cerber | 7f63612cc2675d72bbc7b82ea3b6ceda6864ce32e811d7ac2031567c6fab6173

Analysis

max time kernel
134s
max time network
135s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-09-2024 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d05405526a2bf70635cd621ca4a3c4f9_JaffaCakes118.exe
Size

170KB
MD5

d05405526a2bf70635cd621ca4a3c4f9
SHA1

e69de5152d5a6099160b5bc2f8b4cac7561ba61a
SHA256

7f63612cc2675d72bbc7b82ea3b6ceda6864ce32e811d7ac2031567c6fab6173
SHA512

a0011679c1de0b4dd8d340a8fa1a8baa9a713ce73754091054b0f91604025271813974b69d73b93b777a9a1e32d23b1b42ec56f38120510981f6208029410b99
SSDEEP

3072:Wt/AEbb4tj2D8J7UA6bQZRBuNaR0XIdATAQ6a4fY:WRAkPIUA0Yuk04iNsY

Score

10^/10

cerber defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.ret5kr.win/E15B-0EBD-A9C5-0063-76BB" target="_blank">http://cerberhhyed5frqa.ret5kr.win/E15B-0EBD-A9C5-0063-76BB</a></li> <li><a href="http://cerberhhyed5frqa.zgf48j.win/E15B-0EBD-A9C5-0063-76BB" target="_blank">http://cerberhhyed5frqa.zgf48j.win/E15B-0EBD-A9C5-0063-76BB</a></li> <li><a href="http://cerberhhyed5frqa.xltnet.win/E15B-0EBD-A9C5-0063-76BB" target="_blank">http://cerberhhyed5frqa.xltnet.win/E15B-0EBD-A9C5-0063-76BB</a></li> <li><a href="http://cerberhhyed5frqa.dk59jg.win/E15B-0EBD-A9C5-0063-76BB" target="_blank">http://cerberhhyed5frqa.dk59jg.win/E15B-0EBD-A9C5-0063-76BB</a></li> <li><a href="http://cerberhhyed5frqa.xmfu59.win/E15B-0EBD-A9C5-0063-76BB" target="_blank">http://cerberhhyed5frqa.xmfu59.win/E15B-0EBD-A9C5-0063-76BB</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.ret5kr.win/E15B-0EBD-A9C5-0063-76BB" target="_blank">http://cerberhhyed5frqa.ret5kr.win/E15B-0EBD-A9C5-0063-76BB</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.ret5kr.win/E15B-0EBD-A9C5-0063-76BB" target="_blank">http://cerberhhyed5frqa.ret5kr.win/E15B-0EBD-A9C5-0063-76BB</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.ret5kr.win/E15B-0EBD-A9C5-0063-76BB" target="_blank">http://cerberhhyed5frqa.ret5kr.win/E15B-0EBD-A9C5-0063-76BB</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/E15B-0EBD-A9C5-0063-76BB in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Extracted

Path

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.ret5kr.win/E15B-0EBD-A9C5-0063-76BB | | 2. http://cerberhhyed5frqa.zgf48j.win/E15B-0EBD-A9C5-0063-76BB | | 3. http://cerberhhyed5frqa.xltnet.win/E15B-0EBD-A9C5-0063-76BB | | 4. http://cerberhhyed5frqa.dk59jg.win/E15B-0EBD-A9C5-0063-76BB | | 5. http://cerberhhyed5frqa.xmfu59.win/E15B-0EBD-A9C5-0063-76BB |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.ret5kr.win/E15B-0EBD-A9C5-0063-76BB); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.ret5kr.win/E15B-0EBD-A9C5-0063-76BB appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.ret5kr.win/E15B-0EBD-A9C5-0063-76BB); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/E15B-0EBD-A9C5-0063-76BB | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.ret5kr.win/E15B-0EBD-A9C5-0063-76BB

http://cerberhhyed5frqa.zgf48j.win/E15B-0EBD-A9C5-0063-76BB

http://cerberhhyed5frqa.xltnet.win/E15B-0EBD-A9C5-0063-76BB

http://cerberhhyed5frqa.dk59jg.win/E15B-0EBD-A9C5-0063-76BB

http://cerberhhyed5frqa.xmfu59.win/E15B-0EBD-A9C5-0063-76BB

http://cerberhhyed5frqa.onion/E15B-0EBD-A9C5-0063-76BB

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (16390) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1164	bcdedit.exe
572	bcdedit.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{24904338-379E-53D6-B3B4-47BAA50F43E4}\\isoburn.exe\""	d05405526a2bf70635cd621ca4a3c4f9_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{24904338-379E-53D6-B3B4-47BAA50F43E4}\\isoburn.exe\""	isoburn.exe

Deletes itself 1 IoCs

pid	Process
3064	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\isoburn.lnk	d05405526a2bf70635cd621ca4a3c4f9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\isoburn.lnk	isoburn.exe

Executes dropped EXE 1 IoCs

pid	Process
1940	isoburn.exe

Loads dropped DLL 3 IoCs

pid	Process
2280	d05405526a2bf70635cd621ca4a3c4f9_JaffaCakes118.exe
2280	d05405526a2bf70635cd621ca4a3c4f9_JaffaCakes118.exe
1940	isoburn.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\isoburn = "\"C:\\Users\\Admin\\AppData\\Roaming\\{24904338-379E-53D6-B3B4-47BAA50F43E4}\\isoburn.exe\""	isoburn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\isoburn = "\"C:\\Users\\Admin\\AppData\\Roaming\\{24904338-379E-53D6-B3B4-47BAA50F43E4}\\isoburn.exe\""	isoburn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\isoburn = "\"C:\\Users\\Admin\\AppData\\Roaming\\{24904338-379E-53D6-B3B4-47BAA50F43E4}\\isoburn.exe\""	d05405526a2bf70635cd621ca4a3c4f9_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\isoburn = "\"C:\\Users\\Admin\\AppData\\Roaming\\{24904338-379E-53D6-B3B4-47BAA50F43E4}\\isoburn.exe\""	d05405526a2bf70635cd621ca4a3c4f9_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	isoburn.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpEA01.bmp"	isoburn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isoburn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d05405526a2bf70635cd621ca4a3c4f9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2620	PING.EXE
2588	cmd.exe
920	PING.EXE
3064	cmd.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2664	vssadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2660	taskkill.exe
2140	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop	d05405526a2bf70635cd621ca4a3c4f9_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{24904338-379E-53D6-B3B4-47BAA50F43E4}\\isoburn.exe\""	d05405526a2bf70635cd621ca4a3c4f9_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop	isoburn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{24904338-379E-53D6-B3B4-47BAA50F43E4}\\isoburn.exe\""	isoburn.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A6EFDBC1-6C88-11EF-9AA4-4E0B11BE40FD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70ecb7699500db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000f5ca4c118d67d2c216064c334bf144d3e2142a4c85f434e3623761ade5b988c2000000000e80000000020000200000007f93f401eaf756fcd6fea27d531e2cab27894a61a0b9f9768d57aaebca9914a19000000007869ebd95ee000f3996ab4ad55e374487dd8515d7abfe1920ca03e7b05a98559e7047811a342a623393790d87b9d02cca36f441158be65c7e486bf67bd08e2d94767690a329afbc3f6e8b612cec50988c257d66d712f162178fb6558c07a642fa6076a627dce8564c7b123675f7713dcc73002f40970dbf6ebe9591026eb9c7f7ed8ece89a51a434f193825b8ae71e2400000009535313e4e60a8e24891e343be164f233a357e64d3ca51a9d153aa31005671b454678a1ae14e4cc01d56984f623f326a49cd32a78b26654004edf4d6c8eef986	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A6FBC2A1-6C88-11EF-9AA4-4E0B11BE40FD} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000f3b76e907ad757cdcafae10e9f4be311d0cf84442cb2ec988e9aa8692d6dabd1000000000e80000000020000200000000be3f836f324ced198d074489d3e92696da0d3dbbaad8aad7367a95f8281987e200000007d972e3e16d64042cfe952271934f733168b37fcdc4f2c871743b71ae1e3d3be400000004e16eb5fb5f1f53f3fa18cb2966063f46df9b06f30f5e573afbb09f987fb2ea58c364b01e739382fe57fbbf07aa91b94db7daccc40b4e4d6ac443e3ed731095e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431813832"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2620	PING.EXE
920	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1940	isoburn.exe
1940	isoburn.exe
1940	isoburn.exe
1940	isoburn.exe
1940	isoburn.exe
1940	isoburn.exe
1940	isoburn.exe
1940	isoburn.exe
1940	isoburn.exe
1940	isoburn.exe
1940	isoburn.exe
1940	isoburn.exe
1940	isoburn.exe
1940	isoburn.exe
1940	isoburn.exe
1940	isoburn.exe
1940	isoburn.exe
1940	isoburn.exe
1940	isoburn.exe
1940	isoburn.exe
1940	isoburn.exe
1940	isoburn.exe
1940	isoburn.exe
1940	isoburn.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	2280	d05405526a2bf70635cd621ca4a3c4f9_JaffaCakes118.exe
Token: SeDebugPrivilege	1940	isoburn.exe
Token: SeBackupPrivilege	2360	vssvc.exe
Token: SeRestorePrivilege	2360	vssvc.exe
Token: SeAuditPrivilege	2360	vssvc.exe
Token: SeDebugPrivilege	2660	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1188	wmic.exe
Token: SeSecurityPrivilege	1188	wmic.exe
Token: SeTakeOwnershipPrivilege	1188	wmic.exe
Token: SeLoadDriverPrivilege	1188	wmic.exe
Token: SeSystemProfilePrivilege	1188	wmic.exe
Token: SeSystemtimePrivilege	1188	wmic.exe
Token: SeProfSingleProcessPrivilege	1188	wmic.exe
Token: SeIncBasePriorityPrivilege	1188	wmic.exe
Token: SeCreatePagefilePrivilege	1188	wmic.exe
Token: SeBackupPrivilege	1188	wmic.exe
Token: SeRestorePrivilege	1188	wmic.exe
Token: SeShutdownPrivilege	1188	wmic.exe
Token: SeDebugPrivilege	1188	wmic.exe
Token: SeSystemEnvironmentPrivilege	1188	wmic.exe
Token: SeRemoteShutdownPrivilege	1188	wmic.exe
Token: SeUndockPrivilege	1188	wmic.exe
Token: SeManageVolumePrivilege	1188	wmic.exe
Token: 33	1188	wmic.exe
Token: 34	1188	wmic.exe
Token: 35	1188	wmic.exe
Token: SeIncreaseQuotaPrivilege	1188	wmic.exe
Token: SeSecurityPrivilege	1188	wmic.exe
Token: SeTakeOwnershipPrivilege	1188	wmic.exe
Token: SeLoadDriverPrivilege	1188	wmic.exe
Token: SeSystemProfilePrivilege	1188	wmic.exe
Token: SeSystemtimePrivilege	1188	wmic.exe
Token: SeProfSingleProcessPrivilege	1188	wmic.exe
Token: SeIncBasePriorityPrivilege	1188	wmic.exe
Token: SeCreatePagefilePrivilege	1188	wmic.exe
Token: SeBackupPrivilege	1188	wmic.exe
Token: SeRestorePrivilege	1188	wmic.exe
Token: SeShutdownPrivilege	1188	wmic.exe
Token: SeDebugPrivilege	1188	wmic.exe
Token: SeSystemEnvironmentPrivilege	1188	wmic.exe
Token: SeRemoteShutdownPrivilege	1188	wmic.exe
Token: SeUndockPrivilege	1188	wmic.exe
Token: SeManageVolumePrivilege	1188	wmic.exe
Token: 33	1188	wmic.exe
Token: 34	1188	wmic.exe
Token: 35	1188	wmic.exe
Token: 33	1688	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1688	AUDIODG.EXE
Token: 33	1688	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1688	AUDIODG.EXE
Token: SeDebugPrivilege	2140	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2236	iexplore.exe
2280	iexplore.exe
2236	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2236	iexplore.exe
2236	iexplore.exe
2280	iexplore.exe
2280	iexplore.exe
2236	iexplore.exe
2236	iexplore.exe
2308	IEXPLORE.EXE
2308	IEXPLORE.EXE
208	IEXPLORE.EXE
208	IEXPLORE.EXE
2248	IEXPLORE.EXE
2248	IEXPLORE.EXE
208	IEXPLORE.EXE
208	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2280	d05405526a2bf70635cd621ca4a3c4f9_JaffaCakes118.exe
1940	isoburn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 1940	2280	d05405526a2bf70635cd621ca4a3c4f9_JaffaCakes118.exe	31
PID 2280 wrote to memory of 1940	2280	d05405526a2bf70635cd621ca4a3c4f9_JaffaCakes118.exe	31
PID 2280 wrote to memory of 1940	2280	d05405526a2bf70635cd621ca4a3c4f9_JaffaCakes118.exe	31
PID 2280 wrote to memory of 1940	2280	d05405526a2bf70635cd621ca4a3c4f9_JaffaCakes118.exe	31
PID 2280 wrote to memory of 3064	2280	d05405526a2bf70635cd621ca4a3c4f9_JaffaCakes118.exe	32
PID 2280 wrote to memory of 3064	2280	d05405526a2bf70635cd621ca4a3c4f9_JaffaCakes118.exe	32
PID 2280 wrote to memory of 3064	2280	d05405526a2bf70635cd621ca4a3c4f9_JaffaCakes118.exe	32
PID 2280 wrote to memory of 3064	2280	d05405526a2bf70635cd621ca4a3c4f9_JaffaCakes118.exe	32
PID 1940 wrote to memory of 2664	1940	isoburn.exe	33
PID 1940 wrote to memory of 2664	1940	isoburn.exe	33
PID 1940 wrote to memory of 2664	1940	isoburn.exe	33
PID 1940 wrote to memory of 2664	1940	isoburn.exe	33
PID 3064 wrote to memory of 2660	3064	cmd.exe	36
PID 3064 wrote to memory of 2660	3064	cmd.exe	36
PID 3064 wrote to memory of 2660	3064	cmd.exe	36
PID 3064 wrote to memory of 2660	3064	cmd.exe	36
PID 3064 wrote to memory of 2620	3064	cmd.exe	40
PID 3064 wrote to memory of 2620	3064	cmd.exe	40
PID 3064 wrote to memory of 2620	3064	cmd.exe	40
PID 3064 wrote to memory of 2620	3064	cmd.exe	40
PID 1940 wrote to memory of 1188	1940	isoburn.exe	41
PID 1940 wrote to memory of 1188	1940	isoburn.exe	41
PID 1940 wrote to memory of 1188	1940	isoburn.exe	41
PID 1940 wrote to memory of 1188	1940	isoburn.exe	41
PID 1940 wrote to memory of 1164	1940	isoburn.exe	43
PID 1940 wrote to memory of 1164	1940	isoburn.exe	43
PID 1940 wrote to memory of 1164	1940	isoburn.exe	43
PID 1940 wrote to memory of 1164	1940	isoburn.exe	43
PID 1940 wrote to memory of 572	1940	isoburn.exe	45
PID 1940 wrote to memory of 572	1940	isoburn.exe	45
PID 1940 wrote to memory of 572	1940	isoburn.exe	45
PID 1940 wrote to memory of 572	1940	isoburn.exe	45
PID 1940 wrote to memory of 2236	1940	isoburn.exe	48
PID 1940 wrote to memory of 2236	1940	isoburn.exe	48
PID 1940 wrote to memory of 2236	1940	isoburn.exe	48
PID 1940 wrote to memory of 2236	1940	isoburn.exe	48
PID 1940 wrote to memory of 1044	1940	isoburn.exe	49
PID 1940 wrote to memory of 1044	1940	isoburn.exe	49
PID 1940 wrote to memory of 1044	1940	isoburn.exe	49
PID 1940 wrote to memory of 1044	1940	isoburn.exe	49
PID 2236 wrote to memory of 2308	2236	iexplore.exe	51
PID 2236 wrote to memory of 2308	2236	iexplore.exe	51
PID 2236 wrote to memory of 2308	2236	iexplore.exe	51
PID 2236 wrote to memory of 2308	2236	iexplore.exe	51
PID 2280 wrote to memory of 2248	2280	iexplore.exe	52
PID 2280 wrote to memory of 2248	2280	iexplore.exe	52
PID 2280 wrote to memory of 2248	2280	iexplore.exe	52
PID 2280 wrote to memory of 2248	2280	iexplore.exe	52
PID 2236 wrote to memory of 208	2236	iexplore.exe	53
PID 2236 wrote to memory of 208	2236	iexplore.exe	53
PID 2236 wrote to memory of 208	2236	iexplore.exe	53
PID 2236 wrote to memory of 208	2236	iexplore.exe	53
PID 1940 wrote to memory of 2976	1940	isoburn.exe	54
PID 1940 wrote to memory of 2976	1940	isoburn.exe	54
PID 1940 wrote to memory of 2976	1940	isoburn.exe	54
PID 1940 wrote to memory of 2976	1940	isoburn.exe	54
PID 1940 wrote to memory of 2588	1940	isoburn.exe	59
PID 1940 wrote to memory of 2588	1940	isoburn.exe	59
PID 1940 wrote to memory of 2588	1940	isoburn.exe	59
PID 1940 wrote to memory of 2588	1940	isoburn.exe	59
PID 2588 wrote to memory of 2140	2588	cmd.exe	61
PID 2588 wrote to memory of 2140	2588	cmd.exe	61
PID 2588 wrote to memory of 2140	2588	cmd.exe	61
PID 2588 wrote to memory of 920	2588	cmd.exe	63

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d05405526a2bf70635cd621ca4a3c4f9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d05405526a2bf70635cd621ca4a3c4f9_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Roaming\{24904338-379E-53D6-B3B4-47BAA50F43E4}\isoburn.exe
  "C:\Users\Admin\AppData\Roaming\{24904338-379E-53D6-B3B4-47BAA50F43E4}\isoburn.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\system32\vssadmin.exe
    "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2664
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1188
- - C:\Windows\System32\bcdedit.exe
    "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1164
- - C:\Windows\System32\bcdedit.exe
    "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:572
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2236 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2308
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2236 CREDAT:668673 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:208
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:1044
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:2976
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "isoburn.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{24904338-379E-53D6-B3B4-47BAA50F43E4}\isoburn.exe" > NUL
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "isoburn.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2140
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:920
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "d05405526a2bf70635cd621ca4a3c4f9_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\d05405526a2bf70635cd621ca4a3c4f9_JaffaCakes118.exe" > NUL
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "d05405526a2bf70635cd621ca4a3c4f9_JaffaCakes118.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2280 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2248

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:2020

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
2d71478afa4b2f392c456d9c8c7bb278

SHA1
5cbfcae65f39e806174f6b48eb926f38bf150a45

SHA256
e3f0e77cffe9d804a798a25623e8c4f5e2ed2e0f112af5669d46544f523df512

SHA512
a82024f4ed865d3dc8a9c11d3690052abb86ec8710deb0be5064eece4849de763d6ad05b6d38a0d8669678e7bdb4ad26c6e8ea0e02e9d862009a49086902e151

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url

Filesize
85B

MD5
ec753a030ddc8160b8fd96c13d7ebe0c

SHA1
fd72ad575c8fc56aa71c6cbab8aee3bfc4892644

SHA256
2f7dd9930f1621066757cc6d3aa898e37111f1479144e97832662fa46a277ea9

SHA512
8b93e700c3e652646bb13239164f11a34f368f721e40bc5e7ed997960fedf29122e32ae50518b29be3b0dc8ffdcff0325e01aeee982489a247ac8c9f6766a071

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs

Filesize
219B

MD5
35a3e3b45dcfc1e6c4fd4a160873a0d1

SHA1
a0bcc855f2b75d82cbaae3a8710f816956e94b37

SHA256
8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934

SHA512
6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19bed24cff1983b224bedd2ec346fcf7

SHA1
f23743679d993ceb67e705e9e579924755c2785c

SHA256
28db788e272105559ccace1d1edc3ff9c744114e7bf209e7b8e3f855d8d7b51b

SHA512
778da4332cac3a4a441985c19fdcd194f7b3480be49034dbad79b9f46c31e7e54aa346fac53e9ff2fd02cad90d10e30c2cbf4ccda703fd8d3b469ef2cfdccf06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c8e975bbc9e44256162d80bfb160047

SHA1
f21fa62009c8f7720f00fdf973a7bedae641b560

SHA256
4d5fe3ffc2b75cee955af264fd7957767b6ec0193f9e191303ecd3980a2a2c34

SHA512
23ff02ffd232f01c1a6296be37f236bf273844d12a272f1a8caff7694ca670d645d79ed7bacdfe7c5874b703a06c118027415ce1765af2664a1d39be9d226a83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bac8e047c77dd8754b2eb8fbea39021d

SHA1
f4603c0e552487c7088d24f1d496b094a087dfee

SHA256
0070b7554b11f3c600cf1f7c7c82f739d205754a1d64cd616abe7274f8781fb2

SHA512
0d05b5d8cb3e2a83f9393b43645d4eb09c2aad0b7cf46e074b6db6efdf84a6030c3a4027c0ddba8ec9351e5d814eed2aa3c083a6c594eb89bec427ff8bc49a2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e977783c4d77a4bcce22421a784f2335

SHA1
a0f146b6a978a0d54eae5358268800280b9018dd

SHA256
b40b09e9db86c38db357149d9aac3d3ad498b172701f3b630451f9e2db997c36

SHA512
b7e818e09339688f2c2aac5badef62885d0f7be8f894d827f64c282379d44ca820fbcfa3641962639c124050f15da7f3ea89b63b43028d7a19d580e90753ee0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb22e611302002f1ee8b5478d1b754f5

SHA1
8ef060bf458cc7f9e03c1bc19f76fc219776327f

SHA256
da08772084bfbc074999ebfc39f2f7efec82c3c83e902f89b0166c2b0c7d0411

SHA512
4881b189fbb142f4258fe34dcbe7f25d3fe921ed06f31aafd9992f282d5db0364c6bd80ef925b83d3577b83a97be5af8ca9a7de8c5f4946bb74b7da802b2252d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4f8a4b5b347f790ea4c6b32e5069582

SHA1
5139df5b21662cbc54191ec3372a5a8670ba7a0c

SHA256
a123e61767b9b855260d73a22f36103f322eaf91340ac67001e7ca0035e54c8c

SHA512
4bc3646534c65902eb7912df48cb2da8b12ee7b1b661a5e2c651190e43bb5de0c108ad5ab5059264a4e5b6cc16466755811c2fde881eeac6d441f5a947a39862

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4636489591e405889df6da122b88645

SHA1
0b6333351fc5c21a72fb5520998becd47fcf26b6

SHA256
780546b49aa5c5eb136b13bc04e70fca21582501d52179fc1945e1947b6888af

SHA512
3d0c281a21f39445d4d39dfb05a16d08a6487ff1fd12c0e2336bf1f2def06346e5d9a7a0aff6b929783aec7a8747236d2cab21e73875e63dddaa3b1e1fb55b9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72f13edf53f581464b31f24eb8e6233c

SHA1
a4e75821c815a76067c932dc7585735fb4e482a6

SHA256
fbde3b95b988316915693afabd860e2c731ecc224c5069b14dfa8e7fb14ede73

SHA512
72d87df4469cbc8ad560101773cb64a4715fcd80a83cfbd8b7546e17c073a7303af374e6e5300b31ab651fb0d4a3a2001a78627ea184f0a8576eef966a4c70b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ddd69d64b0eba3efe25826b6075a8569

SHA1
02c0e9ea3d9371843e7749031dff5f5a7227524c

SHA256
578ae262570b7af76c5ff045e45796c857b6fabb60124e36724c079b9aadcab8

SHA512
bf6fa2cb2933c57594e04d055d92450caa13d086c19c06e60fbdaeb2889914ae8d06afa8ae9963a77798fb805b2aae9e79a7def2d2443271d50809b3b99bc144

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f290f86eee3ad8b5d17abee14ac7656d

SHA1
6ba22b5e01c0df752e1b439e992ae298b3e6a591

SHA256
ee70b837fc28e856dbbbb2f39f6e65b5d0d4318fb3117597489adee1eaecb11f

SHA512
d7abb2de6206283eb0b2b45d09bb64cd43465538624e464f1091a16694a425914bdada0078c102ef39d8f64efc517710fd1034312973ab4375deec44d401378c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7b6f721889b1f582bbf134acf55330f

SHA1
a79599545edc94a23ff708fc8e201adc0e0c96bf

SHA256
9fbf1dd300f4471bac0fa800a773766d7268d1c76e9a9d3373d9e7813bc33879

SHA512
c853517dd981ab4553d190e9ac44c30b7b6472554b0df89ed46460bcb5529418e2ad0d1226111d00d231e57a71baf08090317a1554d355590e457b80cecaae82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8ef207446e80b4577958fe85357a5e1

SHA1
3726bc19a924b28dfba9226ef5f85c019fe114f8

SHA256
dca43be209a4cfc0adc833d968358ee421e12c3315d16904be0f0a3b2644d0fd

SHA512
639a5675863a5ffe10772da22cf451cf50f876422eb91dae309d289797e5b719bedc7ddcb190141b6228b94e6aa4beef122e4975aa4fef81149bd9e261bcc7c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de7ce4c04462f3ae1e1831962d74f2e3

SHA1
6c748fc4c13fec745566b7e7471b79646a85101c

SHA256
fb91e34eefa7f16b79170c6418e6f118e8b08af77b5f502b8fb1efe3fa34bfea

SHA512
d68de191d23bb121fe2dcf3c323a39853da02013a7717d1bdddb94684de84350df458bcf043a2c8a363c900c4f984b7b21fc1d86a4dd7d2a5050479661ead89e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d21b58e672b9844d1dcb8a8d17ea0edf

SHA1
fd7616bd0898034a97033292a241a53df466c539

SHA256
324f5669c280ca3f438c61ac3c5da77e678dfad7131c5fd5adeae6045d113bec

SHA512
dc487caab035b1f6f9a2164e50a2f608f25e320006446bf31c6342209fefca9096853b0ac4242413c930ae6690b1eec0d60ff05b647f66631817b2e746504ec3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed89788bc3212024652f4bf270a7e089

SHA1
f1d8199918a48b1fddaf185b966b738415c0fbfc

SHA256
5bd99e04ea72dc133f5ecc89a4ef345900b325779d104045bee7a48076b3e96e

SHA512
f66a98004ceaccf669b37e920b8482881844e5905c77f3bf3930a8e711c919e7cf7f22f8a474a7f61b506b7bb486c5d1aaaa5df28f95b744b48bdc8aeb444c2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec6c96c6eea11f670e271e724215e539

SHA1
533769a65355bb5cdfd2bd3cd9f9925fedea307c

SHA256
510ecc79b3e612c26b0a3d416c94cff33d499b826cf106a84d0f0119f19c3960

SHA512
3e7a71764af31e2511eadaf16af86c58da9c3cff7cc5d7cfb819a6bf902d229b977c7a6f3ead96d464f20ad27fbc962ce79b5459ea17253a181eba3172bb5027

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c38553e8cc2f29865d424d57f72ab08b

SHA1
11284ac0624c35c833d91f660c245f49e7ab897a

SHA256
35b3d19de7066a6460a0a0030c6f689024c587cb5d4f568564e3f6137bff9748

SHA512
2c0cf03cfa8b7f58e7d4eb164b24ad3fb313f908ca71e562270f37e589c731e91a0bdea2274a43d9449983fca7378a67f86e13c7b11d71c0053b2e175b0deaf3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f49f90cb2a41aa1961ea1559580b4710

SHA1
6923fc5f1a2da1ef36f19162d06d38d6454fafa7

SHA256
610d2cfcee7301a8f2bc80e44eaa75abfc6a1b95dfcaa7d76adf0e1fe09f471f

SHA512
9c90f5901a92a83cb6ff6a10948d855c2baa965f71c38194cefde913d1cd414323337200e53113b326f22b735396620097db5ba575db79484368e3fa1390080a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1770f1f722330388f72fc70d07f027bf

SHA1
31751b0e18a85662d9637a80b09bde4318ca6bec

SHA256
8ecaf24ba9d9071db85fa0bda04438fa29e52a49d6158a0682296003890d0a42

SHA512
d44b97faff74a3a5aca68afa28df2292519daea5f89bd352474b2d8a4e3dcec5223fb8b6db3a145fa97b2a87a5da20d10de01ff07aca4e015ebae9770c424201

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A6EFDBC1-6C88-11EF-9AA4-4E0B11BE40FD}.dat

Filesize
5KB

MD5
d78024ff6ffebf0b5ceda17831646f67

SHA1
4cb8a06e2f0dee7760a1c5c8d998d1bfa077fefb

SHA256
483cebb50c59125e0781edd3e0ef64dca7298e676352517db0df7b0ea40f2160

SHA512
2446a9423b833258df4203a2dc56bef494995d59965cb9c443380dcbdc32ebd0d26195a5c1162b7fee6a1a93ca5e836cf7b870412b99ca517df625ddf1f3607f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A6FBC2A1-6C88-11EF-9AA4-4E0B11BE40FD}.dat

Filesize
3KB

MD5
65a0f52d1d5f45b879a486157f377f28

SHA1
f49345e3be210aa5434312c0b84bab683ad6dc01

SHA256
e6b034cce3c57fea7d39312484b9afb6b4b96d18c324f83fcd142c92435cd5ba

SHA512
9ee9c7f528664c3337026b82bc54e952118cea59ebfde185538fbb2b0892f10ad1a21642593828021b5dc242523dc0810470fa3465b434e0aa0e3c1d0d732ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar120.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
74aa0f157a63d5bc219e55ed91a2214e

SHA1
bb9ac8f28545e2ec8b4a1426f22f4ed2cde058ce

SHA256
cf0ae278e0927ee313dafc9c9ef9c9ce6f6f5a0438b355935a31a6b3995de74d

SHA512
d046c9cdd9d5daa9bef370726aed3d30e2e0f7e014be78432f95f7bee5d4f1ee08b97f98e86f2a77d305d88a06615a6f8e30dc0ecf6d435080d7b6d0246ca896

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\isoburn.lnk

Filesize
1KB

MD5
b4c8833c1552b3e49a06a5ef4129fc7d

SHA1
fc638ac493875ee4d4247297cb30c793f913ee80

SHA256
1bf009a123730d7432cc46d9fdd603226da007756d62bf043091e6dc481d7a22

SHA512
a31a31407b67de46fca441e818a95d45a76257c627bef0dfd1e3b395e0be85c4c515e2c3f015ccd02518a666798fd88f4e07e924836d31231782a9cc69d05a79

Download Submit
\Users\Admin\AppData\Roaming\{24904338-379E-53D6-B3B4-47BAA50F43E4}\isoburn.exe

Filesize
170KB

MD5
d05405526a2bf70635cd621ca4a3c4f9

SHA1
e69de5152d5a6099160b5bc2f8b4cac7561ba61a

SHA256
7f63612cc2675d72bbc7b82ea3b6ceda6864ce32e811d7ac2031567c6fab6173

SHA512
a0011679c1de0b4dd8d340a8fa1a8baa9a713ce73754091054b0f91604025271813974b69d73b93b777a9a1e32d23b1b42ec56f38120510981f6208029410b99

Download Submit
memory/1940-29-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-453-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-469-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-467-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-488-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-477-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-479-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-499-0x00000000041B0000-0x00000000041B2000-memory.dmp

Filesize
8KB

Download
memory/1940-481-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-483-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-485-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-487-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-473-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-475-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-450-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-471-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-447-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-44-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-17-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-939-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-28-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-25-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/1940-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1940-16-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-14-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2280-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2280-0-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/2280-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2280-1-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download