cerber | e11c6b8b5b102a0b3bdb0756496594c0ba37f08d27320a7bde4d7f70fbd63256

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
Size

504KB
MD5

ddf213af2398313fbbab060f48968499
SHA1

6cf48ff4999b6697076fac8aba03a3c2e5b6e7dd
SHA256

e11c6b8b5b102a0b3bdb0756496594c0ba37f08d27320a7bde4d7f70fbd63256
SHA512

efb5032c1ef5aecc40610537733ef4dde2abc84501907dc7cb7a72c04d248a759ec1b85efebae00c81067382969f5f34d54ebba10cf9ba9ad6f13578842a9aa8
SSDEEP

6144:c867hSKXt8UaTxPMhvXoIdUbYgiE9ZrH16Ov1rN2s4JI/yUICVL8VfaDCFToWQs:y7G5xP+L6kZE9VV6O1MUgfaOzQs

Score

10^/10

cerber discovery evasion persistence privilege_escalation ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_READ_THIS_FILE_CVG9FH_.hta

Family

cerber

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>CERBER RANSOMWARE: Instructions</title> <HTA:APPLICATION APPLICATIONNAME="Instructions" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } ul { list-style-type: none; margin: 0; padding: 0; } .button { color: #04a; cursor: pointer; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .h { display: none; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #efe; border: 2pt solid #bda; display: inline-block; padding: 1.5%; text-align: center; } .updating { color: red; display: none; padding-left: 35px; background: url('data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=') left no-repeat; } #change_language { float: right; } #change_language, #texts div { display: none; } </style> </head> <body> <div class="container"> <div class="header"> <a id="change_language" href="#" onclick="return changeLanguage1();" title="English">☑ English</a> <h1>CERBER RANSOMWARE</h1> Instructions </div> <div id="languages"> ☑ Select your language <ul> <li><a href="#" title="English" onclick="return showBlock('en');">English</a></li> <li><a href="#" title="Arabic" onclick="return showBlock('ar');">العربية</a></li> <li><a href="#" title="Chinese" onclick="return showBlock('zh');">中文</a></li> <li><a href="#" title="Dutch" onclick="return showBlock('nl');">Nederlands</a></li> <li><a href="#" title="French" onclick="return showBlock('fr');">Français</a></li> <li><a href="#" title="German" onclick="return showBlock('de');">Deutsch</a></li> <li><a href="#" title="Italian" onclick="return showBlock('it');">Italiano</a></li> <li><a href="#" title="Japanese" onclick="return showBlock('ja');">日本語</a></li> <li><a href="#" title="Korean" onclick="return showBlock('ko');">한국어</a></li> <li><a href="#" title="Polish" onclick="return showBlock('pl');">Polski</a></li> <li><a href="#" title="Portuguese" onclick="return showBlock('pt');">Português</a></li> <li><a href="#" title="Spanish" onclick="return showBlock('es');">Español</a></li> <li><a href="#" title="Turkish" onclick="return showBlock('tr');">Türkçe</a></li> </ul> </div> <div id="texts"> <div id="en"> Can't yox9OVPUBqu find the necessary files? Is the cMqYDdpgontent of your files not readable? It is normal bexf6fScO1Kccause the files' names and the data in your files have been encrypOkANbnaooFted by "CeBrber Ransomware". It menld2ans your files are NOT damagem6Nnkd! Your files are modified only. This modification is reversible. FyZqDrom now it is not poss18ible to use your files until they will be decrypted. The only way to decIjENM1Zrypt your files safely is to buy the special decryption software "CL3erber Decryptor". Any attempts to restcN8ZCNFfJAore your files with the thirTnyd-party software will be fatal for your files! <hr> You can procxJeed with purchasing of the decryption softwbSMcQAuWjsare at your personal page: PleG72gQase wait...<a class="url" href="http://p27dokhpz2n7nvgr.1a7wnt.top/86D3-1901-8032-0091-B676" target="_blank">http://p27dokhpz2n7nvgr.1a7wnt.top/86D3-1901-8032-0091-B676</a><hr><a href="http://p27dokhpz2n7nvgr.1czh7o.top/86D3-1901-8032-0091-B676" target="_blank">http://p27dokhpz2n7nvgr.1czh7o.top/86D3-1901-8032-0091-B676</a><hr><a href="http://p27dokhpz2n7nvgr.1hpvzl.top/86D3-1901-8032-0091-B676" target="_blank">http://p27dokhpz2n7nvgr.1hpvzl.top/86D3-1901-8032-0091-B676</a><hr><a href="http://p27dokhpz2n7nvgr.1pglcs.top/86D3-1901-8032-0091-B676" target="_blank">http://p27dokhpz2n7nvgr.1pglcs.top/86D3-1901-8032-0091-B676</a><hr><a href="http://p27dokhpz2n7nvgr.1cewld.top/86D3-1901-8032-0091-B676" target="_blank">http://p27dokhpz2n7nvgr.1cewld.top/86D3-1901-8032-0091-B676</a> If t7sBypqhis page cannot be opened  cliRYock here  to get a new addr8pyoess of your personal page. If the addreCqIEsg1ss of your personal page is the same as befovTj8re after you tried to get a new one, you c2HrRqplqan try to get a new address in one hour. At th3qis page you will receive the complete instrxuctions how to buy the decryptiysePCWzSCLon software for restoring all your files. Also at this page you will be able to resRSL0tore any one file for free to be sure "CerbeiEr Decryptor" will help you. <hr> If your perfeZZP4cEsonal page is not availacmjMpY1Hble for a long period there is another way to open your personal page - instaxJllation and use of Tor Browser: <ol> <li>run your InteU3vrnet browser (if you do not know what it is run the Internet Explorer);</li> <li>entHIxUI2Qer or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loadumk8ing;</li> <li>on the site you will be offered to do3YZnqqwnload Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>ruCqPfn Tor Browser;</li> <li>connect with the buttpTMvv6T0Lwon "Connect" (if you use the English version);</li> <li>a normal Internet broEwser window will be opened after the initialization;</li> <li>type or copy the add7wress http://p27dokhpz2n7nvgr.onion/86D3-1901-8032-0091-B676 in this browser address bar;</li> <li>preb4ss ENTER;</li> <li>the site shopfraUjhyuld be loaded; if for some reason the site is not lohRPwKmading wait for a moment and try again.</li> </ol> If you have any prv7bkGoblems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searcsXSeQ5uh bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use. <hr> AdditKLQko3bBional information: You will fi6And the instrun5Fctions ("*_READ_THIS_FILE_*.hta") for rec4bqstoring your files in any fvyzamiolder with your encGZLrypted files. The instrG4q4tuctions "*_READ_THIS_FILE_*.hta" in the fp1Dpy2JgoldertJahs with your encryoPjRVDiQSpted files are not virDiGqr35uses! The instrucR1gtGBtions "*_READ_THIS_FILE_*.hta" will he347ulp you to decn7YNi1V8Jorypt your files. RemembeLUfHdeVIeDr! The worst six2NsYIHtuation already happMombF6JfdDened and now the future of your files decbpends on your determrDCB18d3ination and speed of your actions. </div> <div id="ar" style="direction: rtl;"> لا يمكنك العثور على الملفات الضرورية؟ هل محتوى الملفات غير قابل للقراءة؟ هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware". وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا. ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها. الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor". إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك! <hr> يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية: أرجو الإنتظار...<a class="url" href="http://p27dokhpz2n7nvgr.1a7wnt.top/86D3-1901-8032-0091-B676" target="_blank">http://p27dokhpz2n7nvgr.1a7wnt.top/86D3-1901-8032-0091-B676</a><hr><a href="http://p27dokhpz2n7nvgr.1czh7o.top/86D3-1901-8032-0091-B676" target="_blank">http://p27dokhpz2n7nvgr.1czh7o.top/86D3-1901-8032-0091-B676</a><hr><a href="http://p27dokhpz2n7nvgr.1hpvzl.top/86D3-1901-8032-0091-B676" target="_blank">http://p27dokhpz2n7nvgr.1hpvzl.top/86D3-1901-8032-0091-B676</a><hr><a href="http://p27dokhpz2n7nvgr.1pglcs.top/86D3-1901-8032-0091-B676" target="_blank">http://p27dokhpz2n7nvgr.1pglcs.top/86D3-1901-8032-0091-B676</a><hr><a href="http://p27dokhpz2n7nvgr.1cewld.top/86D3-1901-8032-0091-B676" target="_blank">http://p27dokhpz2n7nvgr.1cewld.top/86D3-1901-8032-0091-B676</a> في حالة تعذر فتح هذه الصفحة  انقر هنا  لإنشاء عنوان جديد لصفحتك الشخصية. في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك. في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك. <hr> إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor: <ol> <li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li> <li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li> <li>انتظر لتحميل الموقع;</li> <li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li> <li>قم بتشغيل متصفح Tor;</li> <li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li> <li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li> <li>قم بكتابة أو نسخ العنوان http://p27dokhpz2n7nvgr.onion/86D3-1901-8032-0091-B676 في شريط العنوان في المتصفح;</li> <li>اضغط ENTER;</li> <li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li> </ol> إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه. <hr> معلومات إضافية: سوف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة. الإرشادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك. تذكر أن أسوأ موقف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك. </div> <div id="zh"> 您找不到所需的文件？ 您文件的内容无法阅读？ 这是正常的，因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。 这意味着您的文件并没有损坏！您的文件只是被修改了，这个修改是可逆的，解密之前您无法使用您的文件。 �

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_READ_THIS_FILE_E6KY_.txt

Ransom Note

CERBER RANS0MWARE --- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! --- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: --- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/86D3-1901-8032-0091-B676 Note! This page is available via "Tor Browser" only. --- Also you can use temporary addresses on your personal page without using "Tor Browser". --- 1. http://p27dokhpz2n7nvgr.1a7wnt.top/86D3-1901-8032-0091-B676 2. http://p27dokhpz2n7nvgr.1czh7o.top/86D3-1901-8032-0091-B676 3. http://p27dokhpz2n7nvgr.1hpvzl.top/86D3-1901-8032-0091-B676 4. http://p27dokhpz2n7nvgr.1pglcs.top/86D3-1901-8032-0091-B676 5. http://p27dokhpz2n7nvgr.1cewld.top/86D3-1901-8032-0091-B676 --- Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://p27dokhpz2n7nvgr.onion/86D3-1901-8032-0091-B676

http://p27dokhpz2n7nvgr.1a7wnt.top/86D3-1901-8032-0091-B676

http://p27dokhpz2n7nvgr.1czh7o.top/86D3-1901-8032-0091-B676

http://p27dokhpz2n7nvgr.1hpvzl.top/86D3-1901-8032-0091-B676

http://p27dokhpz2n7nvgr.1pglcs.top/86D3-1901-8032-0091-B676

http://p27dokhpz2n7nvgr.1cewld.top/86D3-1901-8032-0091-B676

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (1101) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
944	netsh.exe
4452	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp24E8.bmp"	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\thunderbird	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\office	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\onenote	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\outlook	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\the bat!	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\word	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\program files\	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\steam	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\excel	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\excel	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\steam	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 51 IoCs

pid	pid_target	Process	procid_target
1404	3120	WerFault.exe	82
2148	3120	WerFault.exe	82
4692	3120	WerFault.exe	82
4192	3120	WerFault.exe	82
2440	3120	WerFault.exe	82
944	3120	WerFault.exe	82
3140	3120	WerFault.exe	82
1120	3120	WerFault.exe	82
2832	3120	WerFault.exe	82
4540	3120	WerFault.exe	82
2940	3120	WerFault.exe	82
4176	3120	WerFault.exe	82
2356	3120	WerFault.exe	82
1480	3120	WerFault.exe	82
1692	3120	WerFault.exe	82
1776	3120	WerFault.exe	82
1820	3120	WerFault.exe	82
3700	3120	WerFault.exe	82
3800	3120	WerFault.exe	82
1052	3120	WerFault.exe	82
1924	3120	WerFault.exe	82
4460	3120	WerFault.exe	82
1632	3120	WerFault.exe	82
3824	3120	WerFault.exe	82
4428	3120	WerFault.exe	82
2000	3120	WerFault.exe	82
3600	3120	WerFault.exe	82
3256	3120	WerFault.exe	82
4400	3120	WerFault.exe	82
4648	3120	WerFault.exe	82
1340	3120	WerFault.exe	82
4876	3120	WerFault.exe	82
2896	3120	WerFault.exe	82
4420	3120	WerFault.exe	82
4692	3120	WerFault.exe	82
3104	3120	WerFault.exe	82
220	3120	WerFault.exe	82
4232	3120	WerFault.exe	82
2100	3120	WerFault.exe	82
1892	3120	WerFault.exe	82
2032	3120	WerFault.exe	82
3592	3120	WerFault.exe	82
4460	3120	WerFault.exe	82
2512	3120	WerFault.exe	82
3768	3120	WerFault.exe	82
3284	3120	WerFault.exe	82
2804	3120	WerFault.exe	82
4240	3120	WerFault.exe	82
768	3120	WerFault.exe	82
2304	3120	WerFault.exe	82
1524	3120	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3104	PING.EXE

Kills process with taskkill 1 IoCs

evasion

pid	Process
3472	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4804	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3104	PING.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3120	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3120	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
Token: 33	4792	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4792	AUDIODG.EXE
Token: SeDebugPrivilege	3472	taskkill.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 944	3120	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe	93
PID 3120 wrote to memory of 944	3120	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe	93
PID 3120 wrote to memory of 944	3120	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe	93
PID 3120 wrote to memory of 4452	3120	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe	95
PID 3120 wrote to memory of 4452	3120	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe	95
PID 3120 wrote to memory of 4452	3120	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe	95
PID 3120 wrote to memory of 4992	3120	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe	158
PID 3120 wrote to memory of 4992	3120	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe	158
PID 3120 wrote to memory of 4992	3120	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe	158
PID 3120 wrote to memory of 4804	3120	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe	163
PID 3120 wrote to memory of 4804	3120	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe	163
PID 3120 wrote to memory of 4804	3120	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe	163
PID 3120 wrote to memory of 2988	3120	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe	206
PID 3120 wrote to memory of 2988	3120	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe	206
PID 3120 wrote to memory of 2988	3120	ddf213af2398313fbbab060f48968499_JaffaCakes118.exe	206
PID 2988 wrote to memory of 3472	2988	cmd.exe	208
PID 2988 wrote to memory of 3472	2988	cmd.exe	208
PID 2988 wrote to memory of 3472	2988	cmd.exe	208
PID 2988 wrote to memory of 3104	2988	cmd.exe	209
PID 2988 wrote to memory of 3104	2988	cmd.exe	209
PID 2988 wrote to memory of 3104	2988	cmd.exe	209

C:\Users\Admin\AppData\Local\Temp\ddf213af2398313fbbab060f48968499_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ddf213af2398313fbbab060f48968499_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1144
  2⤵
  - Program crash
  PID:1404
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:944
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1288
  2⤵
  - Program crash
  PID:2148
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1308
  2⤵
  - Program crash
  PID:4692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1332
  2⤵
  - Program crash
  PID:4192
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1304
  2⤵
  - Program crash
  PID:2440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1436
  2⤵
  - Program crash
  PID:944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1544
  2⤵
  - Program crash
  PID:3140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1444
  2⤵
  - Program crash
  PID:1120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1492
  2⤵
  - Program crash
  PID:2832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1544
  2⤵
  - Program crash
  PID:4540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1552
  2⤵
  - Program crash
  PID:2940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1572
  2⤵
  - Program crash
  PID:4176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1620
  2⤵
  - Program crash
  PID:2356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1644
  2⤵
  - Program crash
  PID:1480
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1672
  2⤵
  - Program crash
  PID:1692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1696
  2⤵
  - Program crash
  PID:1776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1676
  2⤵
  - Program crash
  PID:1820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1668
  2⤵
  - Program crash
  PID:3700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1708
  2⤵
  - Program crash
  PID:3800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1712
  2⤵
  - Program crash
  PID:1052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1780
  2⤵
  - Program crash
  PID:1924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1752
  2⤵
  - Program crash
  PID:4460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1748
  2⤵
  - Program crash
  PID:1632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1720
  2⤵
  - Program crash
  PID:3824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1716
  2⤵
  - Program crash
  PID:4428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1680
  2⤵
  - Program crash
  PID:2000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1720
  2⤵
  - Program crash
  PID:3600
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1752
  2⤵
  - Program crash
  PID:3256
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1796
  2⤵
  - Program crash
  PID:4400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1804
  2⤵
  - Program crash
  PID:4648
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THIS_FILE_1M9XC96J_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1836
  2⤵
  - Program crash
  PID:1340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1788
  2⤵
  - Program crash
  PID:4876
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THIS_FILE_GPOX2_.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:4804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1820
  2⤵
  - Program crash
  PID:2896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1672
  2⤵
  - Program crash
  PID:4420
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1840
  2⤵
  - Program crash
  PID:4692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1960
  2⤵
  - Program crash
  PID:3104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 2332
  2⤵
  - Program crash
  PID:220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 2360
  2⤵
  - Program crash
  PID:4232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 2332
  2⤵
  - Program crash
  PID:2100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 2528
  2⤵
  - Program crash
  PID:1892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 2392
  2⤵
  - Program crash
  PID:2032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 2456
  2⤵
  - Program crash
  PID:3592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 2440
  2⤵
  - Program crash
  PID:4460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 2496
  2⤵
  - Program crash
  PID:2512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 2536
  2⤵
  - Program crash
  PID:3768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 2504
  2⤵
  - Program crash
  PID:3284
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 2440
  2⤵
  - Program crash
  PID:2804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 3000
  2⤵
  - Program crash
  PID:4240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1608
  2⤵
  - Program crash
  PID:768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 2824
  2⤵
  - Program crash
  PID:2304
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1652
  2⤵
  - Program crash
  PID:1524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "ddf213af2398313fbbab060f48968499_JaffaCakes118.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3472
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3120 -ip 3120
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3120 -ip 3120
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3120 -ip 3120
1⤵
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3120 -ip 3120
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3120 -ip 3120
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3120 -ip 3120
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3120 -ip 3120
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3120 -ip 3120
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3120 -ip 3120
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3120 -ip 3120
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3120 -ip 3120
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3120 -ip 3120
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3120 -ip 3120
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3120 -ip 3120
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3120 -ip 3120
1⤵
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3120 -ip 3120
1⤵
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3120 -ip 3120
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3120 -ip 3120
1⤵
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3120 -ip 3120
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3120 -ip 3120
1⤵
PID:824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3120 -ip 3120
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3120 -ip 3120
1⤵
PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3120 -ip 3120
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3120 -ip 3120
1⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3120 -ip 3120
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3120 -ip 3120
1⤵
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3120 -ip 3120
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3120 -ip 3120
1⤵
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3120 -ip 3120
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3120 -ip 3120
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3120 -ip 3120
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3120 -ip 3120
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3120 -ip 3120
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3120 -ip 3120
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3120 -ip 3120
1⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3120 -ip 3120
1⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3120 -ip 3120
1⤵
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3120 -ip 3120
1⤵
PID:5052

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x32c 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3120 -ip 3120
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3120 -ip 3120
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3120 -ip 3120
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3120 -ip 3120
1⤵
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3120 -ip 3120
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3120 -ip 3120
1⤵
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3120 -ip 3120
1⤵
PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3120 -ip 3120
1⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3120 -ip 3120
1⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3120 -ip 3120
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3120 -ip 3120
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3120 -ip 3120
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3120 -ip 3120
1⤵
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_READ_THIS_FILE_CVG9FH_.hta

Filesize
74KB

MD5
14d26f1431409990bca73310f54a41dc

SHA1
94cbaa6ca98472ee369132b51ecd24484f2ec8ab

SHA256
fe3a9fa767e9d19d2fed86df44f369f78cb0ac6f4f664b4a1602e446f475a697

SHA512
437d26a91eb3a37950374d7c5d63c7c373a96bb96eb707b9ceb749f91ce688e8b9d4fef80afa1331d765f3f649a18ecd19e405870094afcb18c217dce2786c65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_READ_THIS_FILE_E6KY_.txt

Filesize
1KB

MD5
c8c73ac527440385ab4100bb1c955d55

SHA1
3be4d9d87283e8e6dcd730d68c442fdd2ca4749e

SHA256
43f8a7f503e8f3cab74ef9dfe0f6495df2c7a5eda0a6305b1faa28a5ad3ec08f

SHA512
a77c0b664d6dc215f13baba45d85e54d8872215b8186a079c7372f816726462736d1727bf6bdfadc50a05e09f0b648f2df43708aca88929bac6909189c54239a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_READ_THIS_FILE_V9GW9V5A_.jpeg

Filesize
151KB

MD5
f8a519030ea69f7945b4c555c23b6e31

SHA1
b2e440a97cf80472c138f98bcdc26f609ba42e9a

SHA256
13c6ee981ae7d347ed6cbca7cdbab9e7f6d6b0e0b62f5c27f267f5d48789ecb5

SHA512
60456bb0d7eb13c1cd0d8643ebf331a4d0c9b88081818b9e4ea12b6c3cb186c1d7f1235d86613969500189f64e6f2eeaf36365ff6993e4f54da6d81c6135b05d

Download Submit
memory/3120-0-0x00000000022E0000-0x000000000235B000-memory.dmp

Filesize
492KB

Download
memory/3120-1-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/3120-2-0x00000000022E0000-0x000000000235B000-memory.dmp

Filesize
492KB

Download
memory/3120-3-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/3120-4-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3120-6-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/3120-7-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3120-8-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3120-371-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads