Analysis

  • max time kernel
    107s
  • max time network
    111s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/10/2024, 03:40

General

  • Target

    08b304d01220f9de63244b4666621bba_JaffaCakes118.exe

  • Size

    164KB

  • MD5

    08b304d01220f9de63244b4666621bba

  • SHA1

    b7f9dd8ee3434b35fbb3395f69ff43fd5112a0c6

  • SHA256

    afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e

  • SHA512

    162cc0fb48615c67ce6e104ca462c41aba79bad0d5409e837b300cffc34a1c9bed63f603eee7091b93edfcd772d8ab1e180fcb3aae6b07fe24413b8505815ae9

  • SSDEEP

    3072:fHynAdzu0t5GtE13lkAB9z3KJZ3fCI1AjZ7yXgpiqQp:fHKautY3TzaJZarjZeXgpn

Malware Config

Signatures

  • HydraCrypt

    Relatively unsophisticated ransomware family based on leaked CrypBoss source code.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (626) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 27 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\08b304d01220f9de63244b4666621bba_JaffaCakes118.exe
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:888
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C net stop vss
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2180
        • C:\Windows\SysWOW64\net.exe
          net stop vss
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2828
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop vss
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2780
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /All
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2764
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2920
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2668
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=Z: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2816
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=Y: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:644
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2616
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=X: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2872
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2312
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=W: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:792
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:956
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=V: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:600
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2940
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=U: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:3048
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2456
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=T: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:1496
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2324
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=S: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:1308
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2680
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=R: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:1644
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2968
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=Q: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:3016
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1288
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=P: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2512
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2480
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=O: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:1688
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3020
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=N: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:820
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2316
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=M: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2496
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1716
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=L: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:864
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2116
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=K: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:992
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1444
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=J: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:1620
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:944
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=I: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2588
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1396
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=H: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:872
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1232
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=G: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2128
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1596
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=F: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2980
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2096
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=E: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2712
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2352
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=D: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2776
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2172
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=C: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:564
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2256
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=B: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:1796
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:928
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=A: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:1912
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 29248
        3⤵
        • Program crash
        PID:1696
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2620
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-1071561941127524856317779220811680927960-1804522966293494506-562563154-844980834"
    1⤵
      PID:2180

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.hydracrypttmp_ID_339c2a33

      Filesize

      126KB

    • C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.hydracrypttmp_ID_339c2a33

      Filesize

      28KB

    • C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml.hydracrypttmp_ID_339c2a33

      Filesize

      1KB

    • C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GRU3FPRK\desktop.ini.hydracrypttmp_ID_339c2a33

      Filesize

      67B

    • C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\X9WSUL7T\desktop.ini.hydracrypt_ID_339c2a33

      Filesize

      331B

    • C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240903_051853366.html.hydracrypttmp_ID_339c2a33

      Filesize

      1.1MB

    • C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sources\license\es-es\eval\homepremium\license.rtf.hydracrypttmp_ID_339c2a33

      Filesize

      35KB

    • C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sources\license\es-es\eval\professionale\license.rtf.hydracrypttmp_ID_339c2a33

      Filesize

      28KB

    • C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sources\license\es-es\eval\ultimate\license.rtf.hydracrypt_ID_339c2a33

      Filesize

      35KB

    • C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\_default\professional\license.rtf.hydracrypttmp_ID_339c2a33

      Filesize

      221KB

    • C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\eval\homepremiume\license.rtf.hydracrypt_ID_339c2a33

      Filesize

      28KB

    • C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\eval\startere\license.rtf.hydracrypt_ID_339c2a33

      Filesize

      28KB

    • C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\eval\startern\license.rtf.hydracrypt_ID_339c2a33

      Filesize

      35KB

    • C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\oem\starter\license.rtf.hydracrypttmp_ID_339c2a33

      Filesize

      174KB

    • C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\oem\startere\license.rtf.hydracrypttmp_ID_339c2a33

      Filesize

      41KB

    • C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fc29d5bca5556a09\lipeula.rtf.hydracrypttmp_ID_339c2a33

      Filesize

      9KB

    • C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9a71deeabfc0d8da\license.rtf.hydracrypttmp_ID_339c2a33

      Filesize

      39KB

    • C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7600.16385_es-es_30cf7a89f238525a\license.rtf.hydracrypttmp_ID_339c2a33

      Filesize

      43KB

    • C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7600.16385_es-es_16d3f6301ae8cff8\license.rtf.hydracrypttmp_ID_339c2a33

      Filesize

      758B

    • C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..priseia64.resources_31bf3856ad364e35_6.1.7601.17514_es-es_382fefd2e1555940\license.rtf.hydracrypttmp_ID_339c2a33

      Filesize

      68KB

    • C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..rverhyper.resources_31bf3856ad364e35_6.1.7601.17514_es-es_b990ce545164c82b\license.rtf.hydracrypttmp_ID_339c2a33

      Filesize

      62KB

    • C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b1cda3731d74e249\license.rtf.hydracrypttmp_ID_339c2a33

      Filesize

      780B

    • C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7600.16385_es-es_18649662a3c65f12\license.rtf.hydracrypttmp_ID_339c2a33

      Filesize

      780B

    • C:\Users\Admin\AppData\Roaming\1$FUWW$FFHEX.dat

      Filesize

      1KB

    • C:\Users\Admin\Documents\ReadPush.xlsx.hydracrypttmp_ID_339c2a33

      Filesize

      10KB

    • C:\Users\Public\Documents\README_DECRYPT_HYDRA_ID_339c2a33.txt

      Filesize

      915B
