541a1966114e166cc5807973c227ad72fea6d687ce7c2e70293f794751247427

Analysis

max time kernel
96s
max time network
142s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
29-04-2024 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hydra-1.1.0.Setup.exe
Size

128.8MB
MD5

366d719f4ffb6e6378bb8eb0ca5f89c0
SHA1

7ab9d1f32366c7eba513c37ae7304f6c74dd8933
SHA256

541a1966114e166cc5807973c227ad72fea6d687ce7c2e70293f794751247427
SHA512

da1816efa36d0f9e9c8aa0d03cd9cb64851762d83e212d5f91d77d42de91fc23af920922bbf1ca5824a2668d0d4915fc9b024b1dc0abbeb56e6a3e5ed970d5ca
SSDEEP

3145728:QkJG7QPqLxp8O4d4pPU62+0JXWg3/VnRbQvk4H6wWhuyGdgv+m7K2mpHQj/:QkJGUPsxdHt0kg3/VndY5dQ+mO2mpHg

Score

9^/10

discovery

Malware Config

Signatures

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 16 IoCs

pid	Process
2588	Update.exe
1188	Squirrel.exe
4696	Hydra.exe
2324	Update.exe
2572	Hydra.exe
4516	Hydra.exe
4880	Update.exe
2168	Hydra.exe
4808	Hydra.exe
2912	Hydra.exe
2308	Hydra.exe
4972	Update.exe
1436	Hydra.exe
2808	Hydra.exe
1732	hydra-download-manager.exe
4880	Hydra.exe

Loads dropped DLL 31 IoCs

pid	Process
4696	Hydra.exe
4696	Hydra.exe
2572	Hydra.exe
4516	Hydra.exe
2168	Hydra.exe
4516	Hydra.exe
4516	Hydra.exe
4516	Hydra.exe
4516	Hydra.exe
2912	Hydra.exe
2912	Hydra.exe
2308	Hydra.exe
1436	Hydra.exe
2808	Hydra.exe
1436	Hydra.exe
1436	Hydra.exe
1436	Hydra.exe
1436	Hydra.exe
1732	hydra-download-manager.exe
1732	hydra-download-manager.exe
1732	hydra-download-manager.exe
1732	hydra-download-manager.exe
1732	hydra-download-manager.exe
1732	hydra-download-manager.exe
1732	hydra-download-manager.exe
1732	hydra-download-manager.exe
1732	hydra-download-manager.exe
1732	hydra-download-manager.exe
1732	hydra-download-manager.exe
1732	hydra-download-manager.exe
4880	Hydra.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	Hydra.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
4532	tasklist.exe
2100	tasklist.exe
484	tasklist.exe
644	tasklist.exe
3812	tasklist.exe
3644	tasklist.exe
2216	tasklist.exe
1064	tasklist.exe
3860	tasklist.exe
436	tasklist.exe
4708	tasklist.exe
4480	tasklist.exe
4136	tasklist.exe
4668	tasklist.exe
2084	tasklist.exe
1832	tasklist.exe
244	tasklist.exe
2300	tasklist.exe
5040	tasklist.exe
2296	tasklist.exe
2840	tasklist.exe
3304	tasklist.exe
4112	tasklist.exe
4708	tasklist.exe
3928	tasklist.exe
4916	tasklist.exe
2940	tasklist.exe
1528	tasklist.exe
2884	tasklist.exe
2040	tasklist.exe
4176	tasklist.exe
3948	tasklist.exe
3228	tasklist.exe
2804	tasklist.exe
4804	tasklist.exe
2972	tasklist.exe
2092	tasklist.exe
1572	tasklist.exe
2052	tasklist.exe
2024	tasklist.exe
1300	tasklist.exe
720	tasklist.exe
4964	tasklist.exe
2972	tasklist.exe
5076	tasklist.exe
892	tasklist.exe
4808	tasklist.exe
3920	tasklist.exe
2092	tasklist.exe
3900	tasklist.exe
832	tasklist.exe
4176	tasklist.exe
3332	tasklist.exe
5004	tasklist.exe
1440	tasklist.exe
3852	tasklist.exe
2052	tasklist.exe
4240	tasklist.exe
2152	tasklist.exe
4528	tasklist.exe
3216	tasklist.exe
5092	tasklist.exe
1340	tasklist.exe
2904	tasklist.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\hydralauncher\shell\open	Hydra.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\hydralauncher\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\hydra\\app-1.1.0\\Hydra.exe\" \"%1\""	Hydra.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\hydralauncher\URL Protocol	Hydra.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\hydralauncher\ = "URL:hydralauncher"	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\hydralauncher	Hydra.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\hydralauncher\ = "URL:hydralauncher"	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\hydralauncher\shell\open\command	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\hydralauncher\shell	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\hydralauncher	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\hydralauncher\shell\open\command	Hydra.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\hydralauncher\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\hydra\\app-1.1.0\\Hydra.exe\" \"%1\""	Hydra.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\hydralauncher\URL Protocol	Hydra.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4696	Hydra.exe
4696	Hydra.exe
4696	Hydra.exe
4696	Hydra.exe
2912	Hydra.exe
2912	Hydra.exe
2912	Hydra.exe
2912	Hydra.exe
4736	powershell.exe
4736	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2912	Hydra.exe
Token: SeCreatePagefilePrivilege	2912	Hydra.exe
Token: SeShutdownPrivilege	2912	Hydra.exe
Token: SeCreatePagefilePrivilege	2912	Hydra.exe
Token: SeShutdownPrivilege	2912	Hydra.exe
Token: SeCreatePagefilePrivilege	2912	Hydra.exe
Token: SeShutdownPrivilege	2912	Hydra.exe
Token: SeCreatePagefilePrivilege	2912	Hydra.exe
Token: SeShutdownPrivilege	2912	Hydra.exe
Token: SeCreatePagefilePrivilege	2912	Hydra.exe
Token: SeDebugPrivilege	2972	tasklist.exe
Token: SeShutdownPrivilege	2912	Hydra.exe
Token: SeCreatePagefilePrivilege	2912	Hydra.exe
Token: SeShutdownPrivilege	2912	Hydra.exe
Token: SeCreatePagefilePrivilege	2912	Hydra.exe
Token: SeDebugPrivilege	4708	tasklist.exe
Token: SeShutdownPrivilege	2912	Hydra.exe
Token: SeCreatePagefilePrivilege	2912	Hydra.exe
Token: SeShutdownPrivilege	2912	Hydra.exe
Token: SeCreatePagefilePrivilege	2912	Hydra.exe
Token: SeDebugPrivilege	5056	tasklist.exe
Token: SeShutdownPrivilege	2912	Hydra.exe
Token: SeCreatePagefilePrivilege	2912	Hydra.exe
Token: SeDebugPrivilege	1280	tasklist.exe
Token: SeShutdownPrivilege	2912	Hydra.exe
Token: SeCreatePagefilePrivilege	2912	Hydra.exe
Token: SeDebugPrivilege	5052	tasklist.exe
Token: SeShutdownPrivilege	2912	Hydra.exe
Token: SeCreatePagefilePrivilege	2912	Hydra.exe
Token: SeDebugPrivilege	4948	tasklist.exe
Token: SeDebugPrivilege	4916	tasklist.exe
Token: SeShutdownPrivilege	2912	Hydra.exe
Token: SeCreatePagefilePrivilege	2912	Hydra.exe
Token: SeDebugPrivilege	2944	tasklist.exe
Token: SeShutdownPrivilege	2912	Hydra.exe
Token: SeCreatePagefilePrivilege	2912	Hydra.exe
Token: SeDebugPrivilege	2300	tasklist.exe
Token: SeShutdownPrivilege	2912	Hydra.exe
Token: SeCreatePagefilePrivilege	2912	Hydra.exe
Token: SeDebugPrivilege	4972	tasklist.exe
Token: SeShutdownPrivilege	2912	Hydra.exe
Token: SeCreatePagefilePrivilege	2912	Hydra.exe
Token: SeDebugPrivilege	1440	tasklist.exe
Token: SeShutdownPrivilege	2912	Hydra.exe
Token: SeCreatePagefilePrivilege	2912	Hydra.exe
Token: SeDebugPrivilege	4560	tasklist.exe
Token: SeDebugPrivilege	5056	tasklist.exe
Token: SeDebugPrivilege	3364	tasklist.exe
Token: SeDebugPrivilege	832	tasklist.exe
Token: SeShutdownPrivilege	2912	Hydra.exe
Token: SeCreatePagefilePrivilege	2912	Hydra.exe
Token: SeDebugPrivilege	5096	tasklist.exe
Token: SeDebugPrivilege	1924	tasklist.exe
Token: SeDebugPrivilege	4848	tasklist.exe
Token: SeShutdownPrivilege	2912	Hydra.exe
Token: SeCreatePagefilePrivilege	2912	Hydra.exe
Token: SeDebugPrivilege	2548	tasklist.exe
Token: SeDebugPrivilege	4964	tasklist.exe
Token: SeDebugPrivilege	3032	tasklist.exe
Token: SeShutdownPrivilege	2912	Hydra.exe
Token: SeCreatePagefilePrivilege	2912	Hydra.exe
Token: SeDebugPrivilege	4892	tasklist.exe
Token: SeDebugPrivilege	3852	tasklist.exe
Token: SeShutdownPrivilege	2912	Hydra.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2588	Update.exe
2912	Hydra.exe
2912	Hydra.exe
2912	Hydra.exe
2912	Hydra.exe
2912	Hydra.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2912	Hydra.exe
2912	Hydra.exe
2912	Hydra.exe
2912	Hydra.exe
2912	Hydra.exe
2912	Hydra.exe
2912	Hydra.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4808	Hydra.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2588	1696	Hydra-1.1.0.Setup.exe	81
PID 1696 wrote to memory of 2588	1696	Hydra-1.1.0.Setup.exe	81
PID 2588 wrote to memory of 1188	2588	Update.exe	82
PID 2588 wrote to memory of 1188	2588	Update.exe	82
PID 2588 wrote to memory of 4696	2588	Update.exe	83
PID 2588 wrote to memory of 4696	2588	Update.exe	83
PID 4696 wrote to memory of 2324	4696	Hydra.exe	84
PID 4696 wrote to memory of 2324	4696	Hydra.exe	84
PID 4696 wrote to memory of 2572	4696	Hydra.exe	85
PID 4696 wrote to memory of 2572	4696	Hydra.exe	85
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4516	4696	Hydra.exe	86
PID 4696 wrote to memory of 4880	4696	Hydra.exe	104
PID 4696 wrote to memory of 4880	4696	Hydra.exe	104
PID 4696 wrote to memory of 2168	4696	Hydra.exe	88
PID 4696 wrote to memory of 2168	4696	Hydra.exe	88
PID 4808 wrote to memory of 2912	4808	Hydra.exe	93
PID 4808 wrote to memory of 2912	4808	Hydra.exe	93
PID 2912 wrote to memory of 2308	2912	Hydra.exe	94
PID 2912 wrote to memory of 2308	2912	Hydra.exe	94
PID 2912 wrote to memory of 4972	2912	Hydra.exe	287
PID 2912 wrote to memory of 4972	2912	Hydra.exe	287
PID 2912 wrote to memory of 1436	2912	Hydra.exe	96
PID 2912 wrote to memory of 1436	2912	Hydra.exe	96
PID 2912 wrote to memory of 1436	2912	Hydra.exe	96
PID 2912 wrote to memory of 1436	2912	Hydra.exe	96
PID 2912 wrote to memory of 1436	2912	Hydra.exe	96
PID 2912 wrote to memory of 1436	2912	Hydra.exe	96
PID 2912 wrote to memory of 1436	2912	Hydra.exe	96
PID 2912 wrote to memory of 1436	2912	Hydra.exe	96
PID 2912 wrote to memory of 1436	2912	Hydra.exe	96
PID 2912 wrote to memory of 1436	2912	Hydra.exe	96
PID 2912 wrote to memory of 1436	2912	Hydra.exe	96
PID 2912 wrote to memory of 1436	2912	Hydra.exe	96
PID 2912 wrote to memory of 1436	2912	Hydra.exe	96
PID 2912 wrote to memory of 1436	2912	Hydra.exe	96

C:\Users\Admin\AppData\Local\Temp\Hydra-1.1.0.Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Hydra-1.1.0.Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Squirrel.exe
    "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    3⤵
    - Executes dropped EXE
    PID:1188
- - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
    "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe" --squirrel-install 1.1.0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Users\Admin\AppData\Local\hydra\Update.exe
      C:\Users\Admin\AppData\Local\hydra\Update.exe --createShortcut=Hydra.exe
      4⤵
      Executes dropped EXE
      PID:2324
  - - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
      C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Hydra /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Hydra\Crashpad --url=https://f.a.k/e --annotation=_productName=Hydra --annotation=_version=1.1.0 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=29.1.4 --initial-client-data=0x56c,0x570,0x574,0x568,0x578,0x7ff6965ba880,0x7ff6965ba88c,0x7ff6965ba898
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2572
  - - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
      "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Hydra" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1852 --field-trial-handle=1856,i,11944107013588257855,10299450768071335712,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4516
  - - C:\Users\Admin\AppData\Local\hydra\Update.exe
      C:\Users\Admin\AppData\Local\hydra\Update.exe --checkForUpdate https://update.electronjs.org/hydralauncher/hydra/win32-x64/1.1.0
      4⤵
      Executes dropped EXE
      PID:4880
  - - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
      "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Hydra" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --mojo-platform-channel-handle=2108 --field-trial-handle=1856,i,11944107013588257855,10299450768071335712,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2168

C:\Users\Admin\AppData\Local\hydra\Hydra.exe
"C:\Users\Admin\AppData\Local\hydra\Hydra.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
  "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
    C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Hydra /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Hydra\Crashpad --url=https://f.a.k/e --annotation=_productName=Hydra --annotation=_version=1.1.0 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=29.1.4 --initial-client-data=0x53c,0x540,0x544,0x534,0x548,0x7ff6965ba880,0x7ff6965ba88c,0x7ff6965ba898
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2308
- - C:\Users\Admin\AppData\Local\hydra\Update.exe
    C:\Users\Admin\AppData\Local\hydra\Update.exe --checkForUpdate https://update.electronjs.org/hydralauncher/hydra/win32-x64/1.1.0
    3⤵
    - Executes dropped EXE
    PID:4972
- - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
    "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Hydra" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2108 --field-trial-handle=2112,i,11471825263375307005,5144074363029105640,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1436
- - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
    "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Hydra" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --mojo-platform-channel-handle=2144 --field-trial-handle=2112,i,11471825263375307005,5144074363029105640,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2808
- - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\resources\dist\hydra-download-manager\hydra-download-manager.exe
    C:\Users\Admin\AppData\Local\hydra\app-1.1.0\resources\dist\hydra-download-manager\hydra-download-manager.exe 5881 \\.\pipe\bd3e026dbf31b4252e470400acd1698c \\.\pipe\e72eef2e231b88e25f1ff5f3618569b9
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:5040
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
    "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Hydra" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-user-model-id=com.squirrel.hydra.Hydra --app-path="C:\Users\Admin\AppData\Local\hydra\app-1.1.0\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3088 --field-trial-handle=2112,i,11471825263375307005,5144074363029105640,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4880
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4708
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5056
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1280
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5052
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4948
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4916
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2944
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2300
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4972
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4560
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5056
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3364
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:832
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5096
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4848
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4964
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3032
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4892
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3852
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4316
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4668
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3612
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:5052
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2972
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4676
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2052
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2940
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3628
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1332
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4112
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3708
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:5060
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:644
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4240
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3228
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3176
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2084
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2040
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2092
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2712
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:332
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4788
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3516
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3944
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4520
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4856
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4668
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2020
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2440
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4480
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2884
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3852
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1280
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:1528
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:5040
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1172
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3436
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4904
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3596
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:900
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:892
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:644
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2152
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:5052
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2440
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:3332
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:3644
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:1832
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2884
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:5092
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1924
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1280
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1528
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1692
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:5076
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3724
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2944
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2096
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3076
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3372
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4856
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3928
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4240
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3500
- - C:\Windows\system32\where.exe
    where powershell
    3⤵
    PID:4808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "Get-CimInstance -ClassName Win32_LogicalDisk | Select-Object Caption, FreeSpace, Size"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4736
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2276
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2092
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4176
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:3920
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1816
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:612
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4112
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2984
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:832
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4972
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3888
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2332
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:488
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4708
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3332
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4892
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:1340
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2940
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:336
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4136
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2712
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2840
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2084
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2092
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1528
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3364
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1692
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1172
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1252
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:244
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2256
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2020
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3888
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1400
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:996
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:5052
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4892
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3332
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3400
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4480
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2052
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2728
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:3948
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:1064
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2092
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1528
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3364
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4532
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3724
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:3304
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4792
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4520
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:420
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4552
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4240
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:1572
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3488
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:3852
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2900
- - C:\Windows\system32\where.exe
    where powershell
    3⤵
    PID:2228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "Get-CimInstance -ClassName Win32_LogicalDisk | Select-Object Caption, FreeSpace, Size"
    3⤵
    PID:2728
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2712
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2216
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2804
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2908
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:3860
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3076
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4340
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4912
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:856
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2020
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1032
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3404
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3616
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4512
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3628
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3188
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4136
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2156
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:3900
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4360
- - C:\Windows\system32\where.exe
    where powershell
    3⤵
    PID:3172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "Get-CimInstance -ClassName Win32_LogicalDisk | Select-Object Caption, FreeSpace, Size"
    3⤵
    PID:4992
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1400
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4876
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:1300
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5052
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2344
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4788
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2084
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2092
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2904
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2096
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4528
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:3812
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:436
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1900
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1428
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:5092
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:336
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2052
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1196
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2296
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1860
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:3228
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2096
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4804
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:5096
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3796
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1516
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:436
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:612
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2744
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2100
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1784
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2300
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:484
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:5004
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:892
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2128
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3372
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4112
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2676
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2944
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2276
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3860
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4856
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1816
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3060
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2884
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4316
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3900
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4912
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2256
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3996
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3436
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3028
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4552
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4804
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1280
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:5012
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2040
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1400
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2940
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:1440
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4176
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2884
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2052
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:568
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1664
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4348
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:720
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4808
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:3928
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2024
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1232
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:3216
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:5108
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:436
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3188
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Update.exe.log

Filesize
1KB

MD5
6884f06e5e48278e875c48434c7e7d69

SHA1
e95d5626f455f989a37e62dbb71fd1147a6a18dd

SHA256
a2575cf61e66d6b0032cc832c80698cc53879e70fd9ebc9e0693947609443e2b

SHA512
a115434399f781f760fb4288c9b9cb0efc111f12ce4b17fde32439fa8fbfd61929c827f415856150e15501767d194c67cbbdac093a72d122e960a8fa75d8177a

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
76B

MD5
82aad9846f60a10e4495a1c628a4f0b6

SHA1
4119492d3c6fe99ba75f852756d8b04b950e76f0

SHA256
529fd322807a4f0ad7a95c5ed06b4aaf0aabd3f52f33d9b852c6f063a63ef839

SHA512
e19321f50ec6aeca3f040ea98f88a03e4afe8908796a4dbbd7bb41b25713b7a85fbc1dce366d25afea47d4a67181164b678e7f727bd58d88b68db7fafebcbdaf

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
a560bad9e373ea5223792d60bede2b13

SHA1
82a0da9b52741d8994f28ad9ed6cbd3e6d3538fa

SHA256
76359cd4b0349a83337b941332ad042c90351c2bb0a4628307740324c97984cc

SHA512
58a1b4e1580273e1e5021dd2309b1841767d2a4be76ab4a7d4ff11b53fa9de068f6da67bf0dccfb19b4c91351387c0e6e200a2a864ec3fa737a1cb0970c8242c

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
43KB

MD5
b5a42ecde0b058b3c4e661e0ec84400b

SHA1
7e2bfc653c5bc6997553c150a0823daae372cd99

SHA256
ce636d201ef86ffbf4ee8c8762b4d9dc255be9d5f490d0a22e36fe0c938f7244

SHA512
b7f4a7bddb226066f7edf23dfb9bee658c30ae03dfe727ec739f51fd98c63831f732343c14a6ca080f31baed38bf9064cdd57c9d1daaf4c42c029fe83d846dc0

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\hydra-1.1.0-full.nupkg

Filesize
128.6MB

MD5
f68a126e9c00c1e8e8236d3bacaab94b

SHA1
6fc114a0c9d82b0f66b4d582e0e848bcce614622

SHA256
64313254f63ec3fe14a808efbc10b01dc21b18297c2fcf32fb041a7c66b9c25d

SHA512
65135dd0663481dd99c86f190faca8694f4ad6a0b7236956db906da1cdf6a0dbcdefd367aa343039e07fade9db6319fc583667760274c169b80cb112ca89372d

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\setupIcon.ico

Filesize
11KB

MD5
2e4587a60d1bfe337eeb2601c49fb135

SHA1
145d5e3d2ad85a99449a966f7eb131b3c90af481

SHA256
c665ea7e7605a3e9af8be71e3e78c6da60bbafa058b707fd628ca0058e37999b

SHA512
e8b7c0bdd4d5d80479c40b77927982da874655e990ce2b5df1203a3c07817ead5fd178266f2e75d2837b4b6addafb3fb74de1be5ab7b49b0efee89aa289c547a

Download Submit
C:\Users\Admin\AppData\Local\Temp\475b6b89-67fa-446e-8368-2f08b4a91271.tmp.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1v0oj3iv.yzj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\hydra\Hydra.exe

Filesize
261KB

MD5
c29c528c1e3eafbe317a0b390ae9cb90

SHA1
1b98d7b425d335ddd34d6cc612c4768894c345fe

SHA256
37c8d1d2853655c3ea13994199e9bb2b0c030b7d751c5081851373c8857b8e79

SHA512
4e038d113041715f4dca360503611a35a8651cd8fd3e730ea51b12206677d4aeb786244e82a7d4ad76de5bba846ecf130283068ea6e859af73c4de93c19be4d7

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe

Filesize
168.1MB

MD5
65a18f0a84d1b7ab328cd0e7cbb66f34

SHA1
63fa0956f29fb9e9a62e5858714bd70ad804ab12

SHA256
a33b51554f43b3704d8ce4104bb47849eaedcb12fc1836a423a7a7a84de8c600

SHA512
6925551a0b6c59ca4db1c18f3361217d91fe9a0ac4324fdf62c68dc35c5b95bb4a7de044c9ef4c0c2a17687431f5471340841fd5b6f6904efc8280c7e2d86ee6

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\chrome_100_percent.pak

Filesize
150KB

MD5
b1bccf31fa5710207026d373edd96161

SHA1
ae7bb0c083aea838df1d78d61b54fb76c9a1182e

SHA256
49aff5690cb9b0f54f831351aa0f64416ba180a0c4891a859fa7294e81e9c8e3

SHA512
134a13ad86f8bd20a1d2350236269fd39c306389a600556a82025d5e0d5adaab0709d59e9b7ee96e8e2d25b6df49fefea27cdccefe5fba9687abf92a9a941d91

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\chrome_200_percent.pak

Filesize
229KB

MD5
e02160c24b8077b36ff06dc05a9df057

SHA1
fc722e071ce9caf52ad9a463c90fc2319aa6c790

SHA256
4d5b51f720f7d3146e131c54a6f75e4e826c61b2ff15c8955f6d6dd15bedf106

SHA512
1bf873b89b571974537b685cdb739f8ed148f710f6f24f0f362f8b6bb605996fcfec1501411f2cb2df374d5fdaf6e2daaada8cea68051e3c10a67030ea25929e

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\d3dcompiler_47.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\ffmpeg.dll

Filesize
2.7MB

MD5
855d27d5735c1afd26ff53a7f1bb93eb

SHA1
fc4d2c2f13022bedbdee3eb073961587360bb6ca

SHA256
a32800cbf98c84f2da9dcfea2fe8bdcfaaeef07c4eb81469945a992f83bb339c

SHA512
d6df90c3dc66f9dc9d8f7549d8385c0853a398b6dde5fecfbeb2396725f4c4aab50021b39fdb09ab6f553483e9a2bc985a3d4cce33de4c3f3958a86430cccb69

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\icudtl.dat

Filesize
10.2MB

MD5
74bded81ce10a426df54da39cfa132ff

SHA1
eb26bcc7d24be42bd8cfbded53bd62d605989bbf

SHA256
7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9

SHA512
bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\libEGL.dll

Filesize
468KB

MD5
5667c348e845c446fb56d7f9d4f11019

SHA1
f02f09799a54ec90371370deac68d36499be45dc

SHA256
72126255176dca2000061657efa0a8e91a9658d1724769b9260093116e131c33

SHA512
daf716e9af5976772e0bf7f33bcbcf347f64de8fc9787f568c1478a464d9f4603f92f3e41242782b07cb5503fffd78bc2e25f040cb932a52614e46a8e92bd2f6

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\libGLESv2.dll

Filesize
7.3MB

MD5
eaedf6de749ef1230197ce1ac0455f0e

SHA1
ba737231f09676278cdeb7840aab1df1ea76c57b

SHA256
8dae6f25ad4fcbbb7eb617ac02fac48c7f0bea7f75c630ea02882cf4fb469a25

SHA512
3417438c516a51e1e04a82c4f145d881c2f2dfb90428656c9aaea80b3b46fa3e4c536b320bc6b137186e200603a4aaa250bd21e0f117b3a02f224cbf20d3a2cc

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\locales\en-US.pak

Filesize
440KB

MD5
8f164155d22029535cd60f47966a89af

SHA1
19733935efe68f7ff3e2a84d28317e0391eb824b

SHA256
20be1732675fedf380010b09936ed65c71bb761d0a05732215ef0795b5aba606

SHA512
4582715817bb9c99d875aa89b1efbd0f70b63dcd37dbfc64e3078d1d4d7ad4ae8fac5a703afe1fc65b9af2f5c0fe8d3e293e2f0530106a6974b38b4cebca9db0

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\resources.pak

Filesize
5.0MB

MD5
8b4ae918802e54e58cad58b37cc9085c

SHA1
99ba711d34401ae0205ab86aeb7fccf52b576168

SHA256
51eef9af8b1d4cf7c9e4ecfb78b6954ba179e2298b1f134ffdcb4b9eab1bd8e6

SHA512
fe068c1e1b4929a0e85ec5bcf925f75d5a80d892fe45a1c948c39d433aec0674cdb55809c2659aabd9a969aa61387c8a5796d226116ed75c7a4d05b5c09fc785

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\resources\app.asar

Filesize
11.0MB

MD5
ac9806525d2615d75a015a555d26f0c2

SHA1
88d66a4fdaf87eaa9a6f3c632e795c67b377ee59

SHA256
a9bf0998bfda78da9f1426ef98c1f61d63fd073be7e29269a3ae18a8ae0ee85e

SHA512
33c060955144905ee67f884df49ed99ca5f051b6607c9ce6a4ae35eacebb90081ee9cc7055f3bc6fc583a84c27f7a00a5e628904fc167b82bb5cfd984d5fc303

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\resources\hydra.db

Filesize
48.0MB

MD5
5ea8df2f2999e675faf22fdb2c8c5d72

SHA1
40f5579bdb8031066506c6468938f805adae30f0

SHA256
ec3d9a0bfcb8b704ca68a28585c7620766f93e3e4702673eb0ab866f35474233

SHA512
fe2a79c0d6afcca49bdf115d6d46f8676c7cb75df4168856fc58738038f1f100e9b09c28ffb66da18d116e9c1e87280d9f976eb5e7f820ed28b5e176c8bda71f

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\squirrel.exe

Filesize
1.8MB

MD5
ff4f902f07f0d3ce4768ec7c5d79f204

SHA1
c3dbb5119263d332a575105a4aa2e91b136612c1

SHA256
0a8a6015b64e956211bd8e70eab23801801358c77d606ef4517eb871d5c8fae8

SHA512
f11a5f60b0d9944e19b98aed6c72b2a4f33660dbb1ccfaa293189b56d6e497207d084bf63e2ae1636c3d4f25077cddfe881c34a625fedc127567fdefae84793a

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\v8_context_snapshot.bin

Filesize
663KB

MD5
796517f2fa15adf83ee3be8e7d647a73

SHA1
4287c74c8a765286350dc5322eb79dcdc3f2fd06

SHA256
68effe7d9398b4e81b829fe65c4c68c4cbb9b42a4bb146df826fbf808926f675

SHA512
7c24fb1c249d7355f0b2576e14fa802acca11333ee23ec59503ae611292de63c217343af77c49ca10ed6e9bcd792810a1f1b2abc50784572902ec87ea7203f03

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\vk_swiftshader.dll

Filesize
5.1MB

MD5
a209cc01921c3cceebf40fd2ca3aa1eb

SHA1
7c6a483cd79642fc76ecd695f2bcbcd32034f11d

SHA256
d60bf3062d47378d169aea2f7e6666a099d116e55305ae4f3a494f969b7d3d4b

SHA512
276e8856ad362a6836c021f712df9668c1b0eaeb0ed4ba003b5aab5c37cb7427f6cbdcb51fbe657eeb3af276839a3f622a6499dc8b3a62cde82890eefca5e300

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Crashpad\settings.dat

Filesize
40B

MD5
3cabc85c82486a54d94d7ee26ccdab4a

SHA1
a2f5da6afffefbc972fed2f8adce6dff544f0f10

SHA256
7f66e19af922c9325d2df3bb62732450e1cfcdcc4a50a99be655c764a43436b1

SHA512
05253e3470829e90b308194e669d0c6047ade76c88b4cffd8a278e2d107d1ef78bdc810111bb2851cf3e60f1e47f61242689e3cf4a870cc49291a0ebc7bc41ad

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Local State

Filesize
434B

MD5
718822d250bc52dfd256247bd0195c42

SHA1
2f142ce233ae25f0df20f797d7208eb420ac1d49

SHA256
7153a945986dd31b58a0482dc9d351df4611bacae517461234cd374b2940c390

SHA512
eb9a59d41049bd31f17ef54ffe007cfb66c4230e83c2efccd39cc71d36d5992b8f98dd4adc15d1c34d8b7f6ee98cd093c0762368c7ad99b4072e351e3712679d

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Local Storage\leveldb\LOG

Filesize
241B

MD5
48e7b7567198e157dbc476fe0fb0de44

SHA1
054fd5f06bd5a52e7bcfb020e2044c97f5156a4b

SHA256
c89ecf7f946447f25b2c9782e09d019bfaeb06b482a9af916b0d5efe7d37837c

SHA512
58f5347aec664dd54a55d8c4d1d733b1c289b07652131a0be24aa8dc66f448e57f6f6f025bd0affa23cdb133d6fa496819b66416031523f071dcc31fd2b06b8f

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Network\Network Persistent State

Filesize
777B

MD5
a37c4b6313f7ef1b6502662cfa5b2dcd

SHA1
aa3dff6719a4c48514d7163165b225e92c953bfa

SHA256
67eba9f371e4d875c94803ffcea16a58faf4b9e8dfb219052fe2aaed5e240252

SHA512
31c36d657c4f4baf12c017d9c229bf22eaf18ba367c86a1371327716156c92ebbed34863a32f5ab02e6215353121e3f9e4f286f92248ca88d12a1e02609b44a8

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Network\Network Persistent State~RFe5962c7.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Network\TransportSecurity

Filesize
356B

MD5
5c2f4bbff2ea3dd161b7ec02eb9365d8

SHA1
718abfa951c98f8f2caebc5dce4d0a94ec0e5db6

SHA256
41bc596d72c0e203deeaf169aabeea9144ac41f11a2a10c71cc74218c5f081ac

SHA512
14411754563da4ad50e9e26c49898a7fe6f56a94c51c832f9e4170141144dcd8f093ae9f0a08cf9d01a3897db1b6a14bc8928296d1d2b19e36fb95619c637ed3

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Network\TransportSecurity~RFe590a47.TMP

Filesize
356B

MD5
de437a3854cb072352d9790c5c0bce92

SHA1
3d9e102ad36c27971b883235b92496502921e44a

SHA256
b4290415d407d1169185a7f8669485a8085470f20fbf0d7adde91649d3fee322

SHA512
0e28cfce7de7c574d4b734ad91b4b86e9d67dc5b2cb422678f8b7e21d111bb18e25e35649bcb6b967b649a60ffda2544c4ba360f1e7c9b9309256310fc74483a

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\sentry\scope_v3.json

Filesize
15KB

MD5
4856161a696158b8f8ab8a1af3c112ac

SHA1
0524da4b11bc5d5f20b56d93cc8c320ba1a35cae

SHA256
c4c2c13b9457d9b1b4e31eaec2f3bcde15cb32f26df6ee7fb6f754a13f93a4c4

SHA512
5caccb59fc9f1a6abcca516eacd51cb04cdd18bbe234ac7109e396947c27d8f34239972ec3fc53016f99259bb0298a1d5f19751dba2b421ddde8f5c1e3311b32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/568-3558-0x00007FFA89220000-0x00007FFA892CE000-memory.dmp

Filesize
696KB

Download
memory/1188-1926-0x00000000006D0000-0x00000000008A8000-memory.dmp

Filesize
1.8MB

Download
memory/2324-1970-0x0000000000B70000-0x0000000000B90000-memory.dmp

Filesize
128KB

Download
memory/2588-1898-0x000000001FDC0000-0x000000001FDF8000-memory.dmp

Filesize
224KB

Download
memory/2588-8-0x0000000000720000-0x00000000008F6000-memory.dmp

Filesize
1.8MB

Download
memory/2588-1899-0x000000001FD80000-0x000000001FD8E000-memory.dmp

Filesize
56KB

Download
memory/2728-3177-0x0000028B1C430000-0x0000028B1C57F000-memory.dmp

Filesize
1.3MB

Download
memory/4736-2990-0x00000287F6500000-0x00000287F664F000-memory.dmp

Filesize
1.3MB

Download
memory/4736-2984-0x00000287F67A0000-0x00000287F67C4000-memory.dmp

Filesize
144KB

Download
memory/4736-2983-0x00000287F67A0000-0x00000287F67CA000-memory.dmp

Filesize
168KB

Download
memory/4736-2981-0x00000287F64D0000-0x00000287F64F2000-memory.dmp

Filesize
136KB

Download
memory/4880-2397-0x00007FFA888A0000-0x00007FFA888A1000-memory.dmp

Filesize
4KB

Download
memory/4880-2398-0x00007FFA873D0000-0x00007FFA873D1000-memory.dmp

Filesize
4KB

Download
memory/4992-3244-0x0000022175A30000-0x0000022175B7F000-memory.dmp

Filesize
1.3MB

Download