hydracrypt | afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e

Analysis

max time kernel
141s
max time network
67s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-03-2023 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
Size

164KB
MD5

08b304d01220f9de63244b4666621bba
SHA1

b7f9dd8ee3434b35fbb3395f69ff43fd5112a0c6
SHA256

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e
SHA512

162cc0fb48615c67ce6e104ca462c41aba79bad0d5409e837b300cffc34a1c9bed63f603eee7091b93edfcd772d8ab1e180fcb3aae6b07fe24413b8505815ae9
SSDEEP

3072:fHynAdzu0t5GtE13lkAB9z3KJZ3fCI1AjZ7yXgpiqQp:fHKautY3TzaJZarjZeXgpn

Score

10^/10

hydracrypt persistence ransomware spyware stealer

Malware Config

Signatures

HydraCrypt
Relatively unsophisticated ransomware family based on leaked CrypBoss source code.
ransomware hydracrypt
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\DisconnectSkip.crw.hydracrypt_ID_869a271f	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveApprove.tiff	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File created	C:\Users\Admin\Pictures\ResolveApprove.tiff.hydracrypttmp_ID_869a271f	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File created	C:\Users\Admin\Pictures\ResolveApprove.tiff.hydracrypt_ID_869a271f	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File created	C:\Users\Admin\Pictures\ResolveUnblock.crw.hydracrypttmp_ID_869a271f	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File created	C:\Users\Admin\Pictures\ResolveUnblock.crw.hydracrypt_ID_869a271f	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File created	C:\Users\Admin\Pictures\DisconnectSkip.crw.hydracrypttmp_ID_869a271f	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

Drops startup file 3 IoCs

Processes:

2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypttmp_ID_869a271f	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypt_ID_869a271f	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Internet Explorer Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe\""	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeSettingsStart3264 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeSetings3264\\losihizi.exe\""	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\4EJGXEBJ\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\BZB8KC7X\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\A6DSJQQJ\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VCT3UJZ1\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Public\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

description	ioc	process
File opened (read-only)	\??\F:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\E:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\T:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\Q:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\N:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\I:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\L:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\K:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\J:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\H:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\Z:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\X:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\V:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\P:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\G:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\W:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\U:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\A:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\M:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\B:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\Y:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\S:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\R:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\O:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

description	pid	process	target process
PID 1260 set thread context of 1712	1260	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2096 1712 WerFault.exe 2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

pid	pid_target	process	target process
2096	1712	WerFault.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

Interacts with shadow copies 2 TTPs 27 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
1088	vssadmin.exe
1028	vssadmin.exe
1604	vssadmin.exe
1816	vssadmin.exe
2316	vssadmin.exe
2384	vssadmin.exe
2204	vssadmin.exe
2216	vssadmin.exe
636	vssadmin.exe
1472	vssadmin.exe
2004	vssadmin.exe
1260	vssadmin.exe
1920	vssadmin.exe
2252	vssadmin.exe
1524	vssadmin.exe
1348	vssadmin.exe
844	vssadmin.exe
2572	vssadmin.exe
2484	vssadmin.exe
1488	vssadmin.exe
1000	vssadmin.exe
848	vssadmin.exe
2120	vssadmin.exe
2536	vssadmin.exe
2148	vssadmin.exe
2400	vssadmin.exe
296	vssadmin.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

pid process

1260 2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

pid	process
1260	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	808	WMIC.exe
Token: SeSecurityPrivilege	808	WMIC.exe
Token: SeTakeOwnershipPrivilege	808	WMIC.exe
Token: SeLoadDriverPrivilege	808	WMIC.exe
Token: SeSystemProfilePrivilege	808	WMIC.exe
Token: SeSystemtimePrivilege	808	WMIC.exe
Token: SeProfSingleProcessPrivilege	808	WMIC.exe
Token: SeIncBasePriorityPrivilege	808	WMIC.exe
Token: SeCreatePagefilePrivilege	808	WMIC.exe
Token: SeBackupPrivilege	808	WMIC.exe
Token: SeRestorePrivilege	808	WMIC.exe
Token: SeShutdownPrivilege	808	WMIC.exe
Token: SeDebugPrivilege	808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	808	WMIC.exe
Token: SeRemoteShutdownPrivilege	808	WMIC.exe
Token: SeUndockPrivilege	808	WMIC.exe
Token: SeManageVolumePrivilege	808	WMIC.exe
Token: 33	808	WMIC.exe
Token: 34	808	WMIC.exe
Token: 35	808	WMIC.exe
Token: SeBackupPrivilege	2544	vssvc.exe
Token: SeRestorePrivilege	2544	vssvc.exe
Token: SeAuditPrivilege	2544	vssvc.exe
Token: SeIncreaseQuotaPrivilege	808	WMIC.exe
Token: SeSecurityPrivilege	808	WMIC.exe
Token: SeTakeOwnershipPrivilege	808	WMIC.exe
Token: SeLoadDriverPrivilege	808	WMIC.exe
Token: SeSystemProfilePrivilege	808	WMIC.exe
Token: SeSystemtimePrivilege	808	WMIC.exe
Token: SeProfSingleProcessPrivilege	808	WMIC.exe
Token: SeIncBasePriorityPrivilege	808	WMIC.exe
Token: SeCreatePagefilePrivilege	808	WMIC.exe
Token: SeBackupPrivilege	808	WMIC.exe
Token: SeRestorePrivilege	808	WMIC.exe
Token: SeShutdownPrivilege	808	WMIC.exe
Token: SeDebugPrivilege	808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	808	WMIC.exe
Token: SeRemoteShutdownPrivilege	808	WMIC.exe
Token: SeUndockPrivilege	808	WMIC.exe
Token: SeManageVolumePrivilege	808	WMIC.exe
Token: 33	808	WMIC.exe
Token: 34	808	WMIC.exe
Token: 35	808	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

pid process

1260 2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
1260 2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

pid	process
1260	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
1260	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.execonhost.exenet.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1260 wrote to memory of 1712	1260	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 1260 wrote to memory of 1712	1260	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 1260 wrote to memory of 1712	1260	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 1260 wrote to memory of 1712	1260	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 1260 wrote to memory of 1712	1260	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 1260 wrote to memory of 1712	1260	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 1260 wrote to memory of 1712	1260	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 1260 wrote to memory of 1712	1260	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 1260 wrote to memory of 1712	1260	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 1260 wrote to memory of 1712	1260	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 1260 wrote to memory of 1712	1260	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 1260 wrote to memory of 1712	1260	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 1260 wrote to memory of 1712	1260	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 1260 wrote to memory of 1712	1260	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 1260 wrote to memory of 1712	1260	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 1712 wrote to memory of 772	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	conhost.exe
PID 1712 wrote to memory of 772	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	conhost.exe
PID 1712 wrote to memory of 772	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	conhost.exe
PID 1712 wrote to memory of 772	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	conhost.exe
PID 1712 wrote to memory of 676	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 1712 wrote to memory of 676	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 1712 wrote to memory of 676	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 1712 wrote to memory of 676	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 772 wrote to memory of 868	772	conhost.exe	net.exe
PID 772 wrote to memory of 868	772	conhost.exe	net.exe
PID 772 wrote to memory of 868	772	conhost.exe	net.exe
PID 772 wrote to memory of 868	772	conhost.exe	net.exe
PID 1712 wrote to memory of 1112	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 1712 wrote to memory of 1112	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 1712 wrote to memory of 1112	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 1712 wrote to memory of 1112	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 1712 wrote to memory of 1772	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 1712 wrote to memory of 1772	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 1712 wrote to memory of 1772	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 1712 wrote to memory of 1772	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 1712 wrote to memory of 1884	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 1712 wrote to memory of 1884	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 1712 wrote to memory of 1884	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 1712 wrote to memory of 1884	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 868 wrote to memory of 1216	868	net.exe	conhost.exe
PID 868 wrote to memory of 1216	868	net.exe	conhost.exe
PID 868 wrote to memory of 1216	868	net.exe	conhost.exe
PID 868 wrote to memory of 1216	868	net.exe	conhost.exe
PID 1772 wrote to memory of 848	1772	cmd.exe	vssadmin.exe
PID 1772 wrote to memory of 848	1772	cmd.exe	vssadmin.exe
PID 1772 wrote to memory of 848	1772	cmd.exe	vssadmin.exe
PID 1772 wrote to memory of 848	1772	cmd.exe	vssadmin.exe
PID 676 wrote to memory of 1524	676	cmd.exe	vssadmin.exe
PID 676 wrote to memory of 1524	676	cmd.exe	vssadmin.exe
PID 676 wrote to memory of 1524	676	cmd.exe	vssadmin.exe
PID 676 wrote to memory of 1524	676	cmd.exe	vssadmin.exe
PID 1712 wrote to memory of 1008	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 1712 wrote to memory of 1008	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 1712 wrote to memory of 1008	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 1712 wrote to memory of 1008	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 1712 wrote to memory of 952	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 1712 wrote to memory of 952	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 1712 wrote to memory of 952	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 1712 wrote to memory of 952	1712	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 1884 wrote to memory of 296	1884	cmd.exe	vssadmin.exe
PID 1884 wrote to memory of 296	1884	cmd.exe	vssadmin.exe
PID 1884 wrote to memory of 296	1884	cmd.exe	vssadmin.exe
PID 1884 wrote to memory of 296	1884	cmd.exe	vssadmin.exe
PID 1112 wrote to memory of 808	1112	cmd.exe	WMIC.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
"C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
  C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
  2⤵
  - Modifies extensions of user files
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C net stop vss
    3⤵
    PID:772
  - - C:\Windows\SysWOW64\net.exe
      net stop vss
      4⤵
      Suspicious use of WriteProcessMemory
      PID:868
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop vss
        5⤵
        
        PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /All
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:676
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All
      4⤵
      Interacts with shadow copies
      PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:808
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=Z: /All
      4⤵
      Interacts with shadow copies
      PID:848
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=Y: /All
      4⤵
      Interacts with shadow copies
      PID:296
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All
    3⤵
    PID:1008
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=X: /All
      4⤵
      Interacts with shadow copies
      PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All
    3⤵
    PID:484
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=V: /All
      4⤵
      Interacts with shadow copies
      PID:636
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All
    3⤵
    PID:1632
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=U: /All
      4⤵
      Interacts with shadow copies
      PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All
    3⤵
    PID:952
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=W: /All
      4⤵
      Interacts with shadow copies
      PID:1088
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All
    3⤵
    PID:1972
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=T: /All
      4⤵
      Interacts with shadow copies
      PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All
    3⤵
    PID:1204
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=S: /All
      4⤵
      Interacts with shadow copies
      PID:1348
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All
    3⤵
    PID:2000
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=R: /All
      4⤵
      Interacts with shadow copies
      PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All
    3⤵
    PID:948
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=Q: /All
      4⤵
      Interacts with shadow copies
      PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All
    3⤵
    PID:924
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=P: /All
      4⤵
      Interacts with shadow copies
      PID:844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All
    3⤵
    PID:1600
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=O: /All
      4⤵
      Interacts with shadow copies
      PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All
    3⤵
    PID:1336
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=N: /All
      4⤵
      Interacts with shadow copies
      PID:1260
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All
    3⤵
    PID:528
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=M: /All
      4⤵
      Interacts with shadow copies
      PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All
    3⤵
    PID:2008
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=L: /All
      4⤵
      Interacts with shadow copies
      PID:1000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All
    3⤵
    PID:1628
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=K: /All
      4⤵
      Interacts with shadow copies
      PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All
    3⤵
    PID:1572
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=J: /All
      4⤵
      Interacts with shadow copies
      PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All
    3⤵
    PID:2056
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=I: /All
      4⤵
      Interacts with shadow copies
      PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All
    3⤵
    PID:2088
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=H: /All
      4⤵
      Interacts with shadow copies
      PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All
    3⤵
    PID:2128
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=G: /All
      4⤵
      Interacts with shadow copies
      PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All
    3⤵
    PID:2180
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=F: /All
      4⤵
      Interacts with shadow copies
      PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All
    3⤵
    PID:2224
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=E: /All
      4⤵
      Interacts with shadow copies
      PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All
    3⤵
    PID:2260
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=D: /All
      4⤵
      Interacts with shadow copies
      PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All
    3⤵
    PID:2280
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=C: /All
      4⤵
      Interacts with shadow copies
      PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All
    3⤵
    PID:2340
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=B: /All
      4⤵
      Interacts with shadow copies
      PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All
    3⤵
    PID:2368
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /For=A: /All
      4⤵
      Interacts with shadow copies
      PID:2572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 7972
    3⤵
    - Program crash
    PID:2096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8506824032135155593630421923-469705759-6137301091508827591212962404682656589"
1⤵
PID:1216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9475992671378339094-5832242751180845862-213370082747187124918212332495356582"
1⤵
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\A6DSJQQJ\desktop.ini.hydracrypttmp_ID_869a271f

Filesize
67B

MD5
b4c2311fb5b666691d7109f5a7db2908

SHA1
f4ce151c375ce4a822fe1a01c7b67e102a29f3ec

SHA256
0847951242c7c44af41bd974264a5ff7d05f8f86eec606e9aa7019460bf321cd

SHA512
e59dc17d8436908c968935197e583d0616870953534d9f62ae9caf043da092f9ed175df38d86979f9f1a105e6520b2814978d47e553043d5d76a29984b338152

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VCT3UJZ1\desktop.ini.hydracrypt_ID_869a271f

Filesize
331B

MD5
791eacbdd2a9cbb9ac3c55c3e5f6aff7

SHA1
90096e9836c45a83bc2efd0a71c1720006ecd006

SHA256
ac8bcbef665f421aa8d4a2b1b2ad9cdc6e5d91ae29926d4e036354a0390e1675

SHA512
60981e15d62e35053bfedc25553c33024b5c09d620acba9b3729fc6500c755ff3fd42dd39678c94f2432c538c0f2878bfeded41342fe924621af0a9319d60759

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20230220_185731908.html.hydracrypttmp_ID_869a271f

Filesize
1.1MB

MD5
666355e96e7540a6f8f607c7767f89e2

SHA1
fe4c5a4e4ac89797834e444c2f4a86c4351bc4f9

SHA256
a7503edaed07bb5ce9fd1094f2fb268501d1c58ccfbe160369e59186c67c4e67

SHA512
f08f46d66a6231c19875bfd43ba509b90e50aea6fb757a7ba5562b4eaa3ee1d021390fe82268afb685fa8076db5f7d24aa0b0b19c554107aae498a0b184ec908

Download Submit
C:\Users\Admin\AppData\Roaming\1$FUWW$FFHEX.dat

Filesize
1KB

MD5
029c1ba05a0e18977bd30d7b620e762b

SHA1
a146f64b018f715a8b3572c26a0bbb6481f981d4

SHA256
219073cd0fe343361ac0ece187171c50ad2cf9b8c814bb21e2f3be6c09a32ce5

SHA512
653de12fab42742dc471c5e66738c585f1d035dc134e9d51b6670a9206f3ee0ce2d51d6765ec1b55e5baef7921c4c1beceea09fb8b7305b3f6a5371d83f73831

Download Submit
C:\Users\Public\Videos\README_DECRYPT_HYDRA_ID_869a271f.txt

Filesize
915B

MD5
ec8a491fe3884746490f92171b930633

SHA1
16776e53d50c90d5eeaa29185d8e3a9c7b631365

SHA256
a94f02ee3488e12330293fd597a4cc8ca4602f3f3ee40b8d3c8240c8d90e97ca

SHA512
e017290c8a90da94f38e7651305f12e93f4e13d87630a8cd7fd9342e513892707ecaa2f28ca6a4a608752184cb91acce146e02ba97734ca3f4833868131e3577

Download Submit
C:\Users\Public\Videos\README_DECRYPT_HYDRA_ID_869a271f.txt

Filesize
915B

MD5
ec8a491fe3884746490f92171b930633

SHA1
16776e53d50c90d5eeaa29185d8e3a9c7b631365

SHA256
a94f02ee3488e12330293fd597a4cc8ca4602f3f3ee40b8d3c8240c8d90e97ca

SHA512
e017290c8a90da94f38e7651305f12e93f4e13d87630a8cd7fd9342e513892707ecaa2f28ca6a4a608752184cb91acce146e02ba97734ca3f4833868131e3577

Download Submit
memory/1260-61-0x00000000003E0000-0x00000000003E5000-memory.dmp

Filesize
20KB

Download
memory/1712-260-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1712-63-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1712-320-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1712-64-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1712-66-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1712-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1712-68-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1712-69-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1712-680-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1712-60-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1712-2396-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1712-62-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1712-70-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1712-59-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1712-58-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1712-1292-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1712-57-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1712-1865-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1712-2292-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1712-56-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1712-55-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1712-54-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download