Analysis
-
max time kernel
143s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
13-10-2024 20:14
General
-
Target
41dd108ada487cb93a6e099e074f605b_JaffaCakes118.exe
-
Size
382KB
-
MD5
41dd108ada487cb93a6e099e074f605b
-
SHA1
354f9fcee3214078d2bc5e3ea55c6b678c2fe2bf
-
SHA256
aebce4939ad8d8df9d1807debb140669e47a24c71b7978249362d3b0900c33f3
-
SHA512
33adb352e06e779871224ce094954756f15e49785fc14f8c8a02476b420b00907961d3489944c2da42fa84e8185f0f6bc7eefde58ebc4ae213fed9bfa1b5932b
-
SSDEEP
6144:n0Ly6qr9+br6u1yvZgQHhEaBTuPwyQ9Hmdy1MsZ:nxF9FZhH+aBaPUGY1M+
Score
10/10
Malware Config
Extracted
Path
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
Family
cerber
Ransom Note
C E R B E R R A N S O M W A R E
#########################################################################
Cannot you find the files you need?
Is the content of the files that you looked for not readable?
It is normal because the files' names, as well as the data in your files
have been encrypted.
Great!!!
You have turned to be a part of a big community #Cerber_Ransomware.
#########################################################################
!!! If you are reading this message it means the software
!!! "Cerber Rans0mware" has been removed from your computer.
#########################################################################
What is encryption?
-------------------
Encryption is a reversible modification of information for security
reasons but providing full access to it for authorized users.
To become an authorized user and keep the modification absolutely
reversible (in other words to have a possibility to decrypt your files)
you should have an individual private key.
But not only it.
It is required also to have the special decryption software
(in your case "Cerber Decryptor" software) for safe and complete
decryption of all your files and data.
#########################################################################
Everything is clear for me but what should I do?
------------------------------------------------
The first step is reading these instructions to the end.
Your files have been encrypted with the "Cerber Ransomware" software; the
instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt")
in the folders with your encrypted files are not viruses, they will
help you.
After reading this text the most part of people start searching in the
Internet the words the "Cerber Ransomware" where they find a lot of
ideas, recommendations and instructions.
It is necessary to realize that we are the ones who closed the lock on
your files and we are the only ones who have this secret key to
open them.
!!! Any attempts to get back your files with the third-party tools can
!!! be fatal for your encrypted files.
The most part of the third-party software change data within the
encrypted file to restore it but this causes damage to the files.
Finally it will be impossible to decrypt your files.
When you make a puzzle but some items are lost, broken or not put in its
place - the puzzle items will never match, the same way the third-party
software will ruin your files completely and irreversibly.
You should realize that any intervention of the third-party software to
restore files encrypted with the "Cerber Ransomware" software may be
fatal for your files.
#########################################################################
!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!! since you have read this warning already.
#########################################################################
For your information the software to decrypt your files (as well as the
private key provided together) are paid products.
After purchase of the software package you will be able to:
1. decrypt all your files;
2. work with your documents;
3. view your photos and other media;
4. continue your usual and comfortable work at the computer.
If you understand all importance of the situation then we propose to you
to go directly to your personal page where you will receive the complete
instructions and guarantees to restore your files.
#########################################################################
There is a list of temporary addresses to go on your personal page below:
_______________________________________________________________________
|
| 1. http://4kqd3hmqgptupi3p.wins4n.win/5172-FC6C-66A7-0078-1A4F
|
| 2. http://4kqd3hmqgptupi3p.we34re.top/5172-FC6C-66A7-0078-1A4F
|
| 3. http://4kqd3hmqgptupi3p.5kti58.top/5172-FC6C-66A7-0078-1A4F
|
| 4. http://4kqd3hmqgptupi3p.vmckfi.top/5172-FC6C-66A7-0078-1A4F
|
| 5. http://4kqd3hmqgptupi3p.onion.to/5172-FC6C-66A7-0078-1A4F
|_______________________________________________________________________
#########################################################################
What should you do with these addresses?
----------------------------------------
If you read the instructions in TXT format (if you have instruction in
HTML (the file with an icon of your Internet browser) then the easiest
way is to run it):
1. take a look at the first address (in this case it is
http://4kqd3hmqgptupi3p.wins4n.win/5172-FC6C-66A7-0078-1A4F);
2. select it with the mouse cursor holding the left mouse button and
moving the cursor to the right;
3. release the left mouse button and press the right one;
4. select "Copy" in the appeared menu;
5. run your Internet browser (if you do not know what it is run the
Internet Explorer);
6. move the mouse cursor to the address bar of the browser (this is the
place where the site address is written);
7. click the right mouse button in the field where the site address
is written;
8. select the button "Insert" in the appeared menu;
9. then you will see the address
http://4kqd3hmqgptupi3p.wins4n.win/5172-FC6C-66A7-0078-1A4F
appeared there;
10. press ENTER;
11. the site should be loaded; if it is not loaded repeat the same
instructions with the second address and continue until the last
address if falling.
If for some reason the site cannot be opened check the connection to the
Internet; if the site still cannot be opened take a look at the
instructions on omitting the point about working with the addresses in
the HTML instructions.
If you browse the instructions in HTML format:
1. click the left mouse button on the first address (in this case it is
http://4kqd3hmqgptupi3p.wins4n.win/5172-FC6C-66A7-0078-1A4F);
2. in a new tab or window of your web browser the site should be loaded;
if it is not loaded repeat the same instructions with the second
address and continue until the last address.
If for some reason the site cannot be opened check the connection to
the Internet.
#########################################################################
Unfortunately these sites are short-term since the antivirus companies
are interested in you do not have a chance to restore your files but
continue to buy their products.
Unlike them we are ready to help you always.
If you need our help but the temporary sites are not available:
1. run your Internet browser (if you do not know what it is run the
Internet Explorer);
2. enter or copy the address
https://www.torproject.org/download/download-easy.html.en into the
address bar of your browser and press ENTER;
3. wait for the site loading;
4. on the site you will be offered to download Tor Browser; download and
run it, follow the installation instructions, wait until the
installation is completed;
5. run Tor Browser;
6. connect with the button "Connect" (if you use the English version);
7. a normal Internet browser window will be opened after
the initialization;
8. type or copy the address
________________________________________________________
| |
| http://4kqd3hmqgptupi3p.onion/5172-FC6C-66A7-0078-1A4F |
|________________________________________________________|
in this browser address bar;
9. press ENTER;
10. the site should be loaded; if for some reason the site is not loading
wait for a moment and try again.
If you have any problems during installation or operation of Tor Browser,
please, visit https://www.youtube.com/ and type request in the search bar
"install tor browser windows" and you will find a lot of training videos
about Tor Browser installation and operation.
If TOR address is not available for a long period (2-3 days) it means you
are late; usually you have about 2-3 weeks after reading the instructions
to restore your files.
#########################################################################
Additional information:
You will find the instructions for restoring your files in those folders
where you have your encrypted files only.
The instructions are made in two file formats - HTML and TXT for
your convenience.
Unfortunately antivirus companies cannot protect or restore your files
but they can make the situation worse removing the instructions how to
restore your encrypted files.
The instructions are not viruses; they have informative nature only, so
any claims on the absence of any instruction files you can send to your
antivirus company.
#########################################################################
Cerber Ransomware Project is not malicious and is not intended to harm a
person and his/her information data.
The project is created for the sole purpose of instruction regarding
information security, as well as certification of antivirus software for
their suitability for data protection.
Together we make the Internet a better and safer place.
#########################################################################
If you look through this text in the Internet and realize that something
is wrong with your files but you do not have any instructions to restore
your files, please, contact your antivirus support.
#########################################################################
Remember that the worst situation already happened and now it depends on
your determination and speed of your actions the further life of
your files.
URLs
http://4kqd3hmqgptupi3p.wins4n.win/5172-FC6C-66A7-0078-1A4F
http://4kqd3hmqgptupi3p.we34re.top/5172-FC6C-66A7-0078-1A4F
http://4kqd3hmqgptupi3p.5kti58.top/5172-FC6C-66A7-0078-1A4F
http://4kqd3hmqgptupi3p.vmckfi.top/5172-FC6C-66A7-0078-1A4F
http://4kqd3hmqgptupi3p.onion.to/5172-FC6C-66A7-0078-1A4F
http://4kqd3hmqgptupi3p.onion/5172-FC6C-66A7-0078-1A4F
Extracted
Path
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html
Ransom Note
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Cerber Ransomware</title>
<style>
a {
color: #47c;
text-decoration: none;
}
a:hover {
text-decoration: underline;
}
body {
background-color: #e7e7e7;
color: #333;
font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";
font-size: 16px;
line-height: 1.6;
margin: 0;
padding: 0;
}
hr {
background-color: #e7e7e7;
border: 0 none;
border-bottom: 1px solid #c7c7c7;
height: 5px;
margin: 30px 0;
}
li {
padding: 0 0 7px 7px;
}
ol {
padding-left: 3em;
}
.container {
background-color: #fff;
border: 1px solid #c7c7c7;
margin: 40px;
padding: 40px 40px 20px 40px;
}
.info, .tor {
background-color: #efe;
border: 1px solid #bda;
display: block;
padding: 0px 20px;
}
.logo {
font-size: 12px;
font-weight: bold;
line-height: 1;
margin: 0;
}
.tor {
padding: 10px 0;
text-align: center;
}
.warning {
background-color: #f5e7e7;
border: 1px solid #ebccd1;
color: #a44;
display: block;
padding: 15px 10px;
text-align: center;
}
</style>
</head>
<body>
<div class="container">
<h3>C E R B E R R A N S O M W A R E</h3>
<hr>
<p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p>
<p>It is normal because the files' names, as well as the data in your files have been encrypted.</p>
<p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p>
<hr>
<p><span class="warning">If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer.</span></p>
<hr>
<h3>What is encryption?</h3>
<p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p>
<p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p>
<p>But not only it.</p>
<p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p>
<hr>
<h3>Everything is clear for me but what should I do?</h3>
<p>The first step is reading these instructions to the end.</p>
<p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p>
<p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p>
<p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p>
<p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p>
<p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p>
<p>Finally it will be impossible to decrypt your files.</p>
<p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p>
<p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p>
<hr>
<p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p>
<hr>
<p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p>
<p>After purchase of the software package you will be able to:</p>
<ol>
<li>decrypt all your files;</li>
<li>work with your documents;</li>
<li>view your photos and other media;</li>
<li>continue your usual and comfortable work at the computer.</li>
</ol>
<p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p>
<hr>
<div class="info">
<p>There is a list of temporary addresses to go on your personal page below:</p>
<ol>
<li><a href="http://4kqd3hmqgptupi3p.wins4n.win/5172-FC6C-66A7-0078-1A4F" target="_blank">http://4kqd3hmqgptupi3p.wins4n.win/5172-FC6C-66A7-0078-1A4F</a></li>
<li><a href="http://4kqd3hmqgptupi3p.we34re.top/5172-FC6C-66A7-0078-1A4F" target="_blank">http://4kqd3hmqgptupi3p.we34re.top/5172-FC6C-66A7-0078-1A4F</a></li>
<li><a href="http://4kqd3hmqgptupi3p.5kti58.top/5172-FC6C-66A7-0078-1A4F" target="_blank">http://4kqd3hmqgptupi3p.5kti58.top/5172-FC6C-66A7-0078-1A4F</a></li>
<li><a href="http://4kqd3hmqgptupi3p.vmckfi.top/5172-FC6C-66A7-0078-1A4F" target="_blank">http://4kqd3hmqgptupi3p.vmckfi.top/5172-FC6C-66A7-0078-1A4F</a></li>
<li><a href="http://4kqd3hmqgptupi3p.onion.to/5172-FC6C-66A7-0078-1A4F" target="_blank">http://4kqd3hmqgptupi3p.onion.to/5172-FC6C-66A7-0078-1A4F</a></li>
</ol>
</div>
<hr>
<h3>What should you do with these addresses?</h3>
<p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p>
<ol>
<li>take a look at the first address (in this case it is <a href="http://4kqd3hmqgptupi3p.wins4n.win/5172-FC6C-66A7-0078-1A4F" target="_blank">http://4kqd3hmqgptupi3p.wins4n.win/5172-FC6C-66A7-0078-1A4F</a>);</li>
<li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li>
<li>release the left mouse button and press the right one;</li>
<li>select "Copy" in the appeared menu;</li>
<li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li>
<li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li>
<li>click the right mouse button in the field where the site address is written;</li>
<li>select the button "Insert" in the appeared menu;</li>
<li>then you will see the address <a href="http://4kqd3hmqgptupi3p.wins4n.win/5172-FC6C-66A7-0078-1A4F" target="_blank">http://4kqd3hmqgptupi3p.wins4n.win/5172-FC6C-66A7-0078-1A4F</a> appeared there;</li>
<li>press ENTER;</li>
<li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li>
</ol>
<p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p>
<p>If you browse the instructions in HTML format:</p>
<ol>
<li>click the left mouse button on the first address (in this case it is <a href="http://4kqd3hmqgptupi3p.wins4n.win/5172-FC6C-66A7-0078-1A4F" target="_blank">http://4kqd3hmqgptupi3p.wins4n.win/5172-FC6C-66A7-0078-1A4F</a>);</li>
<li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li>
</ol>
<p>If for some reason the site cannot be opened check the connection to the Internet.</p>
<hr>
<p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p>
<p>Unlike them we are ready to help you always.</p>
<p>If you need our help but the temporary sites are not available:</p>
<ol>
<li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li>
<li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li>
<li>wait for the site loading;</li>
<li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li>
<li>run Tor Browser;</li>
<li>connect with the button "Connect" (if you use the English version);</li>
<li>a normal Internet browser window will be opened after the initialization;</li>
<li>type or copy the address <span class="tor">http://4kqd3hmqgptupi3p.onion/5172-FC6C-66A7-0078-1A4F</span> in this browser address bar;</li>
<li>press ENTER;</li>
<li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li>
</ol>
<p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p>
<p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p>
<hr>
<h3>Additional information:</h3>
<p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p>
<p>The instructions are made in two file formats - HTML and TXT for your convenience.</p>
<p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p>
<p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p>
<hr>
<p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p>
<p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p>
<p>Together we make the Internet a better and safer place.</p>
<hr>
<p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p>
<hr>
<p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p>
</div>
</body>
</html>
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Contacts a large (16388) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Kills process with taskkill 1 IoCs
-
Modifies Control Panel 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of UnmapMainImage 4 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\41dd108ada487cb93a6e099e074f605b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\41dd108ada487cb93a6e099e074f605b_JaffaCakes118.exe"1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{597428CD-E3C0-EB4B-E446-8C8911820BC1}\ARP.EXE"C:\Users\Admin\AppData\Roaming\{597428CD-E3C0-EB4B-E446-8C8911820BC1}\ARP.EXE"2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1788 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1788 CREDAT:406530 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe/d /c taskkill /t /f /im "41dd108ada487cb93a6e099e074f605b_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\41dd108ada487cb93a6e099e074f605b_JaffaCakes118.exe" > NUL2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /t /f /im "41dd108ada487cb93a6e099e074f605b_JaffaCakes118.exe"3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {6667BD84-89AA-488C-90C6-09CC14478DC0} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{597428CD-E3C0-EB4B-E446-8C8911820BC1}\ARP.EXEC:\Users\Admin\AppData\Roaming\{597428CD-E3C0-EB4B-E446-8C8911820BC1}\ARP.EXE2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
-
C:\Users\Admin\AppData\Roaming\{597428CD-E3C0-EB4B-E446-8C8911820BC1}\ARP.EXEC:\Users\Admin\AppData\Roaming\{597428CD-E3C0-EB4B-E446-8C8911820BC1}\ARP.EXE2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0xd01⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD503787648da874bdd94a73d5e888a6338
SHA16636e51f13ec39a3fbde51342249ec047923d8fa
SHA256b1ef9f8e2bcae5357e5d70a8705d81b426e07e869ef4d9205cb64efec70b59aa
SHA5122fbdd8ada988ae0c0f79173e4e56cd285923f9460b1e5596397af3ebfc407424ebf1ac14068b04f85428764dcbf167f62cee481ef2ce13c3e41f663ca3819399
-
Filesize
10KB
MD567033c93baca651869b234fcc36e36c4
SHA1a2c7c5401a6f8f808eb8e7eeda10e0dad1498b32
SHA2566c112b0c49b6bd0c57d890a37efa859c406240efc628fbe54a06e4b0c351bdd6
SHA512ec3aa3d40e9f90ca29442cc25dd8f46a153b31eae89dff990ffc256382a448eb8c078f82f938dbd641ad6292476c41507d74debd650ac252dd96b13fe3041781
-
Filesize
85B
MD58221850eb3808a80296b793a340cda76
SHA1cb0ed48747cabc87b4c545f18bae15c8fbe325ce
SHA256f9616b245550b48faaf08c3999a6609c907d6f923ba9f8f1be244fc7786748c1
SHA5122eb5dc0fd566c53462753f23c1cf29b0220daafd824f502ed9e7171f8c5e51f4b4789a13a4209be26d1bcc433f485cdfd8fe175a37c5899f0c44305f97308fda
-
Filesize
231B
MD59d8c4bfbd009c4d6001e2125abaa8b02
SHA1cd040558172b5fca5b200447a281843956243741
SHA256a652297987f14317100f8c5f7eb26d1bc67eb8a64f0b39b72b5fd5046a9f29b0
SHA512c4c84f43642b805a105acce9ebc9f01aa0e6ef553ea32be3f8b890fc7440f0b7d3ddf99b9336bce20ce7a3d9b9f6434a704651a8af425ffc8407ba39d5de735f
-
Filesize
342B
MD5e1d0c9e897d2796abbef5bcb3adfcaa5
SHA143e63f36fe284f4eba5d6ae866990f9f42dd6180
SHA256727eb7b3d8c47fe20baaa7e9b4fe07953c41a892637a228546d5b59eda3f8231
SHA51286cf56fd9d0b9df8e6f6d8c9ddcb05e12e37d3b72c0704dda3d120476500d022afd95c53aa07bcee427fe708dde74dd95dfe0e743869aa029dd1594c02e47fb0
-
Filesize
342B
MD5f2ae1b5448088601be3ba8207c14d2f0
SHA1ff63aa34416e49fafa1349f04d88a2381c3e4c32
SHA2566395c626627ac1c0cfa4625c8a2ee7550aa19107807f0a7f795db3cc4cf8b92b
SHA5122e7c6af70f805af03495253c0211c717485bab52b60c69a087cd14ac687eb2721ead6a9368f1fbf974f241e504b62407cba95298fa810f25247709284ea6e004
-
Filesize
342B
MD513b0b54288e609f7a986cbbc8ad76bc9
SHA1f43640b42f8becc5de333cad5066df43e4b870e1
SHA2569cec47f6e7018a51b92d76185da7ea42c1b73883f6db18fc7f24f885d3af9f5d
SHA5121622d34d8044078c33790c9186b975befc867954e024fed3e710b67f1b6a4214b557c7d48faee61f5b1c1b2d07d190a6b172e6dc4337144d361cb17cc832dba7
-
Filesize
342B
MD52c00b33ddb9f3e429cb3f1b7ba7f37b7
SHA13372e282f2c9ffda5103c7c6b0cb91845aa0e57e
SHA2567b0b0a1e2c22171ea9179ac90314e254d497cc0c3aaca6342e09bab245faebf6
SHA512de91100942d1a4b4922ffd5b026fec00dc55a3db84f57d36a387202998660b510632e55d45b4fef50589c85ab71e5b6092a99d7b413d55f2a8bb32b27a74a3c4
-
Filesize
342B
MD5902c672975d9001f87fe98ef6e7d1814
SHA159469017a67b018656aea1925a3d25ecb6dd90b5
SHA256db680abd9158a185ddc4c9ca339c45269f83c03ec2162cb60b5f156967ce7501
SHA512cbbd51172b1b63988b6da44fba66e247dbb124adf124c156778f621089cb57778795685a3679a6390eee2549a4a182b79e558f6f904cd2ce926142310654edeb
-
Filesize
342B
MD517fc087ec57206106afbd44ff246cd2f
SHA14333b77061ddb7ab73ec3a48633bc29654398133
SHA256b19913fff61ab13a93d1b9518c24a3fda45c9d9e41ff13d3cf83043a4fdda23a
SHA51257c4ad103fa962d41266d8a60431ccafe5db43c2083f3d79544dee397046d256d6bcf5c99ca4552ba38c36d68c9f395ad7d342d5469f18ab9fd2197635355dba
-
Filesize
342B
MD5d2879b1cbcd8916cf2b7ad3228576340
SHA185cb3091ab2812d205a27387d5fca119048c9acf
SHA2562cb06e8a830fec35c49c6ff34e51f022299b56cd6e728842bb270d8374277da2
SHA512e0d2f4401f66d336b3e5ad22d69c8d34097d484be6265f4ca904b856116556e9224a9f1d91e2ccdeb83338f78b80327a3318db1a89910b2798c18fe840784db5
-
Filesize
342B
MD52770d83d64e23f0817c469847d361bd0
SHA1ffa7cafef426195759085efe43b96ea6322481ea
SHA256351fae0c778aab7b78cbb601474fd7c329b93a4ca72f1589e5555b30a0f86bfd
SHA5127414d28799f04850e204a22fe0b032ffc983c347c163833b981c23b33708558a10136553ca1bd4c9a7701d141433aea099eebabb2570c6dc767196c64adf34ad
-
Filesize
342B
MD59791d142d262270bfbfffe4f2c7bf2de
SHA18e0448b7c1527b97eb3532468d31deeb9dd90e9d
SHA2565acf96367ca81c58a4c35d0495f9580974a08faf5f1d57e5316d1995950d0261
SHA5122f67497d8622d10de672bef0530dbb9a037a4aaba44c721b26b1bff6d1ddb8e452b8221874dcd4a89991d5d5f6cdf79c0ac2f1f66dff44385168e51e7c2ff722
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1KB
MD5997e19195911830c3bd41992e5421c95
SHA17eaa3d41d329f6bd4cf884cc39fe104aa693e694
SHA256237c5eb2cfe35ded142b44b7760d44a2ecfead2a18f2da7df3a970ff8186adaf
SHA5128d5578f121e3ec934a6105f63fea0897a1b3fb1dfb91922ba0321ee43a6b2a5ce2b7600b9787aa1d1442ada746163e8fc8b4ec8925e5e3cdd6845fa7c8cbc926
-
Filesize
382KB
MD541dd108ada487cb93a6e099e074f605b
SHA1354f9fcee3214078d2bc5e3ea55c6b678c2fe2bf
SHA256aebce4939ad8d8df9d1807debb140669e47a24c71b7978249362d3b0900c33f3
SHA51233adb352e06e779871224ce094954756f15e49785fc14f8c8a02476b420b00907961d3489944c2da42fa84e8185f0f6bc7eefde58ebc4ae213fed9bfa1b5932b
-
Filesize
132KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
8KB
-
Filesize
144KB
-
Filesize
392KB
-
Filesize
4KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
392KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB