cerber | 66a05692cf2ff6b0abcd97a5d4b37b61700a21fb93eee4338d87b4ebe79e32b0

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe
Size

211KB
MD5

eaf34a7d9a24baf248e4b5da247a384e
SHA1

ff4ccb35e4311fefdd7f0a7251570c51ab9ab224
SHA256

66a05692cf2ff6b0abcd97a5d4b37b61700a21fb93eee4338d87b4ebe79e32b0
SHA512

a50b36fff27c74c7049be98e4e2f312c825fae52f9aa9161e830e0703e476e7cb4a2947466fda1ebca0244b2e5d6e3b086fc1e884e22b468416416ebb11637b3
SSDEEP

6144:z8dNXSE4z6Jl8TKkPrX81t1YVIgZDWENiEDpwjALIlhT:4fJl8TfPrX81t1RoWZfl

Score

10^/10

cerber defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #CerberRansomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.azlto5.win/2B69-2253-60F6-0063-7BFA | | 2. http://cerberhhyed5frqa.xzcfr4.win/2B69-2253-60F6-0063-7BFA | | 3. http://cerberhhyed5frqa.asxce4.win/2B69-2253-60F6-0063-7BFA | | 4. http://cerberhhyed5frqa.45kgok.win/2B69-2253-60F6-0063-7BFA | | 5. http://cerberhhyed5frqa.ad34ft.win/2B69-2253-60F6-0063-7BFA |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.azlto5.win/2B69-2253-60F6-0063-7BFA); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.azlto5.win/2B69-2253-60F6-0063-7BFA appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.azlto5.win/2B69-2253-60F6-0063-7BFA); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/2B69-2253-60F6-0063-7BFA | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.azlto5.win/2B69-2253-60F6-0063-7BFA

http://cerberhhyed5frqa.xzcfr4.win/2B69-2253-60F6-0063-7BFA

http://cerberhhyed5frqa.asxce4.win/2B69-2253-60F6-0063-7BFA

http://cerberhhyed5frqa.45kgok.win/2B69-2253-60F6-0063-7BFA

http://cerberhhyed5frqa.ad34ft.win/2B69-2253-60F6-0063-7BFA

http://cerberhhyed5frqa.onion/2B69-2253-60F6-0063-7BFA

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #CerberRansomware. <hr> If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.azlto5.win/2B69-2253-60F6-0063-7BFA" target="_blank">http://cerberhhyed5frqa.azlto5.win/2B69-2253-60F6-0063-7BFA</a></li> <li><a href="http://cerberhhyed5frqa.xzcfr4.win/2B69-2253-60F6-0063-7BFA" target="_blank">http://cerberhhyed5frqa.xzcfr4.win/2B69-2253-60F6-0063-7BFA</a></li> <li><a href="http://cerberhhyed5frqa.asxce4.win/2B69-2253-60F6-0063-7BFA" target="_blank">http://cerberhhyed5frqa.asxce4.win/2B69-2253-60F6-0063-7BFA</a></li> <li><a href="http://cerberhhyed5frqa.45kgok.win/2B69-2253-60F6-0063-7BFA" target="_blank">http://cerberhhyed5frqa.45kgok.win/2B69-2253-60F6-0063-7BFA</a></li> <li><a href="http://cerberhhyed5frqa.ad34ft.win/2B69-2253-60F6-0063-7BFA" target="_blank">http://cerberhhyed5frqa.ad34ft.win/2B69-2253-60F6-0063-7BFA</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.azlto5.win/2B69-2253-60F6-0063-7BFA" target="_blank">http://cerberhhyed5frqa.azlto5.win/2B69-2253-60F6-0063-7BFA</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.azlto5.win/2B69-2253-60F6-0063-7BFA" target="_blank">http://cerberhhyed5frqa.azlto5.win/2B69-2253-60F6-0063-7BFA</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.azlto5.win/2B69-2253-60F6-0063-7BFA" target="_blank">http://cerberhhyed5frqa.azlto5.win/2B69-2253-60F6-0063-7BFA</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/2B69-2253-60F6-0063-7BFA in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (16389) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
560	bcdedit.exe
1744	bcdedit.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\\rdrleakdiag.exe\""	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\\rdrleakdiag.exe\""	rdrleakdiag.exe

Deletes itself 1 IoCs

pid	Process
2952	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\rdrleakdiag.lnk	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\rdrleakdiag.lnk	rdrleakdiag.exe

Executes dropped EXE 4 IoCs

pid	Process
2716	rdrleakdiag.exe
1492	rdrleakdiag.exe
1636	rdrleakdiag.exe
2392	rdrleakdiag.exe

Loads dropped DLL 8 IoCs

pid	Process
2172	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe
2172	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe
1672	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe
2716	rdrleakdiag.exe
2716	rdrleakdiag.exe
1492	rdrleakdiag.exe
1636	rdrleakdiag.exe
1636	rdrleakdiag.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rdrleakdiag = "\"C:\\Users\\Admin\\AppData\\Roaming\\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\\rdrleakdiag.exe\""	rdrleakdiag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\rdrleakdiag = "\"C:\\Users\\Admin\\AppData\\Roaming\\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\\rdrleakdiag.exe\""	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rdrleakdiag = "\"C:\\Users\\Admin\\AppData\\Roaming\\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\\rdrleakdiag.exe\""	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\rdrleakdiag = "\"C:\\Users\\Admin\\AppData\\Roaming\\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\\rdrleakdiag.exe\""	rdrleakdiag.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdrleakdiag.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2172 set thread context of 1672	2172	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe	30
PID 2716 set thread context of 1492	2716	rdrleakdiag.exe	38
PID 1636 set thread context of 2392	1636	rdrleakdiag.exe	52

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rdrleakdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rdrleakdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rdrleakdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1980	PING.EXE
2952	cmd.exe
2688	PING.EXE
1624	cmd.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000a000000016d5e-35.dat	nsis_installer_1
behavioral1/files/0x000a000000016d5e-35.dat	nsis_installer_2

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
892	vssadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1480	taskkill.exe
2892	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\\rdrleakdiag.exe\""	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop	rdrleakdiag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\\rdrleakdiag.exe\""	rdrleakdiag.exe

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F1B09EA1-7661-11EF-8920-7AF2B84EB3D8} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f0355100000000020000000000106600000001000020000000e07c4bda19048d24d3f9869c2b179aae88c19cad3efa1074801926cc4d84d729000000000e800000000200002000000072cad6073906bb6026c5cfecd24425cb4ff8dcf3e2205cba5d9ce10be68db48190000000ce51cc114727c231a5e75294f9c5933d56b1e67e82fc9453777d169ac17e27a0b4999ff48ace11a65e060ce52e9c7a0684e8e6f868e4ed3003f15f6f3aca845a769263fa6dd1a85a3d9e12ea72fa69ab9fd72adc9041326a8a4951f08da0e005f6de3d248e9a8bd23dbc0dcae15953de96810f90497b1a002a6ecc3a99735b343b86830e58c2989132059f0324025ed940000000036cc0f4b237dcfd5c4b2cdbeffcbb2f876eccf262c319d343b5b9b613b48c57ed4036f3691c813e62232bb263b83322df08a2a3706af1b2efa807f839f08907	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f0355100000000020000000000106600000001000020000000f078b68b44015d3d4e6bbe4a8e37af838a511d17a54a381ddbe15948a3ead4f1000000000e800000000200002000000094ceeb716cab4d2bd1f43642be00b12a33a36cc891a1d5bd0bcdb1999152e22520000000ea27b2e93ace22b7e89290a52cf4ac31bd62fbd8f74568318dc17f1cea1a635a40000000bddcc2dbbd4e32668190b71cebcd968eb8e14b53e5baaaa104d3a2c5459f4826f45e0cc48a21b4cc051574ef96f2b790d9cf18a3514b55616fe6178383404cae	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F1BEE6E1-7661-11EF-8920-7AF2B84EB3D8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e01ea1b46e0adb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2688	PING.EXE
1980	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1492	rdrleakdiag.exe
1492	rdrleakdiag.exe
1492	rdrleakdiag.exe
1492	rdrleakdiag.exe
1492	rdrleakdiag.exe
1492	rdrleakdiag.exe
1492	rdrleakdiag.exe
1492	rdrleakdiag.exe
1492	rdrleakdiag.exe
1492	rdrleakdiag.exe
1492	rdrleakdiag.exe
1492	rdrleakdiag.exe
1492	rdrleakdiag.exe
1492	rdrleakdiag.exe
1492	rdrleakdiag.exe
1492	rdrleakdiag.exe
1492	rdrleakdiag.exe
1492	rdrleakdiag.exe
1492	rdrleakdiag.exe
1492	rdrleakdiag.exe
1492	rdrleakdiag.exe
1492	rdrleakdiag.exe
1492	rdrleakdiag.exe
1492	rdrleakdiag.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe
Token: SeDebugPrivilege	2892	taskkill.exe
Token: SeDebugPrivilege	1492	rdrleakdiag.exe
Token: SeBackupPrivilege	2832	vssvc.exe
Token: SeRestorePrivilege	2832	vssvc.exe
Token: SeAuditPrivilege	2832	vssvc.exe
Token: SeIncreaseQuotaPrivilege	576	wmic.exe
Token: SeSecurityPrivilege	576	wmic.exe
Token: SeTakeOwnershipPrivilege	576	wmic.exe
Token: SeLoadDriverPrivilege	576	wmic.exe
Token: SeSystemProfilePrivilege	576	wmic.exe
Token: SeSystemtimePrivilege	576	wmic.exe
Token: SeProfSingleProcessPrivilege	576	wmic.exe
Token: SeIncBasePriorityPrivilege	576	wmic.exe
Token: SeCreatePagefilePrivilege	576	wmic.exe
Token: SeBackupPrivilege	576	wmic.exe
Token: SeRestorePrivilege	576	wmic.exe
Token: SeShutdownPrivilege	576	wmic.exe
Token: SeDebugPrivilege	576	wmic.exe
Token: SeSystemEnvironmentPrivilege	576	wmic.exe
Token: SeRemoteShutdownPrivilege	576	wmic.exe
Token: SeUndockPrivilege	576	wmic.exe
Token: SeManageVolumePrivilege	576	wmic.exe
Token: 33	576	wmic.exe
Token: 34	576	wmic.exe
Token: 35	576	wmic.exe
Token: SeIncreaseQuotaPrivilege	576	wmic.exe
Token: SeSecurityPrivilege	576	wmic.exe
Token: SeTakeOwnershipPrivilege	576	wmic.exe
Token: SeLoadDriverPrivilege	576	wmic.exe
Token: SeSystemProfilePrivilege	576	wmic.exe
Token: SeSystemtimePrivilege	576	wmic.exe
Token: SeProfSingleProcessPrivilege	576	wmic.exe
Token: SeIncBasePriorityPrivilege	576	wmic.exe
Token: SeCreatePagefilePrivilege	576	wmic.exe
Token: SeBackupPrivilege	576	wmic.exe
Token: SeRestorePrivilege	576	wmic.exe
Token: SeShutdownPrivilege	576	wmic.exe
Token: SeDebugPrivilege	576	wmic.exe
Token: SeSystemEnvironmentPrivilege	576	wmic.exe
Token: SeRemoteShutdownPrivilege	576	wmic.exe
Token: SeUndockPrivilege	576	wmic.exe
Token: SeManageVolumePrivilege	576	wmic.exe
Token: 33	576	wmic.exe
Token: 34	576	wmic.exe
Token: 35	576	wmic.exe
Token: 33	228	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	228	AUDIODG.EXE
Token: 33	228	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	228	AUDIODG.EXE
Token: SeDebugPrivilege	2392	rdrleakdiag.exe
Token: SeDebugPrivilege	1480	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1500	iexplore.exe
1460	iexplore.exe
1460	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1460	iexplore.exe
1460	iexplore.exe
1500	iexplore.exe
1500	iexplore.exe
1460	iexplore.exe
1460	iexplore.exe
596	IEXPLORE.EXE
596	IEXPLORE.EXE
2208	IEXPLORE.EXE
2208	IEXPLORE.EXE
448	IEXPLORE.EXE
448	IEXPLORE.EXE
448	IEXPLORE.EXE
448	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 1672	2172	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe	30
PID 2172 wrote to memory of 1672	2172	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe	30
PID 2172 wrote to memory of 1672	2172	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe	30
PID 2172 wrote to memory of 1672	2172	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe	30
PID 2172 wrote to memory of 1672	2172	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe	30
PID 2172 wrote to memory of 1672	2172	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe	30
PID 2172 wrote to memory of 1672	2172	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe	30
PID 2172 wrote to memory of 1672	2172	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe	30
PID 2172 wrote to memory of 1672	2172	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe	30
PID 2172 wrote to memory of 1672	2172	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe	30
PID 1672 wrote to memory of 2716	1672	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe	32
PID 1672 wrote to memory of 2716	1672	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe	32
PID 1672 wrote to memory of 2716	1672	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe	32
PID 1672 wrote to memory of 2716	1672	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe	32
PID 1672 wrote to memory of 2952	1672	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe	33
PID 1672 wrote to memory of 2952	1672	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe	33
PID 1672 wrote to memory of 2952	1672	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe	33
PID 1672 wrote to memory of 2952	1672	eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe	33
PID 2952 wrote to memory of 2892	2952	cmd.exe	35
PID 2952 wrote to memory of 2892	2952	cmd.exe	35
PID 2952 wrote to memory of 2892	2952	cmd.exe	35
PID 2952 wrote to memory of 2892	2952	cmd.exe	35
PID 2952 wrote to memory of 2688	2952	cmd.exe	37
PID 2952 wrote to memory of 2688	2952	cmd.exe	37
PID 2952 wrote to memory of 2688	2952	cmd.exe	37
PID 2952 wrote to memory of 2688	2952	cmd.exe	37
PID 2716 wrote to memory of 1492	2716	rdrleakdiag.exe	38
PID 2716 wrote to memory of 1492	2716	rdrleakdiag.exe	38
PID 2716 wrote to memory of 1492	2716	rdrleakdiag.exe	38
PID 2716 wrote to memory of 1492	2716	rdrleakdiag.exe	38
PID 2716 wrote to memory of 1492	2716	rdrleakdiag.exe	38
PID 2716 wrote to memory of 1492	2716	rdrleakdiag.exe	38
PID 2716 wrote to memory of 1492	2716	rdrleakdiag.exe	38
PID 2716 wrote to memory of 1492	2716	rdrleakdiag.exe	38
PID 2716 wrote to memory of 1492	2716	rdrleakdiag.exe	38
PID 2716 wrote to memory of 1492	2716	rdrleakdiag.exe	38
PID 1492 wrote to memory of 892	1492	rdrleakdiag.exe	39
PID 1492 wrote to memory of 892	1492	rdrleakdiag.exe	39
PID 1492 wrote to memory of 892	1492	rdrleakdiag.exe	39
PID 1492 wrote to memory of 892	1492	rdrleakdiag.exe	39
PID 1492 wrote to memory of 576	1492	rdrleakdiag.exe	43
PID 1492 wrote to memory of 576	1492	rdrleakdiag.exe	43
PID 1492 wrote to memory of 576	1492	rdrleakdiag.exe	43
PID 1492 wrote to memory of 576	1492	rdrleakdiag.exe	43
PID 1492 wrote to memory of 560	1492	rdrleakdiag.exe	45
PID 1492 wrote to memory of 560	1492	rdrleakdiag.exe	45
PID 1492 wrote to memory of 560	1492	rdrleakdiag.exe	45
PID 1492 wrote to memory of 560	1492	rdrleakdiag.exe	45
PID 1492 wrote to memory of 1744	1492	rdrleakdiag.exe	47
PID 1492 wrote to memory of 1744	1492	rdrleakdiag.exe	47
PID 1492 wrote to memory of 1744	1492	rdrleakdiag.exe	47
PID 1492 wrote to memory of 1744	1492	rdrleakdiag.exe	47
PID 1716 wrote to memory of 1636	1716	taskeng.exe	51
PID 1716 wrote to memory of 1636	1716	taskeng.exe	51
PID 1716 wrote to memory of 1636	1716	taskeng.exe	51
PID 1716 wrote to memory of 1636	1716	taskeng.exe	51
PID 1636 wrote to memory of 2392	1636	rdrleakdiag.exe	52
PID 1636 wrote to memory of 2392	1636	rdrleakdiag.exe	52
PID 1636 wrote to memory of 2392	1636	rdrleakdiag.exe	52
PID 1636 wrote to memory of 2392	1636	rdrleakdiag.exe	52
PID 1636 wrote to memory of 2392	1636	rdrleakdiag.exe	52
PID 1636 wrote to memory of 2392	1636	rdrleakdiag.exe	52
PID 1636 wrote to memory of 2392	1636	rdrleakdiag.exe	52
PID 1636 wrote to memory of 2392	1636	rdrleakdiag.exe	52

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Users\Admin\AppData\Roaming\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\rdrleakdiag.exe
    "C:\Users\Admin\AppData\Roaming\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\rdrleakdiag.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Users\Admin\AppData\Roaming\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\rdrleakdiag.exe
      "C:\Users\Admin\AppData\Roaming\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\rdrleakdiag.exe"
      4⤵
      Adds policy Run key to start application
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1492
    - - C:\Windows\system32\vssadmin.exe
        
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:892
    - - C:\Windows\system32\wbem\wmic.exe
        
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
    - - C:\Windows\System32\bcdedit.exe
        
        "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:560
    - - C:\Windows\System32\bcdedit.exe
        
        "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1744
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1460
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1460 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:596
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1460 CREDAT:996353 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:448
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        5⤵
        
        PID:2396
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        5⤵
        
        PID:2816
    - - C:\Windows\system32\cmd.exe
        
        /d /c taskkill /t /f /im "rdrleakdiag.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\rdrleakdiag.exe" > NUL
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1624
      - C:\Windows\system32\taskkill.exe
        
        taskkill /t /f /im "rdrleakdiag.exe"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
      - C:\Windows\system32\PING.EXE
        
        ping -n 1 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    /d /c taskkill /t /f /im "eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe" > NUL
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /t /f /im "eaf34a7d9a24baf248e4b5da247a384e_JaffaCakes118.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2892
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2688

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\system32\taskeng.exe
taskeng.exe {72FF3D04-EE00-475D-BF58-1C26BDB70954} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Roaming\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\rdrleakdiag.exe
  C:\Users\Admin\AppData\Roaming\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\rdrleakdiag.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Users\Admin\AppData\Roaming\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\rdrleakdiag.exe
    C:\Users\Admin\AppData\Roaming\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\rdrleakdiag.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2392

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1500
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1500 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2208

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:1424

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x304
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
48a5961fd49dfbc1b827c38d0efc4132

SHA1
bb4b47f8bb027ec6d52120c62ca3822352d4d06c

SHA256
572ddc973cb5168b04435e99f677f735454069260d87c4f3aa31d3ebf4a944c7

SHA512
2dd8c325c5bd17d4f1bfa357f28d65803ee8f1c63febeecad743f6c4906b84d825935dec3592fd276ce884645763b3428e89b226b6a6af059f8c6a9256263bb3

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
4e16d33df720ab2341046bdff0a32113

SHA1
2c863da8a220c85e67b4811bc70c81c94cc95d90

SHA256
e7e481b1c4d606033033fbe36fddbd94dae29cc3cb8c78b62430016dd5b75785

SHA512
8902881922ebd23a0c5169a0d66cbfabd4fa8661e519fb5c05ae7e49b572776dae2d15edc2208b2f65ab95b60630683cb7fc1fb62e6643867395067d0c3b6e92

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url

Filesize
85B

MD5
30c4e191e3f8e1496b14de11d6cf4b48

SHA1
0c5606356414065c0b53482a302887eae5876634

SHA256
613002c8c874681f94366bd07d2ebcb248502f55b3f88851f31adfb00ff28aa4

SHA512
e6cd969a81b1e93b8432786fda3d1479abcaa09d296c26337878985709161d4c1a216364ae6ca69916cb760ea11b9d300d84bde45603816ec87e293c1b4ea911

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs

Filesize
216B

MD5
48ac29422570636cae371b68c858b988

SHA1
ff86dea198c93a8ae49ee52c6eb919fcbd259aab

SHA256
3926b08f205999c2f1a24121117ecfeed31557bf6f0529416f3432321292c6b0

SHA512
75019e6fd4b53528aab1af668149540e1bc372e58e4786eda1da75e7c9718dbc274cbf3f37cd38fbe7e618ea9c1b24c2534d18aecfcc3264ec55f83f206faaa3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f506c7bf7b5fecf039b217aaa87d429

SHA1
b67b0cbf383f4a2005c3db57c0de74cf88b5992c

SHA256
b942e9db3aff1478ebebbc5e1e8dee0657df092694d158d6420f860ab0b823fa

SHA512
c41fa272c3bf827ea580eaf53cadb4f4c6866253121ad90d08ef693283c2529aa0601141c9add129af8d232b851de55bade3c4e9c79ecfb0fb9f41d1cb3d3c41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e45e4b0887ea9b0335fbb0c3d503d574

SHA1
11c50f9eb930ef110758c5d5d55cbaeae552fdc6

SHA256
26d1b7b1f5db3f56d505bfa82e5d0b98b1ab3dd51f62f70641958461a9a9172c

SHA512
282ddbc400c8dd039ebdd497f2bf1fbba687f97b26a0bade645ad1de93c92e1caf435fdd52971d616d688411e1d287261313f2f7514de4be3bcbf82add07bf7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
966e0b1e5929297b031ad74494ba227d

SHA1
5fa534cd86f25793be891cacaf67e7772e0ac67e

SHA256
cbe70f91706a94ea26459e6a73fe0c6ac3ee1e0b65ace01bb8eaca73b0281510

SHA512
e5b47a4d7c1f49eda049f3cded4a8b21d7a24bf912c1fc736d24797424b49bbf5ddbffe5982cb798fd6a1f3bdc30a169b6cb77f24af19189cc45bd0eab5add0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3dd5fb69c6e9d81168cd95d91a22e8bb

SHA1
abb0c999bdbfef5ad9c91bb20d6a0840467b8026

SHA256
1e6606b4cfb0a2c138896c7af0b2f570afd3ae046056a5201cb791c9e9252c3d

SHA512
0d6975061fc27c7a26f203b5f616c962c36c483c499ec2d0ab220c55383651bd0bf8ebfefb86571dd29c3f8cdd7b6b61e0e8ee37a32c517fc6388be3b206fa49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c38a28008801ecaa03a65103b9d65c7

SHA1
f124b3453e9ed2a0b6c2c2c2c0e1e2c95c50cb2a

SHA256
11927236a371180fedc9cab2771bbde570c0f86e9a66f842395da80806e75376

SHA512
4b4f6938c6fc8b9cf7276fe23a05512d072e6d5b161e41aa5cad0464ca8c9c3a92900c9da10a356807d2a4e24d2e32abab34b5d10122647780815f45a705832d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8803525b2f6638d77dc22f8a3238bc80

SHA1
99de976b77f46a99b00d27e2bd41f7ea2a462e6f

SHA256
01da7e779b39d1e89aa71ec38fa47c3d22837b9fb1924e172b90b5ded2fc7c84

SHA512
162005d4b24b357949c56d4cf3940b7b3f23cb76f759d69ace2b90d2d577fe5da395b6593de5c194d1791c633487fc727b0fa3fd505f7eb89ea486b475d69466

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00fc09a2fc076cfd02a759115e996ec8

SHA1
b9e3b6995b19e5951b02716c9dd415b4d2c8d68d

SHA256
0fc590adc947aca5732d024441c6909e853f5c90252c54b3f563b2597e75009d

SHA512
af1720ca6ec1cf92a7254e1939a64ea978cebdf5094e45e69492c5700864510ad34fcfa7bcfb1ee4eb30d46b77bb9e560f58b490623deada1fe9422967d96409

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2832e157496f2b2cae08a77ce751d840

SHA1
23fbd5ab3b11fc39c8edfabd5142618f702599bf

SHA256
a62d4172924468734711940b773b4464d8223b455516db125356d2a2e010604f

SHA512
0eac10b4d5318e1d787b3c10338619695f6e65936aae2b396f52240898690457e69ce47af2f5d736261cccb5746041a2f9fdb62c2de6bd2e99469aa953e90126

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f4c5ec5ca61479b31ea7a01f8a9fa31

SHA1
42843f98e5e1f63afea318b58441411f9cb50561

SHA256
4299d7ec65ca9691bcc8952359e42f24e46baeb7e59c0fe1bd9746ca1d05b1bf

SHA512
b15c0bde9f36a9fac7dd8c2f23f931a0180fa7aaccafa8a5bd78aec622d49850d07254af538333c3d91929301f8ca5e33e847253622408f89b7396fd12c4d7e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F1B09EA1-7661-11EF-8920-7AF2B84EB3D8}.dat

Filesize
5KB

MD5
076d6cc767afa24153d142b901d92bc9

SHA1
302b0abe829942a1be1a0182c7c5c216ae39418f

SHA256
46dee8cef11361beb3eaa2fce386d172600adf5ea1146c6c97ee70708ec73f78

SHA512
e188c870c0bbfeda419a3d9f9ad089c4c260f99db97b3cd5c294e76682c8c8d092873e1c533e115e905093746784d062fa80540927646c3c34905d4c8bd72b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab42EB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar43AB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Kinship.E

Filesize
36KB

MD5
725b04bb5645e70d9ae2ee72a8b23e82

SHA1
11a6403b90e9430f9fdc3b22344d1c5d2cbddd94

SHA256
27a0c5b9f60c6dede610dea56dc6cc009c7d0ac312031272547c546ffc39c80e

SHA512
a2e301456036785b040a1ff4d6e143c09c762089bd12fd26d3b3172820e37e70b3a51d74bfcebf0ef267f0b289c5622f5f6a3b7455c0639f2a35ecfe41c37493

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\rdrleakdiag.lnk

Filesize
1KB

MD5
147d5f86e3625c63e660991a70583a13

SHA1
cdbba2212580403e6409cb00fef582eeaec21d56

SHA256
7a07772b8afb941d3643faca17a040e98c73dc51962bea1a0b0062127f50b1de

SHA512
939104557445a2a0eec101feba4a6a6212c895a7cee263a0da9da5b20f34ffbbb78adfffe7befa6f4f4663e2eedb33bde12912bdd043a447769319977921dfd8

Download Submit
\Users\Admin\AppData\Local\Temp\nsjB9EE.tmp\System.dll

Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
\Users\Admin\AppData\Roaming\SFhelper.dll

Filesize
90KB

MD5
05fc8bccccdabed0243488f3d7a30a75

SHA1
dfafc4da35a1182e7e1f5d4f32e6d600482b8a13

SHA256
ff553449b2d4b769a25b8b6c639d8b5d962ddce24b4601a1bff41b8fc7697376

SHA512
e326ef5f312c9a3c2ff7e09fc276e4b14aebfe17563ae44e47f7184b8c0dc9ac89f78d56e785b099e897945871a7dcd04747c0cd457128bca539baeca388f968

Download Submit
\Users\Admin\AppData\Roaming\{6017E6B0-989C-669C-F2CA-0F60A68A98B2}\rdrleakdiag.exe

Filesize
211KB

MD5
eaf34a7d9a24baf248e4b5da247a384e

SHA1
ff4ccb35e4311fefdd7f0a7251570c51ab9ab224

SHA256
66a05692cf2ff6b0abcd97a5d4b37b61700a21fb93eee4338d87b4ebe79e32b0

SHA512
a50b36fff27c74c7049be98e4e2f312c825fae52f9aa9161e830e0703e476e7cb4a2947466fda1ebca0244b2e5d6e3b086fc1e884e22b468416416ebb11637b3

Download Submit
memory/1492-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1492-74-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1492-77-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1492-78-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1492-83-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1492-85-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1492-117-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1492-118-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1492-75-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1636-99-0x00000000003D0000-0x00000000003F2000-memory.dmp

Filesize
136KB

Download
memory/1636-116-0x00000000003D0000-0x00000000003F2000-memory.dmp

Filesize
136KB

Download
memory/1672-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1672-12-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1672-14-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1672-30-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1672-28-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1672-24-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1672-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1672-40-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1672-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1672-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1672-20-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2172-25-0x0000000002950000-0x0000000002972000-memory.dmp

Filesize
136KB

Download
memory/2172-9-0x0000000002950000-0x0000000002972000-memory.dmp

Filesize
136KB

Download
memory/2716-56-0x0000000001E70000-0x0000000001E92000-memory.dmp

Filesize
136KB

Download
memory/2716-71-0x0000000001E70000-0x0000000001E92000-memory.dmp

Filesize
136KB

Download