wannacry | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Resubmissions

11-01-2024 08:14

240111-j43cladag8 10

11-01-2024 05:38

240111-gb57nsgdb5 10

11-01-2024 01:41

240111-b4hzysdah6 10

Analysis

max time kernel
118s
max time network
149s
platform
windows7_x64
resource
win7-20231215-es
resource tags

arch:x64arch:x86image:win7-20231215-eslocale:es-esos:windows7-x64systemwindows
submitted
11-01-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wanncry.exe
Size

3.4MB
MD5

84c82835a5d21bbcf75a61706d8ab549
SHA1

5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512

90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
SSDEEP

98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB

Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD233B.tmp	wanncry.exe

Executes dropped EXE 13 IoCs

pid	Process
2588	taskdl.exe
2212	@[email protected]
1956	@[email protected]
932	taskhsvc.exe
1104	taskdl.exe
1520	taskse.exe
2296	@[email protected]
2604	taskdl.exe
2652	taskse.exe
2508	@[email protected]
2012	taskdl.exe
2760	taskse.exe
2564	@[email protected]

Loads dropped DLL 33 IoCs

pid	Process
2208	wanncry.exe
2208	wanncry.exe
3028	cscript.exe
2208	wanncry.exe
2208	wanncry.exe
2264	cmd.exe
2264	cmd.exe
2212	@[email protected]
2212	@[email protected]
932	taskhsvc.exe
932	taskhsvc.exe
932	taskhsvc.exe
932	taskhsvc.exe
932	taskhsvc.exe
932	taskhsvc.exe
2208	wanncry.exe
2208	wanncry.exe
2208	wanncry.exe
2208	wanncry.exe
2208	wanncry.exe
2208	wanncry.exe
2208	wanncry.exe
2208	wanncry.exe
2208	wanncry.exe
2208	wanncry.exe
2208	wanncry.exe
2208	wanncry.exe
2208	wanncry.exe
2208	wanncry.exe
2208	wanncry.exe
2208	wanncry.exe
2208	wanncry.exe
2208	wanncry.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2736	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\epkpryutff721 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	reg.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	wanncry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2120	vssadmin.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1976	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
932	taskhsvc.exe
932	taskhsvc.exe
932	taskhsvc.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeBackupPrivilege	548	vssvc.exe
Token: SeRestorePrivilege	548	vssvc.exe
Token: SeAuditPrivilege	548	vssvc.exe
Token: SeIncreaseQuotaPrivilege	948	WMIC.exe
Token: SeSecurityPrivilege	948	WMIC.exe
Token: SeTakeOwnershipPrivilege	948	WMIC.exe
Token: SeLoadDriverPrivilege	948	WMIC.exe
Token: SeSystemProfilePrivilege	948	WMIC.exe
Token: SeSystemtimePrivilege	948	WMIC.exe
Token: SeProfSingleProcessPrivilege	948	WMIC.exe
Token: SeIncBasePriorityPrivilege	948	WMIC.exe
Token: SeCreatePagefilePrivilege	948	WMIC.exe
Token: SeBackupPrivilege	948	WMIC.exe
Token: SeRestorePrivilege	948	WMIC.exe
Token: SeShutdownPrivilege	948	WMIC.exe
Token: SeDebugPrivilege	948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	948	WMIC.exe
Token: SeRemoteShutdownPrivilege	948	WMIC.exe
Token: SeUndockPrivilege	948	WMIC.exe
Token: SeManageVolumePrivilege	948	WMIC.exe
Token: 33	948	WMIC.exe
Token: 34	948	WMIC.exe
Token: 35	948	WMIC.exe
Token: SeIncreaseQuotaPrivilege	948	WMIC.exe
Token: SeSecurityPrivilege	948	WMIC.exe
Token: SeTakeOwnershipPrivilege	948	WMIC.exe
Token: SeLoadDriverPrivilege	948	WMIC.exe
Token: SeSystemProfilePrivilege	948	WMIC.exe
Token: SeSystemtimePrivilege	948	WMIC.exe
Token: SeProfSingleProcessPrivilege	948	WMIC.exe
Token: SeIncBasePriorityPrivilege	948	WMIC.exe
Token: SeCreatePagefilePrivilege	948	WMIC.exe
Token: SeBackupPrivilege	948	WMIC.exe
Token: SeRestorePrivilege	948	WMIC.exe
Token: SeShutdownPrivilege	948	WMIC.exe
Token: SeDebugPrivilege	948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	948	WMIC.exe
Token: SeRemoteShutdownPrivilege	948	WMIC.exe
Token: SeUndockPrivilege	948	WMIC.exe
Token: SeManageVolumePrivilege	948	WMIC.exe
Token: 33	948	WMIC.exe
Token: 34	948	WMIC.exe
Token: 35	948	WMIC.exe
Token: SeTcbPrivilege	1520	taskse.exe
Token: SeTcbPrivilege	1520	taskse.exe
Token: SeTcbPrivilege	2652	taskse.exe
Token: SeTcbPrivilege	2652	taskse.exe
Token: SeTcbPrivilege	2760	taskse.exe
Token: SeTcbPrivilege	2760	taskse.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2212	@[email protected]
1956	@[email protected]
2212	@[email protected]
1956	@[email protected]
2296	@[email protected]
2296	@[email protected]
2508	@[email protected]
2564	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2692	2208	wanncry.exe	17
PID 2208 wrote to memory of 2692	2208	wanncry.exe	17
PID 2208 wrote to memory of 2692	2208	wanncry.exe	17
PID 2208 wrote to memory of 2692	2208	wanncry.exe	17
PID 2208 wrote to memory of 2736	2208	wanncry.exe	20
PID 2208 wrote to memory of 2736	2208	wanncry.exe	20
PID 2208 wrote to memory of 2736	2208	wanncry.exe	20
PID 2208 wrote to memory of 2736	2208	wanncry.exe	20
PID 2208 wrote to memory of 2588	2208	wanncry.exe	32
PID 2208 wrote to memory of 2588	2208	wanncry.exe	32
PID 2208 wrote to memory of 2588	2208	wanncry.exe	32
PID 2208 wrote to memory of 2588	2208	wanncry.exe	32
PID 2208 wrote to memory of 1992	2208	wanncry.exe	37
PID 2208 wrote to memory of 1992	2208	wanncry.exe	37
PID 2208 wrote to memory of 1992	2208	wanncry.exe	37
PID 2208 wrote to memory of 1992	2208	wanncry.exe	37
PID 1992 wrote to memory of 3028	1992	cmd.exe	36
PID 1992 wrote to memory of 3028	1992	cmd.exe	36
PID 1992 wrote to memory of 3028	1992	cmd.exe	36
PID 1992 wrote to memory of 3028	1992	cmd.exe	36
PID 2208 wrote to memory of 1308	2208	wanncry.exe	35
PID 2208 wrote to memory of 1308	2208	wanncry.exe	35
PID 2208 wrote to memory of 1308	2208	wanncry.exe	35
PID 2208 wrote to memory of 1308	2208	wanncry.exe	35
PID 2208 wrote to memory of 2212	2208	wanncry.exe	42
PID 2208 wrote to memory of 2212	2208	wanncry.exe	42
PID 2208 wrote to memory of 2212	2208	wanncry.exe	42
PID 2208 wrote to memory of 2212	2208	wanncry.exe	42
PID 2208 wrote to memory of 2264	2208	wanncry.exe	41
PID 2208 wrote to memory of 2264	2208	wanncry.exe	41
PID 2208 wrote to memory of 2264	2208	wanncry.exe	41
PID 2208 wrote to memory of 2264	2208	wanncry.exe	41
PID 2264 wrote to memory of 1956	2264	cmd.exe	39
PID 2264 wrote to memory of 1956	2264	cmd.exe	39
PID 2264 wrote to memory of 1956	2264	cmd.exe	39
PID 2264 wrote to memory of 1956	2264	cmd.exe	39
PID 2212 wrote to memory of 932	2212	@[email protected]	44
PID 2212 wrote to memory of 932	2212	@[email protected]	44
PID 2212 wrote to memory of 932	2212	@[email protected]	44
PID 2212 wrote to memory of 932	2212	@[email protected]	44
PID 1956 wrote to memory of 1228	1956	@[email protected]	50
PID 1956 wrote to memory of 1228	1956	@[email protected]	50
PID 1956 wrote to memory of 1228	1956	@[email protected]	50
PID 1956 wrote to memory of 1228	1956	@[email protected]	50
PID 1228 wrote to memory of 2120	1228	cmd.exe	45
PID 1228 wrote to memory of 2120	1228	cmd.exe	45
PID 1228 wrote to memory of 2120	1228	cmd.exe	45
PID 1228 wrote to memory of 2120	1228	cmd.exe	45
PID 1228 wrote to memory of 948	1228	cmd.exe	46
PID 1228 wrote to memory of 948	1228	cmd.exe	46
PID 1228 wrote to memory of 948	1228	cmd.exe	46
PID 1228 wrote to memory of 948	1228	cmd.exe	46
PID 2208 wrote to memory of 1104	2208	wanncry.exe	56
PID 2208 wrote to memory of 1104	2208	wanncry.exe	56
PID 2208 wrote to memory of 1104	2208	wanncry.exe	56
PID 2208 wrote to memory of 1104	2208	wanncry.exe	56
PID 2208 wrote to memory of 1520	2208	wanncry.exe	55
PID 2208 wrote to memory of 1520	2208	wanncry.exe	55
PID 2208 wrote to memory of 1520	2208	wanncry.exe	55
PID 2208 wrote to memory of 1520	2208	wanncry.exe	55
PID 2208 wrote to memory of 2296	2208	wanncry.exe	54
PID 2208 wrote to memory of 2296	2208	wanncry.exe	54
PID 2208 wrote to memory of 2296	2208	wanncry.exe	54
PID 2208 wrote to memory of 2296	2208	wanncry.exe	54

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2692	attrib.exe
1308	attrib.exe

C:\Users\Admin\AppData\Local\Temp\wanncry.exe
"C:\Users\Admin\AppData\Local\Temp\wanncry.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:2692
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2736
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - Views/modifies file attributes
  PID:1308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 46201704937333.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2264
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "epkpryutff721" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
  2⤵
  PID:3048
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious use of SetWindowsHookEx
  PID:2296
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2508
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2564
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:492
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:1644

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
1⤵
- Loads dropped DLL
PID:3028

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] vs
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1228

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:2120

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "epkpryutff721" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
1⤵
- Adds Run key to start application
- Modifies registry key
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\@[email protected]

Filesize
916B

MD5
0bacf0219c445947dd7be98072394688

SHA1
ce4a1a7b6cb7f53df1df7238e7fb2402251184c4

SHA256
48fe0637f8554b7fb7e2f385ca74b86aee429fec726324b420434831f08798b0

SHA512
5a9b509b65649587db6f5cfbee2a69ef156fb7bf561a9b203b82cf3ab1cf93a2cb9a78795f2b104d67624d7e50e58cd2cbf22146481147448ed07ca4666bbcd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\46201704937333.bat

Filesize
340B

MD5
3867f2ec82a7d77c9ffefb1aac8b7903

SHA1
06fccf19b9c498b5afa2b35da00e3ab28d56f785

SHA256
4e25c23aa5babc853889d3e1e79bb01ca7650837b250314a8d50f2e2c4b6730f

SHA512
b413994e5b9f0ecb956055c7befff14845b56bb658fd8280d3213fdfa175ff76bc56e082174f2475fdf2d1f9eff618ebfd80ee2b67c091eaf1fd9c94697da5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
93KB

MD5
20b1d361c9ffbe4de82493b42e6e5d47

SHA1
b5fe5312274b92e7ce6865d6eb90fb8f30036f37

SHA256
8ac279142e8d6f9b51252ab814d97f1309b2608197bf41f477497107ff1698f5

SHA512
db0302283b4be988e23ad15fb76b3b5fce632ce36c619d46f8f7908c63f0e12635aa14f747f5a637f3100c01cf58616f63777a3cded55b79c1c95b7077937cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

Filesize
365KB

MD5
b91b8cc1255b2125ac943342643e71f2

SHA1
af2f0da008c3f1bf8b23e814d7bf827f40fc91aa

SHA256
2feffe55a4f2fef0644cbc219974798f25ae36026fe1071752fa4cce19b47c28

SHA512
6e16c2a10030110b1fc31ad2d5fd29db012495a627472047da9d996a721926668665bdb818a39f1e2d69e124ca982faacf8f5faba5964fda8912810cb7501b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Filesize
1.4MB

MD5
ddb227c24d87cc190cba7b439b3af8e1

SHA1
8e85f6519419ea50f78f60ef1a3389f4fd14dc90

SHA256
5a74b659c08c40a5be7e139b8463388be16ffe62f436b362ec49d8033c7e2272

SHA512
711f1ab9508129487aed1990108c851e3d958e0c1567a8f14bb90636e730053f0bc2bc869802109c03517840d88a7ab9786f90d60cdac4baa323b05a18cc4cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Filesize
893KB

MD5
ac65975505ac4bfc9d460b3452488c29

SHA1
a820817ff8f4afbcec909f18d8a86abda8472300

SHA256
e2dd305799e08684b25f1ceb1ecbd7a0d90903273ebbdf08d3a0e404655a555a

SHA512
096f01c5e2264fe28b438ca120f1bacc238d7e25be97fe5b7928260490de9cb46e34a6fc99423c5cc586b7447d1c18c1e45c9dcc7575af6f12bef693f7c9bf56

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wnry

Filesize
381KB

MD5
08f3b9de46430c22ec441644ac8f586f

SHA1
863de5aabf097a5846754abd76c24cf4100ab6b1

SHA256
7694a2a0176461b20094faafd4710d8320bb504b0d859421a7ddddfb0d63c0ce

SHA512
52a8a191ad6573e9a046c4135ad5a37fe2806fe76945fbeb088369c402096ae082863e9e89c03a64d1214f5f74439eae4cf03a0598b5ee553ded2c0dddb69130

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.vbs

Filesize
219B

MD5
82a1fc4089755cb0b5a498ffdd52f20f

SHA1
0a8c0da8ef0354f37241e2901cf82ec9ce6474aa

SHA256
7fbdc49f4b4ba21949eca0b16c534b4882da97e94e5ca131cec1629e60439dfa

SHA512
1573a0c7333accef2695efefe1b57cba8f8d66a0061c24420ee0a183343a9a319995267d306ee85084c95580f9855bcdf9dee559b28a200b27fc3cc353315e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.wnry

Filesize
384KB

MD5
c41e66f9886d7d32fb6dec66a5520c7e

SHA1
95473cb1468683d7e61bcd9f82663a23971b9fd4

SHA256
72beabfae6738bf284fbbf6662e0a4ea51696b8c223eadc1540903a8c6abdc1f

SHA512
e1a9fddab6eb5db3188124e9a3327de56a93e47b32ad61589bddc7266f4037bb2ab9e1303206cb5b20af2c392852308bf933cf2ea02933c6eceb4b329c03f59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
92KB

MD5
a57f96bc0022196dd181498cd793e926

SHA1
9967df5abb8655e05244a1825b10167b1389eacc

SHA256
b7c38ed51eadf6defc784690f696de2dd15452dbac2f04210d84ac3a2dda3246

SHA512
f90ee6d77ed7717fe0227669039f4428ba7a43b4792714d6959e87b8f5d659cf7d614f8d48ea4a22bad0339cab35d77bdb04517f6729db68165db156ded33168

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

Filesize
92KB

MD5
f7e655502c8c44405362c2a6452edfb9

SHA1
fee984b0d06c1f92c5d4a83038abc7d58fdf92cd

SHA256
dbac579c3addb875c49bacf14818b1a16b2a2fdb5fbf51ad40cc0d419a658383

SHA512
cb16d833e970de5716d271c55c56db7f27ca1be2535b93a65015c7b8fd8b5881d0992705f9e576c3562de9024ffe6ec6de6cb5a6fba929b849b8fbfe8d7944e7

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Filesize
1.4MB

MD5
066537f1b3801da5953c501e27abba93

SHA1
b281bf8138e22d2c7d48957139d8421ee8d98839

SHA256
9f2dbf95772bf736f287cb264f578b1b4e6ec01fb5e6b307bc96200defeca000

SHA512
c5657cd5d0f171d218c5050862fac63d44d0c9b2e0b3a9e6093214a05a73a1d3bdb1701c7342780b81dbfa14daaf1b5a85500be33186d159ea27f9b36305483d

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Filesize
894KB

MD5
c55d826dc069e03d069c237aa1c3651c

SHA1
e1deaa5d21c591c19a802758a9a42216122f2206

SHA256
565f368747a0a8f1b2b610081ca305aa5adff366f6c8eb8f2ed47923bd6c9f18

SHA512
5a822bebf79fce0f552393fbe9c253f3694a3b52532d50753f4b067524d83cd58354836718b718baf89eac4df52ac98c07f7d3dd8076938d97c57ecba8ed34ee

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
memory/932-937-0x0000000074D50000-0x0000000074DD2000-memory.dmp

Filesize
520KB

Download
memory/932-928-0x0000000074AB0000-0x0000000074CCC000-memory.dmp

Filesize
2.1MB

Download
memory/932-936-0x00000000010B0000-0x00000000013AE000-memory.dmp

Filesize
3.0MB

Download
memory/932-925-0x0000000074D50000-0x0000000074DD2000-memory.dmp

Filesize
520KB

Download
memory/932-943-0x00000000010B0000-0x00000000013AE000-memory.dmp

Filesize
3.0MB

Download
memory/932-926-0x0000000074AB0000-0x0000000074CCC000-memory.dmp

Filesize
2.1MB

Download
memory/932-931-0x00000000749F0000-0x0000000074A12000-memory.dmp

Filesize
136KB

Download
memory/932-924-0x0000000074D50000-0x0000000074DD2000-memory.dmp

Filesize
520KB

Download
memory/932-933-0x00000000010B0000-0x00000000013AE000-memory.dmp

Filesize
3.0MB

Download
memory/932-939-0x0000000074CD0000-0x0000000074D47000-memory.dmp

Filesize
476KB

Download
memory/932-941-0x0000000074A20000-0x0000000074AA2000-memory.dmp

Filesize
520KB

Download
memory/932-979-0x0000000074AB0000-0x0000000074CCC000-memory.dmp

Filesize
2.1MB

Download
memory/932-938-0x00000000751D0000-0x00000000751EC000-memory.dmp

Filesize
112KB

Download
memory/932-930-0x0000000074A20000-0x0000000074AA2000-memory.dmp

Filesize
520KB

Download
memory/932-927-0x0000000074A20000-0x0000000074AA2000-memory.dmp

Filesize
520KB

Download
memory/932-929-0x00000000749F0000-0x0000000074A12000-memory.dmp

Filesize
136KB

Download
memory/932-940-0x0000000074AB0000-0x0000000074CCC000-memory.dmp

Filesize
2.1MB

Download
memory/932-975-0x00000000010B0000-0x00000000013AE000-memory.dmp

Filesize
3.0MB

Download
memory/932-986-0x0000000074AB0000-0x0000000074CCC000-memory.dmp

Filesize
2.1MB

Download
memory/932-982-0x00000000010B0000-0x00000000013AE000-memory.dmp

Filesize
3.0MB

Download
memory/932-1001-0x0000000074AB0000-0x0000000074CCC000-memory.dmp

Filesize
2.1MB

Download
memory/932-997-0x00000000010B0000-0x00000000013AE000-memory.dmp

Filesize
3.0MB

Download
memory/932-932-0x00000000010B0000-0x00000000013AE000-memory.dmp

Filesize
3.0MB

Download
memory/932-1063-0x00000000010B0000-0x00000000013AE000-memory.dmp

Filesize
3.0MB

Download
memory/932-1044-0x00000000010B0000-0x00000000013AE000-memory.dmp

Filesize
3.0MB

Download
memory/932-1048-0x0000000074AB0000-0x0000000074CCC000-memory.dmp

Filesize
2.1MB

Download
memory/932-1052-0x00000000010B0000-0x00000000013AE000-memory.dmp

Filesize
3.0MB

Download
memory/932-1056-0x0000000074AB0000-0x0000000074CCC000-memory.dmp

Filesize
2.1MB

Download
memory/2208-39-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download