Malware Analysis Report

2025-01-18 20:57

Sample ID 230309-zlerksac34
Target 2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
SHA256 afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e
Tags
hydracrypt persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e

Threat Level: Known bad

The file 2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe was found to be: Known bad.

Malicious Activity Summary

hydracrypt persistence ransomware spyware stealer

HydraCrypt

Deletes shadow copies

Modifies extensions of user files

Drops startup file

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Enumerates connected drives

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious use of SetWindowsHookEx

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-09 20:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-09 20:48

Reported

2023-03-09 20:50

Platform

win7-20230220-en

Max time kernel

141s

Max time network

67s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe"

Signatures

HydraCrypt

ransomware hydracrypt

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware

Process (all rows): C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
Target (all rows): N/A

Description | Indicator
File created | C:\Users\Admin\Pictures\DisconnectSkip.crw.hydracrypt_ID_869a271f
File opened for modification | C:\Users\Admin\Pictures\ResolveApprove.tiff
File created | C:\Users\Admin\Pictures\ResolveApprove.tiff.hydracrypttmp_ID_869a271f
File created | C:\Users\Admin\Pictures\ResolveApprove.tiff.hydracrypt_ID_869a271f
File created | C:\Users\Admin\Pictures\ResolveUnblock.crw.hydracrypttmp_ID_869a271f
File created | C:\Users\Admin\Pictures\ResolveUnblock.crw.hydracrypt_ID_869a271f
File created | C:\Users\Admin\Pictures\DisconnectSkip.crw.hydracrypttmp_ID_869a271f

Each target file appears twice: once with a .hydracrypttmp_ID_<id> suffix (going by the name, the working copy written while the file is being encrypted) and once with the final .hydracrypt_ID_<id> suffix. The ID 869a271f is the same on every file in this run, so it is a per-victim identifier rather than a per-file one.
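Worked example, added here and not part of the sandbox report: a parser for the naming scheme in the table above. It splits an encrypted path back into the original file name, the victim ID and the tmp/final stage, then reduces a list of file events to per-file stages so that files left only in the tmp stage (encryption interrupted mid-way) stand out. The suffix grammar generalizes the rows above to a hex ID of any length, which is an assumption; the sample events are the rows above plus one constructed tmp-only entry (Report.docx).

```python
import ntpath
import re
from typing import Optional

# Naming scheme taken from the report: <original>.hydracrypttmp_ID_<id> while a
# file is being processed, <original>.hydracrypt_ID_<id> when finished. The ID is
# assumed to be hex of any length (the report shows eight hex digits).
_SUFFIX_RE = re.compile(
    r"^(?P<orig>.+)\.hydracrypt(?P<tmp>tmp)?_ID_(?P<vid>[0-9a-fA-F]+)$"
)


def parse_hydracrypt_path(path: str) -> Optional[dict]:
    """Split an encrypted-file path into original path, victim ID and stage.

    Returns None for paths that do not carry a HydraCrypt suffix.
    """
    directory, name = ntpath.split(path)  # ntpath handles backslash paths on any OS
    m = _SUFFIX_RE.match(name)
    if m is None:
        return None
    return {
        "original": ntpath.join(directory, m.group("orig")),
        "victim_id": m.group("vid").lower(),
        "stage": "tmp" if m.group("tmp") else "final",
    }


def summarize_file_events(events):
    """Reduce (action, path) file events to (victim IDs, {original: set of stages}).

    Only 'File created' rows are counted; opens of the plaintext file are ignored.
    """
    victims = set()
    stages = {}
    for action, path in events:
        if action != "File created":
            continue
        parsed = parse_hydracrypt_path(path)
        if parsed is None:
            continue
        victims.add(parsed["victim_id"])
        stages.setdefault(parsed["original"], set()).add(parsed["stage"])
    return victims, stages


def incomplete_files(stages):
    """Originals that only ever reached the tmp stage: encryption was interrupted."""
    return sorted(orig for orig, seen in stages.items() if "final" not in seen)


# Rows from the report's table, plus one constructed tmp-only entry (Report.docx).
SAMPLE_EVENTS = [
    ("File created", r"C:\Users\Admin\Pictures\DisconnectSkip.crw.hydracrypt_ID_869a271f"),
    ("File opened for modification", r"C:\Users\Admin\Pictures\ResolveApprove.tiff"),
    ("File created", r"C:\Users\Admin\Pictures\ResolveApprove.tiff.hydracrypttmp_ID_869a271f"),
    ("File created", r"C:\Users\Admin\Pictures\ResolveApprove.tiff.hydracrypt_ID_869a271f"),
    ("File created", r"C:\Users\Admin\Pictures\ResolveUnblock.crw.hydracrypttmp_ID_869a271f"),
    ("File created", r"C:\Users\Admin\Pictures\ResolveUnblock.crw.hydracrypt_ID_869a271f"),
    ("File created", r"C:\Users\Admin\Pictures\DisconnectSkip.crw.hydracrypttmp_ID_869a271f"),
    ("File created", r"C:\Users\Admin\Documents\Report.docx.hydracrypttmp_ID_869a271f"),  # constructed
]

if __name__ == "__main__":
    victims, stages = summarize_file_events(SAMPLE_EVENTS)
    print("victim IDs:", victims)
    for original, seen in stages.items():
        print(f"{original}: {sorted(seen)}")
    print("interrupted:", incomplete_files(stages))
```

Run over a full file-event export from the sandbox (or an MFT listing from an infected host) this gives the list of originals to recover from backup and confirms that a single victim ID was used, which matters if a decryptor keyed on that ID ever becomes available.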

Drops startup file

Process (all rows): C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
Target (all rows): N/A

Description | Indicator
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypttmp_ID_869a271f
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypt_ID_869a271f

These rows show the encryptor reaching the Startup folder and encrypting its desktop.ini like any other file, not a new autostart file being dropped; the signature fires on any file creation in that folder. The real autostart entries are the Run values below.

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Process (all rows): C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
Target (all rows): N/A

Description | Indicator
Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run
Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Internet Explorer Update = "C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe"
Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeSettingsStart3264 = "C:\Users\Admin\AppData\Roaming\ChromeSetings3264\losihizi.exe"

The value data is shown unescaped; both are quoted executable paths. Both value names imitate vendor components (an Internet Explorer updater, a Chrome settings helper): the first points back at the sample in the user's Temp folder, the second at C:\Users\Admin\AppData\Roaming\ChromeSetings3264\losihizi.exe (spelling as logged). Both live under the user's own hive (HKCU), so they needed no elevation to write and fire at that user's next logon.
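Worked example, added here and not part of the sandbox report: a triage pass over Run values of the kind shown above. It flags a value when its target lives in a user-writable profile directory, or when the value name borrows vendor words (Microsoft, Chrome, Update, ...) while the target sits outside Program Files or the Windows directory. The two entries from this report are used as input together with one constructed benign entry; the directory and word lists are the author's choices, not something the report defines.

```python
import ntpath

# Profile locations a standard user can write to. A Run value whose target lives
# here deserves a look on its own, whatever it is called.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\appdata\\local\\",
    "\\users\\public\\",
)
# Words borrowed to make an autostart entry look like vendor software (the two
# names in this report mimic an Internet Explorer updater and a Chrome helper).
VENDOR_WORDS = ("microsoft", "windows", "internet explorer", "chrome", "google", "update")
# Where genuinely vendor-installed autostart targets normally live.
VENDOR_PATHS = ("c:\\program files", "c:\\windows\\")


def extract_exe(command: str) -> str:
    """Executable part of a Run value: the quoted path if quoted, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0] if command else ""


def triage_run_value(name: str, command: str) -> list:
    """Reasons this Run value deserves analyst attention; empty list means nothing flagged."""
    exe = extract_exe(command)
    low = exe.lower()
    reasons = []
    if any(seg in low for seg in USER_WRITABLE):
        reasons.append("target is in a user-writable profile directory: " + exe)
    if any(w in name.lower() for w in VENDOR_WORDS) and not low.startswith(VENDOR_PATHS):
        reasons.append("vendor-style value name, but target is outside Program Files / Windows: "
                       + ntpath.basename(exe))
    return reasons


def triage_run_key(entries) -> dict:
    """entries: iterable of (value_name, value_data). Returns {name: reasons} for flagged values."""
    flagged = {}
    for name, data in entries:
        reasons = triage_run_value(name, data)
        if reasons:
            flagged[name] = reasons
    return flagged


# The two values from this report (unescaped), plus one constructed benign entry.
SAMPLE_RUN_VALUES = [
    ("Microsoft Internet Explorer Update",
     r'"C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe"'),
    ("ChromeSettingsStart3264",
     r'"C:\Users\Admin\AppData\Roaming\ChromeSetings3264\losihizi.exe"'),
    ("Windows Defender",  # constructed: vendor-style name that really points into Program Files
     r'"C:\Program Files\Windows Defender\MSASCuiL.exe"'),
]

if __name__ == "__main__":
    for name, reasons in triage_run_key(SAMPLE_RUN_VALUES).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

The same two checks carry over to HKLM Run, RunOnce and the Startup folder; the vendor-word test is deliberately loose and is meant to rank entries for a human, not to block them on its own.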

Drops desktop.ini file(s)

Description (all rows): File opened for modification
Process (all rows): C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
Target (all rows): N/A

Indicators (in the order logged):
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Public\Recorded TV\Sample Media\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\4EJGXEBJ\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Users\Public\Pictures\Sample Pictures\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\BZB8KC7X\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Admin\Favorites\Links for United States\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\A6DSJQQJ\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Public\Recorded TV\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\Users\Public\Music\Sample Music\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Public\Videos\Sample Videos\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VCT3UJZ1\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini

These are the folder-view desktop.ini files that exist in every profile, Public and Start Menu directory. The sample opens each one for modification as it walks the directory tree; the Startup-folder rows above show what happens next (the file is encrypted like any other), so this signature is a side effect of the walk rather than a separate technique. The walk covers the Admin, Default and Public profiles, ProgramData and the user's Recycle Bin.

Enumerates connected drives

Description (all rows): File opened (read-only)
Process (all rows): C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
Target (all rows): N/A

Indicators (drive roots probed, in the order logged):
\??\F:, \??\E:, \??\T:, \??\Q:, \??\N:, \??\I:, \??\L:, \??\K:, \??\J:, \??\H:, \??\Z:, \??\X:, \??\V:, \??\P:, \??\G:, \??\W:, \??\U:, \??\A:, \??\M:, \??\B:, \??\Y:, \??\S:, \??\R:, \??\O:

Twenty-four drive letters, every one except C: and D:, are opened read-only: the sample is probing for further fixed, removable or mapped volumes to encrypt. The per-drive vssadmin Delete Shadows /For=Z:, /For=Y:, /For=X: invocations listed under Processes target the same letters.

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Process: C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe (no indicator or target recorded)

Suspicious use of AdjustPrivilegeToken

The Indicator and Target columns were N/A on every row, so the table is condensed to the privileges each process enabled, in the order logged:

C:\Windows\SysWOW64\Wbem\WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35

C:\Windows\system32\vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege

C:\Windows\SysWOW64\Wbem\WMIC.exe: the same twenty entries again (the sequence is logged a second time after the vssvc.exe rows)

The bare numbers are privilege LUIDs the sandbox did not resolve to names: 33 is SeIncreaseWorkingSetPrivilege, 34 is SeTimeZonePrivilege and 35 is SeCreateSymbolicLinkPrivilege. WMIC enables this broad set in its own token at startup whatever query it is given, so the WMIC rows are a side effect of the wmic shadowcopy delete call rather than privilege manipulation by the sample itself. The vssvc.exe rows are the Volume Shadow Copy service enabling backup/restore privileges while it handles the deletion requests.

Suspicious use of WriteProcessMemory

The Indicator column was N/A on every row. HydraCrypt.bin.exe below stands for C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe; identical rows are collapsed into a count.

Writer (PID) | Target (PID) | Writes logged
HydraCrypt.bin.exe (1260) | HydraCrypt.bin.exe (1712) | 15
HydraCrypt.bin.exe (1712) | C:\Windows\system32\conhost.exe (772) | 4
HydraCrypt.bin.exe (1712) | C:\Windows\SysWOW64\cmd.exe (676) | 4
C:\Windows\system32\conhost.exe (772) | C:\Windows\SysWOW64\net.exe (868) | 4
HydraCrypt.bin.exe (1712) | C:\Windows\SysWOW64\cmd.exe (1112) | 4
HydraCrypt.bin.exe (1712) | C:\Windows\SysWOW64\cmd.exe (1772) | 4
HydraCrypt.bin.exe (1712) | C:\Windows\SysWOW64\cmd.exe (1884) | 4
C:\Windows\SysWOW64\net.exe (868) | C:\Windows\system32\conhost.exe (1216) | 4
C:\Windows\SysWOW64\cmd.exe (1772) | C:\Windows\SysWOW64\vssadmin.exe (848) | 4
C:\Windows\SysWOW64\cmd.exe (676) | C:\Windows\SysWOW64\vssadmin.exe (1524) | 4
HydraCrypt.bin.exe (1712) | C:\Windows\SysWOW64\cmd.exe (1008) | 4
HydraCrypt.bin.exe (1712) | C:\Windows\SysWOW64\cmd.exe (952) | 4
C:\Windows\SysWOW64\cmd.exe (1884) | C:\Windows\SysWOW64\vssadmin.exe (296) | 4
C:\Windows\SysWOW64\cmd.exe (1112) | C:\Windows\SysWOW64\Wbem\WMIC.exe (808) | 1

The table stops at exactly 64 rows, which looks like a display cap rather than the end of the activity; the last pair shows only one of its writes. The four writes from each parent into a freshly created child are the parent populating the child's process parameters during CreateProcess and are the normal pattern in these reports. The 15 writes from PID 1260 into a second instance of its own image (PID 1712), read together with the Suspicious use of SetThreadContext signature in the summary, are the pattern of the first instance starting a copy of itself, writing the real payload into it and resuming it. Everything that follows (the cmd.exe children and their vssadmin, net and WMIC grandchildren) is spawned by PID 1712, the injected instance.

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

"C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe"

C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop vss

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /All

C:\Windows\SysWOW64\net.exe

net stop vss

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /All

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop vss

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=Z: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=Y: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=W: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=U: /All

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=V: /All

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=X: /All

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=S: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=P: /All

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-8506824032135155593630421923-469705759-6137301091508827591212962404682656589"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-9475992671378339094-5832242751180845862-213370082747187124918212332495356582"

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=Q: /All

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=R: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=O: /All

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=T: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=N: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=L: /All

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=M: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=K: /All

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=J: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=I: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=H: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=G: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=F: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=C: /All

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=E: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=D: /All

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=A: /All

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /For=B: /All

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 7972

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
NL 142.250.179.142:80 google.com tcp
US 8.8.8.8:53 drivers-softprotect.eu udp
NL 142.250.179.142:80 google.com tcp
US 8.8.8.8:53 drivers-softprotect.eu udp

Files

memory/1712-54-0x0000000000300000-0x0000000000400000-memory.dmp

memory/1712-55-0x0000000000400000-0x0000000000978000-memory.dmp

memory/1712-56-0x0000000000400000-0x0000000000978000-memory.dmp

memory/1712-57-0x0000000000400000-0x0000000000978000-memory.dmp

memory/1712-58-0x0000000000400000-0x0000000000978000-memory.dmp

memory/1712-59-0x0000000000400000-0x0000000000978000-memory.dmp

memory/1712-60-0x0000000000400000-0x0000000000978000-memory.dmp

memory/1260-61-0x00000000003E0000-0x00000000003E5000-memory.dmp

memory/1712-62-0x0000000000400000-0x0000000000978000-memory.dmp

memory/1712-63-0x0000000000400000-0x0000000000978000-memory.dmp

memory/1712-64-0x0000000000400000-0x0000000000978000-memory.dmp

memory/1712-66-0x0000000000400000-0x0000000000978000-memory.dmp

memory/1712-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1712-68-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1712-69-0x0000000000400000-0x0000000000978000-memory.dmp

memory/1712-70-0x0000000000400000-0x0000000000978000-memory.dmp

C:\Users\Admin\AppData\Roaming\1$FUWW$FFHEX.dat

MD5 029c1ba05a0e18977bd30d7b620e762b
SHA1 a146f64b018f715a8b3572c26a0bbb6481f981d4
SHA256 219073cd0fe343361ac0ece187171c50ad2cf9b8c814bb21e2f3be6c09a32ce5
SHA512 653de12fab42742dc471c5e66738c585f1d035dc134e9d51b6670a9206f3ee0ce2d51d6765ec1b55e5baef7921c4c1beceea09fb8b7305b3f6a5371d83f73831

memory/1712-260-0x0000000000400000-0x0000000000978000-memory.dmp

memory/1712-320-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1712-680-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\A6DSJQQJ\desktop.ini.hydracrypttmp_ID_869a271f

MD5 b4c2311fb5b666691d7109f5a7db2908
SHA1 f4ce151c375ce4a822fe1a01c7b67e102a29f3ec
SHA256 0847951242c7c44af41bd974264a5ff7d05f8f86eec606e9aa7019460bf321cd
SHA512 e59dc17d8436908c968935197e583d0616870953534d9f62ae9caf043da092f9ed175df38d86979f9f1a105e6520b2814978d47e553043d5d76a29984b338152

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VCT3UJZ1\desktop.ini.hydracrypt_ID_869a271f

MD5 791eacbdd2a9cbb9ac3c55c3e5f6aff7
SHA1 90096e9836c45a83bc2efd0a71c1720006ecd006
SHA256 ac8bcbef665f421aa8d4a2b1b2ad9cdc6e5d91ae29926d4e036354a0390e1675
SHA512 60981e15d62e35053bfedc25553c33024b5c09d620acba9b3729fc6500c755ff3fd42dd39678c94f2432c538c0f2878bfeded41342fe924621af0a9319d60759

memory/1712-1292-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20230220_185731908.html.hydracrypttmp_ID_869a271f

MD5 666355e96e7540a6f8f607c7767f89e2
SHA1 fe4c5a4e4ac89797834e444c2f4a86c4351bc4f9
SHA256 a7503edaed07bb5ce9fd1094f2fb268501d1c58ccfbe160369e59186c67c4e67
SHA512 f08f46d66a6231c19875bfd43ba509b90e50aea6fb757a7ba5562b4eaa3ee1d021390fe82268afb685fa8076db5f7d24aa0b0b19c554107aae498a0b184ec908

memory/1712-1865-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1712-2292-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Users\Public\Videos\README_DECRYPT_HYDRA_ID_869a271f.txt

MD5 ec8a491fe3884746490f92171b930633
SHA1 16776e53d50c90d5eeaa29185d8e3a9c7b631365
SHA256 a94f02ee3488e12330293fd597a4cc8ca4602f3f3ee40b8d3c8240c8d90e97ca
SHA512 e017290c8a90da94f38e7651305f12e93f4e13d87630a8cd7fd9342e513892707ecaa2f28ca6a4a608752184cb91acce146e02ba97734ca3f4833868131e3577

memory/1712-2396-0x0000000000400000-0x000000000040E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-09 20:48

Reported

2023-03-09 20:50

Platform

win10v2004-20230220-en

Max time kernel

135s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe"

Signatures

HydraCrypt

ransomware hydracrypt

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File created C:\Users\Admin\Pictures\ProtectUnregister.raw.hydracrypt_ID_7808ea6c C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File created C:\Users\Admin\Pictures\PushUse.crw.hydracrypttmp_ID_7808ea6c C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File created C:\Users\Admin\Pictures\SuspendSkip.png.hydracrypttmp_ID_7808ea6c C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File created C:\Users\Admin\Pictures\SuspendSkip.png.hydracrypt_ID_7808ea6c C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File created C:\Users\Admin\Pictures\InitializeUnregister.raw.hydracrypttmp_ID_7808ea6c C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File created C:\Users\Admin\Pictures\JoinMove.raw.hydracrypttmp_ID_7808ea6c C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File created C:\Users\Admin\Pictures\ProtectUnregister.raw.hydracrypttmp_ID_7808ea6c C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File created C:\Users\Admin\Pictures\InitializeUnregister.raw.hydracrypt_ID_7808ea6c C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File created C:\Users\Admin\Pictures\JoinMove.raw.hydracrypt_ID_7808ea6c C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File created C:\Users\Admin\Pictures\PushUse.crw.hydracrypt_ID_7808ea6c C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypt_ID_7808ea6c C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypttmp_ID_7808ea6c C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Internet Explorer Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe\"" C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeSettingsStart3264 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeSetings3264\\nonoxifa.exe\"" C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3532 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3532 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3532 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3532 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3532 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3532 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3532 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3532 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3532 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3532 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3532 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3532 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3532 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
PID 3628 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3720 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3720 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3720 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3628 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 220 wrote to memory of 3580 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 220 wrote to memory of 3580 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 220 wrote to memory of 3580 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3628 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe C:\Windows\SysWOW64\cmd.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

"C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe"

C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop vss

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All

C:\Windows\SysWOW64\net.exe

net stop vss

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop vss

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3628 -ip 3628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 2012

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
NL 142.250.179.142:80 google.com tcp
US 8.8.8.8:53 142.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 drivers-softprotect.eu udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 52.152.110.14:443 tcp
NL 13.69.109.131:443 tcp
US 13.107.4.50:80 tcp
NL 173.223.113.164:443 tcp
US 52.152.110.14:443 tcp
US 13.107.4.50:80 tcp
US 13.107.4.50:80 tcp
US 52.152.110.14:443 tcp
US 93.184.220.29:80 tcp
NL 142.250.179.142:80 google.com tcp
US 8.8.8.8:53 drivers-softprotect.eu udp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp

Files

memory/3628-133-0x0000000000400000-0x0000000000978000-memory.dmp

memory/3532-134-0x0000000002330000-0x0000000002335000-memory.dmp

memory/3628-136-0x0000000000400000-0x0000000000978000-memory.dmp

memory/3628-137-0x0000000000400000-0x0000000000978000-memory.dmp

C:\Users\Admin\AppData\Roaming\1$FUWW$FFHEX.dat

MD5 e4e3245a569450ce2909082c27958bf3
SHA1 448510c2e88694a828dbeacb9e527058df96a668
SHA256 2f5d7d840eb01ccb1b7c7c2a5155e6d605de461886bb36e12f32274fac66c998
SHA512 c1ea65f47fc7027c13121c4c73b481b6c69be77cea2f6f00ad5c20839b142d3ad137d1bdb0a35a6d187281ad73d0f8a80388692ba13dc65f816589fa199049b1

memory/3628-415-0x0000000000400000-0x000000000040E000-memory.dmp

memory/3628-418-0x0000000000400000-0x0000000000978000-memory.dmp

memory/3628-1099-0x0000000000400000-0x000000000040E000-memory.dmp

memory/3628-1776-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini.hydracrypttmp_ID_7808ea6c

MD5 0b14c400d1bbc1c337a4b2920f89292e
SHA1 f6584b5f38de0d6a082926042ace1f00c412ce88
SHA256 049ff2419b0a0ca6c977ad01bff762ecbbe6238ba44225ded17f2b27bcb61857
SHA512 bb0c0d7bb86d826b4861c51bb95461134defd1d94c947e9c31d91b64f3635d05129eb6745e54c6a779336e3bf757e9fab059d1f4de6d11d21a3edbececfd1edf

memory/3628-2767-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat.hydracrypttmp_ID_7808ea6c

MD5 6b9a2d3443e818cd81dc08408fa981ee
SHA1 c2e9c1a9997bde631041ae4abd330ae32e7f1e8e
SHA256 0826c770b64ed650532a8048ad26cadb8420bd4c3725d6259a14197591051167
SHA512 300af4c8c207001f575a18a4433283443a6f8e58cfb07436fa715fb1eef3e241398511800420f7a8abe880d824159d889a70dafc7d5f2590405ba7531ef8c9c3

C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.hydracrypt_ID_7808ea6c

MD5 1debcab0ccdd268b8d3c4a00b293946b
SHA1 a3fec52e7855cc02fc9e586e4f26c0c9f71a4cb6
SHA256 281f69f65e899a30f95dfcdcb4b1b73e2fc96d3945f2fd03328f538089e8936b
SHA512 38ddbac6ffef172a6d163ebf450411ca275dd10bb78e0a502cc463335aa206267974303e4c175a8e93834bc481a7a2e88f4b49bb9d7ba20f7647539dd96bca2b

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{cd96e0a4-ba8e-4699-994e-68268453df33}\0.1.filtertrie.intermediate.txt.hydracrypttmp_ID_7808ea6c

MD5 54ff6e5f5d6a9e95a7513181de1c01cd
SHA1 f8ef905b6e3960c091624b70f0e5f8e6e589452c
SHA256 585b116123e84d2ec5527b719108fe5131f971afc15cf28f11214637a3e37f62
SHA512 e33363a61d3a29e94f9c0be7be03c0438ff9009d5868b3733ab791a418b6a916ed0ddfcce2940ecb91a79a367258d07e27646b356f15f78722f631f8bed21f85

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{cd96e0a4-ba8e-4699-994e-68268453df33}\0.2.filtertrie.intermediate.txt.hydracrypttmp_ID_7808ea6c

MD5 144fabca850bc48cfd6efad2dc6ecc72
SHA1 4e3808dcc18d073866d9291f0a9ace3d83479fc7
SHA256 bcd3d0065c2e4196502dce26032e21472ec6332d9d079addea4efa5c14710e82
SHA512 929ddbd057da439f22c8071b2ae71cf6bc533947ed8b46cc161dbe064f864d6f93407d7334c80682a193f0747aaed42fbaa11673b8c615d620184130838c6dd6

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{506550ab-e951-47fb-95b2-997bfb0b6514}\0.1.filtertrie.intermediate.txt.hydracrypt_ID_7808ea6c

MD5 3129c9ca8c418e22b6e276ba4e4b0708
SHA1 997d136ecd4aa69288cc3ce6c62c5b05476af867
SHA256 12d1e2d284be53ff290d3c480c8f9c0e8ac772d4d352cf383b64d92edb1a7660
SHA512 9c9af5d8ceac80599ce7ac4f00935b8262fe884ceb52b765f22f47b0a2b57ed949b70a039f614d4424fbf6758f422e450b1bbe050c2b42434257dbb25d1dd46f

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{506550ab-e951-47fb-95b2-997bfb0b6514}\0.2.filtertrie.intermediate.txt.hydracrypt_ID_7808ea6c

MD5 6049a8d22070111df6737f0ebd612c3d
SHA1 f0ffe70d31c52e09c93cbda46aa2fbc2c06230c9
SHA256 def9d8ac5451be3f61557a3aaaed92410f21f4efce0beb90713e6a98227e1783
SHA512 cf6a9c89b4e8e8f9af9b5348a07407bb0a10b1842d7f3fd3a6eca02b6669bd5a8efa05026283ac992f752bbd0ae0b03eae85dfbe2c200d294cc8815dbc683de6

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133213926208578348.txt.hydracrypttmp_ID_7808ea6c

MD5 f63a874ca114a51f4d73be26a691c467
SHA1 8cbf0149a185eb3a12e6d0ca915a942794c1a296
SHA256 e8213c184d6ee6904fd898012d559faab916c7d16a2cf94e1e1b4a4deaf7a576
SHA512 e7869543d27ab3b852989f989f359b27c596cc53c097626be89eaaf0294e53b2c3f6b7c34a467a28a617d9682ae5553871640cc6bf75e5d762e7bbaac5ff61b3

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133213934756508290.txt.hydracrypttmp_ID_7808ea6c

MD5 9f5cdcec0825dc592f993b6125f59c36
SHA1 6e51e5e23308d26359ee4d17a0bb50842ba1adf8
SHA256 bc4ee70f7cff825265a92c70c031caf160d53a16d2d1b0e43123af05ae1a98c7
SHA512 20133af027fc658c3ab8864cb98efd6221efac70129e2b86d7423d8c03f631595c655778578aff8b4a4d8fd4b1d4fbb09a04b6f7ecf7a6115c06766de0bdead7

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133213938700221555.txt.hydracrypttmp_ID_7808ea6c

MD5 4b6d17242d16188a4e898073250dcaa7
SHA1 5f5d5b496eafdec9ab5839f15c76cacdb94329ba
SHA256 b24d8af79819f343723ce02b5a4ac531f7335cb79f944c819baaeabc0acf6f67
SHA512 3d3563e198f4db8a89f0b19220412ed4c38b2729e18ce1e2d37e192a097114933748a764e101a5a34a7f29684ca15b64ff9361e572cbff41ca5b6cceb0724ba5

C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20230220_185643140.html.hydracrypttmp_ID_7808ea6c

MD5 01b26c26888c8d8612137fa0b2d282fa
SHA1 062381a60d7e9d72458e265031908d2a68b45ec1
SHA256 4389d4ea520faf5be12645a02d792bb1735e211b9d4675f5a95280f6d3874f3f
SHA512 f0cbd6bb027b2d36edb331bbb523c592b5ee5814e36337ca17bc94920507548acb91600b89d9cd14ebb3b3b62e9edfea0dc1b5ceec222e3a36db765ccdb16d48

memory/3628-3643-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wctC8C0.tmp.hydracrypttmp_ID_7808ea6c

MD5 f2b5ed9e71a59a8b733c57f2c5f12b83
SHA1 7047d1d5d62a731d75e4ba7c0d0a1353eee9e5c9
SHA256 a2473138775ac1c6554cacb3559c993321e9f677e857097ede91785cb2f01df2
SHA512 f8f55a9631a49abccb413483b7c92f3a99deb1d63477ead9fc0041b46315402402ec197bf7458964de524948b55c89586d27f853c3e2c13e84e23a4f883a4ce7

memory/3628-4214-0x0000000000400000-0x000000000040E000-memory.dmp

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.hydracrypttmp_ID_7808ea6c

MD5 5c5ea03083c4dedc679ef1456053885c
SHA1 8604fd858560f3b57eb01b6c69daafd7ac5fd990
SHA256 6d837dd9bee7ca42810d70f108dbf110cd6bc1401e5b09c793a37e28376426a5
SHA512 9ed634fd563511de3191d0dbb1b0faccde86d6f451da7a4817954c2e0767ed5526085c5d19f8ba5ed5d026c486c82906bf6d13e357e75746db68cbf7689212a3

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.hydracrypttmp_ID_7808ea6c

MD5 97c01955e826f4f5bfe4638cd5d6eac0
SHA1 e9a988e5a48bf9f6290083f119bebc15bf2d2fac
SHA256 8c230ac16ac6d99fbeecaa122770fefde991f6cd7d0ec87eb857e95916983126
SHA512 05f93f259e83c755321afa0b825ed733bdecf82af3f84522630ba5532cec06a57b63a169c8a1b0e7be4ac043d015a911e02927efa52b02c3b46439f8d7975ed8

C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml.hydracrypttmp_ID_7808ea6c

MD5 91f0a24ee564a44d9ff06eba36e77d34
SHA1 7cb1cd4eb9e46c3c2f5af5ed49e2fcf44bb3675d
SHA256 6b2cd1c35b29d0afa2a21d559c41c6fb1df2b98f97a506a16f7ff5284ffb8224
SHA512 fc03d6b7caf59353b630aca3f20b20283ccfbd9013b04706dd6febe698c54195c95fcef7917b14eda727b87aedec7875c8a0a6f1495842610a25f79908ef69cc

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini.hydracrypttmp_ID_7808ea6c

MD5 96f0565b9b499f4a60b33d58dda1942e
SHA1 15ef331f4c1db79575bff93603291612773f70d1
SHA256 9647f7fdc4828f43074609e392840743c09adb594e582d7e084656b927878ae7
SHA512 ac5b2140669f1d551d46247c3690f2b252e79197015baf00fbc5c9898e61fa037ebdaddb7738e2f631083035450695a91e8f3337b850c729aa6ba2c66a241692

memory/3628-4937-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Users\Public\Videos\README_DECRYPT_HYDRA_ID_7808ea6c.txt

MD5 0cb4d4030b991787e682a2e85456ef18
SHA1 abd94ffeb9014956d8d54e96d3142afefc5a564c
SHA256 ab697fa5729b0020eb3a6bb1041b3a46ce9cda3d8480f2dd5bcbaecffdfcae20
SHA512 67d02e50bc2256d13d85b595616859e5e01998c4e2308847a3dd9012b3c3216c38ffb3fc954c0e34a28bc0680e91b274e2e863534efc47b2b111b0fb5a769f1c

memory/3628-5017-0x0000000000400000-0x0000000000978000-memory.dmp

memory/3628-5020-0x0000000000400000-0x000000000040E000-memory.dmp