hydracrypt | 51b3773145652b5d559396a08e1282a3a1d92d4df473f774d61791386fca0598

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Size

164KB
MD5

08b304d01220f9de63244b4666621bba
SHA1

b7f9dd8ee3434b35fbb3395f69ff43fd5112a0c6
SHA256

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e
SHA512

162cc0fb48615c67ce6e104ca462c41aba79bad0d5409e837b300cffc34a1c9bed63f603eee7091b93edfcd772d8ab1e180fcb3aae6b07fe24413b8505815ae9
SSDEEP

3072:fHynAdzu0t5GtE13lkAB9z3KJZ3fCI1AjZ7yXgpiqQp:fHKautY3TzaJZarjZeXgpn

Score

10^/10

hydracrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Signatures

HydraCrypt
Relatively unsophisticated ransomware family based on leaked CrypBoss source code.
ransomware hydracrypt
Hydracrypt family
hydracrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (904) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Drops startup file 3 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypttmp_ID_5d76c7f9	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypt_ID_5d76c7f9	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Internet Explorer Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe\""	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeSettingsStart3264 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeSetings3264\\kuxowuri.exe\""	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	ioc	process
File opened (read-only)	\??\N:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\M:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\B:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\A:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\X:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\S:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\P:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\G:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\Z:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\R:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\Q:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\J:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\I:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\E:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\W:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\U:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\T:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\O:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\L:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\K:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\H:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\Y:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\V:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	pid	process	target process
PID 1888 set thread context of 2880	1888	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2756 2880 WerFault.exe afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

pid	pid_target	process	target process
2756	2880	WerFault.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

net.execmd.exeWMIC.execmd.exenet1.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exeafd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.execmd.execmd.execmd.exeafd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

pid	process
1888	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
1888	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	5068	WMIC.exe
Token: SeSecurityPrivilege	5068	WMIC.exe
Token: SeTakeOwnershipPrivilege	5068	WMIC.exe
Token: SeLoadDriverPrivilege	5068	WMIC.exe
Token: SeSystemProfilePrivilege	5068	WMIC.exe
Token: SeSystemtimePrivilege	5068	WMIC.exe
Token: SeProfSingleProcessPrivilege	5068	WMIC.exe
Token: SeIncBasePriorityPrivilege	5068	WMIC.exe
Token: SeCreatePagefilePrivilege	5068	WMIC.exe
Token: SeBackupPrivilege	5068	WMIC.exe
Token: SeRestorePrivilege	5068	WMIC.exe
Token: SeShutdownPrivilege	5068	WMIC.exe
Token: SeDebugPrivilege	5068	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5068	WMIC.exe
Token: SeRemoteShutdownPrivilege	5068	WMIC.exe
Token: SeUndockPrivilege	5068	WMIC.exe
Token: SeManageVolumePrivilege	5068	WMIC.exe
Token: 33	5068	WMIC.exe
Token: 34	5068	WMIC.exe
Token: 35	5068	WMIC.exe
Token: 36	5068	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5068	WMIC.exe
Token: SeSecurityPrivilege	5068	WMIC.exe
Token: SeTakeOwnershipPrivilege	5068	WMIC.exe
Token: SeLoadDriverPrivilege	5068	WMIC.exe
Token: SeSystemProfilePrivilege	5068	WMIC.exe
Token: SeSystemtimePrivilege	5068	WMIC.exe
Token: SeProfSingleProcessPrivilege	5068	WMIC.exe
Token: SeIncBasePriorityPrivilege	5068	WMIC.exe
Token: SeCreatePagefilePrivilege	5068	WMIC.exe
Token: SeBackupPrivilege	5068	WMIC.exe
Token: SeRestorePrivilege	5068	WMIC.exe
Token: SeShutdownPrivilege	5068	WMIC.exe
Token: SeDebugPrivilege	5068	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5068	WMIC.exe
Token: SeRemoteShutdownPrivilege	5068	WMIC.exe
Token: SeUndockPrivilege	5068	WMIC.exe
Token: SeManageVolumePrivilege	5068	WMIC.exe
Token: 33	5068	WMIC.exe
Token: 34	5068	WMIC.exe
Token: 35	5068	WMIC.exe
Token: 36	5068	WMIC.exe
Token: SeBackupPrivilege	220	vssvc.exe
Token: SeRestorePrivilege	220	vssvc.exe
Token: SeAuditPrivilege	220	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

pid	process
1888	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
1888	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exeafd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.execmd.exenet.execmd.exe

description	pid	process	target process
PID 1888 wrote to memory of 2880	1888	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1888 wrote to memory of 2880	1888	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1888 wrote to memory of 2880	1888	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1888 wrote to memory of 2880	1888	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1888 wrote to memory of 2880	1888	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1888 wrote to memory of 2880	1888	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1888 wrote to memory of 2880	1888	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1888 wrote to memory of 2880	1888	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1888 wrote to memory of 2880	1888	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1888 wrote to memory of 2880	1888	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1888 wrote to memory of 2880	1888	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1888 wrote to memory of 2880	1888	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1888 wrote to memory of 2880	1888	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2880 wrote to memory of 3952	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 3952	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 3952	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 4072	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 4072	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 4072	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 2004	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 2004	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 2004	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 4524	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 4524	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 4524	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 3952 wrote to memory of 1076	3952	cmd.exe	net.exe
PID 3952 wrote to memory of 1076	3952	cmd.exe	net.exe
PID 3952 wrote to memory of 1076	3952	cmd.exe	net.exe
PID 2880 wrote to memory of 4448	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 4448	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 4448	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 232	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 232	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 232	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1076 wrote to memory of 1108	1076	net.exe	net1.exe
PID 1076 wrote to memory of 1108	1076	net.exe	net1.exe
PID 1076 wrote to memory of 1108	1076	net.exe	net1.exe
PID 2880 wrote to memory of 1324	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 1324	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 1324	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 4592	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 4592	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 4592	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 904	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 904	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 904	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 1536	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 1536	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 1536	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 4808	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 4808	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 4808	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 4636	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 4636	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 4636	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 4880	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 4880	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 4880	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2004 wrote to memory of 5068	2004	cmd.exe	WMIC.exe
PID 2004 wrote to memory of 5068	2004	cmd.exe	WMIC.exe
PID 2004 wrote to memory of 5068	2004	cmd.exe	WMIC.exe
PID 2880 wrote to memory of 2196	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 2196	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2880 wrote to memory of 2196	2880	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
"C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
  C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C net stop vss
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Windows\SysWOW64\net.exe
      net stop vss
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1076
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop vss
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1108
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4072
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4524
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:232
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4592
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4808
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4636
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4880
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3636
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4496
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:992
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3088
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 1864
    3⤵
    - Program crash
    PID:2756

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2880 -ip 2880
1⤵
PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.hydracrypttmp_ID_5d76c7f9

Filesize
126KB

MD5
2b079c3b0c31f2f1fe6ac1abbed2eda9

SHA1
17b633fbbbafb6baa416dd5c217c55ed78daa5cc

SHA256
7d53218b8e9e636979d6de9806c00ebe4970945117d422b36211f682f23d1f9b

SHA512
87ab058470b7a2c28f5f5236330308a532e2f67bd07ebc6aac035056b124553e2c5f3aea86adb2a751263342690bf143a37ddf2ee4f0450bd491022b0f687ecf

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.hydracrypttmp_ID_5d76c7f9

Filesize
28KB

MD5
219d237869ffcb2bfed9c1060d065315

SHA1
88f15f333af7b6faa51f47eccde51e94ace866c8

SHA256
284259f63c228e599d2ef0e2dd398adbd04d7bafd21a9968b34f9e793132dd0b

SHA512
306ef07242987907db374a0f59c98b111c73c8bd5ea9180315e927a495093a8637dd1bc18f93549819447a112915244c5820f6202af6a53b45c432f424831716

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml.hydracrypttmp_ID_5d76c7f9

Filesize
1KB

MD5
446fc80c5bfa2e75498c2f802d3c5c78

SHA1
1bb2701a13f34203c7fe95504030a78d3ec242e0

SHA256
64633009c64e4e1993165f91c8ce3c81cc871481426e7de98dfb2844fb55b224

SHA512
8bc53c2f41637483b1f7fa77d462e83dbddb7a07c0aa5493784874bb2d85d1c5a12a90ee7a82827c0c30ae44144909fafd59be56e3d5077d86e9f037031cc6fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml.hydracrypttmp_ID_5d76c7f9

Filesize
332KB

MD5
390fe9f54be179df192514d93a5c96e7

SHA1
cfc55045ba2b8df58e2d96dc8d32e360ceff0eb2

SHA256
6d409123587356493fe4038ae287b680c947365b0ebe15be9083f9027e583df3

SHA512
6b2c87d00d0dbdbc5d075dce2db9c19964301a7df18194b1b33a17ea9067c377fe70d1e43f24706677de32d646f27adb8185f3b9fdfe5a3375f40763e5688fe3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db.hydracrypttmp_ID_5d76c7f9

Filesize
24KB

MD5
0c29d682291c66016499cc5be4fd1df2

SHA1
0d753618297375fc5997b91c28362ffec71f977a

SHA256
6baa96d33ae833f889408ad7b18056db668f6f9ca0c0d61eda2dcc1c19d84c72

SHA512
aab9006459951d8c0100f7359ec658f244ca15fefe75c5cdebd87b63803bed81971fecafe7e1a98984d04d478c3a2bb8405bfb1a584a128696d3a156f11811a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini.hydracrypttmp_ID_5d76c7f9

Filesize
174B

MD5
d61643f602f5936e3408aac977f15a72

SHA1
3572f7c8c7c426e8a510afcdf376f4ab1b1979c2

SHA256
551e94a75cbe0f9d3add04cebbc75b3ef94bf9de2ef6d46c34ae3d5308535d87

SHA512
d54a35f13ecfe0b74c1ae04f374dc1834d3bd804154b07bf6cf76d5712f27489f176f192182dc215a1ebe8e0f09a05d1dc307e69ad3e56e5162eb37048eab433

Download Submit
C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat.hydracrypttmp_ID_5d76c7f9

Filesize
8KB

MD5
c0bb9beffca62ae42af10ff47aa1bb3a

SHA1
f890c1bea7a228cdd362ccde438b54b2fc188f96

SHA256
89d0bc5fab2dc4ee6cdbc144d7574f43691e2ce28976a0e4eb4a72f7bd56d268

SHA512
ed5d58b9e812fa835b46860e6cede8532564ccd21cffffccdd78d10906a1cf92967ac373b063be8edb83d81b2275528c07c60b88780daa59dd78ef79c092ed5d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.hydracrypt_ID_5d76c7f9

Filesize
8KB

MD5
25b2b6baa5d6358ffe766117bfd73fac

SHA1
be407d1a0e5bfeec8813fbbfa278c10015758440

SHA256
e7c252b59d67a79ec43927e1d7459d906fa63f7cb80816b4808881a296fb7a23

SHA512
7db32da13a2a5ba32b5afdae21f29c1d21c28b5014f208131cb97874e345348c2995d38603a3e75407fbbf96c73f50812e46640bab908709501e7839810b2023

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{68f64396-d409-40fb-b49c-188b7cbd08a4}\0.1.filtertrie.intermediate.txt.hydracrypttmp_ID_5d76c7f9

Filesize
5B

MD5
43f303c037f429d24ccafb5bccae3870

SHA1
8c25d9291b56c37636733f50513411d854b25e22

SHA256
2b411055e8f355a5aeda051a6191dc8da2525b67f6c52786f439c17fdfd315a5

SHA512
86db4f4f709a4ae1ac4ea3af380a5a953dc8349be72b42cc7914c2937910e803131f048c79b3747c2b0e85f45e774bb11645e435b14d0cd8d91900947e70f902

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{68f64396-d409-40fb-b49c-188b7cbd08a4}\0.2.filtertrie.intermediate.txt.hydracrypttmp_ID_5d76c7f9

Filesize
5B

MD5
1ddf5e4e204c6afb513eab9c8cce1284

SHA1
c63fa45f280e3b3fdc2d366bb26c99c47b6da00b

SHA256
b58d3b5c33fb174157b3cdb5eed3dbe7d4d8a93e86550f663c72b8eabeba5e36

SHA512
30f250d53f61af1605d63433f0d302d817a4750c15a2c03bfaefd9c8e85cd666f35cb88d9ae2ea7366f87fff495ee1ba5ba78c3c63c8fb8eb99b668e56498012

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656120098725.txt.hydracrypttmp_ID_5d76c7f9

Filesize
77KB

MD5
13dfea31c27d4f4d7783e4419aa6525b

SHA1
917f2113c642921983da847b170d43f60de3832e

SHA256
b852348092e0974aacfdf60d098c923991a0dc77f230b25bdb663cf330163246

SHA512
a4ca35757d8e2a0d39605e2793b0419d08c55fe5c077ad0fb3a70b8dfe0c403cbaf438315617a168a6e5d7d9f9533f75c9ccd009c08aec3193304305a31d72f1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656590293648.txt.hydracrypttmp_ID_5d76c7f9

Filesize
47KB

MD5
6e68c7b56b6c37232346a391bde6ab45

SHA1
c3396a8c1943ca0cf6311fea24beeb783c728088

SHA256
4d6028b59a37806cba25769fe7ac38e2c69ae7934f190d948ae59ef06674ae6e

SHA512
b9dafbed585ac6de85023e6ffcfad2cc20f3e96c2cab4d433fa076c0df9a6ac91daf83aee47edac734b291dfcaa3757f655c6214d377195e0e12db83f2cb6487

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663328721506.txt.hydracrypttmp_ID_5d76c7f9

Filesize
63KB

MD5
0f3980f2084e4670fb1d37351e08c979

SHA1
66f532f47247a3668414de9b132f66c62dda168e

SHA256
d4145158b063977066854b576a6000bf424468add2cb138c87461f1380706d60

SHA512
b97b8569052f30fa9966d8abaf6c4dc16bce82712284312f7fb24259bb66959f34969e6b9189fce591dbe8a9455eff9d25760e4fb0731996e9ae83b25a73f6fe

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727666039184869.txt.hydracrypttmp_ID_5d76c7f9

Filesize
74KB

MD5
831d4e6ab3e45ad18e88e8c733a0cf78

SHA1
fa1e72dac5974cc3a3404c865012605c4c0b5930

SHA256
f16af7166e80cc6352fb27194b0910082fa6d89afaff67bc25602b69f97c2377

SHA512
118690521ae1379939e1ba2d4b20c837873aead3d405ec4237a7dafa73edf77d01eef31c9b782d1808fbcdd3fab428e3fce82f10c3d9ca0173738a760370ca83

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20241007_091203424.html.hydracrypttmp_ID_5d76c7f9

Filesize
93KB

MD5
028fc47a806de44675ab0344ba0180b4

SHA1
67ad18cf64aad8bc2a31c0e3420c875cc7a5ddf6

SHA256
cd3a7f06855cf7427c00cd74f48f2e540a74ad59d4812b59bb08199ffb1316ca

SHA512
081d5d3dca8f0ff6f7dceedfc0aac4a3554c35cf0b8092bc6e0571e973de7fbf3f71bdb2b08f7b9de2cc8ef6f724598fb508c9b31e95909762eaae7c230ced02

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct5658.tmp.hydracrypttmp_ID_5d76c7f9

Filesize
63KB

MD5
b9f6302929b979057745d85f3108f0db

SHA1
4ad11c9e6391ee9e012a048d68a39b746a78d686

SHA256
d10faecb7f20c2462ae401656463fa551bccdd4cc81225e94af415a1d88c3597

SHA512
6ad26ec8207957de951f024648e8da38706734729e50b8a97f5effc2021eb2bd077cb09db851264a91cc0784a8e0e1bcad5cca3f32fe3e77bfa7dcd4450a2f1c

Download Submit
C:\Users\Admin\AppData\Roaming\1$FUWW$FFHEX.dat

Filesize
1KB

MD5
1850f16ddb2bff1f0dca36a020fd4003

SHA1
d67cd20a27522c9286ab7ec190ab8562f76c7722

SHA256
8edb37954f4e54cff87056df57bbb04f1e27058a4110742a7a9fbd2909493d15

SHA512
ae75936064868aae961ba8ea7f21fb6395e98a2d38848fffbe871777720223b05f93bcbb1080eea65aa900e3cd9b6fb789d33f8357fef12c49d1050d06d7ec0c

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini.hydracrypttmp_ID_5d76c7f9

Filesize
170B

MD5
b100a69e8c1df633b4f7434f5451cbcd

SHA1
949357a5e15acffae591bbc72ca709f7d07ead63

SHA256
8e45e044052e8338de37e3c0888d8bc1f4cea43f9f04d8e8283bacaa7d96fd23

SHA512
cae8406cc9b3f23bb8738b66799ed95822e4666c0bafd968afdc1f2597b45e17576cec722be5746c2521fcea3f8008c78718179ba77fe2b4cfb9f1b46b910a37

Download Submit
C:\Users\Public\Videos\README_DECRYPT_HYDRA_ID_5d76c7f9.txt

Filesize
915B

MD5
b70a40693049202e0ee98bbc79d59493

SHA1
cd98e5d88e30ada70d853b36e894942faab5837c

SHA256
ebbd287de8f3e2f61ba1c41bec8545ad1c8544f865f4eb17b1e2059c8a7eb275

SHA512
abd3fe39f76ff4eacc182e7cdb3c906f97ace6d36a28bdc0e812edbe07ac2cc2253eed14c669a1952d531333b666b6b3b00a2fa14c011888d79143652044ee50

Download Submit
memory/1888-0-0x0000000002250000-0x0000000002255000-memory.dmp

Filesize
20KB

Download
memory/2880-783-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2880-778-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2880-3789-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2880-3-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2880-1-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2880-2233-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2880-5319-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2880-5322-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download