Analysis Overview
SHA256
1c2cd97c6e7826df5b0281dcf54a65068a9a1caf4224ebba739a86a54dc51665
Threat Level: Known bad
The file afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.zip was found to be: Known bad.
Malicious Activity Summary
HydraCrypt
Deletes shadow copies
Renames multiple (881) files with added filename extension
Reads user/profile data of web browsers
Drops startup file
Checks computer location settings
Adds Run key to start application
Drops desktop.ini file(s)
Enumerates connected drives
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
Uses Volume Shadow Copy service COM API
Suspicious use of SetWindowsHookEx
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-18 18:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-18 18:06
Reported
2024-04-18 18:09
Platform
win10v2004-20240412-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
HydraCrypt
Deletes shadow copies
Renames multiple (881) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypttmp_ID_c8524973 | C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypt_ID_c8524973 | C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Internet Explorer Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe\"" | C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeSettingsStart3264 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeSetings3264\\xamigufu.exe\"" | C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe | N/A |
Drops desktop.ini file(s)
Enumerates connected drives
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2976 set thread context of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe | C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
"C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe"
C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop vss
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All
C:\Windows\SysWOW64\net.exe
net stop vss
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vss
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1932 -ip 1932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 964
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.178.14:80 | google.com | tcp |
| US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drivers-softprotect.eu | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.221.208.4.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| GB | 142.250.178.14:80 | google.com | tcp |
| US | 8.8.8.8:53 | drivers-softprotect.eu | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
memory/2976-0-0x0000000000AA0000-0x0000000000AA5000-memory.dmp
memory/1932-1-0x0000000000400000-0x0000000000978000-memory.dmp
memory/1932-3-0x0000000000400000-0x0000000000978000-memory.dmp
memory/1932-4-0x0000000000400000-0x0000000000978000-memory.dmp
C:\Users\Admin\AppData\Roaming\1$FUWW$FFHEX.dat
| MD5 | 28ee0b2201a56ae7af09261af9b4015d |
| SHA1 | c5a2f438cbd15218a6cdada950398fcc4cbb4b38 |
| SHA256 | aa057b2017c778a64862d1a1f3dd5df5e7410110944d9ea56fb0e369c7c754c9 |
| SHA512 | a52246fd719f180124cf27fe568a32ab2ba202f02ea35e3e512b32ea9b056b344d6ef60799df932dd57d557cf21fc824d425a5f339a450d7b37c54a88a9f454c |
memory/1932-880-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml.hydracrypttmp_ID_c8524973
| MD5 | f05cbd3efd4b316a0e995bdef80eeda4 |
| SHA1 | afedbce4a36b8280990adf081a603d801dd75c97 |
| SHA256 | e0d3ddd609096d24619a16e5f5ec61f048f7e895b137cd5a8b15f8ff5c7be701 |
| SHA512 | ade9715d8c13a7ec57d9ebef57c75dc41d2519133f8b8106ce94301e62c248f4ebeb2b10c7bcab1139a7b4e09e32b1be3d32be40aaf8b511527447bccc43193a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini.hydracrypttmp_ID_c8524973
| MD5 | 5f8c50844437a569e8b8fb17805109bb |
| SHA1 | 24bfd97a4a90a71d0faca7227b962e531515c2f2 |
| SHA256 | 4c5521f642c88188c41bcaaef3b42a6d734575d15fb23c47b7b23fd436ab57c1 |
| SHA512 | d046a6d9e33d99b4a3adbfaaeb0bb4514969a4757a6ffd9b0bea44e2b3f6a001dfdc2d0fedc870a29098b54961711d199ffb44c05c3cb501c578c73a81b54f8f |
C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat.hydracrypttmp_ID_c8524973
| MD5 | 73c6d697d667a5bf2389bde1bb6d09eb |
| SHA1 | a56027221814ecbbb145a617c100851447ef8467 |
| SHA256 | 38c3bf84b5d5b04f33c0f5fb84e364ab25a6144c58fe76ebcd5baacdac1693be |
| SHA512 | 3c0b40ac3f7c0f68a5112fa79ee5641f26d3ebb038613d999be6eb8ccfcb5503ebc7a34e805fd49a30664e0211631cf860f9b222620a3f2b57ebba1a602ce07d |
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.hydracrypt_ID_c8524973
| MD5 | ab6a0998135dc7a797b87a62ab05c6e3 |
| SHA1 | a64976dddad4c42c26de94f4867cce0fdc434d3a |
| SHA256 | 0d8e270ae605d3902e280d79583831248a6ff0d8c85b63953225293fe1e6f1b6 |
| SHA512 | beb806b4627eb445f828d038dc8211649a37d97fdb4dcd099191528fdb0863b8dcbf67f8c3a899465969c0afc30f6f6863cb78f6076455a35f42fe5e96148a17 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{7c913f7c-d3d9-49c5-b502-f29fd5c7e740}\0.1.filtertrie.intermediate.txt.hydracrypttmp_ID_c8524973
| MD5 | ebfbaccc35658d101c169d6c9f899632 |
| SHA1 | ec849c1592625e3a618d63611cfe3a0f6cc64e54 |
| SHA256 | d0e1dac95565db670c4a58e489c5e67591bfe19dbb9d28d9998ac9bb77c0593b |
| SHA512 | 500fc189c631abe956cdb16daf399a9482fccfc8bdcdb134b5c9dea5cd535a02d817bb02d7cc23e53f8e4e4bd9b02088323737968e500d25aa7fef778603c253 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{7c913f7c-d3d9-49c5-b502-f29fd5c7e740}\0.2.filtertrie.intermediate.txt.hydracrypttmp_ID_c8524973
| MD5 | 1005f5ef023aac8928d8a596dd79cb73 |
| SHA1 | 705a8f2d59d6d788c83cf1f7c63899a3698147bf |
| SHA256 | 7e3bef4ebccee17fab77ccf3dae45bfed57d2ad710d2c8b67ab23567dab476d8 |
| SHA512 | e51d888738b5a566c928be4985065c8d7ec41d25c4709c7a83f1b99aa1b6fb2e041c4c3f1c8c101a4f5bde9af1cfea12711c3f7228e8b554d1828d2d017cdbde |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{d788b5ac-a173-4aea-af65-cc36d50361fe}\0.1.filtertrie.intermediate.txt.hydracrypt_ID_c8524973
| MD5 | ba9dd79c842f16688eca027f7bbaf027 |
| SHA1 | c6d8c5c8e4dd43f44241ff06c209f95308add823 |
| SHA256 | e11a3de8ae4963b4f1df7356a46bf6f94df85707b37eb3245d04666dad1360ff |
| SHA512 | 26d772e521a344950be6fb4bc43c8cc4ca0d290e75a376f60b6b5cc1dcbd5d0ade4b501416a0a77948dab05219ed60e8c8533bfac1a7356f6ffe0455d52ffed2 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{d788b5ac-a173-4aea-af65-cc36d50361fe}\0.2.filtertrie.intermediate.txt.hydracrypt_ID_c8524973
| MD5 | b8af3ed32e7e9032de598750af41796c |
| SHA1 | b0f8d8b40d774e453830691747c4639a523f6c0d |
| SHA256 | bbe4199d3fed65c2a31a53f7981108d43b01942448f3424322c2fa5ad7ea061c |
| SHA512 | 8ff6dfef75abefee61f41223b26ec0eea30adae70cf09dfeadd3e5a99a9275a74fa5bc5beb9d5e831e53675625ff8dd1c35abe7da0a54d36cbe6cd3ac233a7fb |
memory/1932-3390-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133573951893978108.txt.hydracrypttmp_ID_c8524973
| MD5 | a399007035615be310c56601c4b74aa2 |
| SHA1 | 729bb4da77ebf26625d5b7669ba11ad7a54e4322 |
| SHA256 | 35f653bb49ea758f5387bc7ffb35ba29eff437a7e9ad6fad609a164d3907bcf3 |
| SHA512 | d3553abe65ea177eebd3cd72bcf81c662521cdad220bb26b97dc546cca2e4e2aeda31a83c9ca8e6667c000240fec2510e70501006ee4ef211b781fb4825c291a |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133573952470598170.txt.hydracrypttmp_ID_c8524973
| MD5 | c84c032f5019aaeb0a13e848906bd66e |
| SHA1 | 444ecc11a507ca11cf1c5780a43f7c0d6b7ae99e |
| SHA256 | b1c87c5e3fa38261b81bfa6b7dcdc17e60e3a8adf282744ff9a42ba5eca5b391 |
| SHA512 | 996df60fe424d4b5d7ad027bfdd640c889e5b8cf6923565e982024dbb1aba55058bab4ba4972704a9db37140dce01b631f6731a108bddd7791cf2b1ef24a962e |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133573959125774669.txt.hydracrypttmp_ID_c8524973
| MD5 | 0d83f320511d8d3ae75b0b81ef8496a8 |
| SHA1 | f4f397f0c5cd377dd214626199e23cf8286c9c2c |
| SHA256 | e75a2e98b6ad26ab168ae4298ad5f72ced1d8493dc891218645ec87c2d94985d |
| SHA512 | fe3f6bc7877b994e57ff0c37b3e8887ea51221dcefcac6806f6914c1a3d3f229b338bf7dbbea3061893a1afaf635d151b2d61307c31b528c517889121d947feb |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133573962273348529.txt.hydracrypttmp_ID_c8524973
| MD5 | 67a894d870184e2975e87e753c54941c |
| SHA1 | 4808256b135827e3fd54fb954ea2cc2303c4f17f |
| SHA256 | 9974cc50cf20309e8d1e5034e19d9d321df9a989278046887b338a681610abfe |
| SHA512 | 5567db8eaf9b754383f5b4d893a237b425fa0b039d6c2a7c5047c93a6a6cd83f39b7a02cdc98944d3056d79733f9300000dfb3880f686379fc1221b7d6ca35f5 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133573995096058966.txt.hydracrypt_ID_c8524973
| MD5 | 8a432d04b3820c2cb0048ed4fe3e6ef2 |
| SHA1 | f54d1d1b482393127752ea4dd8f2cdf1ab7ca02a |
| SHA256 | 5ba857d2869821aa4a3cefcd792380437b94999aff6164f616561e71f9105313 |
| SHA512 | a284255e3e5268f79421db0e248dd3eab6c116c0d312237d1bba198a1b1aeb3f834cb4483fca1ee41dbc99cc6e013636901eb53861c058d53b8ade4ecc9d8541 |
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240412_113835246.html.hydracrypttmp_ID_c8524973
| MD5 | a423a390f879a396ce700a9217228ff5 |
| SHA1 | 24b1c3e5a35c5dcba9f947d210ac291477d787fd |
| SHA256 | 723de9b7deed458a4009b012634e27883f0ea29e3fb351b7d453914dd7d3a663 |
| SHA512 | 55012716cbb2be76a729479e9b49966ee31031ac6833ea0d096fd6a802aa0770aaf6a4411fb68729e8525074af006cb56d2df5b1c39544dfadf0da959046113c |
C:\Users\Admin\AppData\Local\Temp\wct5F27.tmp.hydracrypttmp_ID_c8524973
| MD5 | babf86ec8a67c63bd0a9281cd1a76397 |
| SHA1 | e76b9796e8f313cafe14e2a6728373230e80ed11 |
| SHA256 | c7e28e9700c955e14664b7d7ffb7d2353724de4133678a3d0b8bf90bd26d92f0 |
| SHA512 | 5410035a3d03507baa6b60574dc4147924a997b51ad76ec7d561e024b3bf26a96d9ad467f91a7d9ea67d017fda2c38f5e6870634308537973bc3f861f5e39825 |
memory/1932-3751-0x0000000000400000-0x0000000000978000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wctDB4C.tmp.hydracrypt_ID_c8524973
| MD5 | eef35d11cd8db6cb657ff803eedb9a70 |
| SHA1 | 6d7257ab37a424bb43be10ccd14c4332819b6a88 |
| SHA256 | 52c7a6f3f0b550c3378b1ab00900bb59d1aff4fbe824151732b9d571e7d4b58f |
| SHA512 | 7305922e11c090ac4dfb9b6e2036e2114d1591a24d3e6a7b1c4d57db87c252c306c9d44d6af9e7c72578610869d5efc1c5a2fdadfb87a39817d829c7ae9ef211 |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.hydracrypttmp_ID_c8524973
| MD5 | 4002839b3ffe71c549fe0db8e1b59234 |
| SHA1 | 426c752c51c11ec4834914fa06c90f85a6707f0e |
| SHA256 | b16af8030b8afcdd3e940d3600b63230f189512d21e18640bc4c6f8439874a11 |
| SHA512 | d39dfb0f060d661399297e9ec15da83504b307b97eb05b7e91779a32eb6b0cbf2d1e3f9336a56ec80fcc96f2b7b70bdc8ab34646189f3d7d7c283a10ffebbc99 |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.hydracrypttmp_ID_c8524973
| MD5 | 4c646744573072747249d0aa3b94d0a1 |
| SHA1 | 821d1879778a27b1caeffe5ec6c3148ee42b8faf |
| SHA256 | 87dbfea16050518a4debbcdc5ece5fc0195e90895e319bf50715eb42e01a6639 |
| SHA512 | bcbedae1d7fc6a4bc2e946d89ffdc562fa665bc5b4f7c4b6bd59c713e5ff1d3e8f36896dcef6a68590d56f1da8e7a4b489b199f446409f66d1a7b4da87f82836 |
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml.hydracrypttmp_ID_c8524973
| MD5 | 7a74c1f103fabdb92e0f77d5d66dd6f9 |
| SHA1 | 1a763d8921ffc0a7b3272058bc05191fc009ee82 |
| SHA256 | 90153240c2ec8ad4992bbef401306ad60c9b5f3adec45d245af9d33be79fd058 |
| SHA512 | 2d5f94e18d77ddaaaafb0dd042f72cba07c3440bb02acc4d9e31e6ba494c2345482732171a364ec3e4c9dda4d0defe7b6f1e18b7827cc9fb7ddfb12a2df65fd0 |
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini.hydracrypttmp_ID_c8524973
| MD5 | 4ffb5a304008f37a2918a73a5c6cdc83 |
| SHA1 | 9d063eea94c026637c174a00dd1a36f087c76be5 |
| SHA256 | a71085eac21e443ddda11f373e0462bcbe3171eee09b6679160006cd0b708bb2 |
| SHA512 | 7832286ed145b92eb3519955f817f00f8988cf7b7007dcd73a2e0beb41cc91bc558aafecf9c7081e9c9342879b0cc89b1530d8d3f69c513f1ed7293001c3f8aa |
C:\Users\Public\Pictures\README_DECRYPT_HYDRA_ID_c8524973.txt
| MD5 | 241e43485d709cc6db7e155e8a0be9fb |
| SHA1 | d9babb84928a14be9459d388ebc3b06822fdc496 |
| SHA256 | 7269843886d1c4ff40011aba0464daccb896d1464dc3de0931c774df3976e65e |
| SHA512 | 44512589a73be0023f62ebc3fb6b25c0909424ec70d8bf49ef93d4f03b75eecbe3130925d7b6f986c18f6579958c6e32489c337d8603f370d6a1cbb877845887 |
memory/1932-5148-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1932-5149-0x0000000000400000-0x0000000000978000-memory.dmp