File name: HYDRA_1.6A_PRO.7z

Full analysis: https://app.any.run/tasks/cf3dac80-bf6c-48bd-9f99-6687e3f52743
Verdict: Malicious activity
Analysis date: March 24, 2025, 23:04:11
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
winring0x64-sys
vuln-driver
arch-exec
arch-doc
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 6D47A14B502E9960EEDA11FF5DF353F0
SHA1: 67EA63E09CE107188046D4C05E58540DF50CE3AA
SHA256: 93D658F8A71BFC7E0F550D333856098D879FD46806F7D129177D07A0AB5C8939
SSDEEP: 98304:3L86LrScbzPLAjqgPc6fQFXB3NTopjETVxsUmz/31qYfv1k2CzpL3lcV8c1LII0f:r2ILBK1ONqBUFBF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Vulnerable driver has been detected

      • WinRAR.exe (PID: 7720)
  • SUSPICIOUS

    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 7720)
      • HYDRA.exe (PID: 7352)
    • Executes as Windows Service

      • WmiApSrv.exe (PID: 7048)
    • The process checks if it is being run in the virtual environment

      • HYDRA.exe (PID: 7352)
    • Creates files in the driver directory

      • HYDRA.exe (PID: 7352)
    • Starts CMD.EXE for commands execution

      • HYDRA.exe (PID: 7352)
    • Executable content was dropped or overwritten

      • HYDRA.exe (PID: 7352)
    • Uses powercfg.exe to modify the power settings

      • HYDRA.exe (PID: 7352)
  • INFO

    • Reads the time zone

      • HYDRA.exe (PID: 7352)
    • The sample compiled with Japanese language support

      • WinRAR.exe (PID: 7720)
    • Manual execution by a user

      • HYDRA.exe (PID: 7352)
      • HYDRA.exe (PID: 1616)
      • HYDRA.exe (PID: 4812)
      • HYDRA.exe (PID: 7708)
      • HYDRA.exe (PID: 8024)
      • HYDRA.exe (PID: 7912)
      • HYDRA.exe (PID: 8136)
      • HYDRA.exe (PID: 8084)
      • HYDRA.exe (PID: 5756)
      • HYDRA.exe (PID: 632)
      • HYDRA.exe (PID: 7452)
      • HYDRA.exe (PID: 6808)
      • HYDRA.exe (PID: 7316)
      • HYDRA.exe (PID: 7528)
      • HYDRA.exe (PID: 2564)
    • Checks supported languages

      • HYDRA.exe (PID: 7352)
      • HYDRA.exe (PID: 7912)
      • HYDRA.exe (PID: 7708)
      • HYDRA.exe (PID: 8084)
      • HYDRA.exe (PID: 5756)
      • HYDRA.exe (PID: 7452)
    • The sample compiled with English language support

      • WinRAR.exe (PID: 7720)
    • Reads CPU info

      • HYDRA.exe (PID: 7352)
    • Reads the computer name

      • HYDRA.exe (PID: 7352)
      • HYDRA.exe (PID: 7708)
      • HYDRA.exe (PID: 7528)
      • HYDRA.exe (PID: 7912)
      • HYDRA.exe (PID: 5756)
    • Reads the machine GUID from the registry

      • HYDRA.exe (PID: 7352)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7720)
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2023:09:23 15:25:43+00:00
ArchivedFileName: HYDRA 1.6A PRO
No data.
All screenshots are available in the full report
Total processes
196
Monitored processes
60
Malicious processes
2
Suspicious processes
0

Behavior graph

start THREAT winrar.exe rundll32.exe no specs hydra.exe no specs hydra.exe cmd.exe no specs conhost.exe no specs lodctr.exe no specs wmiapsrv.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs hydra.exe no specs hydra.exe hydra.exe no specs hydra.exe hydra.exe no specs hydra.exe hydra.exe no specs hydra.exe hydra.exe hydra.exe no specs hydra.exe hydra.exe no specs hydra.exe slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
208
CMD:
"powercfg.exe" /setacvalueindex c206b735-d3a0-4474-9777-b69a09e63c7c 54533251-82be-4824-96c1-47b60b740d00 40fbefc7-2e9d-4d25-a185-0cfd8574bac6 0x00000000
Path:
C:\Windows\System32\powercfg.exe
Parent process:
HYDRA.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Power Settings Command-Line Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID:
632
CMD:
"C:\Users\admin\Desktop\HYDRA 1.6A PRO\HYDRA.exe"
Path:
C:\Users\admin\Desktop\HYDRA 1.6A PRO\HYDRA.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
HYDRA
Exit code:
3221226540
Version:
1.6.0.0
Modules
Images
c:\users\admin\desktop\hydra 1.6a pro\hydra.exe
c:\windows\system32\ntdll.dll
PID:
864
CMD:
"powercfg.exe" /l
Path:
C:\Windows\System32\powercfg.exe
Parent process:
HYDRA.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Power Settings Command-Line Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
PID:
1180
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powercfg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1568
CMD:
"powercfg.exe" /setacvalueindex c206b735-d3a0-4474-9777-b69a09e63c7c 54533251-82be-4824-96c1-47b60b740d00 3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb 0x00000000
Path:
C:\Windows\System32\powercfg.exe
Parent process:
HYDRA.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Power Settings Command-Line Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID:
1616
CMD:
"C:\Users\admin\Desktop\HYDRA 1.6A PRO\HYDRA.exe"
Path:
C:\Users\admin\Desktop\HYDRA 1.6A PRO\HYDRA.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
HYDRA
Exit code:
3221226540
Version:
1.6.0.0
Modules
Images
c:\users\admin\desktop\hydra 1.6a pro\hydra.exe
c:\windows\system32\ntdll.dll
PID:
1628
CMD:
"powercfg.exe" /restoredefaultschemes
Path:
C:\Windows\System32\powercfg.exe
Parent process:
HYDRA.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Power Settings Command-Line Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID:
1912
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powercfg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2236
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powercfg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2564
CMD:
"C:\Users\admin\Desktop\HYDRA 1.6A PRO\HYDRA.exe"
Path:
C:\Users\admin\Desktop\HYDRA 1.6A PRO\HYDRA.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
HYDRA
Exit code:
3221226540
Version:
1.6.0.0
Modules
Images
c:\users\admin\desktop\hydra 1.6a pro\hydra.exe
c:\windows\system32\ntdll.dll
Total events
6 983
Read events
6 615
Write events
199
Delete events
169

Modification events

(PID) Process: (7720) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value:
C:\Users\admin\Desktop\preferences.zip

(PID) Process: (7720) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value:
C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (7720) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (7720) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\AppData\Local\Temp\HYDRA_1.6A_PRO.7z

(PID) Process: (7720) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120

(PID) Process: (7720) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80

(PID) Process: (7720) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120

(PID) Process: (7720) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value:
100

(PID) Process: (7528) lodctr.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\usbhub\Performance
Operation: write
Name: Last Counter
Value:
2266

(PID) Process: (7528) lodctr.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\usbhub\Performance
Operation: write
Name: Last Help
Value:
2267
Executable files
42
Suspicious files
3
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7720  Process: WinRAR.exe  Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7720.28173\HYDRA 1.6A PRO\Bunifu.UI.WinForms.BunifuButton.dll
MD5: 7E751AE1A357A30E3AA5153352EBCAFD
SHA256: ADFE00B9B70403C2C908D55058D63F9E151322E1CBD8BD3B854C25659CFE46CF

PID: 7720  Process: WinRAR.exe  Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7720.28173\HYDRA 1.6A PRO\Bunifu.UI.WinForms.BunifuCircleProgress.dll
MD5: 69BECCB5C9E400CA1434932D094D137A
SHA256: 1351825949D8D0AA65AF08D527214C4C316BBEB9B87027DBB965F7C8D07C3FE8

PID: 7720  Process: WinRAR.exe  Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7720.28173\HYDRA 1.6A PRO\AdlTune.dll
MD5: 886BA5044E7FDE070981A33AF6EB637D
SHA256: C01E542AFB95E999B309AD1B8B0324D2F2A1462D6049154C6747F9270998BC24

PID: 7720  Process: WinRAR.exe  Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7720.28173\HYDRA 1.6A PRO\amdvbflash\AMDVBFlashDriverInstaller.exe
MD5: 98D09E802EE2130801160A3F395B5774
SHA256: A509DDBFA8E02213A3C81918BAAF020A0E2E56DF9814102C191F7DD6EAA77A78

PID: 7720  Process: WinRAR.exe  Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7720.28173\HYDRA 1.6A PRO\amdvbflash\amdvbflash.exe
MD5: 313ED2279DF1AF019A0CCD06B4507277
SHA256: CB04893E48312E2AA23436D21DD3CAACF8FEC2339373EEF3F3875B7C359B1A3C

PID: 7720  Process: WinRAR.exe  Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7720.28173\HYDRA 1.6A PRO\Bunifu.UI.WinForms.BunifuDropdown.dll
MD5: C715CBDEE4B7E42294BEA2A949626D41
SHA256: 41199AFA13D2967121028FBEA947397EB86505DD3C42E4BBFB002FAB04FE46A6

PID: 7720  Process: WinRAR.exe  Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7720.28173\HYDRA 1.6A PRO\Bunifu.UI.WinForms.BunifuDataGridView.dll
MD5: C895E9BAD25D4A9D97EC1DB436F7071E
SHA256: 5CE993B88CB8C5B5FA453F4CFA237EDF298F5E15CDE42D6895664FC1ED6E3D37

PID: 7720  Process: WinRAR.exe  Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7720.28173\HYDRA 1.6A PRO\Bunifu.Licensing.dll
MD5: 2B2740E0C34A46DE31CF9DA8A75D77CF
SHA256: A9BE91CAE167702885A5CA74273DB779E3E391E2E604CC03779ED403C53EBE43

PID: 7720  Process: WinRAR.exe  Type: pdf
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7720.28173\HYDRA 1.6A PRO\amdvbflash\AMDVBFLASH_User_Guide_NDA.pdf
MD5: F4A483489567D6B10B6A2A884205DA5D
SHA256: A2463E61CE763447111A7EF97C6ED424E1921C5CA4F75F827E078238F23FAB93

PID: 7720  Process: WinRAR.exe  Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7720.28173\HYDRA 1.6A PRO\amdvbflash\Changelog.txt
MD5: E55A0130C287F8ACAAA432B787A4C8BB
SHA256: 1CBE1AD43C3ABB2475FF9B237A3CB67827A268DDD6D37A854AD90BC80095FB0A
HTTP(S) requests
5
TCP/UDP connections
23
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7868
backgroundTaskHost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4400
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4400
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4024
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
40.126.31.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
7868
backgroundTaskHost.exe
20.223.35.26:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 23.48.23.143
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
login.live.com
  • 40.126.31.2
  • 40.126.31.0
  • 20.190.159.131
  • 20.190.159.73
  • 20.190.159.68
  • 20.190.159.64
  • 20.190.159.0
  • 20.190.159.130
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

No threats detected
No debug info