hydracrypt | afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2023 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
Size

164KB
MD5

08b304d01220f9de63244b4666621bba
SHA1

b7f9dd8ee3434b35fbb3395f69ff43fd5112a0c6
SHA256

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e
SHA512

162cc0fb48615c67ce6e104ca462c41aba79bad0d5409e837b300cffc34a1c9bed63f603eee7091b93edfcd772d8ab1e180fcb3aae6b07fe24413b8505815ae9
SSDEEP

3072:fHynAdzu0t5GtE13lkAB9z3KJZ3fCI1AjZ7yXgpiqQp:fHKautY3TzaJZarjZeXgpn

Score

10^/10

hydracrypt persistence ransomware spyware stealer

Malware Config

Signatures

HydraCrypt
Relatively unsophisticated ransomware family based on leaked CrypBoss source code.
ransomware hydracrypt
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\ProtectUnregister.raw.hydracrypt_ID_7808ea6c	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File created	C:\Users\Admin\Pictures\PushUse.crw.hydracrypttmp_ID_7808ea6c	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File created	C:\Users\Admin\Pictures\SuspendSkip.png.hydracrypttmp_ID_7808ea6c	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File created	C:\Users\Admin\Pictures\SuspendSkip.png.hydracrypt_ID_7808ea6c	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File created	C:\Users\Admin\Pictures\InitializeUnregister.raw.hydracrypttmp_ID_7808ea6c	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File created	C:\Users\Admin\Pictures\JoinMove.raw.hydracrypttmp_ID_7808ea6c	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File created	C:\Users\Admin\Pictures\ProtectUnregister.raw.hydracrypttmp_ID_7808ea6c	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File created	C:\Users\Admin\Pictures\InitializeUnregister.raw.hydracrypt_ID_7808ea6c	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File created	C:\Users\Admin\Pictures\JoinMove.raw.hydracrypt_ID_7808ea6c	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File created	C:\Users\Admin\Pictures\PushUse.crw.hydracrypt_ID_7808ea6c	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

Drops startup file 3 IoCs

Processes:

2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypt_ID_7808ea6c	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypttmp_ID_7808ea6c	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Internet Explorer Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe\""	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeSettingsStart3264 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeSetings3264\\nonoxifa.exe\""	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Public\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

description	ioc	process
File opened (read-only)	\??\Z:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\S:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\I:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\W:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\O:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\J:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\H:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\E:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\B:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\Y:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\P:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\L:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\K:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\R:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\Q:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\N:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\M:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\X:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\V:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\U:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\T:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\G:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\F:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
File opened (read-only)	\??\A:	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

description	pid	process	target process
PID 3532 set thread context of 3628	3532	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

736 3628 WerFault.exe 2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

pid process

3532 2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
3532 2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

pid	pid_target	process	target process
736	3628	WerFault.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

pid	process
3532	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
3532	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3296	WMIC.exe
Token: SeSecurityPrivilege	3296	WMIC.exe
Token: SeTakeOwnershipPrivilege	3296	WMIC.exe
Token: SeLoadDriverPrivilege	3296	WMIC.exe
Token: SeSystemProfilePrivilege	3296	WMIC.exe
Token: SeSystemtimePrivilege	3296	WMIC.exe
Token: SeProfSingleProcessPrivilege	3296	WMIC.exe
Token: SeIncBasePriorityPrivilege	3296	WMIC.exe
Token: SeCreatePagefilePrivilege	3296	WMIC.exe
Token: SeBackupPrivilege	3296	WMIC.exe
Token: SeRestorePrivilege	3296	WMIC.exe
Token: SeShutdownPrivilege	3296	WMIC.exe
Token: SeDebugPrivilege	3296	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3296	WMIC.exe
Token: SeRemoteShutdownPrivilege	3296	WMIC.exe
Token: SeUndockPrivilege	3296	WMIC.exe
Token: SeManageVolumePrivilege	3296	WMIC.exe
Token: 33	3296	WMIC.exe
Token: 34	3296	WMIC.exe
Token: 35	3296	WMIC.exe
Token: 36	3296	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3296	WMIC.exe
Token: SeSecurityPrivilege	3296	WMIC.exe
Token: SeTakeOwnershipPrivilege	3296	WMIC.exe
Token: SeLoadDriverPrivilege	3296	WMIC.exe
Token: SeSystemProfilePrivilege	3296	WMIC.exe
Token: SeSystemtimePrivilege	3296	WMIC.exe
Token: SeProfSingleProcessPrivilege	3296	WMIC.exe
Token: SeIncBasePriorityPrivilege	3296	WMIC.exe
Token: SeCreatePagefilePrivilege	3296	WMIC.exe
Token: SeBackupPrivilege	3296	WMIC.exe
Token: SeRestorePrivilege	3296	WMIC.exe
Token: SeShutdownPrivilege	3296	WMIC.exe
Token: SeDebugPrivilege	3296	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3296	WMIC.exe
Token: SeRemoteShutdownPrivilege	3296	WMIC.exe
Token: SeUndockPrivilege	3296	WMIC.exe
Token: SeManageVolumePrivilege	3296	WMIC.exe
Token: 33	3296	WMIC.exe
Token: 34	3296	WMIC.exe
Token: 35	3296	WMIC.exe
Token: 36	3296	WMIC.exe
Token: SeBackupPrivilege	3872	vssvc.exe
Token: SeRestorePrivilege	3872	vssvc.exe
Token: SeAuditPrivilege	3872	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

pid process

3532 2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
3532 2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

pid	process
3532	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
3532	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.execmd.exenet.exe

description	pid	process	target process
PID 3532 wrote to memory of 3628	3532	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3532 wrote to memory of 3628	3532	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3532 wrote to memory of 3628	3532	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3532 wrote to memory of 3628	3532	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3532 wrote to memory of 3628	3532	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3532 wrote to memory of 3628	3532	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3532 wrote to memory of 3628	3532	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3532 wrote to memory of 3628	3532	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3532 wrote to memory of 3628	3532	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3532 wrote to memory of 3628	3532	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3532 wrote to memory of 3628	3532	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3532 wrote to memory of 3628	3532	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3532 wrote to memory of 3628	3532	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3628 wrote to memory of 3720	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 3720	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 3720	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 4260	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 4260	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 4260	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 3156	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 3156	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 3156	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 3164	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 3164	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 3164	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 4384	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 4384	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 4384	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3720 wrote to memory of 220	3720	cmd.exe	net.exe
PID 3720 wrote to memory of 220	3720	cmd.exe	net.exe
PID 3720 wrote to memory of 220	3720	cmd.exe	net.exe
PID 3628 wrote to memory of 232	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 232	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 232	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 4660	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 4660	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 4660	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 1444	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 1444	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 1444	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 220 wrote to memory of 3580	220	net.exe	net1.exe
PID 220 wrote to memory of 3580	220	net.exe	net1.exe
PID 220 wrote to memory of 3580	220	net.exe	net1.exe
PID 3628 wrote to memory of 4716	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 4716	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 4716	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 4024	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 4024	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 4024	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 1292	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 1292	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 1292	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 3504	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 3504	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 3504	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 4904	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 4904	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 4904	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 3064	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 3064	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 3064	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 4712	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 4712	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe
PID 3628 wrote to memory of 4712	3628	2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
"C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
  C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
  2⤵
  - Modifies extensions of user files
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C net stop vss
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3720
  - - C:\Windows\SysWOW64\net.exe
      net stop vss
      4⤵
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop vss
        5⤵
        
        PID:3580
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /All
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:3156
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3296
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All
    3⤵
    PID:3164
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All
    3⤵
    PID:232
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All
    3⤵
    PID:4660
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All
    3⤵
    PID:3504
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All
    3⤵
    PID:4904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All
    3⤵
    PID:4712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All
    3⤵
    PID:3844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All
    3⤵
    PID:3824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All
    3⤵
    PID:3360
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All
    3⤵
    PID:4528
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All
    3⤵
    PID:3600
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All
    3⤵
    PID:528
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All
    3⤵
    PID:4132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 2012
    3⤵
    - Program crash
    PID:736

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3628 -ip 3628
1⤵
PID:5104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.hydracrypttmp_ID_7808ea6c

Filesize
126KB

MD5
5c5ea03083c4dedc679ef1456053885c

SHA1
8604fd858560f3b57eb01b6c69daafd7ac5fd990

SHA256
6d837dd9bee7ca42810d70f108dbf110cd6bc1401e5b09c793a37e28376426a5

SHA512
9ed634fd563511de3191d0dbb1b0faccde86d6f451da7a4817954c2e0767ed5526085c5d19f8ba5ed5d026c486c82906bf6d13e357e75746db68cbf7689212a3

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.hydracrypttmp_ID_7808ea6c

Filesize
28KB

MD5
97c01955e826f4f5bfe4638cd5d6eac0

SHA1
e9a988e5a48bf9f6290083f119bebc15bf2d2fac

SHA256
8c230ac16ac6d99fbeecaa122770fefde991f6cd7d0ec87eb857e95916983126

SHA512
05f93f259e83c755321afa0b825ed733bdecf82af3f84522630ba5532cec06a57b63a169c8a1b0e7be4ac043d015a911e02927efa52b02c3b46439f8d7975ed8

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml.hydracrypttmp_ID_7808ea6c

Filesize
1KB

MD5
91f0a24ee564a44d9ff06eba36e77d34

SHA1
7cb1cd4eb9e46c3c2f5af5ed49e2fcf44bb3675d

SHA256
6b2cd1c35b29d0afa2a21d559c41c6fb1df2b98f97a506a16f7ff5284ffb8224

SHA512
fc03d6b7caf59353b630aca3f20b20283ccfbd9013b04706dd6febe698c54195c95fcef7917b14eda727b87aedec7875c8a0a6f1495842610a25f79908ef69cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini.hydracrypttmp_ID_7808ea6c

Filesize
174B

MD5
0b14c400d1bbc1c337a4b2920f89292e

SHA1
f6584b5f38de0d6a082926042ace1f00c412ce88

SHA256
049ff2419b0a0ca6c977ad01bff762ecbbe6238ba44225ded17f2b27bcb61857

SHA512
bb0c0d7bb86d826b4861c51bb95461134defd1d94c947e9c31d91b64f3635d05129eb6745e54c6a779336e3bf757e9fab059d1f4de6d11d21a3edbececfd1edf

Download Submit
C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat.hydracrypttmp_ID_7808ea6c

Filesize
8KB

MD5
6b9a2d3443e818cd81dc08408fa981ee

SHA1
c2e9c1a9997bde631041ae4abd330ae32e7f1e8e

SHA256
0826c770b64ed650532a8048ad26cadb8420bd4c3725d6259a14197591051167

SHA512
300af4c8c207001f575a18a4433283443a6f8e58cfb07436fa715fb1eef3e241398511800420f7a8abe880d824159d889a70dafc7d5f2590405ba7531ef8c9c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.hydracrypt_ID_7808ea6c

Filesize
8KB

MD5
1debcab0ccdd268b8d3c4a00b293946b

SHA1
a3fec52e7855cc02fc9e586e4f26c0c9f71a4cb6

SHA256
281f69f65e899a30f95dfcdcb4b1b73e2fc96d3945f2fd03328f538089e8936b

SHA512
38ddbac6ffef172a6d163ebf450411ca275dd10bb78e0a502cc463335aa206267974303e4c175a8e93834bc481a7a2e88f4b49bb9d7ba20f7647539dd96bca2b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{cd96e0a4-ba8e-4699-994e-68268453df33}\0.1.filtertrie.intermediate.txt.hydracrypttmp_ID_7808ea6c

Filesize
5B

MD5
54ff6e5f5d6a9e95a7513181de1c01cd

SHA1
f8ef905b6e3960c091624b70f0e5f8e6e589452c

SHA256
585b116123e84d2ec5527b719108fe5131f971afc15cf28f11214637a3e37f62

SHA512
e33363a61d3a29e94f9c0be7be03c0438ff9009d5868b3733ab791a418b6a916ed0ddfcce2940ecb91a79a367258d07e27646b356f15f78722f631f8bed21f85

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{cd96e0a4-ba8e-4699-994e-68268453df33}\0.2.filtertrie.intermediate.txt.hydracrypttmp_ID_7808ea6c

Filesize
5B

MD5
144fabca850bc48cfd6efad2dc6ecc72

SHA1
4e3808dcc18d073866d9291f0a9ace3d83479fc7

SHA256
bcd3d0065c2e4196502dce26032e21472ec6332d9d079addea4efa5c14710e82

SHA512
929ddbd057da439f22c8071b2ae71cf6bc533947ed8b46cc161dbe064f864d6f93407d7334c80682a193f0747aaed42fbaa11673b8c615d620184130838c6dd6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{506550ab-e951-47fb-95b2-997bfb0b6514}\0.1.filtertrie.intermediate.txt.hydracrypt_ID_7808ea6c

Filesize
269B

MD5
3129c9ca8c418e22b6e276ba4e4b0708

SHA1
997d136ecd4aa69288cc3ce6c62c5b05476af867

SHA256
12d1e2d284be53ff290d3c480c8f9c0e8ac772d4d352cf383b64d92edb1a7660

SHA512
9c9af5d8ceac80599ce7ac4f00935b8262fe884ceb52b765f22f47b0a2b57ed949b70a039f614d4424fbf6758f422e450b1bbe050c2b42434257dbb25d1dd46f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{506550ab-e951-47fb-95b2-997bfb0b6514}\0.2.filtertrie.intermediate.txt.hydracrypt_ID_7808ea6c

Filesize
269B

MD5
6049a8d22070111df6737f0ebd612c3d

SHA1
f0ffe70d31c52e09c93cbda46aa2fbc2c06230c9

SHA256
def9d8ac5451be3f61557a3aaaed92410f21f4efce0beb90713e6a98227e1783

SHA512
cf6a9c89b4e8e8f9af9b5348a07407bb0a10b1842d7f3fd3a6eca02b6669bd5a8efa05026283ac992f752bbd0ae0b03eae85dfbe2c200d294cc8815dbc683de6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133213926208578348.txt.hydracrypttmp_ID_7808ea6c

Filesize
63KB

MD5
f63a874ca114a51f4d73be26a691c467

SHA1
8cbf0149a185eb3a12e6d0ca915a942794c1a296

SHA256
e8213c184d6ee6904fd898012d559faab916c7d16a2cf94e1e1b4a4deaf7a576

SHA512
e7869543d27ab3b852989f989f359b27c596cc53c097626be89eaaf0294e53b2c3f6b7c34a467a28a617d9682ae5553871640cc6bf75e5d762e7bbaac5ff61b3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133213934756508290.txt.hydracrypttmp_ID_7808ea6c

Filesize
64KB

MD5
9f5cdcec0825dc592f993b6125f59c36

SHA1
6e51e5e23308d26359ee4d17a0bb50842ba1adf8

SHA256
bc4ee70f7cff825265a92c70c031caf160d53a16d2d1b0e43123af05ae1a98c7

SHA512
20133af027fc658c3ab8864cb98efd6221efac70129e2b86d7423d8c03f631595c655778578aff8b4a4d8fd4b1d4fbb09a04b6f7ecf7a6115c06766de0bdead7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133213938700221555.txt.hydracrypttmp_ID_7808ea6c

Filesize
75KB

MD5
4b6d17242d16188a4e898073250dcaa7

SHA1
5f5d5b496eafdec9ab5839f15c76cacdb94329ba

SHA256
b24d8af79819f343723ce02b5a4ac531f7335cb79f944c819baaeabc0acf6f67

SHA512
3d3563e198f4db8a89f0b19220412ed4c38b2729e18ce1e2d37e192a097114933748a764e101a5a34a7f29684ca15b64ff9361e572cbff41ca5b6cceb0724ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20230220_185643140.html.hydracrypttmp_ID_7808ea6c

Filesize
94KB

MD5
01b26c26888c8d8612137fa0b2d282fa

SHA1
062381a60d7e9d72458e265031908d2a68b45ec1

SHA256
4389d4ea520faf5be12645a02d792bb1735e211b9d4675f5a95280f6d3874f3f

SHA512
f0cbd6bb027b2d36edb331bbb523c592b5ee5814e36337ca17bc94920507548acb91600b89d9cd14ebb3b3b62e9edfea0dc1b5ceec222e3a36db765ccdb16d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctC8C0.tmp.hydracrypttmp_ID_7808ea6c

Filesize
63KB

MD5
f2b5ed9e71a59a8b733c57f2c5f12b83

SHA1
7047d1d5d62a731d75e4ba7c0d0a1353eee9e5c9

SHA256
a2473138775ac1c6554cacb3559c993321e9f677e857097ede91785cb2f01df2

SHA512
f8f55a9631a49abccb413483b7c92f3a99deb1d63477ead9fc0041b46315402402ec197bf7458964de524948b55c89586d27f853c3e2c13e84e23a4f883a4ce7

Download Submit
C:\Users\Admin\AppData\Roaming\1$FUWW$FFHEX.dat

Filesize
1KB

MD5
e4e3245a569450ce2909082c27958bf3

SHA1
448510c2e88694a828dbeacb9e527058df96a668

SHA256
2f5d7d840eb01ccb1b7c7c2a5155e6d605de461886bb36e12f32274fac66c998

SHA512
c1ea65f47fc7027c13121c4c73b481b6c69be77cea2f6f00ad5c20839b142d3ad137d1bdb0a35a6d187281ad73d0f8a80388692ba13dc65f816589fa199049b1

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini.hydracrypttmp_ID_7808ea6c

Filesize
170B

MD5
96f0565b9b499f4a60b33d58dda1942e

SHA1
15ef331f4c1db79575bff93603291612773f70d1

SHA256
9647f7fdc4828f43074609e392840743c09adb594e582d7e084656b927878ae7

SHA512
ac5b2140669f1d551d46247c3690f2b252e79197015baf00fbc5c9898e61fa037ebdaddb7738e2f631083035450695a91e8f3337b850c729aa6ba2c66a241692

Download Submit
C:\Users\Public\Videos\README_DECRYPT_HYDRA_ID_7808ea6c.txt

Filesize
915B

MD5
0cb4d4030b991787e682a2e85456ef18

SHA1
abd94ffeb9014956d8d54e96d3142afefc5a564c

SHA256
ab697fa5729b0020eb3a6bb1041b3a46ce9cda3d8480f2dd5bcbaecffdfcae20

SHA512
67d02e50bc2256d13d85b595616859e5e01998c4e2308847a3dd9012b3c3216c38ffb3fc954c0e34a28bc0680e91b274e2e863534efc47b2b111b0fb5a769f1c

Download Submit
C:\Users\Public\Videos\README_DECRYPT_HYDRA_ID_7808ea6c.txt

Filesize
915B

MD5
0cb4d4030b991787e682a2e85456ef18

SHA1
abd94ffeb9014956d8d54e96d3142afefc5a564c

SHA256
ab697fa5729b0020eb3a6bb1041b3a46ce9cda3d8480f2dd5bcbaecffdfcae20

SHA512
67d02e50bc2256d13d85b595616859e5e01998c4e2308847a3dd9012b3c3216c38ffb3fc954c0e34a28bc0680e91b274e2e863534efc47b2b111b0fb5a769f1c

Download Submit
memory/3532-134-0x0000000002330000-0x0000000002335000-memory.dmp

Filesize
20KB

Download
memory/3628-137-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/3628-3643-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3628-1776-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3628-4214-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3628-133-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/3628-136-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/3628-1099-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3628-418-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/3628-4937-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3628-415-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3628-2767-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3628-5017-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/3628-5020-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download