hydracrypt | afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
Size

164KB
MD5

08b304d01220f9de63244b4666621bba
SHA1

b7f9dd8ee3434b35fbb3395f69ff43fd5112a0c6
SHA256

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e
SHA512

162cc0fb48615c67ce6e104ca462c41aba79bad0d5409e837b300cffc34a1c9bed63f603eee7091b93edfcd772d8ab1e180fcb3aae6b07fe24413b8505815ae9
SSDEEP

3072:fHynAdzu0t5GtE13lkAB9z3KJZ3fCI1AjZ7yXgpiqQp:fHKautY3TzaJZarjZeXgpn

Score

10^/10

hydracrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Signatures

HydraCrypt
Relatively unsophisticated ransomware family based on leaked CrypBoss source code.
ransomware hydracrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (909) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypttmp_ID_1d91a16c	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypt_ID_1d91a16c	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Internet Explorer Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe\""	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeSettingsStart3264 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeSetings3264\\balameky.exe\""	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Public\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\N:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\L:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\M:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\H:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\G:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\B:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\W:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\U:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\T:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\S:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\R:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\O:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\K:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\J:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\P:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\I:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\E:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\A:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\Z:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\Y:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\X:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
File opened (read-only)	\??\Q:	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3620 set thread context of 4504	3620	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4912	4504	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3620	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
3620	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3212	WMIC.exe
Token: SeSecurityPrivilege	3212	WMIC.exe
Token: SeTakeOwnershipPrivilege	3212	WMIC.exe
Token: SeLoadDriverPrivilege	3212	WMIC.exe
Token: SeSystemProfilePrivilege	3212	WMIC.exe
Token: SeSystemtimePrivilege	3212	WMIC.exe
Token: SeProfSingleProcessPrivilege	3212	WMIC.exe
Token: SeIncBasePriorityPrivilege	3212	WMIC.exe
Token: SeCreatePagefilePrivilege	3212	WMIC.exe
Token: SeBackupPrivilege	3212	WMIC.exe
Token: SeRestorePrivilege	3212	WMIC.exe
Token: SeShutdownPrivilege	3212	WMIC.exe
Token: SeDebugPrivilege	3212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3212	WMIC.exe
Token: SeRemoteShutdownPrivilege	3212	WMIC.exe
Token: SeUndockPrivilege	3212	WMIC.exe
Token: SeManageVolumePrivilege	3212	WMIC.exe
Token: 33	3212	WMIC.exe
Token: 34	3212	WMIC.exe
Token: 35	3212	WMIC.exe
Token: 36	3212	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3212	WMIC.exe
Token: SeSecurityPrivilege	3212	WMIC.exe
Token: SeTakeOwnershipPrivilege	3212	WMIC.exe
Token: SeLoadDriverPrivilege	3212	WMIC.exe
Token: SeSystemProfilePrivilege	3212	WMIC.exe
Token: SeSystemtimePrivilege	3212	WMIC.exe
Token: SeProfSingleProcessPrivilege	3212	WMIC.exe
Token: SeIncBasePriorityPrivilege	3212	WMIC.exe
Token: SeCreatePagefilePrivilege	3212	WMIC.exe
Token: SeBackupPrivilege	3212	WMIC.exe
Token: SeRestorePrivilege	3212	WMIC.exe
Token: SeShutdownPrivilege	3212	WMIC.exe
Token: SeDebugPrivilege	3212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3212	WMIC.exe
Token: SeRemoteShutdownPrivilege	3212	WMIC.exe
Token: SeUndockPrivilege	3212	WMIC.exe
Token: SeManageVolumePrivilege	3212	WMIC.exe
Token: 33	3212	WMIC.exe
Token: 34	3212	WMIC.exe
Token: 35	3212	WMIC.exe
Token: 36	3212	WMIC.exe
Token: SeBackupPrivilege	3020	vssvc.exe
Token: SeRestorePrivilege	3020	vssvc.exe
Token: SeAuditPrivilege	3020	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3620	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
3620	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 4504	3620	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	82
PID 3620 wrote to memory of 4504	3620	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	82
PID 3620 wrote to memory of 4504	3620	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	82
PID 3620 wrote to memory of 4504	3620	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	82
PID 3620 wrote to memory of 4504	3620	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	82
PID 3620 wrote to memory of 4504	3620	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	82
PID 3620 wrote to memory of 4504	3620	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	82
PID 3620 wrote to memory of 4504	3620	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	82
PID 3620 wrote to memory of 4504	3620	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	82
PID 3620 wrote to memory of 4504	3620	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	82
PID 3620 wrote to memory of 4504	3620	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	82
PID 3620 wrote to memory of 4504	3620	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	82
PID 3620 wrote to memory of 4504	3620	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	82
PID 4504 wrote to memory of 1592	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	83
PID 4504 wrote to memory of 1592	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	83
PID 4504 wrote to memory of 1592	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	83
PID 4504 wrote to memory of 3416	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	85
PID 4504 wrote to memory of 3416	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	85
PID 4504 wrote to memory of 3416	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	85
PID 4504 wrote to memory of 336	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	87
PID 4504 wrote to memory of 336	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	87
PID 4504 wrote to memory of 336	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	87
PID 4504 wrote to memory of 1620	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	89
PID 4504 wrote to memory of 1620	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	89
PID 4504 wrote to memory of 1620	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	89
PID 1592 wrote to memory of 3660	1592	cmd.exe	90
PID 1592 wrote to memory of 3660	1592	cmd.exe	90
PID 1592 wrote to memory of 3660	1592	cmd.exe	90
PID 4504 wrote to memory of 2316	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	92
PID 4504 wrote to memory of 2316	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	92
PID 4504 wrote to memory of 2316	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	92
PID 4504 wrote to memory of 3792	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	94
PID 4504 wrote to memory of 3792	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	94
PID 4504 wrote to memory of 3792	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	94
PID 4504 wrote to memory of 3488	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	96
PID 4504 wrote to memory of 3488	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	96
PID 4504 wrote to memory of 3488	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	96
PID 4504 wrote to memory of 1716	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	97
PID 4504 wrote to memory of 1716	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	97
PID 4504 wrote to memory of 1716	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	97
PID 4504 wrote to memory of 2592	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	100
PID 4504 wrote to memory of 2592	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	100
PID 4504 wrote to memory of 2592	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	100
PID 3660 wrote to memory of 4180	3660	net.exe	99
PID 3660 wrote to memory of 4180	3660	net.exe	99
PID 3660 wrote to memory of 4180	3660	net.exe	99
PID 4504 wrote to memory of 3088	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	103
PID 4504 wrote to memory of 3088	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	103
PID 4504 wrote to memory of 3088	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	103
PID 4504 wrote to memory of 1372	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	105
PID 4504 wrote to memory of 1372	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	105
PID 4504 wrote to memory of 1372	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	105
PID 4504 wrote to memory of 4380	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	107
PID 4504 wrote to memory of 4380	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	107
PID 4504 wrote to memory of 4380	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	107
PID 336 wrote to memory of 3212	336	cmd.exe	108
PID 336 wrote to memory of 3212	336	cmd.exe	108
PID 336 wrote to memory of 3212	336	cmd.exe	108
PID 4504 wrote to memory of 868	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	109
PID 4504 wrote to memory of 868	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	109
PID 4504 wrote to memory of 868	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	109
PID 4504 wrote to memory of 1224	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	111
PID 4504 wrote to memory of 1224	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	111
PID 4504 wrote to memory of 1224	4504	08b304d01220f9de63244b4666621bba_JaffaCakes118.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C net stop vss
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Windows\SysWOW64\net.exe
      net stop vss
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3660
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop vss
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4180
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3416
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:336
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3212
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3088
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4380
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:868
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4300
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5080
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1248
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3820
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3112
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1348
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4460
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3180
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1860
    3⤵
    - Program crash
    PID:4912

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4504 -ip 4504
1⤵
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.hydracrypttmp_ID_1d91a16c

Filesize
126KB

MD5
b2a7ab8d40fcc56d52ca28a26de6f3be

SHA1
6c3ca9da2934efb438d43ff7681de36dd0c7a359

SHA256
0e9498126ceafe01db5b1625dd2f7f3c943e22bdb9251c6da281e7fc0424802b

SHA512
0f2e669c0293413b1bd3bb6b4d1c223e91b4273fc7f365fcf3b50d0d11d195d7616230a5bb33be78e090df3eee1e46927f0ac9d6d93c215833a3017fa91e8184

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.hydracrypttmp_ID_1d91a16c

Filesize
28KB

MD5
93ee52eb32285ebbc72122b3597c5baf

SHA1
6acc4a70b7770d54dfe07168d73aac383dfd9c4e

SHA256
4a1ae553cfcb0f58adf010e9af11e00a4583d89aa3d0ddf3ff4e207a2ac9bf8a

SHA512
73acb3302c53e52264c3166736f5339ffd96173d0836b197f78376a5c00763595f7c6be7047039ea2c91c38255a6312a349a047eb3e232e62d8605c1e94fadd9

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml.hydracrypttmp_ID_1d91a16c

Filesize
1KB

MD5
051fdb656f2c5e470f45f5a96c0aea92

SHA1
e5e45c0db2bec63212b1b27ad2724bce124f7d6e

SHA256
f7d1cdf44a16cff84a1a5f927d8f405572241d5517f54e5211cbdc8d99e1af26

SHA512
4c1fbe92e611ea4a26bf790d24cda90857650da03783943ab6df8bdf4deb85d453e1be531d4b083fc664cd48ee5aca81523dbc39a91a19f44cbbe974b8503e80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml.hydracrypttmp_ID_1d91a16c

Filesize
332KB

MD5
a32dce07b4bf4f6d5059e56ab5a890af

SHA1
ff0aca93c78006cd8189bf50fa498c39c537ed77

SHA256
38f5dd19e3b3d5bcd2e816eaff80433f5c42fa593e37e7fe266c9e7bb45c5c16

SHA512
c2c18cba43af829084b8554f861dcc96dcd02a66df65fdca83b4d9655ccd23c7874fdfcd4c3d02e7167b590c5f4dcd8dee697c33d583468cf19db9f6c00c30dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\onenote.exe.db.hydracrypttmp_ID_1d91a16c

Filesize
24KB

MD5
a6864f0cd9d24b39567c14567b3f4599

SHA1
5a01d9d28c23776cea8738d6bfe491981ab0208d

SHA256
ce7548c2e48b273b5195b0a0065c28710a97d4c6c0f4e75425a21977465145eb

SHA512
a23549a1a89c1f780ceb13e40a2ccc021accc7862b314eb2736786e01c985cea6adf76b54ab7b3c3796c39a4ff601cc386584a35979fe92a3ea6a5577dc17d6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini.hydracrypttmp_ID_1d91a16c

Filesize
174B

MD5
0e110c6405b963bf35e3f5e05332a41f

SHA1
bb5ebbf42ce6d4177ce0ea250a8b76966ff9e507

SHA256
7e21939fdf304a7c7b5c57bbdbc3d2f4f8e9358aed182152301ae7ccbc0e5e40

SHA512
6e159f8d00dc55ce02ea8cdaa229e3f483678981263d60a15d215bfdeff66d537370845104e9d96bd9254429412872a9be22cc39d099d4815ea0eab5316239b1

Download Submit
C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat.hydracrypttmp_ID_1d91a16c

Filesize
8KB

MD5
44816f0b34269cbf23526c1e311f87e5

SHA1
ab6d88a00e4ffcc90626374ce231cb5273023e97

SHA256
b0ac0f511df3b554bcbcdcc00d6799a86044a717b9cae3cb299269cd0b8f990c

SHA512
febaeca0048e637816bcbc64318987cca3d1364b7b5441b789e6dd37ac263a96ad2445120b783bb8e403c2f671618c97c4f754094d57eb4cbf721d1b1db4da2b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.hydracrypt_ID_1d91a16c

Filesize
8KB

MD5
314d173b7cc39d0345a7e13451e07ed7

SHA1
012382433e274517aa582128552410054642f398

SHA256
54f69aa72dd8c6771b6acec3f4b4ffba57cd0bfb8b83265c6b09df534548ab14

SHA512
21497fcf76b9b4c24f55b270c7969df21f26209ae0703a796ccacb74bc862f425ed483d09bc1f428ad764d719100b94109f1731c12c2feff68b4ed2604cfe840

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{9b8cfa01-5036-40cb-a302-ee94d0fb8189}\0.1.filtertrie.intermediate.txt.hydracrypttmp_ID_1d91a16c

Filesize
5B

MD5
e5e995e66573c18ceeaab47eabe9dc65

SHA1
d96fa3c692819727fdc8351692f6d470394efd97

SHA256
76a543adddc13a5fc7f18e0071debf4484f72e1b33c2393b36b9055e50932fdc

SHA512
32becab3314b67064b1f50e6a852b530e671e1608435d582386632054a5f91282da9dc019c40f69e3d69126415271ae1580b48550391e3d30166c1a9f5fb2f92

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{9b8cfa01-5036-40cb-a302-ee94d0fb8189}\0.2.filtertrie.intermediate.txt.hydracrypttmp_ID_1d91a16c

Filesize
5B

MD5
70588cbab83823355e70f17a355cf890

SHA1
24d32416bf7f37c4074bccbc3d3246009da17f77

SHA256
9c4a8c4eab94dbbef6435c3db4ca709f84ecf5db00a45213f54bddb1fc98527e

SHA512
d1df2ec95166057854dcd8edd107e7a3a011976894b36eaf9fe1f3d6ce6477db60ea88ea2f59552520f94cda47c8d9d9bb55db1059bdcd86e6d6d043ace9b3f3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{dbb8ad24-1824-4f41-995d-6f14cc9e2b3d}\0.1.filtertrie.intermediate.txt.hydracrypt_ID_1d91a16c

Filesize
269B

MD5
c1ed68fa9e7c86a4f4846b0b5ee72ff4

SHA1
c02fdd66778b30dd58e59f5a581eb8c2d352a1c7

SHA256
1567a274b92f033b0f31eaf64dcfd0c18ab3184b23fdf75a3fa7b25f8bcb30d7

SHA512
54a87e0861286984e8150237fecbd46d93f27bf9c81b5fdd51f0216294d65b80fb21b9e33c4aebe581a5e6efac3b9a2d42da0a7e404c3c7d1c4f098d844ac5c5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{dbb8ad24-1824-4f41-995d-6f14cc9e2b3d}\0.2.filtertrie.intermediate.txt.hydracrypt_ID_1d91a16c

Filesize
269B

MD5
cdfda7a81d0bc4d09123f59a8d700a76

SHA1
2851ac21def0d74d76826aa77d13141a5a3e1898

SHA256
0cf0533ce94b79d8eb9b811ebafe57bd4cd0013f818909bb37261feb1dfda457

SHA512
954d7dceb21162c4d4c940437ae9dfe680019c0047ec16e93fc20a201ede7310efb5fb424d07426aef0bec6059a62d4fa153766376793fd3a4b174ebf3e304c8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670754149735590.txt.hydracrypttmp_ID_1d91a16c

Filesize
77KB

MD5
9c55e51d2332499aeb38e6d4255bd18e

SHA1
d6594965c2f487eae4847bd4304559ba050e029e

SHA256
da2e801a5fbe182443813dadc2eeac2d35921a729c3e94d808abef31833d3e20

SHA512
81dcb9587220f8eac36d09cc236ef781c7f3032fff22a5c666295763474588cab0f3a102ab39b3ecb32de4bfc8efc2397d413f1afdb84226a9c2150a1b369945

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670754678238458.txt.hydracrypttmp_ID_1d91a16c

Filesize
47KB

MD5
202678364697e05fa7c1b30e9d070665

SHA1
6009c666ac9e13e73758bc00f9177bb535f0065e

SHA256
0214ae10df51b9f3b7fd10a8c3e27e3979b7238d557c11012c2277135a77ea80

SHA512
f428f1defd4658a3a851ce4b82560b1e3497006fca0335ba75a97d2a73d2115f96630f7fa8beda6d915619753a278c19cf67fa5a22aef0c5b8038c2ec9b6b315

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670761945787825.txt.hydracrypttmp_ID_1d91a16c

Filesize
63KB

MD5
62daaa4ccb3056ee4847d8924ff67154

SHA1
0ed4217b9df58ef3ea458e80dee30cb37c37a41a

SHA256
3dddcb86fd6a0bc1f0df55d6c0018ff281365a800d053d8cd831f6cec795e7f5

SHA512
ea1167ba9360228e00530b59614a80ae4b55c9c307ec21b5e3136720bfdbe5bbecd609f7317f670682d4f76acadc102af03d30232029cdbe0de02905a93670ba

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670764554768979.txt.hydracrypttmp_ID_1d91a16c

Filesize
74KB

MD5
1e8d7068ffbde2bd7b6005c816bff9ec

SHA1
000c5e2bd019876c7cbefdb0df3f36f6e0df501b

SHA256
8353cc24e8b638772c11d3f12d863b5f8bf71f46d55900089142541775fe7c45

SHA512
2b5c7f6e072a68c5accfd8fabdd2987316d3b4f1e226797f8cade4d3178fc0450e82abfbba17da1b6aab7f15fe5d7da1a95a08e36ad30f9d0a56a45e56c01b3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240802_123619520.html.hydracrypttmp_ID_1d91a16c

Filesize
93KB

MD5
55cea88069d57ac7b4af85cf0b24e17e

SHA1
a5658df0d0805e1c0c4f8fc0cdc9abd697c6589f

SHA256
551f7920a21abc832904bc2b700db529b36762a91f28edb41eb8d0310836993f

SHA512
c174a03af42df1b6145037d0ad97458a6b2d327072795026ec730bcc1e5c813d08bd1ef15b357315292f65f031765f8f0d0076cb0d6f7176dee4151f23f06023

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct6561.tmp.hydracrypttmp_ID_1d91a16c

Filesize
63KB

MD5
439886ffa8148f0e147c16a4e956285a

SHA1
5b5ce33aaae02e97908da619f9c63d1ee716e2b4

SHA256
6410e5ed756e89aa60424ec9451cea36e4e2a984e09ed41fdcfe83ea78211a95

SHA512
aeb3cb6731b514e22f01b95599d0adc797c63b5babd7f16f2924dd133033ffee8575f372bc438f10258dbf644b3231cb83408c99f4c2c4c9c7f5cfe08321d378

Download Submit
C:\Users\Admin\AppData\Roaming\1$FUWW$FFHEX.dat

Filesize
1KB

MD5
8895e3d5a6b4a63e39de38037a9580f9

SHA1
d69144760428df2f4d2b152345af827ba2dbcfff

SHA256
1165f1929004951e7bffd5e7cadc95db48e796ebf2e80d188dba4bccc3e9e5ea

SHA512
d6afc67048fa72a7d33f7efa5a17946640d30e707e87ac3a77510ecc78fe22c6da9476cbcd481c9efcbf26ee3b03ad0416e638f488b7661e16930828220fa024

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini.hydracrypttmp_ID_1d91a16c

Filesize
170B

MD5
3b611c56b70aa4b8042a0a239a15f539

SHA1
087d790536014533a7448cb17085da2661ad6535

SHA256
d436ea89553c73f03669272b27401b171531f3ae67074d69b2676e6289e6a90d

SHA512
8739eaa80b90b8bacfc04a34101d71ba532264b74f47576fe04d1ec870d2fcd7a21475b328af2acc8d395c9eac608df58eef2f2c3f0330b339c3d1556470f3ac

Download Submit
C:\Users\Public\Pictures\README_DECRYPT_HYDRA_ID_1d91a16c.txt

Filesize
915B

MD5
e0008db7fa5ab476a5c858b6b5382e05

SHA1
25768d680eadaa4248bb82997d0e841c25adc0b7

SHA256
cc7a144df364c13ee790c72d54f3c59f4abe6b0811cfd011b11fccb9f9564dfe

SHA512
f14c175183be4c7d6fd81633df4fad480658963f55494f638e70b37f8a11afee3925da80e8d8ef68be86f6d172d51b3abe38ea4d022baaffdeed736dc54642f2

Download Submit
memory/3620-0-0x0000000002250000-0x0000000002255000-memory.dmp

Filesize
20KB

Download
memory/4504-3696-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4504-4-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/4504-1-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/4504-1255-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/4504-1249-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4504-5269-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/4504-5272-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download