Resubmissions

22-11-2024 22:54

241122-2vh7gaxmfl 10

22-11-2024 03:27

241122-dzqkcatmht 10

22-11-2024 03:16

241122-dsgc4atlgs 10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-11-2024 22:54

General

  • Target

    afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

  • Size

    164KB

  • MD5

    08b304d01220f9de63244b4666621bba

  • SHA1

    b7f9dd8ee3434b35fbb3395f69ff43fd5112a0c6

  • SHA256

    afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e

  • SHA512

    162cc0fb48615c67ce6e104ca462c41aba79bad0d5409e837b300cffc34a1c9bed63f603eee7091b93edfcd772d8ab1e180fcb3aae6b07fe24413b8505815ae9

  • SSDEEP

    3072:fHynAdzu0t5GtE13lkAB9z3KJZ3fCI1AjZ7yXgpiqQp:fHKautY3TzaJZarjZeXgpn

Signatures

  • HydraCrypt

    Relatively unsophisticated ransomware family based on leaked CrypBoss source code.

  • Hydracrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (908) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
    "C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4460
    • C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
      C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C net stop vss
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:224
        • C:\Windows\SysWOW64\net.exe
          net stop vss
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3096
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop vss
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3692
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4348
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3396
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4880
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1236
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4632
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3904
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1860
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3436
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3844
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3180
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1020
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2284
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1360
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4924
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4628
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4032
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2436
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4016
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1980
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2668
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1528
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4876
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2908
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4336
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4204
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2844
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3116
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1752
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5076
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 1872
        3⤵
        • Program crash
        PID:4740
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3052
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2912 -ip 2912
    1⤵
      PID:1560

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.hydracrypttmp_ID_9fac38b1

      Filesize

      126KB

    • C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.hydracrypttmp_ID_9fac38b1

      Filesize

      28KB

    • C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml.hydracrypttmp_ID_9fac38b1

      Filesize

      1KB

    • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml.hydracrypttmp_ID_9fac38b1

      Filesize

      332KB

    • C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\onenote.exe.db.hydracrypttmp_ID_9fac38b1

      Filesize

      24KB

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini.hydracrypttmp_ID_9fac38b1

      Filesize

      174B

    • C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat.hydracrypttmp_ID_9fac38b1

      Filesize

      8KB

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.hydracrypt_ID_9fac38b1

      Filesize

      8KB

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{e1b98d9c-2917-4e0c-8723-46d9c100b538}\0.1.filtertrie.intermediate.txt.hydracrypttmp_ID_9fac38b1

      Filesize

      5B

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{e1b98d9c-2917-4e0c-8723-46d9c100b538}\0.2.filtertrie.intermediate.txt.hydracrypttmp_ID_9fac38b1

      Filesize

      5B

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656060295712.txt.hydracrypttmp_ID_9fac38b1

      Filesize

      77KB

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656525478361.txt.hydracrypttmp_ID_9fac38b1

      Filesize

      47KB

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663169040966.txt.hydracrypttmp_ID_9fac38b1

      Filesize

      63KB

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727665885684530.txt.hydracrypttmp_ID_9fac38b1

      Filesize

      74KB

    • C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20241007_091147539.html.hydracrypttmp_ID_9fac38b1

      Filesize

      93KB

    • C:\Users\Admin\AppData\Local\Temp\wct53C3.tmp.hydracrypttmp_ID_9fac38b1

      Filesize

      63KB

    • C:\Users\Admin\AppData\Roaming\1$FUWW$FFHEX.dat

      Filesize

      1KB

    • C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini.hydracrypttmp_ID_9fac38b1

      Filesize

      170B

    • C:\Users\Public\Documents\README_DECRYPT_HYDRA_ID_9fac38b1.txt

      Filesize

      915B

    • memory/2912-969-0x0000000000400000-0x0000000000978000-memory.dmp

      Filesize

      5.5MB

    • memory/2912-966-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/2912-3042-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/2912-3-0x0000000000400000-0x0000000000978000-memory.dmp

      Filesize

      5.5MB

    • memory/2912-1-0x0000000000400000-0x0000000000978000-memory.dmp

      Filesize

      5.5MB

    • memory/2912-5323-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/2912-5346-0x0000000000400000-0x0000000000978000-memory.dmp

      Filesize

      5.5MB

    • memory/4460-0-0x0000000000AA0000-0x0000000000AA5000-memory.dmp

      Filesize

      20KB