cmd.exe	34
PID 2820 wrote to memory of 2832	2820	cmd.exe	34
PID 2820 wrote to memory of 2832	2820	cmd.exe	34
PID 2820 wrote to memory of 2832	2820	cmd.exe	34
PID 2820 wrote to memory of 2856	2820	cmd.exe	38
PID 2820 wrote to memory of 2856	2820	cmd.exe	38
PID 2820 wrote to memory of 2856	2820	cmd.exe	38
PID 2820 wrote to memory of 2856	2820	cmd.exe	38
PID 2368 wrote to memory of 2684	2368	xwizard.exe	39
PID 2368 wrote to memory of 2684	2368	xwizard.exe	39
PID 2368 wrote to memory of 2684	2368	xwizard.exe	39
PID 2368 wrote to memory of 2684	2368	xwizard.exe	39
PID 2368 wrote to memory of 776	2368	xwizard.exe	41
PID 2368 wrote to memory of 776	2368	xwizard.exe	41
PID 2368 wrote to memory of 776	2368	xwizard.exe	41
PID 2368 wrote to memory of 776	2368	xwizard.exe	41
PID 2368 wrote to memory of 1632	2368	xwizard.exe	43
PID 2368 wrote to memory of 1632	2368	xwizard.exe	43
PID 2368 wrote to memory of 1632	2368	xwizard.exe	43
PID 2368 wrote to memory of 1632	2368	xwizard.exe	43
PID 2368 wrote to memory of 2820	2368	xwizard.exe	46
PID 2368 wrote to memory of 2820	2368	xwizard.exe	46
PID 2368 wrote to memory of 2820	2368	xwizard.exe	46
PID 2368 wrote to memory of 2820	2368	xwizard.exe	46
PID 2368 wrote to memory of 3064	2368	xwizard.exe	47
PID 2368 wrote to memory of 3064	2368	xwizard.exe	47
PID 2368 wrote to memory of 3064	2368	xwizard.exe	47
PID 2368 wrote to memory of 3064	2368	xwizard.exe	47
PID 2820 wrote to memory of 1228	2820	iexplore.exe	48
PID 2820 wrote to memory of 1228	2820	iexplore.exe	48
PID 2820 wrote to memory of 1228	2820	iexplore.exe	48
PID 2820 wrote to memory of 1228	2820	iexplore.exe	48
PID 2820 wrote to memory of 2132	2820	iexplore.exe	50
PID 2820 wrote to memory of 2132	2820	iexplore.exe	50
PID 2820 wrote to memory of 2132	2820	iexplore.exe	50
PID 2820 wrote to memory of 2132	2820	iexplore.exe	50
PID 212 wrote to memory of 3048	212	iexplore.exe	51
PID 212 wrote to memory of 3048	212	iexplore.exe	51
PID 212 wrote to memory of 3048	212	iexplore.exe	51
PID 212 wrote to memory of 3048	212	iexplore.exe	51
PID 2368 wrote to memory of 2532	2368	xwizard.exe	52
PID 2368 wrote to memory of 2532	2368	xwizard.exe	52
PID 2368 wrote to memory of 2532	2368	xwizard.exe	52
PID 2368 wrote to memory of 2532	2368	xwizard.exe	52
PID 2368 wrote to memory of 1708	2368	xwizard.exe	56
PID 2368 wrote to memory of 1708	2368	xwizard.exe	56
PID 2368 wrote to memory of 1708	2368	xwizard.exe	56
PID 2368 wrote to memory of 1708	2368	xwizard.exe	56
PID 1708 wrote to memory of 1588	1708	cmd.exe	58
PID 1708 wrote to memory of 1588	1708	cmd.exe	58
PID 1708 wrote to memory of 1588	1708	cmd.exe	58
PID 1708 wrote to memory of 2404	1708	cmd.exe	59

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c5b93ade217bd9a818c90976e3acc87b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c5b93ade217bd9a818c90976e3acc87b_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Roaming\{7950FA1F-A216-74FE-80F8-918F1AE2C65E}\xwizard.exe
  "C:\Users\Admin\AppData\Roaming\{7950FA1F-A216-74FE-80F8-918F1AE2C65E}\xwizard.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\system32\vssadmin.exe
    "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2860
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\System32\bcdedit.exe
    "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:776
- - C:\Windows\System32\bcdedit.exe
    "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1632
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1228
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:406530 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2132
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:3064
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:2532
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "xwizard.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{7950FA1F-A216-74FE-80F8-918F1AE2C65E}\xwizard.exe" > NUL
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "xwizard.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1588
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2404
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "c5b93ade217bd9a818c90976e3acc87b_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\c5b93ade217bd9a818c90976e3acc87b_JaffaCakes118.exe" > NUL
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "c5b93ade217bd9a818c90976e3acc87b_JaffaCakes118.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2856

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:212
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:212 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3048

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:988

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
4078f60651b3a32c8f829caea62c2903

SHA1
9a47b68f646f90061b15e075091bb36fcc37ff65

SHA256
1d404d616f1421c484913b147aad3f57be7ba439a7d35acf5f827cb771fad957

SHA512
8435253f96aaa546e7c5e0fea9909d9d69b6b679791131b86866f0ddb6cf218bc1e50cb9c1d39f264c13ed5a8fa39b4f93725731d8f8b96ba217d3db2941b1ef

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
296bbb14778f597f8785cf07c9934d39

SHA1
fca702418006f622e9908f27fd84c01f65c9b6e5

SHA256
1cfc723288c793fbaa9071bf4cb31f7fdf8e6aa52b03f2bf7d1f5858487f6dbf

SHA512
32c396854065199874952c931b81972f0d80333ddba46dc4d2a37982263a796cb9e69dc7ed56f41ec5210a224f9bc3d913fad0fa42a7ca9aa3d06bd140d8c5c4

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url

Filesize
85B

MD5
ade4ba8977217d03e5044a837380b284

SHA1
202de9a302a3b6036be3a925cfa1ee8549f04aed

SHA256
e32e4d075fc7f88317ca10b55f91a6d675686d0aebe8e3b578e55557fa20beae

SHA512
c0de0c39e1998f0f209cae3e7a596e08d633ceb4d022f1e54c2ccc88df1498a0aefe9569f8a862db076995d1b30dad9fe3034069b03741ec6746b451e3450adf

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs

Filesize
219B

MD5
35a3e3b45dcfc1e6c4fd4a160873a0d1

SHA1
a0bcc855f2b75d82cbaae3a8710f816956e94b37

SHA256
8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934

SHA512
6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d578ddbf70af2ad5c81a53a2f204c80b

SHA1
bc89c51e2223b811513296473b71bc716e9c3059

SHA256
72c305af655bea9346d693a486f4a87376a5461df3c76caa5d6e38ff2d0e79a7

SHA512
91bb213568b83ebf60c84dc75408929935028a5be8040f85032efd5b84462a9a98d0527bc96a43507715210cbf0949be05cb020277cc1a20804c2b30849fdbd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a964e950d50c64d45b641e06e0e40de

SHA1
1f41a9cf692c65d7fc6c9c96eb56e4823e208dfd

SHA256
08929ae013fc30de7f38828f3a0d6d377c2f5209286362865591fa197624ebd0

SHA512
6ad0547d34e6828ae48f89b305447adf1a490ae7f546d4d14772b1f3329182ab1001a1c7675a21677d98eb37c803ffd7e1ea55460b924833af66963219baf6a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab8c8ae6862f603279e2535bcc05c6fd

SHA1
bbba2803be88662bd4277f6288f70d40b36f37fa

SHA256
05467027966e53f2804bc99fa0807033eeb588c241c5250d87b5083dd70c6ae3

SHA512
88326b8fc735fd0f4c170e1deb3e37a1baefc1732418ec3b8cce77c62fc44f888b86a9303fe102e97f029e26bb83c7822fadfee350b801813780db4608d593a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c938d246720902bd1d01b5c26fa2076

SHA1
af6e98a037e1d298a5dbe6da1eb71cca03c862ae

SHA256
c02e4a186cdee3daf3020a55d88a43d2d0968935c0cb4f02a64526a4e3f86bb5

SHA512
b9e414a2128a3630c606215a993c9d6ddf73e24f0682702ae379812a8eaae1cf7c55139209c39967e157e7463857c9b8baea7800964f4ea78b712b268b693599

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec7ce781805d66978b9dafeb1452aa27

SHA1
440416362ade49e6667dd01423190de623e0ac89

SHA256
58008e55f9b49f7a943475c5df6155ecbc2df4792e255bb2d3716600c597244b

SHA512
f26958d1fa868b66a9e22cffc0c7c5350682caa2c87b2c1e9d995b4d6883519a1b43ab0ca600d82d85982451729f4e6ecbc97b0e2e30586c6ec45a48873f9f76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9c4aad7fbd8829d692a0ea656fd9e7e

SHA1
619c012b93250f4f0761662473442df20072593a

SHA256
5b839f37b0c9a630563d708845cd5af3f971088746358821e7946a75d78a4b34

SHA512
4c8be66ad84817ca5f106561c022307518f03f762771af4b6afed303a98f5ed19eb4140adfa8fe00d71ffe27ed070618cf8da829e0f1471932f5ba0786ca6aa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24bf3ac94b8de885cfd80de617730725

SHA1
4269cfd6e716207eba3459037df3e90abd291483

SHA256
a149adae1187cafd9e3de361e1dfe9e29b16e7ebd2e113114343853a94a3602d

SHA512
e5cf77d894ce0777fed77f7b2d4ae3ecbd550f3ff956843233e896cb45831b0e2f0c50c225f5ea17fc191e20256cdca0ada1090e336255f988ff5748fb495d38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6acd831be2a0e57febef70eea049044

SHA1
0c4049adf383a1b95c462414c365aee482638583

SHA256
a8df371cf98252bb0fe1502302765c58775ab5e3a2a9eb5b954192e690c5b702

SHA512
2a56b1d144a661527a0d6b259bf40db5fde92888031502b77b8206daac3e044927fdae28aa63126b1bc3b177e411b4995454a10fb35bad963bc8831bc0505814

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d9b59dd9260cbd60f6a302efae5d5ec

SHA1
0fdcfb40050938148d0d76a0bd4e30057b58229e

SHA256
b41c708a0deeb145a5e2b8084f02adafc258f82b64adf184f5115d75b2b3bebb

SHA512
5c4ad2e25f2aa1493de4d154e5c22cbf11eb417bdd18e23ea139fdcf71f1a81c47a7fb54101631462d7b1e9bb98086dd633cd025af309fbac02f0bd4fbfb178d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54c9b1f5735a265f232df6d2a44d1d02

SHA1
1fd4c7e6f6e14ea7c21546fee26bd8d656b7a3bc

SHA256
11c7b4a299ef09c2ab1aa9943d4670871da2a2b3125fe23d1ebe06c118f4ccc1

SHA512
86daa1d6a3235dbf6dd5f8ddc8f616ecac047ab926ad8f052a3d3ea296c27437a532907e7ccc8832727f3b62e380071da73bd0b42e360b751e335e93af491c5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c98b85a36a38216060bbe564d2071f6

SHA1
453e367f071ac6d669fea1033818af673fa13f23

SHA256
e3e285e969f60d2c206a195fd8c8d0e50607c6fdece2c1c715025fac91910c05

SHA512
2a934326e3045fdd5f512abadcf20bc88bcfefdabeec45e02a49cdf93e5eea61f7b44fa3ddf9ed498debfc71ca679065b19bffd2ca1feed4443a34a950487f57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d0f439709bac5c1ec87c5e87b99bed4

SHA1
aabbf8e24450a4446b1b674331ef6a700578998f

SHA256
d8a9fbbcf830d1a8a75fcefcc5d67168882d748dc046fff9fffcd2614dbeb450

SHA512
36e297f4827c48d53c48a00c939ae3ccd659011d0b9d05045accea9548bb12785205d25503667928ea6386919cb66b0fd94216b86ad085207ae3aee9d90115ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96fe3d9994981ab7c6ca96504f337368

SHA1
2fc9e40f400030e5140849bb30e2aeaa1be6cbfc

SHA256
87311367064a95dba22f928ddd43f2bdb1c6376cf6fae8df7886e08b01bbee36

SHA512
7c2792b0dce55fa29b91c7d2c6869d0027b9358871fe7d2a938cb92984ea0da9f536bdb79ab317bac20124acbd91228912c2edd41aa6e702e653ae8fc0d78ba2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a05fd13d55bc80ff11366246127c94c

SHA1
0a3977e53c331a268e8b950e22ec32c1edef6d54

SHA256
1f09d3eea2eecaa3cb8e0a31efb3557b59ebaae0f4bb025ebe6d1f127bcd8b12

SHA512
b865618c0b3a714855bf636b1b3429a3d33a72d7b089c54530e95953c7b1e11515b4009064c81b5b330f66d4742da840390ba5bbc9465dbc72d2b53a71a3757d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66798dcb3ea7cb1471d7185e963343b5

SHA1
77dee7356dad9c59c92329cde55b3ea9a0e50032

SHA256
a6075d7b23fc9542454860ed827dfe2668279dc3312f282ee546af3986e0ec86

SHA512
58b45a0acbef78184ec770a07e90ba878cac9911086045fec956f417b935925eb700782ff074d3a436507f6dc3fcd7ba7bca172c622ec06d11eda20e77e2a864

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7ac474d37ad2fd454ee11379d38e485

SHA1
eec5be91bcf0f20f45f44f3ce63f96769dcd32c6

SHA256
5ca25cd5c3ef422a183de314bb6c0222195eb9f748407264e9def08268202a70

SHA512
21c37babaf3b4e870819f83941a7e393ff4d6011c60f0ca966b2dea6ae4b651222b134bb981524340f10b9cb671985581cba3d0d56f34823ea4b8b2d08893be0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
724cd0351d556923c76f417c4cbe42ae

SHA1
d4c5a7b66a7d57a4ac5203afdda26460eec7ae92

SHA256
cd720700186d7889795f0a50ca02cfbba67405ec49e147e47ebe2f0d6aa2227b

SHA512
3281a3f2952e74c7806218cc431c50078b32acafb33a63c89b5f41bfcf3fedcde11b2254d6a148084a1a890cfb3744383c237744bfd87660ed961e2246dbb68a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8E06F1E1-64B6-11EF-902B-EAA2AC88CDB5}.dat

Filesize
6KB

MD5
f66ac1c2a411bc10daecf17cc580f56e

SHA1
ae2207de157d255464e73c1ceaf36ef6ab9c8064

SHA256
21def7211d554472c3a3ade8e7a27e0399d3e731902eb165de9f3cf1e71177a3

SHA512
58190a9d67ca0b465c87c7f8bb7d638cea6c7a727398504264863517152f28ae159c46f4ee742da1e005273684917c181c9e319490d317985ea8732707706168

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab78BB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar791C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\xwizard.lnk

Filesize
1KB

MD5
d1835b2abb14870c1415bf800f64c6a9

SHA1
30f497ed5133d2f8d48439fb80531537e9dd292b

SHA256
216075dfafe12d7114f16a3eb4e513f173da18750ddaae4c212d97069943f2a4

SHA512
57c6ca5bdd2a11133fd3c3c1268ceaae8028d57effaeb240a5c888bd690e2a9a983d2a0484ab0ba126a8306058c6a3a2d3ca5418bff689b1783ad491835e1345

Download Submit
\Users\Admin\AppData\Roaming\{7950FA1F-A216-74FE-80F8-918F1AE2C65E}\xwizard.exe

Filesize
286KB

MD5
c5b93ade217bd9a818c90976e3acc87b

SHA1
f1dd3f84c3b8f0782367ce8a38dc1da0aab64854

SHA256
3a2bb3e07800debe1877d52353ed905524625dd4fd40bb375ddce9e9cc7d2a7f

SHA512
4e3213abaab8b1495f78b55a90882c12c70da2cd686683800bfd211e472a4a7126d2366624cc85177638e9670ce8ea1e9cb13d493ed8b9bdf6dc04e0dc90713c

Download Submit
memory/2368-966-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2368-489-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2368-496-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2368-524-0x0000000004460000-0x0000000004462000-memory.dmp

Filesize
8KB

Download
memory/2368-499-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2368-491-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2368-506-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2368-503-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2368-484-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2368-22-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2368-510-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2368-495-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2368-515-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2368-516-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2368-508-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2368-504-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2368-486-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2368-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2368-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2368-513-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2368-13-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2512-17-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2512-1-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2512-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2512-0-0x00000000001C0000-0x00000000001DE000-memory.dmp

Filesize
120KB

Download