cerber | f10b952d03c6c2ced1d2a0ea27a6572a38227c0c66a0d80be8e7976513270bc6

Analysis

max time kernel
132s
max time network
133s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-11-2024 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84255e080413cc079085e8f879be7c66_JaffaCakes118.exe
Size

136KB
MD5

84255e080413cc079085e8f879be7c66
SHA1

4e163a6b5fd450392e1a4a67b67bf43eb0cc80b7
SHA256

f10b952d03c6c2ced1d2a0ea27a6572a38227c0c66a0d80be8e7976513270bc6
SHA512

3272fe2329622c262765c5c6202030533ef26ccbf90ca42c5299f3816f22cceb631ec9d4fa0b1b6bf06cb9fb410e3e36042ed06d5afe93fea78cdc74a6f31492
SSDEEP

3072:+zb+xJSz6iy/eRft8ttGA/Xr3E3GKinU6tIVJ7PiOKx1gwkGXPyK:+zSxonymht4rzKAUfVpiOKxV3

Score

10^/10

cerber defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.xmfhr6.win/6BB2-478D-CFC0-0063-7D5D | | 2. http://cerberhhyed5frqa.cmfhty.win/6BB2-478D-CFC0-0063-7D5D | | 3. http://cerberhhyed5frqa.dk59jg.win/6BB2-478D-CFC0-0063-7D5D | | 4. http://cerberhhyed5frqa.xmfu59.win/6BB2-478D-CFC0-0063-7D5D | | 5. http://cerberhhyed5frqa.er48rt.win/6BB2-478D-CFC0-0063-7D5D |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.xmfhr6.win/6BB2-478D-CFC0-0063-7D5D); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.xmfhr6.win/6BB2-478D-CFC0-0063-7D5D appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.xmfhr6.win/6BB2-478D-CFC0-0063-7D5D); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/6BB2-478D-CFC0-0063-7D5D | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.xmfhr6.win/6BB2-478D-CFC0-0063-7D5D

http://cerberhhyed5frqa.cmfhty.win/6BB2-478D-CFC0-0063-7D5D

http://cerberhhyed5frqa.dk59jg.win/6BB2-478D-CFC0-0063-7D5D

http://cerberhhyed5frqa.xmfu59.win/6BB2-478D-CFC0-0063-7D5D

http://cerberhhyed5frqa.er48rt.win/6BB2-478D-CFC0-0063-7D5D

http://cerberhhyed5frqa.onion/6BB2-478D-CFC0-0063-7D5D

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.xmfhr6.win/6BB2-478D-CFC0-0063-7D5D" target="_blank">http://cerberhhyed5frqa.xmfhr6.win/6BB2-478D-CFC0-0063-7D5D</a></li> <li><a href="http://cerberhhyed5frqa.cmfhty.win/6BB2-478D-CFC0-0063-7D5D" target="_blank">http://cerberhhyed5frqa.cmfhty.win/6BB2-478D-CFC0-0063-7D5D</a></li> <li><a href="http://cerberhhyed5frqa.dk59jg.win/6BB2-478D-CFC0-0063-7D5D" target="_blank">http://cerberhhyed5frqa.dk59jg.win/6BB2-478D-CFC0-0063-7D5D</a></li> <li><a href="http://cerberhhyed5frqa.xmfu59.win/6BB2-478D-CFC0-0063-7D5D" target="_blank">http://cerberhhyed5frqa.xmfu59.win/6BB2-478D-CFC0-0063-7D5D</a></li> <li><a href="http://cerberhhyed5frqa.er48rt.win/6BB2-478D-CFC0-0063-7D5D" target="_blank">http://cerberhhyed5frqa.er48rt.win/6BB2-478D-CFC0-0063-7D5D</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.xmfhr6.win/6BB2-478D-CFC0-0063-7D5D" target="_blank">http://cerberhhyed5frqa.xmfhr6.win/6BB2-478D-CFC0-0063-7D5D</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.xmfhr6.win/6BB2-478D-CFC0-0063-7D5D" target="_blank">http://cerberhhyed5frqa.xmfhr6.win/6BB2-478D-CFC0-0063-7D5D</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.xmfhr6.win/6BB2-478D-CFC0-0063-7D5D" target="_blank">http://cerberhhyed5frqa.xmfhr6.win/6BB2-478D-CFC0-0063-7D5D</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/6BB2-478D-CFC0-0063-7D5D in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber
Contacts a large (16390) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2272	bcdedit.exe
564	bcdedit.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{03DCD65C-9679-444D-F105-BB6BAC813AA4}\\bootcfg.exe\""	84255e080413cc079085e8f879be7c66_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{03DCD65C-9679-444D-F105-BB6BAC813AA4}\\bootcfg.exe\""	bootcfg.exe

Deletes itself 1 IoCs

pid	Process
2576	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\bootcfg.lnk	84255e080413cc079085e8f879be7c66_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\bootcfg.lnk	bootcfg.exe

Executes dropped EXE 1 IoCs

pid	Process
2052	bootcfg.exe

Loads dropped DLL 3 IoCs

pid	Process
2244	84255e080413cc079085e8f879be7c66_JaffaCakes118.exe
2244	84255e080413cc079085e8f879be7c66_JaffaCakes118.exe
2052	bootcfg.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bootcfg = "\"C:\\Users\\Admin\\AppData\\Roaming\\{03DCD65C-9679-444D-F105-BB6BAC813AA4}\\bootcfg.exe\""	84255e080413cc079085e8f879be7c66_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\bootcfg = "\"C:\\Users\\Admin\\AppData\\Roaming\\{03DCD65C-9679-444D-F105-BB6BAC813AA4}\\bootcfg.exe\""	bootcfg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bootcfg = "\"C:\\Users\\Admin\\AppData\\Roaming\\{03DCD65C-9679-444D-F105-BB6BAC813AA4}\\bootcfg.exe\""	bootcfg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\bootcfg = "\"C:\\Users\\Admin\\AppData\\Roaming\\{03DCD65C-9679-444D-F105-BB6BAC813AA4}\\bootcfg.exe\""	84255e080413cc079085e8f879be7c66_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bootcfg.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp80A5.bmp"	bootcfg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84255e080413cc079085e8f879be7c66_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bootcfg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2576	cmd.exe
1768	PING.EXE
648	cmd.exe
2548	PING.EXE

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2340	vssadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2892	taskkill.exe
300	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop	84255e080413cc079085e8f879be7c66_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{03DCD65C-9679-444D-F105-BB6BAC813AA4}\\bootcfg.exe\""	84255e080413cc079085e8f879be7c66_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop	bootcfg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{03DCD65C-9679-444D-F105-BB6BAC813AA4}\\bootcfg.exe\""	bootcfg.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f5420000000002000000000010660000000100002000000096e02ad65b07cb920a6e4ad8043091822cc5686b104b44f610114f4288654283000000000e8000000002000020000000c196271cc1b59f10652af4fac2f65860d9061ec8d3e566e9fe0462ade157599d900000004344e03e971dc43e511c87aba92baa43d0d19c09a56c13a6b05132c8b460b79e459f0ae05545d8e965e5bcf6888faf70ac30223f2a8dc8d0992bdc1fcca4e68c44e5df09c7eba04bf8dab9b9f12d50a772d5a4514fa95a46c295913f3dcd598cdaa149e0d3dcb35f6e46b95a4ee0e77f8cb115fe5af3718b72a5f854dd56819c628f300211e83943689c79097341948c40000000875e1a9ca4707937a6a86d0b49eab982be16aa1f2a442fd3c65d80bb9ac3f7df0515c307bed12e3bec489549307a19fa8834df18bffa216aea9c68fcefad3104	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DB2C4981-9813-11EF-9F10-C28ADB222BBA} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f542000000000200000000001066000000010000200000001ae51549564776a17af7bbdb04dbe5ecbfbb1874f87d764a150829ee27153fc1000000000e80000000020000200000003bc46a46526e894efa1ebbfd0338d53c7a2d9409d119c3deb4dd304b2e2fe8e220000000055c8e3cbe33b4d26cddb8d52057fab5ade3c0517cf13b498b25d546f5f5b6e3400000002e0846e33d3bee652c4e8cdc64c67e161232f202584ca8bb058ff09aaa652a84d8260f087e7be5d82080aa6666ceaf40c4b6cc078168a16a6815ac30f32ba1e9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30701a9e202cdb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DB193E81-9813-11EF-9F10-C28ADB222BBA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436601519"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1768	PING.EXE
2548	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2052	bootcfg.exe
2052	bootcfg.exe
2052	bootcfg.exe
2052	bootcfg.exe
2052	bootcfg.exe
2052	bootcfg.exe
2052	bootcfg.exe
2052	bootcfg.exe
2052	bootcfg.exe
2052	bootcfg.exe
2052	bootcfg.exe
2052	bootcfg.exe
2052	bootcfg.exe
2052	bootcfg.exe
2052	bootcfg.exe
2052	bootcfg.exe
2052	bootcfg.exe
2052	bootcfg.exe
2052	bootcfg.exe
2052	bootcfg.exe
2052	bootcfg.exe
2052	bootcfg.exe
2052	bootcfg.exe
2052	bootcfg.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	84255e080413cc079085e8f879be7c66_JaffaCakes118.exe
Token: SeDebugPrivilege	2892	taskkill.exe
Token: SeDebugPrivilege	2052	bootcfg.exe
Token: SeBackupPrivilege	2720	vssvc.exe
Token: SeRestorePrivilege	2720	vssvc.exe
Token: SeAuditPrivilege	2720	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2680	wmic.exe
Token: SeSecurityPrivilege	2680	wmic.exe
Token: SeTakeOwnershipPrivilege	2680	wmic.exe
Token: SeLoadDriverPrivilege	2680	wmic.exe
Token: SeSystemProfilePrivilege	2680	wmic.exe
Token: SeSystemtimePrivilege	2680	wmic.exe
Token: SeProfSingleProcessPrivilege	2680	wmic.exe
Token: SeIncBasePriorityPrivilege	2680	wmic.exe
Token: SeCreatePagefilePrivilege	2680	wmic.exe
Token: SeBackupPrivilege	2680	wmic.exe
Token: SeRestorePrivilege	2680	wmic.exe
Token: SeShutdownPrivilege	2680	wmic.exe
Token: SeDebugPrivilege	2680	wmic.exe
Token: SeSystemEnvironmentPrivilege	2680	wmic.exe
Token: SeRemoteShutdownPrivilege	2680	wmic.exe
Token: SeUndockPrivilege	2680	wmic.exe
Token: SeManageVolumePrivilege	2680	wmic.exe
Token: 33	2680	wmic.exe
Token: 34	2680	wmic.exe
Token: 35	2680	wmic.exe
Token: SeIncreaseQuotaPrivilege	2680	wmic.exe
Token: SeSecurityPrivilege	2680	wmic.exe
Token: SeTakeOwnershipPrivilege	2680	wmic.exe
Token: SeLoadDriverPrivilege	2680	wmic.exe
Token: SeSystemProfilePrivilege	2680	wmic.exe
Token: SeSystemtimePrivilege	2680	wmic.exe
Token: SeProfSingleProcessPrivilege	2680	wmic.exe
Token: SeIncBasePriorityPrivilege	2680	wmic.exe
Token: SeCreatePagefilePrivilege	2680	wmic.exe
Token: SeBackupPrivilege	2680	wmic.exe
Token: SeRestorePrivilege	2680	wmic.exe
Token: SeShutdownPrivilege	2680	wmic.exe
Token: SeDebugPrivilege	2680	wmic.exe
Token: SeSystemEnvironmentPrivilege	2680	wmic.exe
Token: SeRemoteShutdownPrivilege	2680	wmic.exe
Token: SeUndockPrivilege	2680	wmic.exe
Token: SeManageVolumePrivilege	2680	wmic.exe
Token: 33	2680	wmic.exe
Token: 34	2680	wmic.exe
Token: 35	2680	wmic.exe
Token: SeDebugPrivilege	300	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
568	iexplore.exe
2908	iexplore.exe
568	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
568	iexplore.exe
568	iexplore.exe
2908	iexplore.exe
2908	iexplore.exe
568	iexplore.exe
568	iexplore.exe
2072	IEXPLORE.EXE
2072	IEXPLORE.EXE
2436	IEXPLORE.EXE
2436	IEXPLORE.EXE
2252	IEXPLORE.EXE
2252	IEXPLORE.EXE
2252	IEXPLORE.EXE
2252	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2052	2244	84255e080413cc079085e8f879be7c66_JaffaCakes118.exe	28
PID 2244 wrote to memory of 2052	2244	84255e080413cc079085e8f879be7c66_JaffaCakes118.exe	28
PID 2244 wrote to memory of 2052	2244	84255e080413cc079085e8f879be7c66_JaffaCakes118.exe	28
PID 2244 wrote to memory of 2052	2244	84255e080413cc079085e8f879be7c66_JaffaCakes118.exe	28
PID 2244 wrote to memory of 2576	2244	84255e080413cc079085e8f879be7c66_JaffaCakes118.exe	29
PID 2244 wrote to memory of 2576	2244	84255e080413cc079085e8f879be7c66_JaffaCakes118.exe	29
PID 2244 wrote to memory of 2576	2244	84255e080413cc079085e8f879be7c66_JaffaCakes118.exe	29
PID 2244 wrote to memory of 2576	2244	84255e080413cc079085e8f879be7c66_JaffaCakes118.exe	29
PID 2576 wrote to memory of 2892	2576	cmd.exe	31
PID 2576 wrote to memory of 2892	2576	cmd.exe	31
PID 2576 wrote to memory of 2892	2576	cmd.exe	31
PID 2576 wrote to memory of 2892	2576	cmd.exe	31
PID 2576 wrote to memory of 1768	2576	cmd.exe	33
PID 2576 wrote to memory of 1768	2576	cmd.exe	33
PID 2576 wrote to memory of 1768	2576	cmd.exe	33
PID 2576 wrote to memory of 1768	2576	cmd.exe	33
PID 2052 wrote to memory of 2340	2052	bootcfg.exe	34
PID 2052 wrote to memory of 2340	2052	bootcfg.exe	34
PID 2052 wrote to memory of 2340	2052	bootcfg.exe	34
PID 2052 wrote to memory of 2340	2052	bootcfg.exe	34
PID 2052 wrote to memory of 2680	2052	bootcfg.exe	38
PID 2052 wrote to memory of 2680	2052	bootcfg.exe	38
PID 2052 wrote to memory of 2680	2052	bootcfg.exe	38
PID 2052 wrote to memory of 2680	2052	bootcfg.exe	38
PID 2052 wrote to memory of 2272	2052	bootcfg.exe	40
PID 2052 wrote to memory of 2272	2052	bootcfg.exe	40
PID 2052 wrote to memory of 2272	2052	bootcfg.exe	40
PID 2052 wrote to memory of 2272	2052	bootcfg.exe	40
PID 2052 wrote to memory of 564	2052	bootcfg.exe	42
PID 2052 wrote to memory of 564	2052	bootcfg.exe	42
PID 2052 wrote to memory of 564	2052	bootcfg.exe	42
PID 2052 wrote to memory of 564	2052	bootcfg.exe	42
PID 2052 wrote to memory of 568	2052	bootcfg.exe	47
PID 2052 wrote to memory of 568	2052	bootcfg.exe	47
PID 2052 wrote to memory of 568	2052	bootcfg.exe	47
PID 2052 wrote to memory of 568	2052	bootcfg.exe	47
PID 2052 wrote to memory of 2216	2052	bootcfg.exe	48
PID 2052 wrote to memory of 2216	2052	bootcfg.exe	48
PID 2052 wrote to memory of 2216	2052	bootcfg.exe	48
PID 2052 wrote to memory of 2216	2052	bootcfg.exe	48
PID 568 wrote to memory of 2072	568	iexplore.exe	49
PID 568 wrote to memory of 2072	568	iexplore.exe	49
PID 568 wrote to memory of 2072	568	iexplore.exe	49
PID 568 wrote to memory of 2072	568	iexplore.exe	49
PID 2908 wrote to memory of 2436	2908	iexplore.exe	51
PID 2908 wrote to memory of 2436	2908	iexplore.exe	51
PID 2908 wrote to memory of 2436	2908	iexplore.exe	51
PID 2908 wrote to memory of 2436	2908	iexplore.exe	51
PID 568 wrote to memory of 2252	568	iexplore.exe	52
PID 568 wrote to memory of 2252	568	iexplore.exe	52
PID 568 wrote to memory of 2252	568	iexplore.exe	52
PID 568 wrote to memory of 2252	568	iexplore.exe	52
PID 2052 wrote to memory of 2988	2052	bootcfg.exe	53
PID 2052 wrote to memory of 2988	2052	bootcfg.exe	53
PID 2052 wrote to memory of 2988	2052	bootcfg.exe	53
PID 2052 wrote to memory of 2988	2052	bootcfg.exe	53
PID 2052 wrote to memory of 648	2052	bootcfg.exe	56
PID 2052 wrote to memory of 648	2052	bootcfg.exe	56
PID 2052 wrote to memory of 648	2052	bootcfg.exe	56
PID 2052 wrote to memory of 648	2052	bootcfg.exe	56
PID 648 wrote to memory of 300	648	cmd.exe	58
PID 648 wrote to memory of 300	648	cmd.exe	58
PID 648 wrote to memory of 300	648	cmd.exe	58
PID 648 wrote to memory of 2548	648	cmd.exe	59

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\84255e080413cc079085e8f879be7c66_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\84255e080413cc079085e8f879be7c66_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Roaming\{03DCD65C-9679-444D-F105-BB6BAC813AA4}\bootcfg.exe
  "C:\Users\Admin\AppData\Roaming\{03DCD65C-9679-444D-F105-BB6BAC813AA4}\bootcfg.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\system32\vssadmin.exe
    "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2340
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- - C:\Windows\System32\bcdedit.exe
    "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2272
- - C:\Windows\System32\bcdedit.exe
    "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:564
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:568 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2072
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:568 CREDAT:865281 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2252
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:2216
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:2988
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "bootcfg.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{03DCD65C-9679-444D-F105-BB6BAC813AA4}\bootcfg.exe" > NUL
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:648
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "bootcfg.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:300
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2548
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "84255e080413cc079085e8f879be7c66_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\84255e080413cc079085e8f879be7c66_JaffaCakes118.exe" > NUL
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "84255e080413cc079085e8f879be7c66_JaffaCakes118.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2908 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2436

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
6b38ee38200fc1d846a4c5ff3670e8e1

SHA1
21a8be3eaae903a7b080777e51fe43a1355044e4

SHA256
25ff451c530035024ed0697881377a08f0d8fd99ca105a79da3aae112c91f27c

SHA512
5136b7d9f75d5199a35399e4090c6c0533733ac2075575006ddc5d8d931ebc6f13fdd4b9195680bf36831cf4a01df5efe27aefb114c8f9b0c3e0d6614014be73

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
0560aa19be08be02faab16523ce86220

SHA1
55ccea5acd292c32095424a314a94e6e5dcdb4fa

SHA256
4afe828060da6bd903cc2aa6957bc96c28da5e2bbaab1c30dbf53e9db61d7bbb

SHA512
0b3b9389d83031c1b680c46c6c4557d70230906f5ddf7201d758218295685701969c80d19e083f194b5aca692a2959293ed118cf939a6cb2eccbc7b239151176

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url

Filesize
85B

MD5
bbccbd287eda1cf957c99039f0976606

SHA1
ed38772a762089b107ab6f31f1d339965f93561d

SHA256
714a12c8f26e87c608feee818c9f5075d0e7842cb12d62fb4a63e95fc8b3d064

SHA512
016a095dcbe83f36ea97a15a6167c65ef6f698e1759cc5e91833864248bd06ba2494861fe9aa2ee922c7843824517b97e1c6ab81bdb7207895594078a8099669

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs

Filesize
219B

MD5
35a3e3b45dcfc1e6c4fd4a160873a0d1

SHA1
a0bcc855f2b75d82cbaae3a8710f816956e94b37

SHA256
8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934

SHA512
6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6440aec337724bf9d11265e298cb88ed

SHA1
7e5b58f4c5fc16fdc45e88835fbacb2e7eddd08b

SHA256
49e43bb539aaac02354063bc7948e8dd25fa2590ac4a889b62a00daeacdbfae8

SHA512
566d935316224fd190a4dd63bb813fac8cc1e44b97c9aad2875b8c8157b743ea4fa207ab0edd09cd36932ed4df531ead42782f2dd0f7638469f54fd83083fc59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a342e9ca986ac9024b9250da5b8c8b6

SHA1
90e3553c2bed9ad666bde8a3501b49f0d848d315

SHA256
cf2e01bd647864816027dbc2e4d75334472bb4e3807b98371d79fcf223ec278c

SHA512
a8f4392a559e3b6df1f0da0290cb79075169d621f5ddd790fd17550b6d96acf35b4a6c1615192c25eb25646699bea4edbf61287a94f436cbd9a674e2c4f8361f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c938f24bc84869abf9347a0a28c8d56

SHA1
479c78e60f6171720791d552c25277be83ee2820

SHA256
e6f4f64f2c49352f91f5b3d5c2ae588a6d63dc4045bb5c5b2e0f35400db00e37

SHA512
07d66f51c3478bb76dbcf90b769493db682baecaa24a223524c87255bf36fd555765d65a7cc4d5033ff85c02b887b98e501356072ab28d772cab5afa3494658f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9533c223fb7b3907500d8dcb98034408

SHA1
b6aba6a157206397728e4cf09182a2202435ef77

SHA256
76235e3df508d204dc18bcd1237479dfd4a54a275759166ee87d9afe215f9cb1

SHA512
dc8fba23390109a277d6fe355364dba9f87bc0adb949f2c3971eedac53bb7c3220ac25400b5d27bf03eb22fc2a8aea306511c3f379af33da5099a52c1d114101

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
598e92dea6d88021f58260e77fe4063a

SHA1
f453b182873cb1720f5d5e3375265e5bcda7e45c

SHA256
aadfc1a0f598b080359515957f6c8eccb2f2641323ca8c2af049c9f2fa683479

SHA512
d8e9fb16e85e564973f8fcc48c5c85be4cb6f506bc37dae3ea51752923d4c8cc02e4c36d0d5dd6ae73d0a7fb0af51e1fe7d0210db04670d65763820b10022338

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01ebc1c9c783a35546de1022ce52798a

SHA1
2f44d05c5b2103a315d209b56a03a71b2928925f

SHA256
1cc50fd69a37df1d29263d725628b993795a1fbd9b21d62463baa2a73e451374

SHA512
3b488b7bdc086ff1690cf5377d9a8071d6941435b5ff8d4accae8edea6841078545087efe916f9db3db4c41a0bf78210b8293caa172609d4b362c3b2be4c9330

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe8eabd49c597a677f5778d5fa1a5bb8

SHA1
128e4b48b432258a92d7d98fb38a1e01e0d6ce02

SHA256
4970b8ea39636d02bc331e4bd1066ffef162a1040d16ffea952c555fe4d695fd

SHA512
d83c94aae555c7c11cd40b8ed3b15374dfe9ced8d7385b3dc25bd5a1ee2b2af5866996d5ff3dedabd1bc0838def75f195e0c42905f81e11b38bf46162c3362e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
127b628dbe8be9ca38a03eff99543c2a

SHA1
77780ddc93323889ec7f429c67d3596418494e0c

SHA256
641fd9ef7a9778bc8d51201aea0b3e6ee3400c1686a43b3316c86aaebbdfec2e

SHA512
68d539e6ab49e5111c028158c585a5f2574c88cfa516e3aaa226aae0d38980bff6b53d63246db3ffe93c5d06a09c50476daa166791ab468efbe36d3bdb3d9fc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
957a3b36ef2325e6aadf8a24a551b6fe

SHA1
aac9438ffe7dea048cea567b0deedf84b4052d09

SHA256
310dea9e805e77fad1bb9f39b7cf22759cf1fb58b914f1b967e0517b0def427c

SHA512
56bbd85cace21a6034bfb03fa7bbd11f83456691a17dfa877280e88f40bcb1457a81a77505f7db37f8a643d9873206cbaa11131b1736910190ac5d568adb75e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3005050106a719588ca09016c325c9dd

SHA1
d340efab4059dca20d365502178e833a4fb1555d

SHA256
df35768132d37bb346ffe4a0ce11138448dd0910183a3094c041a36f5fb9e190

SHA512
48e824fd9a038dca30ee561e9c692ffd7fcde6afc86d104215637c2681734e04116f3e356e9dcca70d099dc0a56e10bd3a394841184387a70423e15831e6639d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
609595e28b46b5a789e766e0da97c957

SHA1
968885acb41cf008e3a22707dc4a50ecfe57b590

SHA256
10e98ce5b69e2a2dec6570840aed65949cd77fdef8ef5ea1e95524f804cbc24e

SHA512
afa5fb078c259c573613ab0ec3f80c477fb317406e073fdbe8476e9aacef64ee8409b55bc9fb01c233b168ebef4b7facde9b67f17d7011f10118d2920578e99a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f034380411778db9aef25048b9183802

SHA1
fc8aa56547913cb9777f4b42697473faee8784b6

SHA256
b85d16721fcb4df53b2be391554e1e9724efd274d8db20d5b5a3520a8454917b

SHA512
51b94cd3d1625dbe4351faac038b6c5a6d542502f501c3ae6a0ade2e6e780c5acc7f09abae5615bc44501960922019da806099a4e04f3aa14797a008de50c070

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a388b0f6832967e98c7214f3d580e2be

SHA1
9470ea708d0d7a2abb49a6bcf66fa9982d5bb332

SHA256
5ce1006a5f182b84648a5f068ab5280e5e759b2b0ddf355a83714821f54274ad

SHA512
e0623095e5ad6e11a691d19039a24e4446ea097ae2e7d2bcaaf41bdf482081723afb76be6b9a231d4e7e0941bd71bd8695cb1a96d1228a97c3ddca6bf8c61003

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b1838a2540797425269040fdddab88d

SHA1
147ed390ca88856262f806fe70cf1c5783728104

SHA256
4f5e28ca53157b0bd7dfe38dffcfbd47d92216a1e025f8472476685b5a882817

SHA512
d49e1f8f14ff1b27f70e3cb29f7b2ca52541de454219bae5c9672747f77ead40277039610d95da06700db95697ee6e97a19a5104eb9c620f9c9a201517c9e71d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
492b18459543cfeb89a1d22ef6a3cca6

SHA1
8d77c7081d75d094ae3fd104ea2e2e9e01026030

SHA256
aadcb3b7149e7d47476da0243b06cbefed9d0ffe69c4ac8fe7c50ab95fa1d331

SHA512
b2d1437fba8ed92af47cdcf672e1dd1ae368e3dc950e8ff44c66930a41cb1f5270794729c1f04b58f300920dc78ae269d02212f6aa178bd2fd474c2358801da4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1728d9ed81aeb8b2858143c04abb83d5

SHA1
74f52bec468df3c643c2b15a0eb09c2eb6c12339

SHA256
2c583df4bd4247642376991d5f9f1245142ede8e6e0670f2550463dd33880ed6

SHA512
95f3fdb36345b1be7785efddeae59b19147ede8868715434ba16af9f6418df52ec66b59b08af803135691bb237614553d94305c1f7a98747c46cfc3f4f6354eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
679336c5fb24fdf107d35e5b5d1a73e5

SHA1
36f54c8e4c4c0af41c94d7aca186b0b6f772c3f4

SHA256
1adfc51e272c420ce747bdcd513e31ab39139bcc28353c68bf0359d2e9aef452

SHA512
e178f2b712cab616cc4d4a2e933f3a1037ae0d298601576fc1dd65d25156d92c069074536a2b07088e1656f6d42bfd7850f6f10bf725fde803877a510bdc3532

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
727ec74d44f827455c66430972161009

SHA1
a5737c2d04a94cac0219fefab391f8eaa7ae397f

SHA256
d84fca854b81d1f97f5f6827752e0fafcbd950a7cb48428e26200bced0054eb5

SHA512
85951bee9f9c875e8238a3cd1e2742b1b29fb0a497663b5a97144992891c63e721cf7054adb78231bc777ef6aa285d89208eac9c672d1ec6ed5c0d217729f885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DB193E81-9813-11EF-9F10-C28ADB222BBA}.dat

Filesize
5KB

MD5
4fce1b71807abe56093991041e38330c

SHA1
beb6db595c66cf85ea22fe89e30f371458af4fca

SHA256
b2c96109a88b0894882356f6fd202adb0eaa92d48d0164389a1e257d82694d9e

SHA512
209d124e0c68b2b9eb57d327d2372d68f49928ca9f132f8fa202e310541b909d6eeae7ecce6dcadad7a9f9721e17ef60a15dbd7afd13197d44af06d328a355f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab97D0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9840.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\bootcfg.lnk

Filesize
1KB

MD5
87baec3d2cd7f29c1331b26786d614a8

SHA1
dd7675d40b8d2d19636c1dbf692352e69215fc46

SHA256
6917ae66ce47b197a79ca544e9b4fc2891749672aca5588885aa3605ceff6810

SHA512
aa5656d57e2bf56792209cbdd4ad2c13ca494a5a9eea2f06ccc328dba9c89189c1c48f895806981f8fae6165e0580625108b13b98c29ae80bfb02fac4d385d68

Download Submit
C:\Users\Admin\AppData\Roaming\{03DCD65C-9679-444D-F105-BB6BAC813AA4}\bootcfg.exe

Filesize
136KB

MD5
84255e080413cc079085e8f879be7c66

SHA1
4e163a6b5fd450392e1a4a67b67bf43eb0cc80b7

SHA256
f10b952d03c6c2ced1d2a0ea27a6572a38227c0c66a0d80be8e7976513270bc6

SHA512
3272fe2329622c262765c5c6202030533ef26ccbf90ca42c5299f3816f22cceb631ec9d4fa0b1b6bf06cb9fb410e3e36042ed06d5afe93fea78cdc74a6f31492

Download Submit
memory/2052-902-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2052-762-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2052-24-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2052-26-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2052-28-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2052-18-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2052-17-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2052-458-0x00000000043C0000-0x00000000043C2000-memory.dmp

Filesize
8KB

Download
memory/2244-1-0x0000000000330000-0x0000000000346000-memory.dmp

Filesize
88KB

Download
memory/2244-16-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2244-2-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download