cerber | db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa

Analysis

max time kernel
128s
max time network
129s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08-10-2024 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
Size

344KB
MD5

270b70bad151a515136f553e5bc880ac
SHA1

77b7def336c7647c6faadaf7136d70ff1e9ba7fc
SHA256

db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa
SHA512

c198f9498d634ec4d05cf29a1bb6ade8c59a2904510464e3b292b11bcf5382d7fe603e46b6a72b14f3f996811f68101e46c467914b21ea6eccaf423df2d1a43f
SSDEEP

3072:v5sAzvcjE+lcO3zXgKRcP66BpwwB9RStc3Yfqr:v5jvc4+lcO3zQKSPfBJXv3YM

Score

10^/10

cerber defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.vmfu48.win/B98B-5B46-9A4B-0073-172A | | 2. http://cerberhhyed5frqa.45tori.win/B98B-5B46-9A4B-0073-172A | | 3. http://cerberhhyed5frqa.fkr84i.win/B98B-5B46-9A4B-0073-172A | | 4. http://cerberhhyed5frqa.fkri48.win/B98B-5B46-9A4B-0073-172A | | 5. http://cerberhhyed5frqa.djre89.win/B98B-5B46-9A4B-0073-172A |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.vmfu48.win/B98B-5B46-9A4B-0073-172A); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.vmfu48.win/B98B-5B46-9A4B-0073-172A appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.vmfu48.win/B98B-5B46-9A4B-0073-172A); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/B98B-5B46-9A4B-0073-172A | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.vmfu48.win/B98B-5B46-9A4B-0073-172A

http://cerberhhyed5frqa.45tori.win/B98B-5B46-9A4B-0073-172A

http://cerberhhyed5frqa.fkr84i.win/B98B-5B46-9A4B-0073-172A

http://cerberhhyed5frqa.fkri48.win/B98B-5B46-9A4B-0073-172A

http://cerberhhyed5frqa.djre89.win/B98B-5B46-9A4B-0073-172A

http://cerberhhyed5frqa.onion/B98B-5B46-9A4B-0073-172A

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.vmfu48.win/B98B-5B46-9A4B-0073-172A" target="_blank">http://cerberhhyed5frqa.vmfu48.win/B98B-5B46-9A4B-0073-172A</a></li> <li><a href="http://cerberhhyed5frqa.45tori.win/B98B-5B46-9A4B-0073-172A" target="_blank">http://cerberhhyed5frqa.45tori.win/B98B-5B46-9A4B-0073-172A</a></li> <li><a href="http://cerberhhyed5frqa.fkr84i.win/B98B-5B46-9A4B-0073-172A" target="_blank">http://cerberhhyed5frqa.fkr84i.win/B98B-5B46-9A4B-0073-172A</a></li> <li><a href="http://cerberhhyed5frqa.fkri48.win/B98B-5B46-9A4B-0073-172A" target="_blank">http://cerberhhyed5frqa.fkri48.win/B98B-5B46-9A4B-0073-172A</a></li> <li><a href="http://cerberhhyed5frqa.djre89.win/B98B-5B46-9A4B-0073-172A" target="_blank">http://cerberhhyed5frqa.djre89.win/B98B-5B46-9A4B-0073-172A</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.vmfu48.win/B98B-5B46-9A4B-0073-172A" target="_blank">http://cerberhhyed5frqa.vmfu48.win/B98B-5B46-9A4B-0073-172A</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.vmfu48.win/B98B-5B46-9A4B-0073-172A" target="_blank">http://cerberhhyed5frqa.vmfu48.win/B98B-5B46-9A4B-0073-172A</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.vmfu48.win/B98B-5B46-9A4B-0073-172A" target="_blank">http://cerberhhyed5frqa.vmfu48.win/B98B-5B46-9A4B-0073-172A</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/B98B-5B46-9A4B-0073-172A in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (16390) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2676	bcdedit.exe
1656	bcdedit.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\\eventcreate.exe\""	270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\\eventcreate.exe\""	eventcreate.exe

Deletes itself 1 IoCs

pid	Process
2640	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\eventcreate.lnk	270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\eventcreate.lnk	eventcreate.exe

Executes dropped EXE 1 IoCs

pid	Process
2772	eventcreate.exe

Loads dropped DLL 3 IoCs

pid	Process
2720	270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
2720	270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
2772	eventcreate.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\eventcreate = "\"C:\\Users\\Admin\\AppData\\Roaming\\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\\eventcreate.exe\""	270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eventcreate = "\"C:\\Users\\Admin\\AppData\\Roaming\\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\\eventcreate.exe\""	270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\eventcreate = "\"C:\\Users\\Admin\\AppData\\Roaming\\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\\eventcreate.exe\""	eventcreate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eventcreate = "\"C:\\Users\\Admin\\AppData\\Roaming\\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\\eventcreate.exe\""	eventcreate.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eventcreate.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp5FDC.bmp"	eventcreate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eventcreate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2640	cmd.exe
2192	PING.EXE
1600	cmd.exe
1788	PING.EXE

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2644	vssadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2636	taskkill.exe
1260	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\\eventcreate.exe\""	eventcreate.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop	270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\\eventcreate.exe\""	270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop	eventcreate.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000900688a2895ee94589da2401400e28fb00000000020000000000106600000001000020000000dbdd6a695381ee0b05d57d9f4379264602110835e685e2eae19ba86aa391baa9000000000e8000000002000020000000a6d97ec4b53ba7fbca0e6142274c551ad7767337d1bfb3687b213cab1ebaadfc2000000085012fbf20b6b379f1371d1e176c6d9d67a7b569b2d1040c65e23aeb1c6e9cab4000000030c01ff243f8e6c0eca24d815b9bebfc06b566b13ead17336487a10b80fda58241eec324d45d102a1f751d7324ebf49a4177ec8be4cbd58b89f4b3c282507c3d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E9EE0A41-8606-11EF-A3CD-E6140BA5C80C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E9F9F121-8606-11EF-A3CD-E6140BA5C80C} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000900688a2895ee94589da2401400e28fb00000000020000000000106600000001000020000000ce0d640166b2ccd48c7450e7d028630b7086d637f52d51ce30db748a91a08878000000000e80000000020000200000001a99486397e30211eb17be1771a09c7ded02acf77c2b7d28c484eb92b20d9e5b900000002fdc6925439609b5fe33e7b728392308feed932261676f88d6641d279a55078207cb95808ff4b583d62a0053f69134a69fdef6a5d9ea19c7bd992d6ddf8b9fc06d46cea80560a250335890e5a1380107e74ce0b5266bf846eb65ad06de28c927a3b8108155c2ae2e1b27d0ca70660b0f0443fcb33be0a1717d888165d9abd07367a173b056ebc8a82f5c9c8a7228fab240000000cee6443ae704b09fae6ea9de07a869ab382f97c4fd7dfb8af438b162bad6e19f014c3837d9e2417ac1d44b30787a7072b898e1d095bf98a906754fe8cfa6569a	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90c4c6ac131adb01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434616840"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1788	PING.EXE
2192	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2772	eventcreate.exe
2772	eventcreate.exe
2772	eventcreate.exe
2772	eventcreate.exe
2772	eventcreate.exe
2772	eventcreate.exe
2772	eventcreate.exe
2772	eventcreate.exe
2772	eventcreate.exe
2772	eventcreate.exe
2772	eventcreate.exe
2772	eventcreate.exe
2772	eventcreate.exe
2772	eventcreate.exe
2772	eventcreate.exe
2772	eventcreate.exe
2772	eventcreate.exe
2772	eventcreate.exe
2772	eventcreate.exe
2772	eventcreate.exe
2772	eventcreate.exe
2772	eventcreate.exe
2772	eventcreate.exe
2772	eventcreate.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
Token: SeDebugPrivilege	2772	eventcreate.exe
Token: SeBackupPrivilege	2692	vssvc.exe
Token: SeRestorePrivilege	2692	vssvc.exe
Token: SeAuditPrivilege	2692	vssvc.exe
Token: SeDebugPrivilege	2636	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2976	wmic.exe
Token: SeSecurityPrivilege	2976	wmic.exe
Token: SeTakeOwnershipPrivilege	2976	wmic.exe
Token: SeLoadDriverPrivilege	2976	wmic.exe
Token: SeSystemProfilePrivilege	2976	wmic.exe
Token: SeSystemtimePrivilege	2976	wmic.exe
Token: SeProfSingleProcessPrivilege	2976	wmic.exe
Token: SeIncBasePriorityPrivilege	2976	wmic.exe
Token: SeCreatePagefilePrivilege	2976	wmic.exe
Token: SeBackupPrivilege	2976	wmic.exe
Token: SeRestorePrivilege	2976	wmic.exe
Token: SeShutdownPrivilege	2976	wmic.exe
Token: SeDebugPrivilege	2976	wmic.exe
Token: SeSystemEnvironmentPrivilege	2976	wmic.exe
Token: SeRemoteShutdownPrivilege	2976	wmic.exe
Token: SeUndockPrivilege	2976	wmic.exe
Token: SeManageVolumePrivilege	2976	wmic.exe
Token: 33	2976	wmic.exe
Token: 34	2976	wmic.exe
Token: 35	2976	wmic.exe
Token: SeIncreaseQuotaPrivilege	2976	wmic.exe
Token: SeSecurityPrivilege	2976	wmic.exe
Token: SeTakeOwnershipPrivilege	2976	wmic.exe
Token: SeLoadDriverPrivilege	2976	wmic.exe
Token: SeSystemProfilePrivilege	2976	wmic.exe
Token: SeSystemtimePrivilege	2976	wmic.exe
Token: SeProfSingleProcessPrivilege	2976	wmic.exe
Token: SeIncBasePriorityPrivilege	2976	wmic.exe
Token: SeCreatePagefilePrivilege	2976	wmic.exe
Token: SeBackupPrivilege	2976	wmic.exe
Token: SeRestorePrivilege	2976	wmic.exe
Token: SeShutdownPrivilege	2976	wmic.exe
Token: SeDebugPrivilege	2976	wmic.exe
Token: SeSystemEnvironmentPrivilege	2976	wmic.exe
Token: SeRemoteShutdownPrivilege	2976	wmic.exe
Token: SeUndockPrivilege	2976	wmic.exe
Token: SeManageVolumePrivilege	2976	wmic.exe
Token: 33	2976	wmic.exe
Token: 34	2976	wmic.exe
Token: 35	2976	wmic.exe
Token: SeDebugPrivilege	1260	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2880	iexplore.exe
2752	iexplore.exe
2880	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2880	iexplore.exe
2880	iexplore.exe
2880	iexplore.exe
2880	iexplore.exe
2752	iexplore.exe
2752	iexplore.exe
2420	IEXPLORE.EXE
2420	IEXPLORE.EXE
1188	IEXPLORE.EXE
1188	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2720	270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
2772	eventcreate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2772	2720	270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2772	2720	270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2772	2720	270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2772	2720	270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2644	2772	eventcreate.exe	31
PID 2772 wrote to memory of 2644	2772	eventcreate.exe	31
PID 2772 wrote to memory of 2644	2772	eventcreate.exe	31
PID 2772 wrote to memory of 2644	2772	eventcreate.exe	31
PID 2720 wrote to memory of 2640	2720	270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe	32
PID 2720 wrote to memory of 2640	2720	270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe	32
PID 2720 wrote to memory of 2640	2720	270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe	32
PID 2720 wrote to memory of 2640	2720	270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe	32
PID 2640 wrote to memory of 2636	2640	cmd.exe	35
PID 2640 wrote to memory of 2636	2640	cmd.exe	35
PID 2640 wrote to memory of 2636	2640	cmd.exe	35
PID 2640 wrote to memory of 2636	2640	cmd.exe	35
PID 2640 wrote to memory of 2192	2640	cmd.exe	39
PID 2640 wrote to memory of 2192	2640	cmd.exe	39
PID 2640 wrote to memory of 2192	2640	cmd.exe	39
PID 2640 wrote to memory of 2192	2640	cmd.exe	39
PID 2772 wrote to memory of 2976	2772	eventcreate.exe	40
PID 2772 wrote to memory of 2976	2772	eventcreate.exe	40
PID 2772 wrote to memory of 2976	2772	eventcreate.exe	40
PID 2772 wrote to memory of 2976	2772	eventcreate.exe	40
PID 2772 wrote to memory of 2676	2772	eventcreate.exe	42
PID 2772 wrote to memory of 2676	2772	eventcreate.exe	42
PID 2772 wrote to memory of 2676	2772	eventcreate.exe	42
PID 2772 wrote to memory of 2676	2772	eventcreate.exe	42
PID 2772 wrote to memory of 1656	2772	eventcreate.exe	44
PID 2772 wrote to memory of 1656	2772	eventcreate.exe	44
PID 2772 wrote to memory of 1656	2772	eventcreate.exe	44
PID 2772 wrote to memory of 1656	2772	eventcreate.exe	44
PID 2772 wrote to memory of 2880	2772	eventcreate.exe	48
PID 2772 wrote to memory of 2880	2772	eventcreate.exe	48
PID 2772 wrote to memory of 2880	2772	eventcreate.exe	48
PID 2772 wrote to memory of 2880	2772	eventcreate.exe	48
PID 2772 wrote to memory of 2740	2772	eventcreate.exe	49
PID 2772 wrote to memory of 2740	2772	eventcreate.exe	49
PID 2772 wrote to memory of 2740	2772	eventcreate.exe	49
PID 2772 wrote to memory of 2740	2772	eventcreate.exe	49
PID 2880 wrote to memory of 2420	2880	iexplore.exe	50
PID 2880 wrote to memory of 2420	2880	iexplore.exe	50
PID 2880 wrote to memory of 2420	2880	iexplore.exe	50
PID 2880 wrote to memory of 2420	2880	iexplore.exe	50
PID 2752 wrote to memory of 1188	2752	iexplore.exe	52
PID 2752 wrote to memory of 1188	2752	iexplore.exe	52
PID 2752 wrote to memory of 1188	2752	iexplore.exe	52
PID 2752 wrote to memory of 1188	2752	iexplore.exe	52
PID 2880 wrote to memory of 2192	2880	iexplore.exe	53
PID 2880 wrote to memory of 2192	2880	iexplore.exe	53
PID 2880 wrote to memory of 2192	2880	iexplore.exe	53
PID 2880 wrote to memory of 2192	2880	iexplore.exe	53
PID 2772 wrote to memory of 1192	2772	eventcreate.exe	54
PID 2772 wrote to memory of 1192	2772	eventcreate.exe	54
PID 2772 wrote to memory of 1192	2772	eventcreate.exe	54
PID 2772 wrote to memory of 1192	2772	eventcreate.exe	54
PID 2772 wrote to memory of 1600	2772	eventcreate.exe	57
PID 2772 wrote to memory of 1600	2772	eventcreate.exe	57
PID 2772 wrote to memory of 1600	2772	eventcreate.exe	57
PID 2772 wrote to memory of 1600	2772	eventcreate.exe	57
PID 1600 wrote to memory of 1260	1600	cmd.exe	59
PID 1600 wrote to memory of 1260	1600	cmd.exe	59
PID 1600 wrote to memory of 1260	1600	cmd.exe	59
PID 1600 wrote to memory of 1788	1600	cmd.exe	60

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Roaming\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\eventcreate.exe
  "C:\Users\Admin\AppData\Roaming\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\eventcreate.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\system32\vssadmin.exe
    "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2644
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
- - C:\Windows\System32\bcdedit.exe
    "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2676
- - C:\Windows\System32\bcdedit.exe
    "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1656
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2880 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2420
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2880 CREDAT:537601 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2192
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:2740
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:1192
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "eventcreate.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\eventcreate.exe" > NUL
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "eventcreate.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1260
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1788
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe" > NUL
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2636
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2192

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2752 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1188

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs

Filesize
219B

MD5
35a3e3b45dcfc1e6c4fd4a160873a0d1

SHA1
a0bcc855f2b75d82cbaae3a8710f816956e94b37

SHA256
8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934

SHA512
6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
d0a70635c4bb64500bf663dae7ac5259

SHA1
3c97b53910a8bbad325bc3de49e4fac18b2a9958

SHA256
a6c252395710507d3b1abf4cebc6205b05618293f9d9d0960637fe19cf340000

SHA512
505687b0ede04e00169016991dd1001459e2b875ad918f8ee225b43144110ff506629fe0171b790c7d2c15f5b48870a3cfb0096a36a188452dc05e26cd34ad01

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
157bf3f7f0c873b83e9966e4f5a54764

SHA1
8fa0bbf9b7f05ca7576d3173d72d8b4c1ce03284

SHA256
82db58cc2b2f2d93bf5c0cc12f87170752eaad345ceb78af25f66d700cb9547c

SHA512
903f19ae1f9e9a134a44e1291720891f3caa43e292bf4834b1b4d5c5fdafd6219052f16ea13882832267a530276b5f6b3cbdc4f54beae65ac01bc0b297a872ef

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url

Filesize
85B

MD5
81bf72ee9e90fe1ed9c8cff7815415a3

SHA1
6e4467634759ad802c06c5e7c53beaab77f9207c

SHA256
8cd257c643a9eca84c1c033fd8d522516856819e9e7d2af0967afcc7b4802759

SHA512
183d90415596752b7776789ab7ff414b880dfee7886c63025a76cfb22a46a04c566f3c467f85fbb8455b7f5c60f46b6ac4e3d23f2283d499b42679a2b8008f8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
779dd3a0e89e2f526cd2a9d3452bcdbc

SHA1
d97176938b24f20d750471af63ea52be15b9ff26

SHA256
da37cfd2d54c6f31f4897da8028194fb0ca2ad5280e8dd06bb9de74163cb15b3

SHA512
4187969771dc28e98e65e2c884b85b9e9f8d7a1ba9d29b2ea6c326fae0e47b688334ea58bcb54eb7b3ea78af296eee2a16c799a2dc3037d122ec627d5b4968ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b048f303c42fc0ebb1001d0cfe04099c

SHA1
10e88cd1baaa14ce5b596c5fac81628ef4fb9fab

SHA256
88c63776484985269b540582436e40d9e6417a096f5dfa1ce41025a2fb52f7e4

SHA512
83cc03bc61560a18bfd0a3ae29afb4b058841f18868894f2c5897b5a6957764cd6c8c334ea0deee54964310eb954b6d12134ba87ed2ce90d5fcaf0c8014548c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47f37b2dc68b69e125f5d2c9961f011e

SHA1
2083ae737a83f99546c74cb0b392664e38537786

SHA256
70cf884d3fafbd25bf222e4db6917ee2c2443dc7689fb46dff78557c4ec72f55

SHA512
0c695917ce1a90e0dd8e4586bbebc692df2b7acc0fdd95f63b7e89f5224583c5853c6b4dcd78a0606fcfd6aca3c01a67281c8940311f3e7b5555f277f62f46ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a19f10b2ed5e971f2262fa0174f9f046

SHA1
8554656cbb588781a783895617d7c534ffa16aa9

SHA256
7a76082f886a9c055e4d4db6a676f1d4bff9a8c6f7e43dfd152394d4ea322fed

SHA512
385ae086d39fa78eceebe39acd91d34a8b90c02acd32ee07af8034769bd71dcc6e58cadcede358846cbe58c1fc669dca3be700266affd6a2040e151ececdfc77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e5566e7a53d8e4c8c467c3b204fcac2

SHA1
a8bbf3d52d2195a86b8a8ffd6efba781245f71e9

SHA256
63d16bbc6b1a42693337821201f33151ac9c8ac8be79b7334ffa2810e8dd1e59

SHA512
f09bf284d6ea6ee625f59da7d0b8286773e20a0376e98f4424cefb0b56d704806e48c8279b106e3b0e784d9177a8dba4f1e26d289a06799151f3a32b1b5bd9b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79ad62cf50c9fe284206a80028b04c29

SHA1
ed20cfd8381cad288a511c81796169139e68e7cb

SHA256
cc0b37ceaa5a462ec02acaeacb0e45ba3aadb6ad254c302ef395438eea52f5f5

SHA512
5e74870aa7c0caea2f7f2fa6e69c8b316e44d9b81c10d0807a465df64e23780b9d3a03523c299e9d91a445c565fccabe14dcb08971320e9d6e528e32cb4282da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
093ca21537c72791285a9215777e19a4

SHA1
50a610b8687ae1ecce8539cd94b284c07d5c36b2

SHA256
6d9bcbf853c84e7ed6a6ce9973ac5cdd23037f16a50c64cf51520d890875c37e

SHA512
adff686a74add5c73f1288c8be44f1880f0223fd3b48153d03ec04da59be53848d66ae7abba70fb018750d96e1648eb35b56cc3cae89c83a99d7d4588667f91b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39647f8f965ebd18974567cc609e937b

SHA1
f3f61f8156cacf95af6743847826f5d556a15225

SHA256
8bbb9866440c64212d9640c85a257326c3c9f6f6e78e87805a4444669aa430e9

SHA512
21c3bde10ead683eb0744391aad5fcfdd832bc49a4c1df7ec4c8213708c45af8faffec2e398ec95d8fc39f9b1c25ab33ee41bef0a94f0ce660aa25284f983f17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9950bf78abb40ce754b7a0af9361f9b2

SHA1
7c47ff2230734ea77e6559d3b503705af6c1b279

SHA256
87a229fe282579ec0296a8b9535b337ad1a22f7f1ca7686c9370c1bd8fc73743

SHA512
0478d7e2e2f8b932f2a3064b76f491a318823d83e25fdcd9352c2d940eb116eb25330bb8da8da4b1fed7654dfb442fbac93690bee621dda0cab09841267aa62f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0beada72573c559f5ded87017a311ec0

SHA1
745246d1ac1f8c865492394bf0734238f1d57f30

SHA256
346d5219a3ba526294e468d0ceee97fac38e1e1a0a85f50e02da4bfb2d1c78b2

SHA512
6cda5d46accd9a1274092b629c68b013bf81733d94334dafff5d6d31c8da0c5cb0dab9b3417464e97803ec6c230811afcf5e6411345e1ae1dd15b7c8ce4aa039

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ebc46af94c640ad01441375a7d93300

SHA1
7d12a1e116a9a6076154f22972171f93b89002af

SHA256
f716c624b07db5ad70315648bbef7457e9787dd6976c1d1d0d19b6d8abea6b5b

SHA512
a5ff8dc0ffe3125e5a218e4e1cdb15300a49c32eaf7f12dd94a838ca49de146a9b8d96cd5b42b3f032baa01c54e41f70d061a15ddc476b9f7c6cd189bab5be22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b8ccc2e26fb66b3bec085bc07c8ab29

SHA1
faf6b1398c425a911eb5391ce20807d80f316e57

SHA256
9ea675447c37e59f1ddfbf1ffc55b4f26f598c130ea900ae1b0546e7d7a71824

SHA512
5fed8602f38dde58e759574e4f93a937bd5e645b7c3ea75451892a6b3b7aabf983ccb00bc4102e636c89b90098dbad8a81efd39573948e25f7aaa6376a9c4aab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84ea0c2129487d12a79cfdeadc4025cc

SHA1
52537d16173722b65fe1a0c1836b832ec6de1f57

SHA256
4aa404d96ff09556c57e450511de4513a75317246d9f511ac76b9af59ab4099a

SHA512
869cef6904d32c48efa5bf078a8b004b4dab2563a6fd52dd2b991ea0651e24c8dffa9041d356de4e20ce4999eab3de4480ada478a01fe3a327e999b3aef8f697

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc8a3374bfeabbbcb9b3e3a4c43f6ef0

SHA1
94ba558d8dc165d0add8e94af49e42821bdbbac0

SHA256
17e0b7c01d585f0ef597f79809bddcf1cb8a7985c59ff4abf8938a7ef082bf2c

SHA512
01e1c584b2f15bde62ba718c4af766b582b37d81d8b5393a1db966f52f2a96aad52181f43b3e8e797b1bba34a3350143d71482fa8c681fc226786cd9c68ad238

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01e2cc53106ab0f3dcf037512358177f

SHA1
0ce891adeb6de99bd30bfd51baf873a49a96fc55

SHA256
704939db2f6f71b9d1bf8209a6a68f3c35e6225ec27712de9a0e33c98ae14393

SHA512
32c599261082865387bcb4ef36acfd5b178b6581d685178540831885ea35246037e8f670460c3a8329e828e5359b0089bbc58339a099052d37186d18b80761c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee42492126e25eb1f2655b988280aa0d

SHA1
93f14912679f20cde25e67d9eb73584f495c23b4

SHA256
9c9def84f82ae1962194f517155dc75fe543842d913ede1e0e73c09508b08faf

SHA512
cf301ad5915da72e76fc35d7a0610358eae1747fbd1ea9b9b53666c64ce3359e66be9d9f11b7b2e82af26bcd53e7dfb0c092077f3073de83dd30b635aa229d8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f96d35b761534c2ad92f29cad59aeef

SHA1
0e1b01c6aba7706b094c415c6e8c566258edb78a

SHA256
91ccb4a10e20257b6fd63a18f8e97839b3f974340d605bf6332806763d7f980d

SHA512
d37b132f60196ae5a7c7d7c72dd44f58045bc3a982f015398039b73ab66300881b24061e865370ebd24f14a30674fb1563de88b88536c2d1482f8d63e16639f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73123c14673677f890914be9fd5e1cfb

SHA1
82ded239b56838d44bd661062b68c5e714a7e91f

SHA256
d8719637e8fab6e73baabc57a2b2bd8f9ab6c1e27191344fa0bd4a196c772afb

SHA512
d3c6daff9aa7a516c35f7c0d7edcf045cae03ddbf16d00fc318d6a3b12e84bb9353fd917364f6c8af7fc244dd101905602bfa999ee2fecce0724a9de89dc8f6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f2a88215d3d4ab2d84d2211a577fd95

SHA1
d0123fb5d098f0305bdb97d2fd7454ba17945846

SHA256
6ba4f4d3f7558001d6235eda631a823a6a3cac02926122da7432d659a5981f41

SHA512
b3b4ad4ea124535f97145f94a818cab876eff6ca5da42b9c2b02cf0d4ce50db01006625494f583b9d9468656805b2e929d751dc703a7aa17768bdccbbbe5a74e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b644913028279007890f8157a63e55f1

SHA1
9f65f0610e6dbac15f8860e1759cd6c1f1b77f06

SHA256
cdbac569f5f3d0e307145c5284c5b945dc813374c8fb37f9dbc43064a45caf83

SHA512
e56aa9c5b98f5e224e09d1f82c35f2722868cf20a8193893b51fd2bab610483b6268a60387de2bf44fa87c757c8300533fc2a934ebdc4b650ac45ebe75d8031b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E9EE0A41-8606-11EF-A3CD-E6140BA5C80C}.dat

Filesize
5KB

MD5
c2abfe9b44869bf63a2770c408c6c300

SHA1
79a0ca7951c7da485922cee74f1b88c56c71621a

SHA256
ac21df595539b75825baae1265b816cc4c1cea2bb3982643828395fb5084e3c4

SHA512
455f99c0d89a17a295ac4cefd7376ffde24cd43e9375e48c5969557270625a2804b44c304ddba1dcbd278e80edb72a902918201f8435b3e4b7bc8b5fd95eea20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7800.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7890.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\eventcreate.lnk

Filesize
1KB

MD5
d2d5b844084dcaf7c2a70efe1448d48a

SHA1
68df175b85c8f93142e3fc12c25d513ab1f154b4

SHA256
e2754762494b79e0d1748ba99b112e00ba218f4ca160ab91801cbf6816e90457

SHA512
5f83e747826de850e96ccd7808e063a9f6cc55c29e5691e9d6aa77c0d548dc32f2768bfd9ec4b924d6c375b852ebac9a5700f37bbea22d40dd9a2ebf733fa1d7

Download Submit
\Users\Admin\AppData\Roaming\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\eventcreate.exe

Filesize
344KB

MD5
270b70bad151a515136f553e5bc880ac

SHA1
77b7def336c7647c6faadaf7136d70ff1e9ba7fc

SHA256
db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa

SHA512
c198f9498d634ec4d05cf29a1bb6ade8c59a2904510464e3b292b11bcf5382d7fe603e46b6a72b14f3f996811f68101e46c467914b21ea6eccaf423df2d1a43f

Download Submit
memory/2720-1-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2720-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2720-0-0x0000000000130000-0x000000000014E000-memory.dmp

Filesize
120KB

Download
memory/2720-19-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2772-27-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2772-472-0x0000000004EC0000-0x0000000004EC2000-memory.dmp

Filesize
8KB

Download
memory/2772-430-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2772-454-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2772-462-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2772-463-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2772-435-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2772-440-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2772-446-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2772-459-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2772-460-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2772-912-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2772-461-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2772-451-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2772-436-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2772-43-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2772-26-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2772-25-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2772-24-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2772-22-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/2772-14-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2772-16-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2772-13-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download