hydracrypt | afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e

Analysis

max time kernel
107s
max time network
111s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
Size

164KB
MD5

08b304d01220f9de63244b4666621bba
SHA1

b7f9dd8ee3434b35fbb3395f69ff43fd5112a0c6
SHA256

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e
SHA512

162cc0fb48615c67ce6e104ca462c41aba79bad0d5409e837b300cffc34a1c9bed63f603eee7091b93edfcd772d8ab1e180fcb3aae6b07fe24413b8505815ae9
SSDEEP

3072:fHynAdzu0t5GtE13lkAB9z3KJZ3fCI1AjZ7yXgpiqQp:fHKautY3TzaJZarjZeXgpn

Score

10^/10

hydracrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Signatures

HydraCrypt
Relatively unsophisticated ransomware family based on leaked CrypBoss source code.
ransomware hydracrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (626) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypttmp_ID_339c2a33	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypt_ID_339c2a33	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Internet Explorer Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe\""	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeSettingsStart3264 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeSetings3264\\hymuzece.exe\""	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Downloads\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Public\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\EHDN25ED\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\X9WSUL7T\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TL381H8Y\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\K:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\J:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\H:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\G:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\V:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\R:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\P:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\B:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\I:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\E:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\Z:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\Y:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\W:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\T:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\S:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\N:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\A:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\X:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\U:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\Q:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\O:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\L:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1956 set thread context of 888	1956	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1696	888	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe

Interacts with shadow copies 3 TTPs 27 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2872	vssadmin.exe
3016	vssadmin.exe
992	vssadmin.exe
2128	vssadmin.exe
564	vssadmin.exe
1796	vssadmin.exe
2980	vssadmin.exe
1912	vssadmin.exe
644	vssadmin.exe
1496	vssadmin.exe
820	vssadmin.exe
2776	vssadmin.exe
2588	vssadmin.exe
2512	vssadmin.exe
1688	vssadmin.exe
1620	vssadmin.exe
600	vssadmin.exe
3048	vssadmin.exe
864	vssadmin.exe
2712	vssadmin.exe
1644	vssadmin.exe
2816	vssadmin.exe
2920	vssadmin.exe
792	vssadmin.exe
1308	vssadmin.exe
2496	vssadmin.exe
872	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1956	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeBackupPrivilege	2620	vssvc.exe
Token: SeRestorePrivilege	2620	vssvc.exe
Token: SeAuditPrivilege	2620	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2668	WMIC.exe
Token: SeSecurityPrivilege	2668	WMIC.exe
Token: SeTakeOwnershipPrivilege	2668	WMIC.exe
Token: SeLoadDriverPrivilege	2668	WMIC.exe
Token: SeSystemProfilePrivilege	2668	WMIC.exe
Token: SeSystemtimePrivilege	2668	WMIC.exe
Token: SeProfSingleProcessPrivilege	2668	WMIC.exe
Token: SeIncBasePriorityPrivilege	2668	WMIC.exe
Token: SeCreatePagefilePrivilege	2668	WMIC.exe
Token: SeBackupPrivilege	2668	WMIC.exe
Token: SeRestorePrivilege	2668	WMIC.exe
Token: SeShutdownPrivilege	2668	WMIC.exe
Token: SeDebugPrivilege	2668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2668	WMIC.exe
Token: SeRemoteShutdownPrivilege	2668	WMIC.exe
Token: SeUndockPrivilege	2668	WMIC.exe
Token: SeManageVolumePrivilege	2668	WMIC.exe
Token: 33	2668	WMIC.exe
Token: 34	2668	WMIC.exe
Token: 35	2668	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2668	WMIC.exe
Token: SeSecurityPrivilege	2668	WMIC.exe
Token: SeTakeOwnershipPrivilege	2668	WMIC.exe
Token: SeLoadDriverPrivilege	2668	WMIC.exe
Token: SeSystemProfilePrivilege	2668	WMIC.exe
Token: SeSystemtimePrivilege	2668	WMIC.exe
Token: SeProfSingleProcessPrivilege	2668	WMIC.exe
Token: SeIncBasePriorityPrivilege	2668	WMIC.exe
Token: SeCreatePagefilePrivilege	2668	WMIC.exe
Token: SeBackupPrivilege	2668	WMIC.exe
Token: SeRestorePrivilege	2668	WMIC.exe
Token: SeShutdownPrivilege	2668	WMIC.exe
Token: SeDebugPrivilege	2668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2668	WMIC.exe
Token: SeRemoteShutdownPrivilege	2668	WMIC.exe
Token: SeUndockPrivilege	2668	WMIC.exe
Token: SeManageVolumePrivilege	2668	WMIC.exe
Token: 33	2668	WMIC.exe
Token: 34	2668	WMIC.exe
Token: 35	2668	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1956	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
1956	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 888	1956	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	29
PID 1956 wrote to memory of 888	1956	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	29
PID 1956 wrote to memory of 888	1956	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	29
PID 1956 wrote to memory of 888	1956	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	29
PID 1956 wrote to memory of 888	1956	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	29
PID 1956 wrote to memory of 888	1956	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	29
PID 1956 wrote to memory of 888	1956	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	29
PID 1956 wrote to memory of 888	1956	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	29
PID 1956 wrote to memory of 888	1956	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	29
PID 1956 wrote to memory of 888	1956	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	29
PID 1956 wrote to memory of 888	1956	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	29
PID 1956 wrote to memory of 888	1956	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	29
PID 1956 wrote to memory of 888	1956	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	29
PID 1956 wrote to memory of 888	1956	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	29
PID 1956 wrote to memory of 888	1956	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	29
PID 888 wrote to memory of 2180	888	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	116
PID 888 wrote to memory of 2180	888	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	116
PID 888 wrote to memory of 2180	888	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	116
PID 888 wrote to memory of 2180	888	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	116
PID 888 wrote to memory of 2764	888	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	32
PID 888 wrote to memory of 2764	888	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	32
PID 888 wrote to memory of 2764	888	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	32
PID 888 wrote to memory of 2764	888	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	32
PID 2180 wrote to memory of 2828	2180	cmd.exe	33
PID 2180 wrote to memory of 2828	2180	cmd.exe	33
PID 2180 wrote to memory of 2828	2180	cmd.exe	33
PID 2180 wrote to memory of 2828	2180	cmd.exe	33
PID 888 wrote to memory of 2996	888	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	35
PID 888 wrote to memory of 2996	888	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	35
PID 888 wrote to memory of 2996	888	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	35
PID 888 wrote to memory of 2996	888	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	35
PID 2764 wrote to memory of 2920	2764	cmd.exe	36
PID 2764 wrote to memory of 2920	2764	cmd.exe	36
PID 2764 wrote to memory of 2920	2764	cmd.exe	36
PID 2764 wrote to memory of 2920	2764	cmd.exe	36
PID 888 wrote to memory of 2804	888	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	38
PID 888 wrote to memory of 2804	888	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	38
PID 888 wrote to memory of 2804	888	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	38
PID 888 wrote to memory of 2804	888	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	38
PID 2828 wrote to memory of 2780	2828	net.exe	39
PID 2828 wrote to memory of 2780	2828	net.exe	39
PID 2828 wrote to memory of 2780	2828	net.exe	39
PID 2828 wrote to memory of 2780	2828	net.exe	39
PID 888 wrote to memory of 2956	888	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	41
PID 888 wrote to memory of 2956	888	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	41
PID 888 wrote to memory of 2956	888	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	41
PID 888 wrote to memory of 2956	888	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	41
PID 2996 wrote to memory of 2668	2996	cmd.exe	43
PID 2996 wrote to memory of 2668	2996	cmd.exe	43
PID 2996 wrote to memory of 2668	2996	cmd.exe	43
PID 2996 wrote to memory of 2668	2996	cmd.exe	43
PID 2804 wrote to memory of 2816	2804	cmd.exe	44
PID 2804 wrote to memory of 2816	2804	cmd.exe	44
PID 2804 wrote to memory of 2816	2804	cmd.exe	44
PID 2804 wrote to memory of 2816	2804	cmd.exe	44
PID 888 wrote to memory of 2616	888	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	46
PID 888 wrote to memory of 2616	888	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	46
PID 888 wrote to memory of 2616	888	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	46
PID 888 wrote to memory of 2616	888	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	46
PID 2956 wrote to memory of 644	2956	cmd.exe	48
PID 2956 wrote to memory of 644	2956	cmd.exe	48
PID 2956 wrote to memory of 644	2956	cmd.exe	48
PID 2956 wrote to memory of 644	2956	cmd.exe	48
PID 888 wrote to memory of 2312	888	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	49

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C net stop vss
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\SysWOW64\net.exe
      net stop vss
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop vss
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /All
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2920
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=Z: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=Y: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:644
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2616
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=X: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=W: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:956
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=V: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:600
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2940
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=U: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2456
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=T: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2324
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=S: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1308
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2680
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=R: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2968
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=Q: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1288
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=P: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2480
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=O: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3020
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=N: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:820
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2316
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=M: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1716
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=L: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2116
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=K: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:992
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1444
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=J: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:944
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=I: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1396
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=H: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1232
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=G: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1596
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=F: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2096
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=E: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2352
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=D: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2172
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=C: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:564
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2256
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=B: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:928
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=A: /All
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 29248
    3⤵
    - Program crash
    PID:1696

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1071561941127524856317779220811680927960-1804522966293494506-562563154-844980834"
1⤵
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.hydracrypttmp_ID_339c2a33

Filesize
126KB

MD5
6a66e3dae1aa88f805d2ef85b96aaeea

SHA1
710fadee2d7c2cba762805deed29acec4fcea2ec

SHA256
0d3123e2bb94c0c3edab967a615dfd317efbe6adb01338b4bd59b70e99ae6840

SHA512
3b875f623abc728c4e6274df8939db69fc72c0ed44cffcb77051b634a24c018304c0625ddb5ba330d8b6b4a0849c912e99931a82f3d713b9303a51b5981e5b26

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.hydracrypttmp_ID_339c2a33

Filesize
28KB

MD5
b89586b24930f19c9c4b4d9de50005d2

SHA1
5ee0639ceb2df100eef687cbbf26f811b612999e

SHA256
a6de1ea1d26d782de2f3641fd5faa4aab64049261bf97f4c43a9b7fa0f503173

SHA512
6810d912c7ec2e66d2b870f64f227474dc6f673bab23d829c86167b103c79f87ab580039a8b24fdd959b92d84b9e1f05f9bf12da4cf733bd7e646fd97ee0c647

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml.hydracrypttmp_ID_339c2a33

Filesize
1KB

MD5
5b447702c809d290fe4bf5c19b905f26

SHA1
1ca1546b3bd1eed4d1b69886ee813360d0ce69ff

SHA256
bbd3274bf1afee6d59d4cf55e8efc2d121aebcbb064eb85783c520f7561209ad

SHA512
b5d86c394f02491f553c1e8fe6a980f78ce1e2b97c6dd8add746a9565946b9e4b3033fb4ab5a040513d8d81174f370c91eea0548df6670a05f24afd3dbcdc897

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GRU3FPRK\desktop.ini.hydracrypttmp_ID_339c2a33

Filesize
67B

MD5
58073b86c007ea688a7b8adeeffe6198

SHA1
f9fe39ea08a4eb7fe1d040e706a6ad32860b002b

SHA256
0c4d5dd13b796052be9751b2f1beeb61b3829d496739c2401505dd865dc47065

SHA512
3985497ff7f5003588cae9aec665ab27635f8be423ad3cd03f5022c7a9f51cec80bfd4b5190e416b9d13e5447e1227bd571857f878fd9ce8b1dd6695d4ab0aad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\X9WSUL7T\desktop.ini.hydracrypt_ID_339c2a33

Filesize
331B

MD5
6e370b7a3151ad087354eabdbbef2c45

SHA1
d973b7ee5c8616a0201e1065c0e8807ff83e097e

SHA256
09f7f5474fab7d223a770b85110e0426e60a3f52d99d96fac456cad9502b0b5d

SHA512
e7a6b427c0bbab0340c1c650387c297ca0f41bbf206d22f52610db318068b8c255adddae0833a7b271e9a76a8dda4cdc94f3a6c97c1935702f463608cc3f8f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240903_051853366.html.hydracrypttmp_ID_339c2a33

Filesize
1.1MB

MD5
fb15434f7d323ac8e542227b0ef59635

SHA1
7179d98c18757072d9b619649e42c81b339cc19b

SHA256
f51d04fcdc3050ea21f3b7ca1eb1af5962ce6c5707a1d264f96294b7160a47cc

SHA512
935b79cb2724db1ac3bf85e6908090fca7b584d1032dd41ac0b08aa54204e1a7b329c9c168dbd43fe0ee17855f272b2f92100a2708eee21e270526685285c15c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sources\license\es-es\eval\homepremium\license.rtf.hydracrypttmp_ID_339c2a33

Filesize
35KB

MD5
e2373551822fc3b08d65a6189bd8fe9a

SHA1
19208a70d1a5f4cc0bb165543941366b3317e8ae

SHA256
ad1f01b98c7e91fc2c50363e4f5d503ac9491c1d10f4a605a69c58941517bc5e

SHA512
5af1556128cf51f9c2176dfc18d428a7a0fa57fac5d55ec51c58ba58ce7fda8d63288d8e0868b93462c0b4a072e559ef1ff86b91f457c6a177bfee40baf7fd70

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sources\license\es-es\eval\professionale\license.rtf.hydracrypttmp_ID_339c2a33

Filesize
28KB

MD5
f94448318658fbdadbbca9cdd3bab52a

SHA1
2c41689aa4bd97681a43c0b07a6935bc051b841b

SHA256
23fd6130a12157d7ae505e50cbd4d9100437a89327c73005b2b1503d84701906

SHA512
83ee1abe9f436986bd9528f8deb25cbff82b0421de1a0494317c4c33e52c17fe11befec10315417314ba34ff3ae4cf426b063b44f138a1910fd4a9d1c07649bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sources\license\es-es\eval\ultimate\license.rtf.hydracrypt_ID_339c2a33

Filesize
35KB

MD5
016a2a7a09452165c3e389efcb679e59

SHA1
721a082d243c163a6b5f6432b0bad1577a49f562

SHA256
32352602b1ce8f197c2a94d8d10bd1c952f16da4ac2a3d3de255ad0277fb73ca

SHA512
0ba9e6083be1eb1c9ab1ac0b941d6f71e25546a1aa64abfd61f6ca73a2523e154d058ce10bebe3ce13be3f67fa0eb96488433e854480a47557da41c4d0159de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\_default\professional\license.rtf.hydracrypttmp_ID_339c2a33

Filesize
221KB

MD5
fa33e5947c4175483b54760325f356ff

SHA1
5d72f482250829fe0d2421da815ab549dc9d7531

SHA256
aeb7b7414c390cca07f6fc905e915869b1d66e1c22df7973b03c627619e0f4b5

SHA512
f493848d1dc32ef0c3076c5fc257fa65665762d66097dc8eec1c65a3264e3b27ebb0d74612a28f8a7130956d4c1c7aebd5bc73f771d1b62620d08827dc5a3bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\eval\homepremiume\license.rtf.hydracrypt_ID_339c2a33

Filesize
28KB

MD5
ee1b8d08b6efb15b4f81ad617fb4dd6e

SHA1
d179d4880ed3c6c4d3d8448fec9445997d20ed68

SHA256
905f5222f89616714cf730185783f8089f2a847e6095e31371b25e4e6fe967c5

SHA512
843e92abce469de566673e605a8e71243a4fd8ced79e52f9397f92dbd74d09cd254e5e3baadf259e32dfc526140c25c39087094553a22ac66e36415401ca7d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\eval\startere\license.rtf.hydracrypt_ID_339c2a33

Filesize
28KB

MD5
2bae11eb1fa69d6f400390a7f80c3f1a

SHA1
e67b1150a6dc27dbbc987f09cba1d3e53c7fb55f

SHA256
6809caaaf67da7a3a6ff5a062a90a08e3c3cb3bc5b56e2f760d2fad3c6b02369

SHA512
7a855f4a541fc14bb028c294e9a04c3f8ed8de70bd74067f988814ac73147846085284374edb2f792598c97ce50a3b2db68302ab728e78a1909987def0f3e1c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\eval\startern\license.rtf.hydracrypt_ID_339c2a33

Filesize
35KB

MD5
dac9dc295c201ffe54bfdfab9e5387ea

SHA1
00acdeac732f0d60bd79babad203f9680169348a

SHA256
21f12589052180777e05f6a12018981b45b97b82d726fd428fa67522ea04ac85

SHA512
98b9ffdeea6f7b347f16e65482f9c99d735033d70c0804e369d7a6654164540480b6cb0ca777375beb1e83f86ccc3a2e379d6505922e013212e3a0de3c5bfa1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\oem\starter\license.rtf.hydracrypttmp_ID_339c2a33

Filesize
174KB

MD5
4464e394ca7d2ccfa7ecf4ee41c71968

SHA1
e508043e062e7a02a148670259e9ea3f84bceb6a

SHA256
19805b8881bbcd00ff272f71ce6d5bd90f686141c9c9cc98a8328e6538ecb229

SHA512
3c68ab5d1a748aae26d27737f3d74516804c94aa339c4a6a23acc50340e95c181b80dfbd50b76020d54e1c503556aa41e4aac796e18cc41bb208fe4dd0802450

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\oem\startere\license.rtf.hydracrypttmp_ID_339c2a33

Filesize
41KB

MD5
76b2bd2b6339070a466341063988c2a8

SHA1
64a397da7df866bb8047791dbcf865f9395c4fcb

SHA256
2ef2b2bab038aaded69596d7319a221ff13e7d5677b1b822b628034e4117e7ea

SHA512
530ff8ba820ec4cdc01a77938fe86f8e585626f75fcd70cd8259754fbdd06b7cd99ea918078bfbe5c41afa5e589c254601eec3fa98a38c24e818995de31d20a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fc29d5bca5556a09\lipeula.rtf.hydracrypttmp_ID_339c2a33

Filesize
9KB

MD5
3222da5c774e4cd3026dfdc0d88b30f6

SHA1
24121450779062aee5349db7617a5c7e3a71fcfa

SHA256
f351e6e2d382832ede295c7f3281444de0b027c35c1bd0c4430778320bcde87c

SHA512
8cfc0423edfac7cf08c8ed17aac7f748c0cdb6ecf30a4e190f4975975067c6e8e6d900009dab64b4c5d7d8d4e49948d8ef11f81b0b8ab4831b70eeb88148ca81

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9a71deeabfc0d8da\license.rtf.hydracrypttmp_ID_339c2a33

Filesize
39KB

MD5
cb12f75a20742b019af8d204c6bf586d

SHA1
e988ab1484b86b9c4fad75c061d1fe24ed49f72a

SHA256
baba9b48b831f7f0818de975c71bcd9b71a1e0a35fd8566d5cbcbdccafd6ca8f

SHA512
b50e7b6f88cace5796d9111c2c59ea8004357ea74ff18a00775cd497dd224d9780b98d085adb1ec60690b02316c0645c29b671d71cb6270df5465dc72e7a8608

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7600.16385_es-es_30cf7a89f238525a\license.rtf.hydracrypttmp_ID_339c2a33

Filesize
43KB

MD5
9efec0bead2389962939edfe37d67aec

SHA1
82b4bc7ec59024983804ca6145bfccb4aa439cc0

SHA256
f5bc9e3a01d95cbb2064fe4ecd2098375f40368dadd7e2c4561dc051cea5f6dc

SHA512
15dd0c5a20e4838880c301e9bbca2bc0b2969a64139edf2ad4c935a1ece0e2816416d1e5d25eb860cde4a31c74195c043daf172094e8977919eab27be84a81f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7600.16385_es-es_16d3f6301ae8cff8\license.rtf.hydracrypttmp_ID_339c2a33

Filesize
758B

MD5
cfccf09aa6ef2a3329e517072c89d451

SHA1
df12e24af2b75535a3d35a06e9b00bdf2c01452b

SHA256
1841b246b1369a3c98d9ff138c1fed065dd67df0d7cc15247d6c3c02dd79cc71

SHA512
f8f8d1ff8074004fd18839a1346296a9683ec5b20fdaa55bd9c1b169f202b963a461ffe91c93c9535d48cee4ae086b93334238074b7fb064e9ae640df4144f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..priseia64.resources_31bf3856ad364e35_6.1.7601.17514_es-es_382fefd2e1555940\license.rtf.hydracrypttmp_ID_339c2a33

Filesize
68KB

MD5
f6300e01616d4ec54251c781497c2c8c

SHA1
7ddef82665af6e4e18753e44c73b48ff60f93ce1

SHA256
0be19d912111fc984c2f4836c39f4ea3e92086cac53ff5875920b9ad1824b6b0

SHA512
3e88519cae252901f8aeb5efe4589649db9ef6815f529545db0cccb9f572f2f5a14e7dc0a1cbc16d7220cf523b1099094e36f451acd0613600b0cb2a6ac8344c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..rverhyper.resources_31bf3856ad364e35_6.1.7601.17514_es-es_b990ce545164c82b\license.rtf.hydracrypttmp_ID_339c2a33

Filesize
62KB

MD5
b2ce4d598fe22eafce678de8bbc763a9

SHA1
8dda739df89d0ff3f14f1043c2e4c9b40fc4fee4

SHA256
18137764c4bbc16ab74cb70783defa6aa9fcfa471d30a0f6b12be10756abeb71

SHA512
94cbb384aec7d273d73f1e0e9232ef38f4c9d59fe243fa64fdb6c115a6c21b89aa7096e2c4ac1120325cd7b5db24ae7617cb9a57bae59329e762adebfe76933c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b1cda3731d74e249\license.rtf.hydracrypttmp_ID_339c2a33

Filesize
780B

MD5
d03ce8d49e28d79c7ef6ea16262b8a33

SHA1
47a3dbec92d053b69eefbe9c1181405bce34b43e

SHA256
ca61444dcb8c6ca1d0a7e4f2b274d71debc8cef110d9235396d2e395c2277c50

SHA512
3990e6cb9d0807267924b3fbc8e5e739ab506ea0ef50127b930b78fbb1b165148fa1721555b12a04cde7602da1bd0d8375a5ab79c6cb7fc1190e8a30479159d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7600.16385_es-es_18649662a3c65f12\license.rtf.hydracrypttmp_ID_339c2a33

Filesize
780B

MD5
d528a89d392e0845744aa67dc8c1a53d

SHA1
672773b253a449cacd9599ec813ecdfc7b57d4f7

SHA256
633391a341ccbf88ce9f17d5fbaa5b7fe8f359ff04b6b6fb46a8429327af5e1e

SHA512
42bad595475572b7cd7872a70face0e52f75a88a09e38591f792116885434d2da4b7d627b7f9207aaed1e5742849e9da3b7ae41391299762d70730bd09a1567a

Download Submit
C:\Users\Admin\AppData\Roaming\1$FUWW$FFHEX.dat

Filesize
1KB

MD5
ed3ceaac51558dcdfcbe27071dc203b8

SHA1
b32bb87be55aa40418d2f5898bcceabf6062a929

SHA256
989ac42229c9caa96ce6c5da9a5a97ede5298282040287454c4a4f33dd466586

SHA512
6658ba16014978f68e6f0a206b9a62dbf43938c267ea87bf5c7f4c5916c9d131a3abd5ec4ce253c8ccaa48631d27a5f357e308863df8a58aa5a95b8068f89657

Download Submit
C:\Users\Admin\Documents\ReadPush.xlsx.hydracrypttmp_ID_339c2a33

Filesize
10KB

MD5
feb832fdfc12c802cfbcc6a7fa7ebe78

SHA1
51c09aae37cefc290888e2d7c5876360d5bfd4d9

SHA256
bf022d5b59bb725e7de01a50997bced21a6a0d8f97cecd1b690634033572beae

SHA512
f04677d25208241b0600eabaa6973daee4ec3e61f878b3fa59124836e88c18540939eebf360674e077e92b43d324855937537c507f2f5bd049f54caa3648cfbc

Download Submit
C:\Users\Public\Documents\README_DECRYPT_HYDRA_ID_339c2a33.txt

Filesize
915B

MD5
1cb60f48539cc0bd459bbb83d010db58

SHA1
dea4df664b9590519c8bf34457a91c42385c6b7b

SHA256
e0f8f1dc39b0515da2a1b7f943b2c98fff73544692499a1c66c35bd0a31808f8

SHA512
797bde90081d1b8adbdfa95056e286b72bfb0dca04e110219b965136d25732ff404f64a2a2fb4524d1fd351880b940384aac935f758a071e35dc9c1763d7da0e

Download Submit
memory/888-26-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/888-13-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/888-774-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/888-1-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/888-7-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/888-11-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/888-9-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/888-3-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/888-17-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/888-19-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/888-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/888-2233-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/888-23-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/888-3754-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/888-170-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/888-211-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/888-1424-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/888-2760-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/888-431-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/888-1695-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/888-5-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/888-15-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/888-3279-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/888-3722-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/888-1160-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/888-3752-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1956-0-0x00000000002A0000-0x00000000002A5000-memory.dmp

Filesize
20KB

Download