wannacry | 283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a

Analysis

max time kernel
656s
max time network
621s
platform
windows7_x64
resource
win7-20231215-es
resource tags

arch:x64arch:x86image:win7-20231215-eslocale:es-esos:windows7-x64systemwindows
submitted
31/01/2024, 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

3.4MB
MD5

84c82835a5d21bbcf75a61706d8ab549
SHA1

5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512

90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
SSDEEP

98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB

Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD7813.tmp	[email protected]

Executes dropped EXE 64 IoCs

pid	Process
2588	taskdl.exe
2816	@[email protected]
2268	@[email protected]
2952	taskhsvc.exe
1040	taskdl.exe
2804	taskse.exe
2220	@[email protected]
2092	taskdl.exe
1956	taskse.exe
2076	@[email protected]
3008	taskdl.exe
1436	taskse.exe
1992	@[email protected]
2036	taskse.exe
1012	@[email protected]
1700	taskdl.exe
988	taskse.exe
912	@[email protected]
692	taskdl.exe
368	taskse.exe
880	@[email protected]
2524	taskdl.exe
2740	taskse.exe
1584	@[email protected]
2328	taskdl.exe
2628	taskse.exe
2396	@[email protected]
820	taskdl.exe
3040	taskse.exe
2016	@[email protected]
848	taskdl.exe
2768	taskse.exe
2692	@[email protected]
2892	taskdl.exe
1432	taskse.exe
2948	@[email protected]
844	taskdl.exe
536	taskse.exe
2348	@[email protected]
2136	taskdl.exe
1676	taskse.exe
1560	@[email protected]
2036	taskdl.exe
908	taskse.exe
1036	@[email protected]
984	taskdl.exe
1988	taskse.exe
1688	@[email protected]
1388	taskdl.exe
2736	taskse.exe
2120	@[email protected]
2696	taskdl.exe
2620	taskse.exe
1304	@[email protected]
2396	taskdl.exe
2920	taskse.exe
3044	@[email protected]
308	taskdl.exe
2828	taskse.exe
2832	@[email protected]
2068	taskdl.exe
2428	taskse.exe
992	@[email protected]
1000	taskdl.exe

Loads dropped DLL 64 IoCs

pid	Process
2080	[email protected]
2080	[email protected]
2772	cscript.exe
2080	[email protected]
2080	[email protected]
2920	cmd.exe
2920	cmd.exe
2816	@[email protected]
2816	@[email protected]
2952	taskhsvc.exe
2952	taskhsvc.exe
2952	taskhsvc.exe
2952	taskhsvc.exe
2952	taskhsvc.exe
2952	taskhsvc.exe
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1228	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bvjwcamt067 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	reg.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1100	vssadmin.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2320	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2952	taskhsvc.exe
2952	taskhsvc.exe
2952	taskhsvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2220	@[email protected]

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1904	vssvc.exe
Token: SeRestorePrivilege	1904	vssvc.exe
Token: SeAuditPrivilege	1904	vssvc.exe
Token: SeIncreaseQuotaPrivilege	740	WMIC.exe
Token: SeSecurityPrivilege	740	WMIC.exe
Token: SeTakeOwnershipPrivilege	740	WMIC.exe
Token: SeLoadDriverPrivilege	740	WMIC.exe
Token: SeSystemProfilePrivilege	740	WMIC.exe
Token: SeSystemtimePrivilege	740	WMIC.exe
Token: SeProfSingleProcessPrivilege	740	WMIC.exe
Token: SeIncBasePriorityPrivilege	740	WMIC.exe
Token: SeCreatePagefilePrivilege	740	WMIC.exe
Token: SeBackupPrivilege	740	WMIC.exe
Token: SeRestorePrivilege	740	WMIC.exe
Token: SeShutdownPrivilege	740	WMIC.exe
Token: SeDebugPrivilege	740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	740	WMIC.exe
Token: SeRemoteShutdownPrivilege	740	WMIC.exe
Token: SeUndockPrivilege	740	WMIC.exe
Token: SeManageVolumePrivilege	740	WMIC.exe
Token: 33	740	WMIC.exe
Token: 34	740	WMIC.exe
Token: 35	740	WMIC.exe
Token: SeIncreaseQuotaPrivilege	740	WMIC.exe
Token: SeSecurityPrivilege	740	WMIC.exe
Token: SeTakeOwnershipPrivilege	740	WMIC.exe
Token: SeLoadDriverPrivilege	740	WMIC.exe
Token: SeSystemProfilePrivilege	740	WMIC.exe
Token: SeSystemtimePrivilege	740	WMIC.exe
Token: SeProfSingleProcessPrivilege	740	WMIC.exe
Token: SeIncBasePriorityPrivilege	740	WMIC.exe
Token: SeCreatePagefilePrivilege	740	WMIC.exe
Token: SeBackupPrivilege	740	WMIC.exe
Token: SeRestorePrivilege	740	WMIC.exe
Token: SeShutdownPrivilege	740	WMIC.exe
Token: SeDebugPrivilege	740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	740	WMIC.exe
Token: SeRemoteShutdownPrivilege	740	WMIC.exe
Token: SeUndockPrivilege	740	WMIC.exe
Token: SeManageVolumePrivilege	740	WMIC.exe
Token: 33	740	WMIC.exe
Token: 34	740	WMIC.exe
Token: 35	740	WMIC.exe
Token: SeTcbPrivilege	2804	taskse.exe
Token: SeTcbPrivilege	2804	taskse.exe
Token: SeTcbPrivilege	1956	taskse.exe
Token: SeTcbPrivilege	1956	taskse.exe
Token: SeTcbPrivilege	1436	taskse.exe
Token: SeTcbPrivilege	1436	taskse.exe
Token: SeTcbPrivilege	2036	taskse.exe
Token: SeTcbPrivilege	2036	taskse.exe
Token: SeTcbPrivilege	988	taskse.exe
Token: SeTcbPrivilege	988	taskse.exe
Token: SeTcbPrivilege	368	taskse.exe
Token: SeTcbPrivilege	368	taskse.exe
Token: SeTcbPrivilege	2740	taskse.exe
Token: SeTcbPrivilege	2740	taskse.exe
Token: SeTcbPrivilege	2628	taskse.exe
Token: SeTcbPrivilege	2628	taskse.exe
Token: SeTcbPrivilege	3040	taskse.exe
Token: SeTcbPrivilege	3040	taskse.exe
Token: SeTcbPrivilege	2768	taskse.exe
Token: SeTcbPrivilege	2768	taskse.exe
Token: SeTcbPrivilege	1432	taskse.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
2816	@[email protected]
2268	@[email protected]
2268	@[email protected]
2816	@[email protected]
2220	@[email protected]
2220	@[email protected]
2076	@[email protected]
1992	@[email protected]
1012	@[email protected]
912	@[email protected]
880	@[email protected]
1584	@[email protected]
2396	@[email protected]
2016	@[email protected]
2692	@[email protected]
2948	@[email protected]
2348	@[email protected]
1560	@[email protected]
1036	@[email protected]
1688	@[email protected]
2120	@[email protected]
1304	@[email protected]
3044	@[email protected]
2832	@[email protected]
992	@[email protected]
3004	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2712	2080	[email protected]	28
PID 2080 wrote to memory of 2712	2080	[email protected]	28
PID 2080 wrote to memory of 2712	2080	[email protected]	28
PID 2080 wrote to memory of 2712	2080	[email protected]	28
PID 2080 wrote to memory of 1228	2080	[email protected]	29
PID 2080 wrote to memory of 1228	2080	[email protected]	29
PID 2080 wrote to memory of 1228	2080	[email protected]	29
PID 2080 wrote to memory of 1228	2080	[email protected]	29
PID 2080 wrote to memory of 2588	2080	[email protected]	32
PID 2080 wrote to memory of 2588	2080	[email protected]	32
PID 2080 wrote to memory of 2588	2080	[email protected]	32
PID 2080 wrote to memory of 2588	2080	[email protected]	32
PID 2080 wrote to memory of 1552	2080	[email protected]	33
PID 2080 wrote to memory of 1552	2080	[email protected]	33
PID 2080 wrote to memory of 1552	2080	[email protected]	33
PID 2080 wrote to memory of 1552	2080	[email protected]	33
PID 1552 wrote to memory of 2772	1552	cmd.exe	35
PID 1552 wrote to memory of 2772	1552	cmd.exe	35
PID 1552 wrote to memory of 2772	1552	cmd.exe	35
PID 1552 wrote to memory of 2772	1552	cmd.exe	35
PID 2080 wrote to memory of 1812	2080	[email protected]	37
PID 2080 wrote to memory of 1812	2080	[email protected]	37
PID 2080 wrote to memory of 1812	2080	[email protected]	37
PID 2080 wrote to memory of 1812	2080	[email protected]	37
PID 2080 wrote to memory of 2816	2080	[email protected]	39
PID 2080 wrote to memory of 2816	2080	[email protected]	39
PID 2080 wrote to memory of 2816	2080	[email protected]	39
PID 2080 wrote to memory of 2816	2080	[email protected]	39
PID 2080 wrote to memory of 2920	2080	[email protected]	40
PID 2080 wrote to memory of 2920	2080	[email protected]	40
PID 2080 wrote to memory of 2920	2080	[email protected]	40
PID 2080 wrote to memory of 2920	2080	[email protected]	40
PID 2920 wrote to memory of 2268	2920	cmd.exe	42
PID 2920 wrote to memory of 2268	2920	cmd.exe	42
PID 2920 wrote to memory of 2268	2920	cmd.exe	42
PID 2920 wrote to memory of 2268	2920	cmd.exe	42
PID 2816 wrote to memory of 2952	2816	@[email protected]	44
PID 2816 wrote to memory of 2952	2816	@[email protected]	44
PID 2816 wrote to memory of 2952	2816	@[email protected]	44
PID 2816 wrote to memory of 2952	2816	@[email protected]	44
PID 2268 wrote to memory of 1932	2268	@[email protected]	46
PID 2268 wrote to memory of 1932	2268	@[email protected]	46
PID 2268 wrote to memory of 1932	2268	@[email protected]	46
PID 2268 wrote to memory of 1932	2268	@[email protected]	46
PID 1932 wrote to memory of 1100	1932	cmd.exe	48
PID 1932 wrote to memory of 1100	1932	cmd.exe	48
PID 1932 wrote to memory of 1100	1932	cmd.exe	48
PID 1932 wrote to memory of 1100	1932	cmd.exe	48
PID 1932 wrote to memory of 740	1932	cmd.exe	50
PID 1932 wrote to memory of 740	1932	cmd.exe	50
PID 1932 wrote to memory of 740	1932	cmd.exe	50
PID 1932 wrote to memory of 740	1932	cmd.exe	50
PID 2080 wrote to memory of 1040	2080	[email protected]	52
PID 2080 wrote to memory of 1040	2080	[email protected]	52
PID 2080 wrote to memory of 1040	2080	[email protected]	52
PID 2080 wrote to memory of 1040	2080	[email protected]	52
PID 2080 wrote to memory of 2804	2080	[email protected]	53
PID 2080 wrote to memory of 2804	2080	[email protected]	53
PID 2080 wrote to memory of 2804	2080	[email protected]	53
PID 2080 wrote to memory of 2804	2080	[email protected]	53
PID 2080 wrote to memory of 2220	2080	[email protected]	54
PID 2080 wrote to memory of 2220	2080	[email protected]	54
PID 2080 wrote to memory of 2220	2080	[email protected]	54
PID 2080 wrote to memory of 2220	2080	[email protected]	54

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2712	attrib.exe
1812	attrib.exe

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Drops startup file
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:2712
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1228
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 324251706714709.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - Loads dropped DLL
    PID:2772
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - Views/modifies file attributes
  PID:1812
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1932
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:1100
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:740
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2220
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "bvjwcamt067" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
  2⤵
  PID:2216
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "bvjwcamt067" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2320
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2076
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1992
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1012
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:912
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:368
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:880
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1584
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2396
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:820
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2016
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:848
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2948
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2348
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1560
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1036
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:984
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1688
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2120
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1304
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3044
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:308
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:992
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1000
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  PID:620
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3004
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  PID:1900

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
6ccb35eed64a54c4b29ec0bb92ee1576

SHA1
74ecaa9da3f77ef2c7cf59bfa8e19bb0364d564c

SHA256
182b765b78f02436351e4a9ec51b976d2483cae5bb8577c250bc34bb95a6c77b

SHA512
5868b559201756cb832acd5427fd0a74706d4f45d08d01de55a33ad3f3e9acde51b542253fa859820a1b556d3eb5ebba58d4906c4db762a0e83c5e2889c1e192

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.WNCRYT

Filesize
512KB

MD5
f76162458af9cc6b0ef67d0f5c16e7d4

SHA1
085af3cf3bca04c14782b473c008e8555d4844c8

SHA256
4df4374db3acfa06a815a11290b4edc4d74e06a88a16e6298ca32ca819f24935

SHA512
0b82b3385a99b0598366421d62403ae7465db1d596c1c601538aee55571f8109b60c06bf24b6b70add644e64309b051ba755550fbbf78646f4f75b926b77dd71

Download Submit
C:\Users\Admin\AppData\Local\Temp\10.WNCRYT

Filesize
11KB

MD5
d02aea59691f8c098397d8dd577cdc3f

SHA1
c4e1b70d061a790c8ac9f66e5b6fef911e54ea98

SHA256
f2b82753d240946975413b4e5144f93e62e4f54c08c16cbe93235a02b81af2ad

SHA512
adaddfcca72345a97b8bd048729d593aabb2eda604ebf6851714c0766b0f86b040e8f2bd057723cfe16346085466da67c8064d2fcb385927c3925dc5a56147ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.WNCRYT

Filesize
550KB

MD5
0846c119b5b425f45e94c4c5ce9fb80a

SHA1
a1ba82daf330116822cf5a1a46332d3b50d12350

SHA256
99b7d7bb1508c6e083c2f766e9e3e40b8fdcaa0f2e3a590679822c78afa410d6

SHA512
246d277d9ec27a1765cc6ee462ba767b682676b85f9cd17cf92bf50487cd7626f072ff7fc4ad09221a7d37e5fa7df3539678d6cfc66cb08ea121de2ef1a8c791

Download Submit
C:\Users\Admin\AppData\Local\Temp\12.WNCRYT

Filesize
699KB

MD5
3a0419b776e98ca356eec995a0134a77

SHA1
c7e81d0ce68d745fcf09d60da40f660aca0c83fd

SHA256
31736df3dc0e480f20f695f6b773ba48ea53b19b5ae3bd0aa447d236e2c0f796

SHA512
f92c8d47885736b16fcbe88779c958847180347c2be4004e92035423e930faf4e86e8801ed78ea051735a8e9818a12ae6ee8374018c64df5722f68786ca80d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\13.WNCRYT

Filesize
282KB

MD5
a638c96309e05078d3583bbf095d8f12

SHA1
4d20f919569805e5cf258cf8929e237f919187c5

SHA256
58515f4d58e01d808f02731f03e38b2d26651ce9594bd99713c171191fdf8bd2

SHA512
aeaa93e9c55de224be9d025b5e8cea28cebcd600639b6c432a8e83295a3967dfa4d2a50e9f8b177384234e7c1eec7ac63340d7bf5e2da12ef44924c9e059f212

Download Submit
C:\Users\Admin\AppData\Local\Temp\14.WNCRYT

Filesize
1.1MB

MD5
a6a9d019cb85574ee8b0e61e659e5170

SHA1
981c4a540ee63b306922bd6975b9f9c2a84e5cae

SHA256
51756a4bdeaf3952eb011976e05eb0df8cf212017dae815ea430aaaa219f3fe6

SHA512
b68c1b29ffd74b4098e1e532b65c72fe8cf606328de48ac5442cce1bad220a767e114c7fb08b2d90cae98b19c1665c2b9e1761e588c59f34606d1167a13d2f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\324251706714709.bat

Filesize
340B

MD5
3867f2ec82a7d77c9ffefb1aac8b7903

SHA1
06fccf19b9c498b5afa2b35da00e3ab28d56f785

SHA256
4e25c23aa5babc853889d3e1e79bb01ca7650837b250314a8d50f2e2c4b6730f

SHA512
b413994e5b9f0ecb956055c7befff14845b56bb658fd8280d3213fdfa175ff76bc56e082174f2475fdf2d1f9eff618ebfd80ee2b67c091eaf1fd9c94697da5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
916B

MD5
8ff826ce579fc58932b4e388b64d986f

SHA1
7d7a05438bd80f26c8a84af0a289ceb5c144bae5

SHA256
98cd1f98a8a6b65b59ab5f66c11c7267b96b3ea1c955af1260670087a0327eba

SHA512
2e3214cbd1a2c853716cb4f5f018cf61cd0e62dadbd25ef80ab2a59b30eb64eaa6ff139e72e5d59e28d0bbb19667143d739839fdcf3884d8de6a3f169aa90b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\LIBEAY32.dll

Filesize
487KB

MD5
e23a6fda7e3ac2744857f772853ff35d

SHA1
9e93a80c3d93d9fa4a7495fafa4e4241c40fd72f

SHA256
2ee362801be4090735bfad99c3f3b6189544f3238cae5ef2da81c0cd176e25ae

SHA512
378a73db68fd7158f38232154466390d5f2349ab1a25ffb4131f2e1f948b394e0c009d5f428d41392a5a653dee791d1ee55f1b1a2a9f420c50943c5fd54ec445

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\SSLEAY32.dll

Filesize
356KB

MD5
a1f6466efb3bb4137790c4daa90db5b5

SHA1
cb58b5038d629b1aa7d43df75232dbe33414b294

SHA256
b820a686e6cfec730dabe933b864b0008b8cf757d9ea613ab4f6ff08f90bb876

SHA512
6beb8838fe01c661aeebc02604da6318213bc723ebe73f0e54ed6838917e55062f1f3fb815e37bc3162cd91f192a3f5338927d900b08dabc55cab51d5cae638a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

Filesize
702KB

MD5
90f50a285efa5dd9c7fddce786bdef25

SHA1
54213da21542e11d656bb65db724105afe8be688

SHA256
77a250e81fdaf9a075b1244a9434c30bf449012c9b647b265fa81a7b0db2513f

SHA512
746422be51031cfa44dd9a6f3569306c34bbe8abf9d2bd1df139d9c938d0cba095c0e05222fd08c8b6deaebef5d3f87569b08fb3261a2d123d983517fb9f43ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

Filesize
323KB

MD5
685482bc04f17f041dc73f3921d8138d

SHA1
9a3124fe2eb458b3345788ebd5e76a6f91320390

SHA256
ba0913cf8871f6ea890fa2088a3475a984553ce5ad1980043a2bab0a40030655

SHA512
e638f6bd4da1a8bcf6fc6629a9d1272295d5e090d8bae20185f95214ce9496f13ad6099711b709dd29c36e26cfc47220131a7fa8f49f954e1695f06f5d7e48a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Filesize
1.6MB

MD5
2eedea1e97cb05751787fa3b93b2a733

SHA1
ca9acc3ee8e79be908600f1167d00271fed7844d

SHA256
d27fc203ee89f6efa40d9ab15d258ce96aa91cb156903f5f98e8dc0cbfc0f275

SHA512
75ed080d6500dbbb31a6f15792bef5c5fd423140f827930714cd28c36728c9e8177b2345f08536e69123b01fbd68824ede9356deb06c6116afefc73c999bbe36

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Filesize
1.0MB

MD5
a90e48eec0da22b3ca5008c39162be6d

SHA1
3f9cf203c1e90335dbb95e4748e3dae9669ea55c

SHA256
11a71163522a4d72ec964597e164851e100a9540a326fa4c2fc56021ae3f9781

SHA512
d21cd8996c44575f31fc5c51b3cbcc95b8f1633cfe1ab02eed3810ffe215c5a8188aa22dfc70f7f6e2970d9d2bd66a68f380514d5c459bb7bd06d88104139627

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Filesize
780B

MD5
178a96a449c7c049475249d6cea1de59

SHA1
43c3da8ef1baa851767ed98535099354d6d78751

SHA256
c3a1a2ea461dcdd1f0525ba7a2068142280024c4e8c7b940f623eb31d616a431

SHA512
99df970bb75f45a85e6c3a7c2e83da1f19ed93fd52251693fb9e4836da3b15baf91ea4bb928e527e0e8358e27aeafd4e91bd631c95e39b754886ce96fd7ddfda

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.vbs

Filesize
219B

MD5
82a1fc4089755cb0b5a498ffdd52f20f

SHA1
0a8c0da8ef0354f37241e2901cf82ec9ce6474aa

SHA256
7fbdc49f4b4ba21949eca0b16c534b4882da97e94e5ca131cec1629e60439dfa

SHA512
1573a0c7333accef2695efefe1b57cba8f8d66a0061c24420ee0a183343a9a319995267d306ee85084c95580f9855bcdf9dee559b28a200b27fc3cc353315e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_Spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
11.6MB

MD5
a03ed0d3c486e5386ef5e9d60e4fd077

SHA1
3d3fc3d5db246470c21d89104cb6190fdf267ec4

SHA256
a3139ca89d8f344f90725cfe0cf9371142d03605391d9c2f7eea3de342c83e88

SHA512
14ab32fa844132c75fbe17f40020d96fa3ef3e740959a2274a557a287804b93a0422780bd3ded561cb31ffab23443eabba77d3a8747e3d30395cb94854abbf9c

Download Submit
C:\Users\Admin\Documents\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libeay32.dll

Filesize
583KB

MD5
506e8af8638fe5beb8e2bac643cebdca

SHA1
eb850bf84bde89bbc21fce6608efc258ccd96165

SHA256
94957ab415c74d40a3b1fc04b9c4f9a55f7f72f374e7e9eb2d6b5e6955d15568

SHA512
837fdaf8ab209d7f6776694ba77099a8e1090736b66a0e372430db6a255759f6b9c763bb753517ed9b6a3f4210d8585367fc31df675bf2784550f0eacc3b5611

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

Filesize
592KB

MD5
e38edceb83590c9cf26db8857cf66933

SHA1
4bd6d4c82a893c46ffc9d56f68d60b1b78688f5f

SHA256
5951945be854a89a2b25769f42e5e14f1d680a61d430ca8b8e2403bfadee4467

SHA512
026911bfa908cec5a5dbf6ff07b1cbf083e4e9e470e7c4a747af5dd7027fc132e135f90efa312c8a28efa1ab2211501e3cd09c63b5792a95d97116920969ab30

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

Filesize
401KB

MD5
db48f04e7657ebe626ff4053bd3e4705

SHA1
051113a1cc80f52f5ac5f68aa4df033ff12428e4

SHA256
9d1ed0a9ff7a191ead2d5a9bac98c78a5a2b231cc3ba23226465b67ab9576981

SHA512
4b3bd0b8b25b7772d8e3ed805f227f3e47718f5386257291a6efe38c4670321cf44adeb884ae46c1b500862d3557d783a94c10f348358448671bd8ca9f89ab44

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll

Filesize
90KB

MD5
78581e243e2b41b17452da8d0b5b2a48

SHA1
eaefb59c31cf07e60a98af48c5348759586a61bb

SHA256
f28caebe9bc6aa5a72635acb4f0e24500494e306d8e8b2279e7930981281683f

SHA512
332098113ce3f75cb20dc6e09f0d7ba03f13f5e26512d9f3bee3042c51fbb01a5e4426c5e9a5308f7f805b084efc94c28fc9426ce73ab8dfee16ab39b3efe02a

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\ssleay32.dll

Filesize
414KB

MD5
853144eb3fd40c036c1cc63a2a67ce3f

SHA1
d54187dceeb4bee8def6c7086eddd0db2fb5392a

SHA256
0030736e6f8916d2bd2f6fe75de9d652f4e467a500ec6cf8c444226f6699f867

SHA512
5dd1094432dca1726efb817a0e1a9331d55b939ca7e405b3875de517f349a1126cfe98725f48a917cddabeb1d2c404d01b6d5f3c6bfea0be34e4ec625e0828af

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Filesize
1.5MB

MD5
4556cc3ccead6fb53aad9f48d8b38046

SHA1
3dea3cf4b2aa937d909aabaa628d266deb5e382d

SHA256
5dcce49fab347125277636fdf85de9ccd1a06baa7e2e2d28fe5feee945ffbbe2

SHA512
aa56980bda78ec4766286d52a26399b83dfbc9c8f1e9a28077b2fa1ae589b1ede5b4559af1a11e83b7d9517c3b1464f602db363f608ab8de33b86024e9f343cc

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Filesize
1.3MB

MD5
7504e992b749f3ed05cbc378df83d554

SHA1
7be8f17fe872f4ac8a48fa196441343813b0e5dd

SHA256
8ca92d3b8063e0bd719ae88fc6224b0213ae2a5d40e61ac5c02872d81d263d7e

SHA512
c7311b42d95925ff99440187825dbd47e372e2d8e7689e5d00af72357a715cece00f4f577a3e57421658861f109862624815c3a4aafa573079dd5e651d46f242

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll

Filesize
105KB

MD5
fb072e9f69afdb57179f59b512f828a4

SHA1
fe71b70173e46ee4e3796db9139f77dc32d2f846

SHA256
66d653397cbb2dbb397eb8421218e2c126b359a3b0decc0f31e297df099e1383

SHA512
9d157fece0dc18afe30097d9c4178ae147cc9d465a6f1d35778e1bff1efca4734dd096e95d35faea32da8d8b4560382338ba9c6c40f29047f1cc0954b27c64f8

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
memory/2080-39-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2952-869-0x0000000073DC0000-0x0000000073DE2000-memory.dmp

Filesize
136KB

Download
memory/2952-884-0x0000000074120000-0x000000007413C000-memory.dmp

Filesize
112KB

Download
memory/2952-885-0x00000000740A0000-0x0000000074117000-memory.dmp

Filesize
476KB

Download
memory/2952-886-0x0000000073E80000-0x000000007409C000-memory.dmp

Filesize
2.1MB

Download
memory/2952-887-0x0000000073DF0000-0x0000000073E72000-memory.dmp

Filesize
520KB

Download
memory/2952-883-0x0000000074140000-0x00000000741C2000-memory.dmp

Filesize
520KB

Download
memory/2952-882-0x0000000000BC0000-0x0000000000EBE000-memory.dmp

Filesize
3.0MB

Download
memory/2952-872-0x0000000000BC0000-0x0000000000EBE000-memory.dmp

Filesize
3.0MB

Download
memory/2952-918-0x0000000000BC0000-0x0000000000EBE000-memory.dmp

Filesize
3.0MB

Download
memory/2952-870-0x0000000073DF0000-0x0000000073E72000-memory.dmp

Filesize
520KB

Download
memory/2952-937-0x0000000000BC0000-0x0000000000EBE000-memory.dmp

Filesize
3.0MB

Download
memory/2952-938-0x0000000000BC0000-0x0000000000EBE000-memory.dmp

Filesize
3.0MB

Download
memory/2952-949-0x0000000000BC0000-0x0000000000EBE000-memory.dmp

Filesize
3.0MB

Download
memory/2952-953-0x0000000073E80000-0x000000007409C000-memory.dmp

Filesize
2.1MB

Download
memory/2952-977-0x0000000000BC0000-0x0000000000EBE000-memory.dmp

Filesize
3.0MB

Download
memory/2952-1016-0x0000000000BC0000-0x0000000000EBE000-memory.dmp

Filesize
3.0MB

Download
memory/2952-1027-0x0000000000BC0000-0x0000000000EBE000-memory.dmp

Filesize
3.0MB

Download
memory/2952-1031-0x0000000073E80000-0x000000007409C000-memory.dmp

Filesize
2.1MB

Download
memory/2952-1034-0x0000000000BC0000-0x0000000000EBE000-memory.dmp

Filesize
3.0MB

Download
memory/2952-871-0x0000000073DC0000-0x0000000073DE2000-memory.dmp

Filesize
136KB

Download
memory/2952-864-0x0000000074140000-0x00000000741C2000-memory.dmp

Filesize
520KB

Download
memory/2952-865-0x0000000073E80000-0x000000007409C000-memory.dmp

Filesize
2.1MB

Download
memory/2952-867-0x0000000073DF0000-0x0000000073E72000-memory.dmp

Filesize
520KB

Download
memory/2952-868-0x0000000073E80000-0x000000007409C000-memory.dmp

Filesize
2.1MB

Download
memory/2952-866-0x0000000074140000-0x00000000741C2000-memory.dmp

Filesize
520KB

Download