Analysis Overview
SHA256
afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e
Threat Level: Known bad
The file 08b304d01220f9de63244b4666621bba_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
HydraCrypt
Renames multiple (909) files with added filename extension
Deletes shadow copies
Renames multiple (626) files with added filename extension
Checks computer location settings
Drops startup file
Reads user/profile data of web browsers
Adds Run key to start application
Enumerates connected drives
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Interacts with shadow copies
Runs net.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-02 03:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-02 03:40
Reported
2024-10-02 03:43
Platform
win7-20240903-en
Max time kernel
107s
Max time network
111s
Command Line
Signatures
HydraCrypt
Deletes shadow copies
Renames multiple (626) files with added filename extension
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypttmp_ID_339c2a33 | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypt_ID_339c2a33 | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Internet Explorer Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe\"" | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeSettingsStart3264 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeSetings3264\\hymuzece.exe\"" | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\EHDN25ED\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\X9WSUL7T\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TL381H8Y\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
Enumerates connected drives
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1956 set thread context of 888 | N/A | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Interacts with shadow copies
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop vss
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /All
C:\Windows\SysWOW64\net.exe
net stop vss
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vss
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=Z: /All
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=Y: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=X: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=W: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=U: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=V: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=S: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=T: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=R: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=Q: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=P: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=N: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=O: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=M: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=L: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=J: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=K: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=I: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=H: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=G: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=F: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=E: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=D: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1071561941127524856317779220811680927960-1804522966293494506-562563154-844980834"
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=B: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=C: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=A: /All
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 29248
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.180.14:80 | google.com | tcp |
| US | 8.8.8.8:53 | drivers-softprotect.eu | udp |
| GB | 142.250.180.14:80 | google.com | tcp |
| US | 8.8.8.8:53 | drivers-softprotect.eu | udp |
Files
memory/1956-0-0x00000000002A0000-0x00000000002A5000-memory.dmp
memory/888-15-0x0000000000400000-0x0000000000978000-memory.dmp
memory/888-5-0x0000000000400000-0x0000000000978000-memory.dmp
memory/888-13-0x0000000000400000-0x0000000000978000-memory.dmp
memory/888-23-0x0000000000400000-0x0000000000978000-memory.dmp
memory/888-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/888-19-0x0000000000400000-0x0000000000978000-memory.dmp
memory/888-17-0x0000000000400000-0x0000000000978000-memory.dmp
memory/888-3-0x0000000000400000-0x0000000000978000-memory.dmp
memory/888-9-0x0000000000400000-0x0000000000978000-memory.dmp
memory/888-11-0x0000000000400000-0x0000000000978000-memory.dmp
memory/888-7-0x0000000000400000-0x0000000000978000-memory.dmp
memory/888-1-0x0000000000300000-0x0000000000400000-memory.dmp
memory/888-26-0x0000000000400000-0x0000000000978000-memory.dmp
C:\Users\Admin\AppData\Roaming\1$FUWW$FFHEX.dat
| MD5 | ed3ceaac51558dcdfcbe27071dc203b8 |
| SHA1 | b32bb87be55aa40418d2f5898bcceabf6062a929 |
| SHA256 | 989ac42229c9caa96ce6c5da9a5a97ede5298282040287454c4a4f33dd466586 |
| SHA512 | 6658ba16014978f68e6f0a206b9a62dbf43938c267ea87bf5c7f4c5916c9d131a3abd5ec4ce253c8ccaa48631d27a5f357e308863df8a58aa5a95b8068f89657 |
memory/888-170-0x0000000000400000-0x000000000040E000-memory.dmp
memory/888-211-0x0000000000400000-0x0000000000978000-memory.dmp
memory/888-431-0x0000000000400000-0x000000000040E000-memory.dmp
memory/888-774-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GRU3FPRK\desktop.ini.hydracrypttmp_ID_339c2a33
| MD5 | 58073b86c007ea688a7b8adeeffe6198 |
| SHA1 | f9fe39ea08a4eb7fe1d040e706a6ad32860b002b |
| SHA256 | 0c4d5dd13b796052be9751b2f1beeb61b3829d496739c2401505dd865dc47065 |
| SHA512 | 3985497ff7f5003588cae9aec665ab27635f8be423ad3cd03f5022c7a9f51cec80bfd4b5190e416b9d13e5447e1227bd571857f878fd9ce8b1dd6695d4ab0aad |
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\X9WSUL7T\desktop.ini.hydracrypt_ID_339c2a33
| MD5 | 6e370b7a3151ad087354eabdbbef2c45 |
| SHA1 | d973b7ee5c8616a0201e1065c0e8807ff83e097e |
| SHA256 | 09f7f5474fab7d223a770b85110e0426e60a3f52d99d96fac456cad9502b0b5d |
| SHA512 | e7a6b427c0bbab0340c1c650387c297ca0f41bbf206d22f52610db318068b8c255adddae0833a7b271e9a76a8dda4cdc94f3a6c97c1935702f463608cc3f8f95 |
memory/888-1160-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240903_051853366.html.hydracrypttmp_ID_339c2a33
| MD5 | fb15434f7d323ac8e542227b0ef59635 |
| SHA1 | 7179d98c18757072d9b619649e42c81b339cc19b |
| SHA256 | f51d04fcdc3050ea21f3b7ca1eb1af5962ce6c5707a1d264f96294b7160a47cc |
| SHA512 | 935b79cb2724db1ac3bf85e6908090fca7b584d1032dd41ac0b08aa54204e1a7b329c9c168dbd43fe0ee17855f272b2f92100a2708eee21e270526685285c15c |
memory/888-1424-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sources\license\es-es\eval\homepremium\license.rtf.hydracrypttmp_ID_339c2a33
| MD5 | e2373551822fc3b08d65a6189bd8fe9a |
| SHA1 | 19208a70d1a5f4cc0bb165543941366b3317e8ae |
| SHA256 | ad1f01b98c7e91fc2c50363e4f5d503ac9491c1d10f4a605a69c58941517bc5e |
| SHA512 | 5af1556128cf51f9c2176dfc18d428a7a0fa57fac5d55ec51c58ba58ce7fda8d63288d8e0868b93462c0b4a072e559ef1ff86b91f457c6a177bfee40baf7fd70 |
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sources\license\es-es\eval\professionale\license.rtf.hydracrypttmp_ID_339c2a33
| MD5 | f94448318658fbdadbbca9cdd3bab52a |
| SHA1 | 2c41689aa4bd97681a43c0b07a6935bc051b841b |
| SHA256 | 23fd6130a12157d7ae505e50cbd4d9100437a89327c73005b2b1503d84701906 |
| SHA512 | 83ee1abe9f436986bd9528f8deb25cbff82b0421de1a0494317c4c33e52c17fe11befec10315417314ba34ff3ae4cf426b063b44f138a1910fd4a9d1c07649bb |
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sources\license\es-es\eval\ultimate\license.rtf.hydracrypt_ID_339c2a33
| MD5 | 016a2a7a09452165c3e389efcb679e59 |
| SHA1 | 721a082d243c163a6b5f6432b0bad1577a49f562 |
| SHA256 | 32352602b1ce8f197c2a94d8d10bd1c952f16da4ac2a3d3de255ad0277fb73ca |
| SHA512 | 0ba9e6083be1eb1c9ab1ac0b941d6f71e25546a1aa64abfd61f6ca73a2523e154d058ce10bebe3ce13be3f67fa0eb96488433e854480a47557da41c4d0159de0 |
memory/888-1695-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\eval\homepremiume\license.rtf.hydracrypt_ID_339c2a33
| MD5 | ee1b8d08b6efb15b4f81ad617fb4dd6e |
| SHA1 | d179d4880ed3c6c4d3d8448fec9445997d20ed68 |
| SHA256 | 905f5222f89616714cf730185783f8089f2a847e6095e31371b25e4e6fe967c5 |
| SHA512 | 843e92abce469de566673e605a8e71243a4fd8ced79e52f9397f92dbd74d09cd254e5e3baadf259e32dfc526140c25c39087094553a22ac66e36415401ca7d2c |
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\eval\startere\license.rtf.hydracrypt_ID_339c2a33
| MD5 | 2bae11eb1fa69d6f400390a7f80c3f1a |
| SHA1 | e67b1150a6dc27dbbc987f09cba1d3e53c7fb55f |
| SHA256 | 6809caaaf67da7a3a6ff5a062a90a08e3c3cb3bc5b56e2f760d2fad3c6b02369 |
| SHA512 | 7a855f4a541fc14bb028c294e9a04c3f8ed8de70bd74067f988814ac73147846085284374edb2f792598c97ce50a3b2db68302ab728e78a1909987def0f3e1c4 |
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\eval\startern\license.rtf.hydracrypt_ID_339c2a33
| MD5 | dac9dc295c201ffe54bfdfab9e5387ea |
| SHA1 | 00acdeac732f0d60bd79babad203f9680169348a |
| SHA256 | 21f12589052180777e05f6a12018981b45b97b82d726fd428fa67522ea04ac85 |
| SHA512 | 98b9ffdeea6f7b347f16e65482f9c99d735033d70c0804e369d7a6654164540480b6cb0ca777375beb1e83f86ccc3a2e379d6505922e013212e3a0de3c5bfa1f |
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\oem\starter\license.rtf.hydracrypttmp_ID_339c2a33
| MD5 | 4464e394ca7d2ccfa7ecf4ee41c71968 |
| SHA1 | e508043e062e7a02a148670259e9ea3f84bceb6a |
| SHA256 | 19805b8881bbcd00ff272f71ce6d5bd90f686141c9c9cc98a8328e6538ecb229 |
| SHA512 | 3c68ab5d1a748aae26d27737f3d74516804c94aa339c4a6a23acc50340e95c181b80dfbd50b76020d54e1c503556aa41e4aac796e18cc41bb208fe4dd0802450 |
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\oem\startere\license.rtf.hydracrypttmp_ID_339c2a33
| MD5 | 76b2bd2b6339070a466341063988c2a8 |
| SHA1 | 64a397da7df866bb8047791dbcf865f9395c4fcb |
| SHA256 | 2ef2b2bab038aaded69596d7319a221ff13e7d5677b1b822b628034e4117e7ea |
| SHA512 | 530ff8ba820ec4cdc01a77938fe86f8e585626f75fcd70cd8259754fbdd06b7cd99ea918078bfbe5c41afa5e589c254601eec3fa98a38c24e818995de31d20a3 |
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\_default\professional\license.rtf.hydracrypttmp_ID_339c2a33
| MD5 | fa33e5947c4175483b54760325f356ff |
| SHA1 | 5d72f482250829fe0d2421da815ab549dc9d7531 |
| SHA256 | aeb7b7414c390cca07f6fc905e915869b1d66e1c22df7973b03c627619e0f4b5 |
| SHA512 | f493848d1dc32ef0c3076c5fc257fa65665762d66097dc8eec1c65a3264e3b27ebb0d74612a28f8a7130956d4c1c7aebd5bc73f771d1b62620d08827dc5a3bbe |
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fc29d5bca5556a09\lipeula.rtf.hydracrypttmp_ID_339c2a33
| MD5 | 3222da5c774e4cd3026dfdc0d88b30f6 |
| SHA1 | 24121450779062aee5349db7617a5c7e3a71fcfa |
| SHA256 | f351e6e2d382832ede295c7f3281444de0b027c35c1bd0c4430778320bcde87c |
| SHA512 | 8cfc0423edfac7cf08c8ed17aac7f748c0cdb6ecf30a4e190f4975975067c6e8e6d900009dab64b4c5d7d8d4e49948d8ef11f81b0b8ab4831b70eeb88148ca81 |
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9a71deeabfc0d8da\license.rtf.hydracrypttmp_ID_339c2a33
| MD5 | cb12f75a20742b019af8d204c6bf586d |
| SHA1 | e988ab1484b86b9c4fad75c061d1fe24ed49f72a |
| SHA256 | baba9b48b831f7f0818de975c71bcd9b71a1e0a35fd8566d5cbcbdccafd6ca8f |
| SHA512 | b50e7b6f88cace5796d9111c2c59ea8004357ea74ff18a00775cd497dd224d9780b98d085adb1ec60690b02316c0645c29b671d71cb6270df5465dc72e7a8608 |
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7600.16385_es-es_30cf7a89f238525a\license.rtf.hydracrypttmp_ID_339c2a33
| MD5 | 9efec0bead2389962939edfe37d67aec |
| SHA1 | 82b4bc7ec59024983804ca6145bfccb4aa439cc0 |
| SHA256 | f5bc9e3a01d95cbb2064fe4ecd2098375f40368dadd7e2c4561dc051cea5f6dc |
| SHA512 | 15dd0c5a20e4838880c301e9bbca2bc0b2969a64139edf2ad4c935a1ece0e2816416d1e5d25eb860cde4a31c74195c043daf172094e8977919eab27be84a81f9 |
memory/888-2233-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7600.16385_es-es_16d3f6301ae8cff8\license.rtf.hydracrypttmp_ID_339c2a33
| MD5 | cfccf09aa6ef2a3329e517072c89d451 |
| SHA1 | df12e24af2b75535a3d35a06e9b00bdf2c01452b |
| SHA256 | 1841b246b1369a3c98d9ff138c1fed065dd67df0d7cc15247d6c3c02dd79cc71 |
| SHA512 | f8f8d1ff8074004fd18839a1346296a9683ec5b20fdaa55bd9c1b169f202b963a461ffe91c93c9535d48cee4ae086b93334238074b7fb064e9ae640df4144f85 |
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..priseia64.resources_31bf3856ad364e35_6.1.7601.17514_es-es_382fefd2e1555940\license.rtf.hydracrypttmp_ID_339c2a33
| MD5 | f6300e01616d4ec54251c781497c2c8c |
| SHA1 | 7ddef82665af6e4e18753e44c73b48ff60f93ce1 |
| SHA256 | 0be19d912111fc984c2f4836c39f4ea3e92086cac53ff5875920b9ad1824b6b0 |
| SHA512 | 3e88519cae252901f8aeb5efe4589649db9ef6815f529545db0cccb9f572f2f5a14e7dc0a1cbc16d7220cf523b1099094e36f451acd0613600b0cb2a6ac8344c |
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..rverhyper.resources_31bf3856ad364e35_6.1.7601.17514_es-es_b990ce545164c82b\license.rtf.hydracrypttmp_ID_339c2a33
| MD5 | b2ce4d598fe22eafce678de8bbc763a9 |
| SHA1 | 8dda739df89d0ff3f14f1043c2e4c9b40fc4fee4 |
| SHA256 | 18137764c4bbc16ab74cb70783defa6aa9fcfa471d30a0f6b12be10756abeb71 |
| SHA512 | 94cbb384aec7d273d73f1e0e9232ef38f4c9d59fe243fa64fdb6c115a6c21b89aa7096e2c4ac1120325cd7b5db24ae7617cb9a57bae59329e762adebfe76933c |
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b1cda3731d74e249\license.rtf.hydracrypttmp_ID_339c2a33
| MD5 | d03ce8d49e28d79c7ef6ea16262b8a33 |
| SHA1 | 47a3dbec92d053b69eefbe9c1181405bce34b43e |
| SHA256 | ca61444dcb8c6ca1d0a7e4f2b274d71debc8cef110d9235396d2e395c2277c50 |
| SHA512 | 3990e6cb9d0807267924b3fbc8e5e739ab506ea0ef50127b930b78fbb1b165148fa1721555b12a04cde7602da1bd0d8375a5ab79c6cb7fc1190e8a30479159d4 |
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7600.16385_es-es_18649662a3c65f12\license.rtf.hydracrypttmp_ID_339c2a33
| MD5 | d528a89d392e0845744aa67dc8c1a53d |
| SHA1 | 672773b253a449cacd9599ec813ecdfc7b57d4f7 |
| SHA256 | 633391a341ccbf88ce9f17d5fbaa5b7fe8f359ff04b6b6fb46a8429327af5e1e |
| SHA512 | 42bad595475572b7cd7872a70face0e52f75a88a09e38591f792116885434d2da4b7d627b7f9207aaed1e5742849e9da3b7ae41391299762d70730bd09a1567a |
memory/888-2760-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\Documents\ReadPush.xlsx.hydracrypttmp_ID_339c2a33
| MD5 | feb832fdfc12c802cfbcc6a7fa7ebe78 |
| SHA1 | 51c09aae37cefc290888e2d7c5876360d5bfd4d9 |
| SHA256 | bf022d5b59bb725e7de01a50997bced21a6a0d8f97cecd1b690634033572beae |
| SHA512 | f04677d25208241b0600eabaa6973daee4ec3e61f878b3fa59124836e88c18540939eebf360674e077e92b43d324855937537c507f2f5bd049f54caa3648cfbc |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.hydracrypttmp_ID_339c2a33
| MD5 | 6a66e3dae1aa88f805d2ef85b96aaeea |
| SHA1 | 710fadee2d7c2cba762805deed29acec4fcea2ec |
| SHA256 | 0d3123e2bb94c0c3edab967a615dfd317efbe6adb01338b4bd59b70e99ae6840 |
| SHA512 | 3b875f623abc728c4e6274df8939db69fc72c0ed44cffcb77051b634a24c018304c0625ddb5ba330d8b6b4a0849c912e99931a82f3d713b9303a51b5981e5b26 |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.hydracrypttmp_ID_339c2a33
| MD5 | b89586b24930f19c9c4b4d9de50005d2 |
| SHA1 | 5ee0639ceb2df100eef687cbbf26f811b612999e |
| SHA256 | a6de1ea1d26d782de2f3641fd5faa4aab64049261bf97f4c43a9b7fa0f503173 |
| SHA512 | 6810d912c7ec2e66d2b870f64f227474dc6f673bab23d829c86167b103c79f87ab580039a8b24fdd959b92d84b9e1f05f9bf12da4cf733bd7e646fd97ee0c647 |
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml.hydracrypttmp_ID_339c2a33
| MD5 | 5b447702c809d290fe4bf5c19b905f26 |
| SHA1 | 1ca1546b3bd1eed4d1b69886ee813360d0ce69ff |
| SHA256 | bbd3274bf1afee6d59d4cf55e8efc2d121aebcbb064eb85783c520f7561209ad |
| SHA512 | b5d86c394f02491f553c1e8fe6a980f78ce1e2b97c6dd8add746a9565946b9e4b3033fb4ab5a040513d8d81174f370c91eea0548df6670a05f24afd3dbcdc897 |
memory/888-3279-0x0000000000400000-0x000000000040E000-memory.dmp
memory/888-3722-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Public\Documents\README_DECRYPT_HYDRA_ID_339c2a33.txt
| MD5 | 1cb60f48539cc0bd459bbb83d010db58 |
| SHA1 | dea4df664b9590519c8bf34457a91c42385c6b7b |
| SHA256 | e0f8f1dc39b0515da2a1b7f943b2c98fff73544692499a1c66c35bd0a31808f8 |
| SHA512 | 797bde90081d1b8adbdfa95056e286b72bfb0dca04e110219b965136d25732ff404f64a2a2fb4524d1fd351880b940384aac935f758a071e35dc9c1763d7da0e |
memory/888-3752-0x0000000000400000-0x0000000000978000-memory.dmp
memory/888-3754-0x0000000000400000-0x000000000040E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-02 03:40
Reported
2024-10-02 03:43
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
HydraCrypt
Deletes shadow copies
Renames multiple (909) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypttmp_ID_1d91a16c | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypt_ID_1d91a16c | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Internet Explorer Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe\"" | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeSettingsStart3264 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeSetings3264\\balameky.exe\"" | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
Enumerates connected drives
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3620 set thread context of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop vss
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All
C:\Windows\SysWOW64\net.exe
net stop vss
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vss
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4504 -ip 4504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1860
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.16.238:80 | google.com | tcp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drivers-softprotect.eu | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| GB | 172.217.16.238:80 | google.com | tcp |
| US | 8.8.8.8:53 | drivers-softprotect.eu | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
Files
memory/3620-0-0x0000000002250000-0x0000000002255000-memory.dmp
memory/4504-1-0x0000000000400000-0x0000000000978000-memory.dmp
memory/4504-4-0x0000000000400000-0x0000000000978000-memory.dmp
C:\Users\Admin\AppData\Roaming\1$FUWW$FFHEX.dat
| MD5 | 8895e3d5a6b4a63e39de38037a9580f9 |
| SHA1 | d69144760428df2f4d2b152345af827ba2dbcfff |
| SHA256 | 1165f1929004951e7bffd5e7cadc95db48e796ebf2e80d188dba4bccc3e9e5ea |
| SHA512 | d6afc67048fa72a7d33f7efa5a17946640d30e707e87ac3a77510ecc78fe22c6da9476cbcd481c9efcbf26ee3b03ad0416e638f488b7661e16930828220fa024 |
memory/4504-1249-0x0000000000400000-0x000000000040E000-memory.dmp
memory/4504-1255-0x0000000000400000-0x0000000000978000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml.hydracrypttmp_ID_1d91a16c
| MD5 | a32dce07b4bf4f6d5059e56ab5a890af |
| SHA1 | ff0aca93c78006cd8189bf50fa498c39c537ed77 |
| SHA256 | 38f5dd19e3b3d5bcd2e816eaff80433f5c42fa593e37e7fe266c9e7bb45c5c16 |
| SHA512 | c2c18cba43af829084b8554f861dcc96dcd02a66df65fdca83b4d9655ccd23c7874fdfcd4c3d02e7167b590c5f4dcd8dee697c33d583468cf19db9f6c00c30dd |
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\onenote.exe.db.hydracrypttmp_ID_1d91a16c
| MD5 | a6864f0cd9d24b39567c14567b3f4599 |
| SHA1 | 5a01d9d28c23776cea8738d6bfe491981ab0208d |
| SHA256 | ce7548c2e48b273b5195b0a0065c28710a97d4c6c0f4e75425a21977465145eb |
| SHA512 | a23549a1a89c1f780ceb13e40a2ccc021accc7862b314eb2736786e01c985cea6adf76b54ab7b3c3796c39a4ff601cc386584a35979fe92a3ea6a5577dc17d6c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini.hydracrypttmp_ID_1d91a16c
| MD5 | 0e110c6405b963bf35e3f5e05332a41f |
| SHA1 | bb5ebbf42ce6d4177ce0ea250a8b76966ff9e507 |
| SHA256 | 7e21939fdf304a7c7b5c57bbdbc3d2f4f8e9358aed182152301ae7ccbc0e5e40 |
| SHA512 | 6e159f8d00dc55ce02ea8cdaa229e3f483678981263d60a15d215bfdeff66d537370845104e9d96bd9254429412872a9be22cc39d099d4815ea0eab5316239b1 |
C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat.hydracrypttmp_ID_1d91a16c
| MD5 | 44816f0b34269cbf23526c1e311f87e5 |
| SHA1 | ab6d88a00e4ffcc90626374ce231cb5273023e97 |
| SHA256 | b0ac0f511df3b554bcbcdcc00d6799a86044a717b9cae3cb299269cd0b8f990c |
| SHA512 | febaeca0048e637816bcbc64318987cca3d1364b7b5441b789e6dd37ac263a96ad2445120b783bb8e403c2f671618c97c4f754094d57eb4cbf721d1b1db4da2b |
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.hydracrypt_ID_1d91a16c
| MD5 | 314d173b7cc39d0345a7e13451e07ed7 |
| SHA1 | 012382433e274517aa582128552410054642f398 |
| SHA256 | 54f69aa72dd8c6771b6acec3f4b4ffba57cd0bfb8b83265c6b09df534548ab14 |
| SHA512 | 21497fcf76b9b4c24f55b270c7969df21f26209ae0703a796ccacb74bc862f425ed483d09bc1f428ad764d719100b94109f1731c12c2feff68b4ed2604cfe840 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{9b8cfa01-5036-40cb-a302-ee94d0fb8189}\0.1.filtertrie.intermediate.txt.hydracrypttmp_ID_1d91a16c
| MD5 | e5e995e66573c18ceeaab47eabe9dc65 |
| SHA1 | d96fa3c692819727fdc8351692f6d470394efd97 |
| SHA256 | 76a543adddc13a5fc7f18e0071debf4484f72e1b33c2393b36b9055e50932fdc |
| SHA512 | 32becab3314b67064b1f50e6a852b530e671e1608435d582386632054a5f91282da9dc019c40f69e3d69126415271ae1580b48550391e3d30166c1a9f5fb2f92 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{9b8cfa01-5036-40cb-a302-ee94d0fb8189}\0.2.filtertrie.intermediate.txt.hydracrypttmp_ID_1d91a16c
| MD5 | 70588cbab83823355e70f17a355cf890 |
| SHA1 | 24d32416bf7f37c4074bccbc3d3246009da17f77 |
| SHA256 | 9c4a8c4eab94dbbef6435c3db4ca709f84ecf5db00a45213f54bddb1fc98527e |
| SHA512 | d1df2ec95166057854dcd8edd107e7a3a011976894b36eaf9fe1f3d6ce6477db60ea88ea2f59552520f94cda47c8d9d9bb55db1059bdcd86e6d6d043ace9b3f3 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{dbb8ad24-1824-4f41-995d-6f14cc9e2b3d}\0.1.filtertrie.intermediate.txt.hydracrypt_ID_1d91a16c
| MD5 | c1ed68fa9e7c86a4f4846b0b5ee72ff4 |
| SHA1 | c02fdd66778b30dd58e59f5a581eb8c2d352a1c7 |
| SHA256 | 1567a274b92f033b0f31eaf64dcfd0c18ab3184b23fdf75a3fa7b25f8bcb30d7 |
| SHA512 | 54a87e0861286984e8150237fecbd46d93f27bf9c81b5fdd51f0216294d65b80fb21b9e33c4aebe581a5e6efac3b9a2d42da0a7e404c3c7d1c4f098d844ac5c5 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{dbb8ad24-1824-4f41-995d-6f14cc9e2b3d}\0.2.filtertrie.intermediate.txt.hydracrypt_ID_1d91a16c
| MD5 | cdfda7a81d0bc4d09123f59a8d700a76 |
| SHA1 | 2851ac21def0d74d76826aa77d13141a5a3e1898 |
| SHA256 | 0cf0533ce94b79d8eb9b811ebafe57bd4cd0013f818909bb37261feb1dfda457 |
| SHA512 | 954d7dceb21162c4d4c940437ae9dfe680019c0047ec16e93fc20a201ede7310efb5fb424d07426aef0bec6059a62d4fa153766376793fd3a4b174ebf3e304c8 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670754149735590.txt.hydracrypttmp_ID_1d91a16c
| MD5 | 9c55e51d2332499aeb38e6d4255bd18e |
| SHA1 | d6594965c2f487eae4847bd4304559ba050e029e |
| SHA256 | da2e801a5fbe182443813dadc2eeac2d35921a729c3e94d808abef31833d3e20 |
| SHA512 | 81dcb9587220f8eac36d09cc236ef781c7f3032fff22a5c666295763474588cab0f3a102ab39b3ecb32de4bfc8efc2397d413f1afdb84226a9c2150a1b369945 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670754678238458.txt.hydracrypttmp_ID_1d91a16c
| MD5 | 202678364697e05fa7c1b30e9d070665 |
| SHA1 | 6009c666ac9e13e73758bc00f9177bb535f0065e |
| SHA256 | 0214ae10df51b9f3b7fd10a8c3e27e3979b7238d557c11012c2277135a77ea80 |
| SHA512 | f428f1defd4658a3a851ce4b82560b1e3497006fca0335ba75a97d2a73d2115f96630f7fa8beda6d915619753a278c19cf67fa5a22aef0c5b8038c2ec9b6b315 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670761945787825.txt.hydracrypttmp_ID_1d91a16c
| MD5 | 62daaa4ccb3056ee4847d8924ff67154 |
| SHA1 | 0ed4217b9df58ef3ea458e80dee30cb37c37a41a |
| SHA256 | 3dddcb86fd6a0bc1f0df55d6c0018ff281365a800d053d8cd831f6cec795e7f5 |
| SHA512 | ea1167ba9360228e00530b59614a80ae4b55c9c307ec21b5e3136720bfdbe5bbecd609f7317f670682d4f76acadc102af03d30232029cdbe0de02905a93670ba |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670764554768979.txt.hydracrypttmp_ID_1d91a16c
| MD5 | 1e8d7068ffbde2bd7b6005c816bff9ec |
| SHA1 | 000c5e2bd019876c7cbefdb0df3f36f6e0df501b |
| SHA256 | 8353cc24e8b638772c11d3f12d863b5f8bf71f46d55900089142541775fe7c45 |
| SHA512 | 2b5c7f6e072a68c5accfd8fabdd2987316d3b4f1e226797f8cade4d3178fc0450e82abfbba17da1b6aab7f15fe5d7da1a95a08e36ad30f9d0a56a45e56c01b3f |
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240802_123619520.html.hydracrypttmp_ID_1d91a16c
| MD5 | 55cea88069d57ac7b4af85cf0b24e17e |
| SHA1 | a5658df0d0805e1c0c4f8fc0cdc9abd697c6589f |
| SHA256 | 551f7920a21abc832904bc2b700db529b36762a91f28edb41eb8d0310836993f |
| SHA512 | c174a03af42df1b6145037d0ad97458a6b2d327072795026ec730bcc1e5c813d08bd1ef15b357315292f65f031765f8f0d0076cb0d6f7176dee4151f23f06023 |
memory/4504-3696-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wct6561.tmp.hydracrypttmp_ID_1d91a16c
| MD5 | 439886ffa8148f0e147c16a4e956285a |
| SHA1 | 5b5ce33aaae02e97908da619f9c63d1ee716e2b4 |
| SHA256 | 6410e5ed756e89aa60424ec9451cea36e4e2a984e09ed41fdcfe83ea78211a95 |
| SHA512 | aeb3cb6731b514e22f01b95599d0adc797c63b5babd7f16f2924dd133033ffee8575f372bc438f10258dbf644b3231cb83408c99f4c2c4c9c7f5cfe08321d378 |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.hydracrypttmp_ID_1d91a16c
| MD5 | b2a7ab8d40fcc56d52ca28a26de6f3be |
| SHA1 | 6c3ca9da2934efb438d43ff7681de36dd0c7a359 |
| SHA256 | 0e9498126ceafe01db5b1625dd2f7f3c943e22bdb9251c6da281e7fc0424802b |
| SHA512 | 0f2e669c0293413b1bd3bb6b4d1c223e91b4273fc7f365fcf3b50d0d11d195d7616230a5bb33be78e090df3eee1e46927f0ac9d6d93c215833a3017fa91e8184 |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.hydracrypttmp_ID_1d91a16c
| MD5 | 93ee52eb32285ebbc72122b3597c5baf |
| SHA1 | 6acc4a70b7770d54dfe07168d73aac383dfd9c4e |
| SHA256 | 4a1ae553cfcb0f58adf010e9af11e00a4583d89aa3d0ddf3ff4e207a2ac9bf8a |
| SHA512 | 73acb3302c53e52264c3166736f5339ffd96173d0836b197f78376a5c00763595f7c6be7047039ea2c91c38255a6312a349a047eb3e232e62d8605c1e94fadd9 |
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml.hydracrypttmp_ID_1d91a16c
| MD5 | 051fdb656f2c5e470f45f5a96c0aea92 |
| SHA1 | e5e45c0db2bec63212b1b27ad2724bce124f7d6e |
| SHA256 | f7d1cdf44a16cff84a1a5f927d8f405572241d5517f54e5211cbdc8d99e1af26 |
| SHA512 | 4c1fbe92e611ea4a26bf790d24cda90857650da03783943ab6df8bdf4deb85d453e1be531d4b083fc664cd48ee5aca81523dbc39a91a19f44cbbe974b8503e80 |
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini.hydracrypttmp_ID_1d91a16c
| MD5 | 3b611c56b70aa4b8042a0a239a15f539 |
| SHA1 | 087d790536014533a7448cb17085da2661ad6535 |
| SHA256 | d436ea89553c73f03669272b27401b171531f3ae67074d69b2676e6289e6a90d |
| SHA512 | 8739eaa80b90b8bacfc04a34101d71ba532264b74f47576fe04d1ec870d2fcd7a21475b328af2acc8d395c9eac608df58eef2f2c3f0330b339c3d1556470f3ac |
C:\Users\Public\Pictures\README_DECRYPT_HYDRA_ID_1d91a16c.txt
| MD5 | e0008db7fa5ab476a5c858b6b5382e05 |
| SHA1 | 25768d680eadaa4248bb82997d0e841c25adc0b7 |
| SHA256 | cc7a144df364c13ee790c72d54f3c59f4abe6b0811cfd011b11fccb9f9564dfe |
| SHA512 | f14c175183be4c7d6fd81633df4fad480658963f55494f638e70b37f8a11afee3925da80e8d8ef68be86f6d172d51b3abe38ea4d022baaffdeed736dc54642f2 |
memory/4504-5269-0x0000000000400000-0x0000000000978000-memory.dmp
memory/4504-5272-0x0000000000400000-0x000000000040E000-memory.dmp