Analysis
- max time kernel: 107s
- max time network: 111s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
- submitted: 02/10/2024, 03:40
Static task: static1
Behavioral task: behavioral1
  Sample: 08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: 08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
- Size: 164KB
- MD5: 08b304d01220f9de63244b4666621bba
- SHA1: b7f9dd8ee3434b35fbb3395f69ff43fd5112a0c6
- SHA256: afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e
- SHA512: 162cc0fb48615c67ce6e104ca462c41aba79bad0d5409e837b300cffc34a1c9bed63f603eee7091b93edfcd772d8ab1e180fcb3aae6b07fe24413b8505815ae9
- SSDEEP: 3072:fHynAdzu0t5GtE13lkAB9z3KJZ3fCI1AjZ7yXgpiqQp:fHKautY3TzaJZarjZeXgpn
Malware Config
Signatures
- HydraCrypt
  Relatively unsophisticated ransomware family based on leaked CrypBoss source code.
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (626) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops startup file (3 IoCs)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (08b304d01220f9de63244b4666621bba_JaffaCakes118.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypttmp_ID_339c2a33 (08b304d01220f9de63244b4666621bba_JaffaCakes118.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypt_ID_339c2a33 (08b304d01220f9de63244b4666621bba_JaffaCakes118.exe)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Internet Explorer Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe\"" (08b304d01220f9de63244b4666621bba_JaffaCakes118.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeSettingsStart3264 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeSetings3264\\hymuzece.exe\"" (08b304d01220f9de63244b4666621bba_JaffaCakes118.exe)
- Drops desktop.ini file(s) (64 IoCs)
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by 08b304d01220f9de63244b4666621bba_JaffaCakes118.exe: \??\M:, \??\K:, \??\J:, \??\H:, \??\G:, \??\V:, \??\R:, \??\P:, \??\B:, \??\I:, \??\E:, \??\Z:, \??\Y:, \??\W:, \??\T:, \??\S:, \??\N:, \??\A:, \??\X:, \??\U:, \??\Q:, \??\O:, \??\L:
- Suspicious use of SetThreadContext (1 IoC)
  PID 1956 set thread context of 888 (process 08b304d01220f9de63244b4666621bba_JaffaCakes118.exe, procid_target 29)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid 1696, pid_target 888, process WerFault.exe, procid_target 29
- System Location Discovery: System Language Discovery (1 TTP, 61 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Interacts with shadow copies (3 TTPs, 27 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  vssadmin.exe PIDs: 2872, 3016, 992, 2128, 564, 1796, 2980, 1912, 644, 1496, 820, 2776, 2588, 2512, 1688, 1620, 600, 3048, 864, 2712, 1644, 2816, 2920, 792, 1308, 2496, 872
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 1956, 08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  vssvc.exe (PID 2620): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  WMIC.exe (PID 2668), the same sequence of 20 tokens adjusted twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 1956, 08b304d01220f9de63244b4666621bba_JaffaCakes118.exe (two occurrences)
- Suspicious use of WriteProcessMemory (64 IoCs)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(the number in brackets is the depth of the process in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe"
    PID: 1956
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
      PID: 888
      - Drops startup file
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C net stop vss
        PID: 2180
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\net.exe
          Command line: net stop vss
          PID: 2828
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 stop vss
            PID: 2780
            - System Location Discovery: System Language Discovery

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /All
        PID: 2764
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin Delete Shadows /All
          PID: 2920
          - System Location Discovery: System Language Discovery
          - Interacts with shadow copies

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
        PID: 2996
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic shadowcopy delete
          PID: 2668
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All
        PID: 2804
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin Delete Shadows /For=Z: /All
          PID: 2816
          - System Location Discovery: System Language Discovery
          - Interacts with shadow copies

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All
        PID: 2956
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin Delete Shadows /For=Y: /All
          PID: 644
          - System Location Discovery: System Language Discovery
          - Interacts with shadow copies

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All
        PID: 2616
        - System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin Delete Shadows /For=X: /All
          PID: 2872
          - System Location Discovery: System Language Discovery
          - Interacts with shadow copies

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All
        PID: 2312
        - System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin Delete Shadows /For=W: /All
          PID: 792
          - System Location Discovery: System Language Discovery
          - Interacts with shadow copies

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All
        PID: 956
        - System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin Delete Shadows /For=V: /All
          PID: 600
          - System Location Discovery: System Language Discovery
          - Interacts with shadow copies

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All
        PID: 2940
        - System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin Delete Shadows /For=U: /All
          PID: 3048
          - System Location Discovery: System Language Discovery
          - Interacts with shadow copies

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All
        PID: 2456
        - System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin Delete Shadows /For=T: /All
          PID: 1496
          - System Location Discovery: System Language Discovery
          - Interacts with shadow copies

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All
        PID: 2324
        - System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin Delete Shadows /For=S: /All
          PID: 1308
          - System Location Discovery: System Language Discovery
          - Interacts with shadow copies

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All
        PID: 2680
        - System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin Delete Shadows /For=R: /All
          PID: 1644
          - System Location Discovery: System Language Discovery
          - Interacts with shadow copies

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All
        PID: 2968
        - System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin Delete Shadows /For=Q: /All
          PID: 3016
          - System Location Discovery: System Language Discovery
          - Interacts with shadow copies

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All
        PID: 1288
        - System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin Delete Shadows /For=P: /All
          PID: 2512
          - System Location Discovery: System Language Discovery
          - Interacts with shadow copies

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All
        PID: 2480
        - System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin Delete Shadows /For=O: /All
          PID: 1688
          - System Location Discovery: System Language Discovery
          - Interacts with shadow copies

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All
        PID: 3020
        - System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin Delete Shadows /For=N: /All
          PID: 820
          - System Location Discovery: System Language Discovery
          - Interacts with shadow copies

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All
        - System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=M: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2496
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All3⤵
- System Location Discovery: System Language Discovery
PID:1716 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=L: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:864
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All3⤵
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=K: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:992
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All3⤵
- System Location Discovery: System Language Discovery
PID:1444 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=J: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:1620
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All3⤵
- System Location Discovery: System Language Discovery
PID:944 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=I: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2588
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All3⤵
- System Location Discovery: System Language Discovery
PID:1396 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=H: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:872
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All3⤵
- System Location Discovery: System Language Discovery
PID:1232 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=G: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2128
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All3⤵
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=F: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2980
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All3⤵
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=E: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2712
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All3⤵
- System Location Discovery: System Language Discovery
PID:2352 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=D: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2776
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All3⤵
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=C: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:564
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All3⤵
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=B: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:1796
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All3⤵
- System Location Discovery: System Language Discovery
PID:928 -
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /For=A: /All4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:1912
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 292483⤵
- Program crash
PID:1696
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2620
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1071561941127524856317779220811680927960-1804522966293494506-562563154-844980834"1⤵PID:2180
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
Defense Evasion
  - Direct Volume Access (1)
  - Indicator Removal (2)
    - File Deletion (2)
  - Modify Registry (1)
Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)
Downloads
- C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.hydracrypttmp_ID_339c2a33 (126KB)
- C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.hydracrypttmp_ID_339c2a33 (28KB)
- C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml.hydracrypttmp_ID_339c2a33 (1KB)
- C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240903_051853366.html.hydracrypttmp_ID_339c2a33 (1.1MB)
- C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sources\license\es-es\eval\homepremium\license.rtf.hydracrypttmp_ID_339c2a33 (35KB)
- C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sources\license\es-es\eval\professionale\license.rtf.hydracrypttmp_ID_339c2a33 (28KB)
- C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sources\license\es-es\eval\ultimate\license.rtf.hydracrypt_ID_339c2a33 (35KB)
- C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\_default\professional\license.rtf.hydracrypttmp_ID_339c2a33 (221KB)
- C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\eval\homepremiume\license.rtf.hydracrypt_ID_339c2a33 (28KB)
- C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\eval\startere\license.rtf.hydracrypt_ID_339c2a33 (28KB)
- C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\eval\startern\license.rtf.hydracrypt_ID_339c2a33 (35KB)
- C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\oem\starter\license.rtf.hydracrypttmp_ID_339c2a33 (174KB)
- C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\oem\startere\license.rtf.hydracrypttmp_ID_339c2a33 (41KB)
- C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fc29d5bca5556a09\lipeula.rtf.hydracrypttmp_ID_339c2a33 (9KB)
- C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9a71deeabfc0d8da\license.rtf.hydracrypttmp_ID_339c2a33 (39KB)
- C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7600.16385_es-es_30cf7a89f238525a\license.rtf.hydracrypttmp_ID_339c2a33 (43KB)
- C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7600.16385_es-es_16d3f6301ae8cff8\license.rtf.hydracrypttmp_ID_339c2a33 (758B)
- C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..priseia64.resources_31bf3856ad364e35_6.1.7601.17514_es-es_382fefd2e1555940\license.rtf.hydracrypttmp_ID_339c2a33 (68KB)
- C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..rverhyper.resources_31bf3856ad364e35_6.1.7601.17514_es-es_b990ce545164c82b\license.rtf.hydracrypttmp_ID_339c2a33 (62KB)
- C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b1cda3731d74e249\license.rtf.hydracrypttmp_ID_339c2a33 (780B)
- C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7600.16385_es-es_18649662a3c65f12\license.rtf.hydracrypttmp_ID_339c2a33 (780B)