Overview

overview

10

Static

static

10

0.46582298...58.exe

windows7-x64

7

00331dd25b...3a.exe

windows7-x64

10

065988f36f...a0.exe

windows7-x64

3

0826716413...57.exe

windows7-x64

10

08cf8ed94c...a4.exe

windows7-x64

10

0997ba7292...3c.exe

windows7-x64

3

0b7996bca4...5f.exe

windows7-x64

0c3431dbb8...ui.dll

windows7-x64

5

0cd7440ca9...bc.exe

windows7-x64

10

100b8bfff5...ir.exe

windows7-x64

3

101.ex_.exe

windows7-x64

3

119.executable.exe

windows7-x64

6

119.unp.exe

windows7-x64

6

11abb44de5...47.exe

windows7-x64

10

11fb52c968...22.exe

windows7-x64

10

123.exe

windows7-x64

1

139.exe

windows7-x64

1

13E418BF18...73.dll

windows7-x64

3

144.exe

windows7-x64

1

17697e1829...44.dll

windows7-x64

3

19561b3379...er.exe

windows7-x64

10

19ec0d0e51...C5.exe

windows7-x64

7

1a6bed2aff...f2.exe

windows7-x64

10

1f210c60f9...40.exe

windows7-x64

10

1f3509cc11...dd.exe

windows7-x64

10

20c6d29da8...7d.exe

windows7-x64

9

234e77145d...2d.exe

windows7-x64

10

263fc6fc9e...32.exe

windows7-x64

9

2e0da054d0...23.zip

windows7-x64

9

Compenso.P...__.exe

windows7-x64

9

301a3f5017...5f.exe

windows7-x64

10

30620.ex_.exe

windows7-x64

10

Analysis

  • max time kernel
    183s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2024 02:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

  • Size

    164KB

  • MD5

    5f2d13576e4906501c91b8bf400e0890

  • SHA1

    adff2761a6afe9ecaa70486c0a04746c676a133b

  • SHA256

    1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2

  • SHA512

    29186d7c1702ab738844777a780ce982882727d8fb3ae6e1fd084bffef3ac63fcd7ca4624ee9bf047c909c303deece27f81650b1309280d6609d207e29131dfd

  • SSDEEP

    3072:rIynAdou+ZKzVq6yWcp35EMVGv4sbJt0vQP3rmQp:rIKRD6qnnKdvbfm

Score
10/10
hydracryptdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Signatures

  • HydraCrypt

    Relatively unsophisticated ransomware family based on leaked CrypBoss source code.

    ransomwarehydracrypt
  • Hydracrypt family
    hydracrypt
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (453) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 27 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
    "C:\Users\Admin\AppData\Local\Temp\1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Users\Admin\AppData\Local\Temp\1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
      C:\Users\Admin\AppData\Local\Temp\1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C net stop vss
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2332
        • C:\Windows\SysWOW64\net.exe
          net stop vss
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2864
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop vss
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2896
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /All
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1984
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2904
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2796
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2968
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=Z: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:1252
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2872
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=Y: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2180
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2776
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=X: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2144
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2608
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=W: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:664
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2728
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=V: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:588
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2220
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=U: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:636
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:864
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=T: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:1812
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2784
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=S: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2100
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1904
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=R: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2456
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:236
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=Q: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2092
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2940
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=P: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:1416
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2944
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=O: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:1996
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2104
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=N: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:1740
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1844
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=M: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:1536
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2588
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=L: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2480
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1152
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=K: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:3024
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1572
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=J: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:1268
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:704
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=I: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2196
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1608
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=H: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2184
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:308
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=G: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2548
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1364
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=F: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:1972
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3012
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=E: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:1708
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2252
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=D: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2260
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1912
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=C: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:1592
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1936
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=B: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:1860
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:876
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /For=A: /All
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2684
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 8456
        3⤵
        • Program crash
        PID:1528
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Direct Volume Access

1
T1006

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.hydracrypttmp_ID_8a9b6c
    Filesize

    126KB

    MD5

    0fd75c53014a85c285402ae90d77a7a2

    SHA1

    f60420277902e6ed1431a5d5ead192e2b8ea5e13

    SHA256

    b21bead1ec6f4429351f13d9b410b3ee8a2570faccb6858d9e1baf0cd5d6263b

    SHA512

    005d8f224dd6559e1f43d1073ff71a0754a9deac9694b679c496bb896b74ff4f0b54db631665ffb26358bef4c8bc9dbb31c2747eb1a22b5cc545359477abfb25

    Download Submit

  • C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.hydracrypttmp_ID_8a9b6c
    Filesize

    28KB

    MD5

    b28fbf081d549d258bc74cd71bb8101e

    SHA1

    45635b30fcbea5bc14719cb0f4931b87b4692791

    SHA256

    6813e40df80e56122295abf13cffeb14fd401c0637cb8d66543c2090b67069e3

    SHA512

    89ae92747be652c25c00a2c383cfaf5769ffc35eb2c0c393e7c38120b67e53c431def12f1682093ddeab295d121a198bafbfed1f87177ec91cb93831d693f457

    Download Submit

  • C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml.hydracrypttmp_ID_8a9b6c
    Filesize

    1KB

    MD5

    b7a42c1db6b1f3778e0b6949e69e8894

    SHA1

    b4b6156c538ca5b7387b3936241dbfdc9658fbab

    SHA256

    d0fff1d2544e237a77b7e039b35026db5032f66129ba8158912c16cf2a84dacf

    SHA512

    6d3f5f51a47a6461958c15f78c05f88c34d270154984cc49b6f050dc1eebb7085b17ee247cc33a972de3db5e2524a8f0783062be4f8c4750c6fe87fc5b66e536

    Download Submit

  • C:\ProgramData\Microsoft\Windows\Caches\{C6682E6E-46FA-468A-8F76-ED3318460F44}.2.ver0x0000000000000002.db.hydracrypttmp_ID_8a9b6c
    Filesize

    1KB

    MD5

    c9811e1efb9c8c0de5f535b37bb0fb12

    SHA1

    fceaca5b56ccc01f8fb66b52061b151de41079d7

    SHA256

    50faff01f6eebe1dad3bdabf3e5f90e5acc50778044427f8404c6f244adbbdf9

    SHA512

    3dc01488d24b6fd8b86dd9dbf591a51b907dbba63371cd33267d996645983bd134218c6a7f76445700630b277280d07da8f61f436a0b65211080a304b0e44d44

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\C1JHBK4W\desktop.ini.hydracrypttmp_ID_8a9b6c
    Filesize

    67B

    MD5

    7679e57fde0171aacf752e9d269c95c4

    SHA1

    a8927155f46608c93034419fcf1eaa5dd0448188

    SHA256

    64ff9bfebbe189cf8962e523affb9839c32dc242f79efd7ef7f264f16ad71644

    SHA512

    f957a8b996cad82c84b5c4fcad44bc795ede2a7c6aaf532a356851f332b796571635daea270b1fd7998a87979fc1a524507f85194bab3ff8096c66348061cd2f

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\I618Z2Y3\desktop.ini.hydracrypt_ID_8a9b6c
    Filesize

    331B

    MD5

    e870f9e47639e5bd9c2cf4e71563e9f2

    SHA1

    eb7bd9ec860acbb0f15549e844e02a60c89ddd8a

    SHA256

    363294f91ae50d7068d746352d6956f4d94459f386124f4e3ab57cba5a6a297d

    SHA512

    bbbfa93ec6bc0d8f6db0a4e86c122aa1226829fc0ae8b489aacbf5e852fda5add64bd535c0d6ea6da4a22336a3008688f1a3575664616e743e30d1089d3b1e12

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240903_051533592.html.hydracrypttmp_ID_8a9b6c
    Filesize

    1.1MB

    MD5

    1633cfbc3a974c489204a6a7955d8a9b

    SHA1

    513ee87cb2c4a2157a65f4ad125f58be5818eee5

    SHA256

    2e4567b3bc593286da591a0ef04767aa72517985930195fdadbc857537602171

    SHA512

    9a6dba53cd69c66b02f027850ac116be6cd5687d518a9d0a83a8f1f7c002efc8b65758508ae03673d3c8c2020b10d05a8b0aa197d984c2bfed84d96d07cc4587

    Download Submit

  • C:\Users\Admin\AppData\Roaming\1$FUWW$FFHEX.dat
    Filesize

    1KB

    MD5

    2193ebb854d65ab7ff1506991d36092e

    SHA1

    5bd5ff5eea4454fc1613f04c5c8a17335d204e1e

    SHA256

    ddc2fe986400591ad2d3cdadb59c9e225244e4163149e944ac3d062793ba8c43

    SHA512

    abeca001126516e36c341a13db00ae0f9d41fc93d1cfe68e49cf5df63a6244ce530d776525c7dd3e47c5c633d62608b390a70797d300cc55336fe1ed256e9fa9

    Download Submit

  • C:\Users\Public\Pictures\README_DECRYPT_HYDRA_ID_8a9b6c.txt
    Filesize

    915B

    MD5

    69157cfa11064b97f07b0b9ecd4e4e08

    SHA1

    b06a9b545661cd8204df5f1484a74066c9047853

    SHA256

    141655bd60cdcba778087f47cb4a10740272689d7bcf5409e0d3fb43881e5704

    SHA512

    c3e5f51d95607c7c9be1319515cc6fec2fa2d955426032eb06d63b70c1592b0f4515d42f93705663dc343d95d227fafa2765cc2a79b5df00869e87ffdb129ad8

    Download Submit

  • memory/1736-16-0x0000000000400000-0x0000000000978000-memory.dmp

    Filesize

    5.5MB

    Download

  • memory/1736-4-0x0000000000400000-0x0000000000978000-memory.dmp

    Filesize

    5.5MB

    Download

  • memory/1736-8-0x0000000000400000-0x0000000000978000-memory.dmp

    Filesize

    5.5MB

    Download

  • memory/1736-6-0x0000000000400000-0x0000000000978000-memory.dmp

    Filesize

    5.5MB

    Download

  • memory/1736-2854-0x0000000000400000-0x0000000000978000-memory.dmp

    Filesize

    5.5MB

    Download

  • memory/1736-2853-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1736-26-0x0000000000400000-0x0000000000978000-memory.dmp

    Filesize

    5.5MB

    Download

  • memory/1736-12-0x0000000000400000-0x0000000000978000-memory.dmp

    Filesize

    5.5MB

    Download

  • memory/1736-430-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1736-431-0x0000000000400000-0x0000000000978000-memory.dmp

    Filesize

    5.5MB

    Download

  • memory/1736-14-0x0000000000400000-0x0000000000978000-memory.dmp

    Filesize

    5.5MB

    Download

  • memory/1736-1-0x0000000000300000-0x0000000000400000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1736-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1736-2052-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1736-22-0x0000000000400000-0x0000000000978000-memory.dmp

    Filesize

    5.5MB

    Download

  • memory/1736-2-0x0000000000400000-0x0000000000978000-memory.dmp

    Filesize

    5.5MB

    Download

  • memory/1736-10-0x0000000000400000-0x0000000000978000-memory.dmp

    Filesize

    5.5MB

    Download

  • memory/1736-19-0x0000000000400000-0x0000000000978000-memory.dmp

    Filesize

    5.5MB

    Download

  • memory/1908-0-0x0000000000270000-0x0000000000275000-memory.dmp

    Filesize

    20KB

    Download

  • memory/1972-24-0x0000000077370000-0x000000007748F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1972-25-0x0000000077490000-0x000000007758A000-memory.dmp

    Filesize

    1000KB

    Download