Analysis Overview
SHA256
afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e
Threat Level: Known bad
The file 2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe was found to be: Known bad.
Malicious Activity Summary
HydraCrypt
Deletes shadow copies
Modifies extensions of user files
Drops startup file
Reads user/profile data of web browsers
Checks computer location settings
Adds Run key to start application
Enumerates connected drives
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious use of SetWindowsHookEx
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-09 20:48
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-09 20:48
Reported
2023-03-09 20:50
Platform
win7-20230220-en
Max time kernel
141s
Max time network
67s
Command Line
Signatures
HydraCrypt
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Pictures\DisconnectSkip.crw.hydracrypt_ID_869a271f | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ResolveApprove.tiff | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File created | C:\Users\Admin\Pictures\ResolveApprove.tiff.hydracrypttmp_ID_869a271f | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File created | C:\Users\Admin\Pictures\ResolveApprove.tiff.hydracrypt_ID_869a271f | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File created | C:\Users\Admin\Pictures\ResolveUnblock.crw.hydracrypttmp_ID_869a271f | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File created | C:\Users\Admin\Pictures\ResolveUnblock.crw.hydracrypt_ID_869a271f | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File created | C:\Users\Admin\Pictures\DisconnectSkip.crw.hydracrypttmp_ID_869a271f | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypttmp_ID_869a271f | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypt_ID_869a271f | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Internet Explorer Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe\"" | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeSettingsStart3264 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeSetings3264\\losihizi.exe\"" | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\4EJGXEBJ\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\BZB8KC7X\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\A6DSJQQJ\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VCT3UJZ1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
Enumerates connected drives
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1260 set thread context of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe |
Interacts with shadow copies
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
"C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe"
C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop vss
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /All
C:\Windows\SysWOW64\net.exe
net stop vss
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /All
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vss
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=Z: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=Y: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=W: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=U: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=V: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=X: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=S: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=P: /All
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8506824032135155593630421923-469705759-6137301091508827591212962404682656589"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9475992671378339094-5832242751180845862-213370082747187124918212332495356582"
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=Q: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=R: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=O: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=T: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=N: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=L: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=M: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=K: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=J: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=I: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=H: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=G: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=F: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=C: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=E: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=D: /All
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=A: /All
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /For=B: /All
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 7972
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| NL | 142.250.179.142:80 | google.com | tcp |
| US | 8.8.8.8:53 | drivers-softprotect.eu | udp |
| NL | 142.250.179.142:80 | google.com | tcp |
| US | 8.8.8.8:53 | drivers-softprotect.eu | udp |
Files
memory/1712-54-0x0000000000300000-0x0000000000400000-memory.dmp
memory/1712-55-0x0000000000400000-0x0000000000978000-memory.dmp
memory/1712-56-0x0000000000400000-0x0000000000978000-memory.dmp
memory/1712-57-0x0000000000400000-0x0000000000978000-memory.dmp
memory/1712-58-0x0000000000400000-0x0000000000978000-memory.dmp
memory/1712-59-0x0000000000400000-0x0000000000978000-memory.dmp
memory/1712-60-0x0000000000400000-0x0000000000978000-memory.dmp
memory/1260-61-0x00000000003E0000-0x00000000003E5000-memory.dmp
memory/1712-62-0x0000000000400000-0x0000000000978000-memory.dmp
memory/1712-63-0x0000000000400000-0x0000000000978000-memory.dmp
memory/1712-64-0x0000000000400000-0x0000000000978000-memory.dmp
memory/1712-66-0x0000000000400000-0x0000000000978000-memory.dmp
memory/1712-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1712-68-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1712-69-0x0000000000400000-0x0000000000978000-memory.dmp
memory/1712-70-0x0000000000400000-0x0000000000978000-memory.dmp
C:\Users\Admin\AppData\Roaming\1$FUWW$FFHEX.dat
| MD5 | 029c1ba05a0e18977bd30d7b620e762b |
| SHA1 | a146f64b018f715a8b3572c26a0bbb6481f981d4 |
| SHA256 | 219073cd0fe343361ac0ece187171c50ad2cf9b8c814bb21e2f3be6c09a32ce5 |
| SHA512 | 653de12fab42742dc471c5e66738c585f1d035dc134e9d51b6670a9206f3ee0ce2d51d6765ec1b55e5baef7921c4c1beceea09fb8b7305b3f6a5371d83f73831 |
memory/1712-260-0x0000000000400000-0x0000000000978000-memory.dmp
memory/1712-320-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1712-680-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\A6DSJQQJ\desktop.ini.hydracrypttmp_ID_869a271f
| MD5 | b4c2311fb5b666691d7109f5a7db2908 |
| SHA1 | f4ce151c375ce4a822fe1a01c7b67e102a29f3ec |
| SHA256 | 0847951242c7c44af41bd974264a5ff7d05f8f86eec606e9aa7019460bf321cd |
| SHA512 | e59dc17d8436908c968935197e583d0616870953534d9f62ae9caf043da092f9ed175df38d86979f9f1a105e6520b2814978d47e553043d5d76a29984b338152 |
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VCT3UJZ1\desktop.ini.hydracrypt_ID_869a271f
| MD5 | 791eacbdd2a9cbb9ac3c55c3e5f6aff7 |
| SHA1 | 90096e9836c45a83bc2efd0a71c1720006ecd006 |
| SHA256 | ac8bcbef665f421aa8d4a2b1b2ad9cdc6e5d91ae29926d4e036354a0390e1675 |
| SHA512 | 60981e15d62e35053bfedc25553c33024b5c09d620acba9b3729fc6500c755ff3fd42dd39678c94f2432c538c0f2878bfeded41342fe924621af0a9319d60759 |
memory/1712-1292-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20230220_185731908.html.hydracrypttmp_ID_869a271f
| MD5 | 666355e96e7540a6f8f607c7767f89e2 |
| SHA1 | fe4c5a4e4ac89797834e444c2f4a86c4351bc4f9 |
| SHA256 | a7503edaed07bb5ce9fd1094f2fb268501d1c58ccfbe160369e59186c67c4e67 |
| SHA512 | f08f46d66a6231c19875bfd43ba509b90e50aea6fb757a7ba5562b4eaa3ee1d021390fe82268afb685fa8076db5f7d24aa0b0b19c554107aae498a0b184ec908 |
memory/1712-1865-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1712-2292-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Public\Videos\README_DECRYPT_HYDRA_ID_869a271f.txt
| MD5 | ec8a491fe3884746490f92171b930633 |
| SHA1 | 16776e53d50c90d5eeaa29185d8e3a9c7b631365 |
| SHA256 | a94f02ee3488e12330293fd597a4cc8ca4602f3f3ee40b8d3c8240c8d90e97ca |
| SHA512 | e017290c8a90da94f38e7651305f12e93f4e13d87630a8cd7fd9342e513892707ecaa2f28ca6a4a608752184cb91acce146e02ba97734ca3f4833868131e3577 |
C:\Users\Public\Videos\README_DECRYPT_HYDRA_ID_869a271f.txt
| MD5 | ec8a491fe3884746490f92171b930633 |
| SHA1 | 16776e53d50c90d5eeaa29185d8e3a9c7b631365 |
| SHA256 | a94f02ee3488e12330293fd597a4cc8ca4602f3f3ee40b8d3c8240c8d90e97ca |
| SHA512 | e017290c8a90da94f38e7651305f12e93f4e13d87630a8cd7fd9342e513892707ecaa2f28ca6a4a608752184cb91acce146e02ba97734ca3f4833868131e3577 |
memory/1712-2396-0x0000000000400000-0x000000000040E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-09 20:48
Reported
2023-03-09 20:50
Platform
win10v2004-20230220-en
Max time kernel
135s
Max time network
153s
Command Line
Signatures
HydraCrypt
Deletes shadow copies
Modifies extensions of user files
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypt_ID_7808ea6c | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypttmp_ID_7808ea6c | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Internet Explorer Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe\"" | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeSettingsStart3264 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeSetings3264\\nonoxifa.exe\"" | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
Enumerates connected drives
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3532 set thread context of 3628 | N/A | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
"C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe"
C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
C:\Users\Admin\AppData\Local\Temp\2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop vss
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All
C:\Windows\SysWOW64\net.exe
net stop vss
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vss
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3628 -ip 3628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 2012
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| NL | 142.250.179.142:80 | google.com | tcp |
| US | 8.8.8.8:53 | 142.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drivers-softprotect.eu | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| NL | 13.69.109.131:443 | tcp | |
| US | 13.107.4.50:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 13.107.4.50:80 | tcp | |
| US | 13.107.4.50:80 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| NL | 142.250.179.142:80 | google.com | tcp |
| US | 8.8.8.8:53 | drivers-softprotect.eu | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp |
Files
memory/3628-133-0x0000000000400000-0x0000000000978000-memory.dmp
memory/3532-134-0x0000000002330000-0x0000000002335000-memory.dmp
memory/3628-136-0x0000000000400000-0x0000000000978000-memory.dmp
memory/3628-137-0x0000000000400000-0x0000000000978000-memory.dmp
C:\Users\Admin\AppData\Roaming\1$FUWW$FFHEX.dat
| MD5 | e4e3245a569450ce2909082c27958bf3 |
| SHA1 | 448510c2e88694a828dbeacb9e527058df96a668 |
| SHA256 | 2f5d7d840eb01ccb1b7c7c2a5155e6d605de461886bb36e12f32274fac66c998 |
| SHA512 | c1ea65f47fc7027c13121c4c73b481b6c69be77cea2f6f00ad5c20839b142d3ad137d1bdb0a35a6d187281ad73d0f8a80388692ba13dc65f816589fa199049b1 |
memory/3628-415-0x0000000000400000-0x000000000040E000-memory.dmp
memory/3628-418-0x0000000000400000-0x0000000000978000-memory.dmp
memory/3628-1099-0x0000000000400000-0x000000000040E000-memory.dmp
memory/3628-1776-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini.hydracrypttmp_ID_7808ea6c
| MD5 | 0b14c400d1bbc1c337a4b2920f89292e |
| SHA1 | f6584b5f38de0d6a082926042ace1f00c412ce88 |
| SHA256 | 049ff2419b0a0ca6c977ad01bff762ecbbe6238ba44225ded17f2b27bcb61857 |
| SHA512 | bb0c0d7bb86d826b4861c51bb95461134defd1d94c947e9c31d91b64f3635d05129eb6745e54c6a779336e3bf757e9fab059d1f4de6d11d21a3edbececfd1edf |
memory/3628-2767-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat.hydracrypttmp_ID_7808ea6c
| MD5 | 6b9a2d3443e818cd81dc08408fa981ee |
| SHA1 | c2e9c1a9997bde631041ae4abd330ae32e7f1e8e |
| SHA256 | 0826c770b64ed650532a8048ad26cadb8420bd4c3725d6259a14197591051167 |
| SHA512 | 300af4c8c207001f575a18a4433283443a6f8e58cfb07436fa715fb1eef3e241398511800420f7a8abe880d824159d889a70dafc7d5f2590405ba7531ef8c9c3 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.hydracrypt_ID_7808ea6c
| MD5 | 1debcab0ccdd268b8d3c4a00b293946b |
| SHA1 | a3fec52e7855cc02fc9e586e4f26c0c9f71a4cb6 |
| SHA256 | 281f69f65e899a30f95dfcdcb4b1b73e2fc96d3945f2fd03328f538089e8936b |
| SHA512 | 38ddbac6ffef172a6d163ebf450411ca275dd10bb78e0a502cc463335aa206267974303e4c175a8e93834bc481a7a2e88f4b49bb9d7ba20f7647539dd96bca2b |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{cd96e0a4-ba8e-4699-994e-68268453df33}\0.1.filtertrie.intermediate.txt.hydracrypttmp_ID_7808ea6c
| MD5 | 54ff6e5f5d6a9e95a7513181de1c01cd |
| SHA1 | f8ef905b6e3960c091624b70f0e5f8e6e589452c |
| SHA256 | 585b116123e84d2ec5527b719108fe5131f971afc15cf28f11214637a3e37f62 |
| SHA512 | e33363a61d3a29e94f9c0be7be03c0438ff9009d5868b3733ab791a418b6a916ed0ddfcce2940ecb91a79a367258d07e27646b356f15f78722f631f8bed21f85 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{cd96e0a4-ba8e-4699-994e-68268453df33}\0.2.filtertrie.intermediate.txt.hydracrypttmp_ID_7808ea6c
| MD5 | 144fabca850bc48cfd6efad2dc6ecc72 |
| SHA1 | 4e3808dcc18d073866d9291f0a9ace3d83479fc7 |
| SHA256 | bcd3d0065c2e4196502dce26032e21472ec6332d9d079addea4efa5c14710e82 |
| SHA512 | 929ddbd057da439f22c8071b2ae71cf6bc533947ed8b46cc161dbe064f864d6f93407d7334c80682a193f0747aaed42fbaa11673b8c615d620184130838c6dd6 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{506550ab-e951-47fb-95b2-997bfb0b6514}\0.1.filtertrie.intermediate.txt.hydracrypt_ID_7808ea6c
| MD5 | 3129c9ca8c418e22b6e276ba4e4b0708 |
| SHA1 | 997d136ecd4aa69288cc3ce6c62c5b05476af867 |
| SHA256 | 12d1e2d284be53ff290d3c480c8f9c0e8ac772d4d352cf383b64d92edb1a7660 |
| SHA512 | 9c9af5d8ceac80599ce7ac4f00935b8262fe884ceb52b765f22f47b0a2b57ed949b70a039f614d4424fbf6758f422e450b1bbe050c2b42434257dbb25d1dd46f |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{506550ab-e951-47fb-95b2-997bfb0b6514}\0.2.filtertrie.intermediate.txt.hydracrypt_ID_7808ea6c
| MD5 | 6049a8d22070111df6737f0ebd612c3d |
| SHA1 | f0ffe70d31c52e09c93cbda46aa2fbc2c06230c9 |
| SHA256 | def9d8ac5451be3f61557a3aaaed92410f21f4efce0beb90713e6a98227e1783 |
| SHA512 | cf6a9c89b4e8e8f9af9b5348a07407bb0a10b1842d7f3fd3a6eca02b6669bd5a8efa05026283ac992f752bbd0ae0b03eae85dfbe2c200d294cc8815dbc683de6 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133213926208578348.txt.hydracrypttmp_ID_7808ea6c
| MD5 | f63a874ca114a51f4d73be26a691c467 |
| SHA1 | 8cbf0149a185eb3a12e6d0ca915a942794c1a296 |
| SHA256 | e8213c184d6ee6904fd898012d559faab916c7d16a2cf94e1e1b4a4deaf7a576 |
| SHA512 | e7869543d27ab3b852989f989f359b27c596cc53c097626be89eaaf0294e53b2c3f6b7c34a467a28a617d9682ae5553871640cc6bf75e5d762e7bbaac5ff61b3 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133213934756508290.txt.hydracrypttmp_ID_7808ea6c
| MD5 | 9f5cdcec0825dc592f993b6125f59c36 |
| SHA1 | 6e51e5e23308d26359ee4d17a0bb50842ba1adf8 |
| SHA256 | bc4ee70f7cff825265a92c70c031caf160d53a16d2d1b0e43123af05ae1a98c7 |
| SHA512 | 20133af027fc658c3ab8864cb98efd6221efac70129e2b86d7423d8c03f631595c655778578aff8b4a4d8fd4b1d4fbb09a04b6f7ecf7a6115c06766de0bdead7 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133213938700221555.txt.hydracrypttmp_ID_7808ea6c
| MD5 | 4b6d17242d16188a4e898073250dcaa7 |
| SHA1 | 5f5d5b496eafdec9ab5839f15c76cacdb94329ba |
| SHA256 | b24d8af79819f343723ce02b5a4ac531f7335cb79f944c819baaeabc0acf6f67 |
| SHA512 | 3d3563e198f4db8a89f0b19220412ed4c38b2729e18ce1e2d37e192a097114933748a764e101a5a34a7f29684ca15b64ff9361e572cbff41ca5b6cceb0724ba5 |
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20230220_185643140.html.hydracrypttmp_ID_7808ea6c
| MD5 | 01b26c26888c8d8612137fa0b2d282fa |
| SHA1 | 062381a60d7e9d72458e265031908d2a68b45ec1 |
| SHA256 | 4389d4ea520faf5be12645a02d792bb1735e211b9d4675f5a95280f6d3874f3f |
| SHA512 | f0cbd6bb027b2d36edb331bbb523c592b5ee5814e36337ca17bc94920507548acb91600b89d9cd14ebb3b3b62e9edfea0dc1b5ceec222e3a36db765ccdb16d48 |
memory/3628-3643-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wctC8C0.tmp.hydracrypttmp_ID_7808ea6c
| MD5 | f2b5ed9e71a59a8b733c57f2c5f12b83 |
| SHA1 | 7047d1d5d62a731d75e4ba7c0d0a1353eee9e5c9 |
| SHA256 | a2473138775ac1c6554cacb3559c993321e9f677e857097ede91785cb2f01df2 |
| SHA512 | f8f55a9631a49abccb413483b7c92f3a99deb1d63477ead9fc0041b46315402402ec197bf7458964de524948b55c89586d27f853c3e2c13e84e23a4f883a4ce7 |
memory/3628-4214-0x0000000000400000-0x000000000040E000-memory.dmp
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.hydracrypttmp_ID_7808ea6c
| MD5 | 5c5ea03083c4dedc679ef1456053885c |
| SHA1 | 8604fd858560f3b57eb01b6c69daafd7ac5fd990 |
| SHA256 | 6d837dd9bee7ca42810d70f108dbf110cd6bc1401e5b09c793a37e28376426a5 |
| SHA512 | 9ed634fd563511de3191d0dbb1b0faccde86d6f451da7a4817954c2e0767ed5526085c5d19f8ba5ed5d026c486c82906bf6d13e357e75746db68cbf7689212a3 |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.hydracrypttmp_ID_7808ea6c
| MD5 | 97c01955e826f4f5bfe4638cd5d6eac0 |
| SHA1 | e9a988e5a48bf9f6290083f119bebc15bf2d2fac |
| SHA256 | 8c230ac16ac6d99fbeecaa122770fefde991f6cd7d0ec87eb857e95916983126 |
| SHA512 | 05f93f259e83c755321afa0b825ed733bdecf82af3f84522630ba5532cec06a57b63a169c8a1b0e7be4ac043d015a911e02927efa52b02c3b46439f8d7975ed8 |
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml.hydracrypttmp_ID_7808ea6c
| MD5 | 91f0a24ee564a44d9ff06eba36e77d34 |
| SHA1 | 7cb1cd4eb9e46c3c2f5af5ed49e2fcf44bb3675d |
| SHA256 | 6b2cd1c35b29d0afa2a21d559c41c6fb1df2b98f97a506a16f7ff5284ffb8224 |
| SHA512 | fc03d6b7caf59353b630aca3f20b20283ccfbd9013b04706dd6febe698c54195c95fcef7917b14eda727b87aedec7875c8a0a6f1495842610a25f79908ef69cc |
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini.hydracrypttmp_ID_7808ea6c
| MD5 | 96f0565b9b499f4a60b33d58dda1942e |
| SHA1 | 15ef331f4c1db79575bff93603291612773f70d1 |
| SHA256 | 9647f7fdc4828f43074609e392840743c09adb594e582d7e084656b927878ae7 |
| SHA512 | ac5b2140669f1d551d46247c3690f2b252e79197015baf00fbc5c9898e61fa037ebdaddb7738e2f631083035450695a91e8f3337b850c729aa6ba2c66a241692 |
memory/3628-4937-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Public\Videos\README_DECRYPT_HYDRA_ID_7808ea6c.txt
| MD5 | 0cb4d4030b991787e682a2e85456ef18 |
| SHA1 | abd94ffeb9014956d8d54e96d3142afefc5a564c |
| SHA256 | ab697fa5729b0020eb3a6bb1041b3a46ce9cda3d8480f2dd5bcbaecffdfcae20 |
| SHA512 | 67d02e50bc2256d13d85b595616859e5e01998c4e2308847a3dd9012b3c3216c38ffb3fc954c0e34a28bc0680e91b274e2e863534efc47b2b111b0fb5a769f1c |
C:\Users\Public\Videos\README_DECRYPT_HYDRA_ID_7808ea6c.txt
| MD5 | 0cb4d4030b991787e682a2e85456ef18 |
| SHA1 | abd94ffeb9014956d8d54e96d3142afefc5a564c |
| SHA256 | ab697fa5729b0020eb3a6bb1041b3a46ce9cda3d8480f2dd5bcbaecffdfcae20 |
| SHA512 | 67d02e50bc2256d13d85b595616859e5e01998c4e2308847a3dd9012b3c3216c38ffb3fc954c0e34a28bc0680e91b274e2e863534efc47b2b111b0fb5a769f1c |
memory/3628-5017-0x0000000000400000-0x0000000000978000-memory.dmp
memory/3628-5020-0x0000000000400000-0x000000000040E000-memory.dmp