wannacry | 283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a

Analysis

max time kernel
595s
max time network
497s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-01-2024 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

3.4MB
MD5

84c82835a5d21bbcf75a61706d8ab549
SHA1

5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512

90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
SSDEEP

98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB

Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops startup file 1 IoCs

Processes:

[email protected]

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD1392.tmp	[email protected]

Executes dropped EXE 61 IoCs

Processes:

taskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe

pid	process
1464	taskdl.exe
2932	@[email protected]
1452	@[email protected]
704	taskhsvc.exe
2664	taskdl.exe
2824	taskse.exe
2828	@[email protected]
1868	taskdl.exe
3052	taskse.exe
2112	@[email protected]
1068	taskdl.exe
1324	taskse.exe
1584	@[email protected]
540	taskse.exe
564	@[email protected]
796	taskdl.exe
636	taskse.exe
2676	@[email protected]
840	taskdl.exe
1600	taskse.exe
1896	@[email protected]
3008	taskdl.exe
2128	taskse.exe
1672	@[email protected]
568	taskdl.exe
2356	taskse.exe
1832	@[email protected]
2020	taskdl.exe
2108	taskse.exe
2876	@[email protected]
2872	taskdl.exe
2844	taskse.exe
2672	@[email protected]
1912	taskdl.exe
2792	taskse.exe
2804	@[email protected]
2648	taskdl.exe
1632	taskse.exe
916	@[email protected]
2660	taskdl.exe
2468	taskse.exe
1280	@[email protected]
2484	taskdl.exe
3060	taskse.exe
1188	@[email protected]
2092	taskdl.exe
2252	taskse.exe
2236	@[email protected]
1864	taskdl.exe
2276	taskse.exe
2524	@[email protected]
1184	taskdl.exe
1472	taskse.exe
952	@[email protected]
816	taskdl.exe
908	taskse.exe
2292	@[email protected]
1680	taskdl.exe
1672	taskse.exe
820	@[email protected]
568	taskdl.exe

Loads dropped DLL 64 IoCs

Processes:

[email protected]cscript.execmd.exe@[email protected]taskhsvc.exe

pid	process
2060	[email protected]
2060	[email protected]
1584	cscript.exe
2060	[email protected]
2060	[email protected]
2276	cmd.exe
2276	cmd.exe
2932	@[email protected]
2932	@[email protected]
704	taskhsvc.exe
704	taskhsvc.exe
704	taskhsvc.exe
704	taskhsvc.exe
704	taskhsvc.exe
704	taskhsvc.exe
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]
2060	[email protected]

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2684 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2684	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nnzzsvcjqe067 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	reg.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

[email protected]@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1612 vssadmin.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2888 reg.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

taskhsvc.exe

pid process

704 taskhsvc.exe
704 taskhsvc.exe
704 taskhsvc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

@[email protected]

pid process

2828 @[email protected]

pid	process
1612	vssadmin.exe

pid	process
2888	reg.exe

pid	process
704	taskhsvc.exe
704	taskhsvc.exe
704	taskhsvc.exe

pid	process
2828	@[email protected]

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeWMIC.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exe

description	pid	process
Token: SeBackupPrivilege	2376	vssvc.exe
Token: SeRestorePrivilege	2376	vssvc.exe
Token: SeAuditPrivilege	2376	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2192	WMIC.exe
Token: SeSecurityPrivilege	2192	WMIC.exe
Token: SeTakeOwnershipPrivilege	2192	WMIC.exe
Token: SeLoadDriverPrivilege	2192	WMIC.exe
Token: SeSystemProfilePrivilege	2192	WMIC.exe
Token: SeSystemtimePrivilege	2192	WMIC.exe
Token: SeProfSingleProcessPrivilege	2192	WMIC.exe
Token: SeIncBasePriorityPrivilege	2192	WMIC.exe
Token: SeCreatePagefilePrivilege	2192	WMIC.exe
Token: SeBackupPrivilege	2192	WMIC.exe
Token: SeRestorePrivilege	2192	WMIC.exe
Token: SeShutdownPrivilege	2192	WMIC.exe
Token: SeDebugPrivilege	2192	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2192	WMIC.exe
Token: SeRemoteShutdownPrivilege	2192	WMIC.exe
Token: SeUndockPrivilege	2192	WMIC.exe
Token: SeManageVolumePrivilege	2192	WMIC.exe
Token: 33	2192	WMIC.exe
Token: 34	2192	WMIC.exe
Token: 35	2192	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2192	WMIC.exe
Token: SeSecurityPrivilege	2192	WMIC.exe
Token: SeTakeOwnershipPrivilege	2192	WMIC.exe
Token: SeLoadDriverPrivilege	2192	WMIC.exe
Token: SeSystemProfilePrivilege	2192	WMIC.exe
Token: SeSystemtimePrivilege	2192	WMIC.exe
Token: SeProfSingleProcessPrivilege	2192	WMIC.exe
Token: SeIncBasePriorityPrivilege	2192	WMIC.exe
Token: SeCreatePagefilePrivilege	2192	WMIC.exe
Token: SeBackupPrivilege	2192	WMIC.exe
Token: SeRestorePrivilege	2192	WMIC.exe
Token: SeShutdownPrivilege	2192	WMIC.exe
Token: SeDebugPrivilege	2192	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2192	WMIC.exe
Token: SeRemoteShutdownPrivilege	2192	WMIC.exe
Token: SeUndockPrivilege	2192	WMIC.exe
Token: SeManageVolumePrivilege	2192	WMIC.exe
Token: 33	2192	WMIC.exe
Token: 34	2192	WMIC.exe
Token: 35	2192	WMIC.exe
Token: SeTcbPrivilege	2824	taskse.exe
Token: SeTcbPrivilege	2824	taskse.exe
Token: SeTcbPrivilege	3052	taskse.exe
Token: SeTcbPrivilege	3052	taskse.exe
Token: SeTcbPrivilege	1324	taskse.exe
Token: SeTcbPrivilege	1324	taskse.exe
Token: SeTcbPrivilege	540	taskse.exe
Token: SeTcbPrivilege	540	taskse.exe
Token: SeTcbPrivilege	636	taskse.exe
Token: SeTcbPrivilege	636	taskse.exe
Token: SeTcbPrivilege	1600	taskse.exe
Token: SeTcbPrivilege	1600	taskse.exe
Token: SeTcbPrivilege	2128	taskse.exe
Token: SeTcbPrivilege	2128	taskse.exe
Token: SeTcbPrivilege	2356	taskse.exe
Token: SeTcbPrivilege	2356	taskse.exe
Token: SeTcbPrivilege	2108	taskse.exe
Token: SeTcbPrivilege	2108	taskse.exe
Token: SeTcbPrivilege	2844	taskse.exe
Token: SeTcbPrivilege	2844	taskse.exe
Token: SeTcbPrivilege	2792	taskse.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	process
2932	@[email protected]
1452	@[email protected]
2932	@[email protected]
1452	@[email protected]
2828	@[email protected]
2828	@[email protected]
2112	@[email protected]
1584	@[email protected]
564	@[email protected]
2676	@[email protected]
1896	@[email protected]
1672	@[email protected]
1832	@[email protected]
2876	@[email protected]
2672	@[email protected]
2804	@[email protected]
916	@[email protected]
1280	@[email protected]
1188	@[email protected]
2236	@[email protected]
2524	@[email protected]
952	@[email protected]
2292	@[email protected]
820	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

[email protected]cmd.execmd.exe@[email protected]@[email protected]cmd.exe

description	pid	process	target process
PID 2060 wrote to memory of 2716	2060	[email protected]	attrib.exe
PID 2060 wrote to memory of 2716	2060	[email protected]	attrib.exe
PID 2060 wrote to memory of 2716	2060	[email protected]	attrib.exe
PID 2060 wrote to memory of 2716	2060	[email protected]	attrib.exe
PID 2060 wrote to memory of 2684	2060	[email protected]	icacls.exe
PID 2060 wrote to memory of 2684	2060	[email protected]	icacls.exe
PID 2060 wrote to memory of 2684	2060	[email protected]	icacls.exe
PID 2060 wrote to memory of 2684	2060	[email protected]	icacls.exe
PID 2060 wrote to memory of 1464	2060	[email protected]	taskdl.exe
PID 2060 wrote to memory of 1464	2060	[email protected]	taskdl.exe
PID 2060 wrote to memory of 1464	2060	[email protected]	taskdl.exe
PID 2060 wrote to memory of 1464	2060	[email protected]	taskdl.exe
PID 2060 wrote to memory of 2796	2060	[email protected]	cmd.exe
PID 2060 wrote to memory of 2796	2060	[email protected]	cmd.exe
PID 2060 wrote to memory of 2796	2060	[email protected]	cmd.exe
PID 2060 wrote to memory of 2796	2060	[email protected]	cmd.exe
PID 2796 wrote to memory of 1584	2796	cmd.exe	cscript.exe
PID 2796 wrote to memory of 1584	2796	cmd.exe	cscript.exe
PID 2796 wrote to memory of 1584	2796	cmd.exe	cscript.exe
PID 2796 wrote to memory of 1584	2796	cmd.exe	cscript.exe
PID 2060 wrote to memory of 2540	2060	[email protected]	attrib.exe
PID 2060 wrote to memory of 2540	2060	[email protected]	attrib.exe
PID 2060 wrote to memory of 2540	2060	[email protected]	attrib.exe
PID 2060 wrote to memory of 2540	2060	[email protected]	attrib.exe
PID 2060 wrote to memory of 2932	2060	[email protected]	@[email protected]
PID 2060 wrote to memory of 2932	2060	[email protected]	@[email protected]
PID 2060 wrote to memory of 2932	2060	[email protected]	@[email protected]
PID 2060 wrote to memory of 2932	2060	[email protected]	@[email protected]
PID 2060 wrote to memory of 2276	2060	[email protected]	cmd.exe
PID 2060 wrote to memory of 2276	2060	[email protected]	cmd.exe
PID 2060 wrote to memory of 2276	2060	[email protected]	cmd.exe
PID 2060 wrote to memory of 2276	2060	[email protected]	cmd.exe
PID 2276 wrote to memory of 1452	2276	cmd.exe	@[email protected]
PID 2276 wrote to memory of 1452	2276	cmd.exe	@[email protected]
PID 2276 wrote to memory of 1452	2276	cmd.exe	@[email protected]
PID 2276 wrote to memory of 1452	2276	cmd.exe	@[email protected]
PID 2932 wrote to memory of 704	2932	@[email protected]	taskhsvc.exe
PID 2932 wrote to memory of 704	2932	@[email protected]	taskhsvc.exe
PID 2932 wrote to memory of 704	2932	@[email protected]	taskhsvc.exe
PID 2932 wrote to memory of 704	2932	@[email protected]	taskhsvc.exe
PID 1452 wrote to memory of 2996	1452	@[email protected]	cmd.exe
PID 1452 wrote to memory of 2996	1452	@[email protected]	cmd.exe
PID 1452 wrote to memory of 2996	1452	@[email protected]	cmd.exe
PID 1452 wrote to memory of 2996	1452	@[email protected]	cmd.exe
PID 2996 wrote to memory of 1612	2996	cmd.exe	vssadmin.exe
PID 2996 wrote to memory of 1612	2996	cmd.exe	vssadmin.exe
PID 2996 wrote to memory of 1612	2996	cmd.exe	vssadmin.exe
PID 2996 wrote to memory of 1612	2996	cmd.exe	vssadmin.exe
PID 2996 wrote to memory of 2192	2996	cmd.exe	WMIC.exe
PID 2996 wrote to memory of 2192	2996	cmd.exe	WMIC.exe
PID 2996 wrote to memory of 2192	2996	cmd.exe	WMIC.exe
PID 2996 wrote to memory of 2192	2996	cmd.exe	WMIC.exe
PID 2060 wrote to memory of 2664	2060	[email protected]	taskdl.exe
PID 2060 wrote to memory of 2664	2060	[email protected]	taskdl.exe
PID 2060 wrote to memory of 2664	2060	[email protected]	taskdl.exe
PID 2060 wrote to memory of 2664	2060	[email protected]	taskdl.exe
PID 2060 wrote to memory of 2824	2060	[email protected]	taskse.exe
PID 2060 wrote to memory of 2824	2060	[email protected]	taskse.exe
PID 2060 wrote to memory of 2824	2060	[email protected]	taskse.exe
PID 2060 wrote to memory of 2824	2060	[email protected]	taskse.exe
PID 2060 wrote to memory of 2828	2060	[email protected]	@[email protected]
PID 2060 wrote to memory of 2828	2060	[email protected]	@[email protected]
PID 2060 wrote to memory of 2828	2060	[email protected]	@[email protected]
PID 2060 wrote to memory of 2828	2060	[email protected]	@[email protected]

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2540 attrib.exe
2716 attrib.exe

pid	process
2540	attrib.exe
2716	attrib.exe

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Drops startup file
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:2060

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1464

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:2540

C:\Windows\SysWOW64\cmd.exe
cmd /c 241951706716659.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2684

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:2716

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2932

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:704

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2664

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nnzzsvcjqe067" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
2⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2828

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1868

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2112

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1068

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:564

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:796

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2676

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:840

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1896

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3008

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1672

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:568

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1832

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2020

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2876

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2872

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2672

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1912

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2804

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2648

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:1632

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:916

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2660

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:2468

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1280

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2484

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:3060

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1188

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2092

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:2252

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2236

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1864

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:2276

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2524

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1184

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:1472

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:952

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:816

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:908

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2292

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1680

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:1672

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:820

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:568

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
1⤵
- Loads dropped DLL
PID:1584

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] vs
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:1612

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nnzzsvcjqe067" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
1⤵
- Adds Run key to start application
- Modifies registry key
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
eaf35162df8e5f9bdfc46d5f326d8889

SHA1
4bf7aca3748c08fc28b59b200bd6759993fedb01

SHA256
9c556cd57b181ce0e5e56e7df2d2019146e50fed95b645a37e759020c2ceed3c

SHA512
43dddc18af3696d6b7cab88d55947ad8fe09240965a8c1b8bcfbc7c803924c39dcb102f7e40f7cde618117810261d915ae38c028c35b923a060c4d0db41e4e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\241951706716659.bat

Filesize
340B

MD5
3867f2ec82a7d77c9ffefb1aac8b7903

SHA1
06fccf19b9c498b5afa2b35da00e3ab28d56f785

SHA256
4e25c23aa5babc853889d3e1e79bb01ca7650837b250314a8d50f2e2c4b6730f

SHA512
b413994e5b9f0ecb956055c7befff14845b56bb658fd8280d3213fdfa175ff76bc56e082174f2475fdf2d1f9eff618ebfd80ee2b67c091eaf1fd9c94697da5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
185KB

MD5
473c4d04aaccf5f9eb02455f6fd960ea

SHA1
28fc4236592efb06dae269f20b86afc2b6b90c2d

SHA256
827b0abcc108d866be234a77124f1226c703e025b446e2d6c38263208c041150

SHA512
d0fd34678d98fa8c1cb1903ffbe3ec529f74f615a0909c022ce43315b2f6b44210dc1f188c59897c4a25638dc600aa90b5a83abbb55c19e582ca1972fc0652a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
8KB

MD5
e24d44158e56ca72e690233a809ef6b8

SHA1
cbb8da965d5bacca7742bc452e2c582df1c6d07d

SHA256
f92d46b073e5978e7b039cdfca663ec3f8cb25f409f3ab30d17b5b4ca7f5e0a3

SHA512
706ed12fde761a808d3d621d81f540f506db6c0a69fe7e12db3e66543a39ed4b6cfdc896477cce7c6da3822b6575da63ff289b1cb6854b02083a0b2a905998ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
916B

MD5
0404b424d3c675d350f2c12570e2e066

SHA1
581c112bdbe8af6ef6c427818c2cd74ee782d175

SHA256
65316d5386a0d5c2dffff7e7ac7fce1bbbc5a7ecd5e9bf89e4dc5b3071e17678

SHA512
6eb99742f2c3a54e62f9f7fd6ac43aaea07bcd718e92131215d9c97699622c44f5f0035632ea99fccbbacac620b018ff4722926385ef38b21d2a073c8824b6db

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\LIBEAY32.dll

Filesize
224KB

MD5
3c0972be5c8a5416e278d7ddc1732f1d

SHA1
49a19cdac6c403916cfc47976d79f57c74744f9c

SHA256
19b46ee9a2f3c22239eabb4faac3c824dbb410b679226423597b94964cdb0add

SHA512
d06c2d0f1dba544c9b0cbc622092c234a861c5d618ede168a4b319ca2e365ee8aaa40ff00dc6ea157cd400ee1d8996b228c5d2bfb0b1a4d43050c24834f33735

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\SSLEAY32.dll

Filesize
185KB

MD5
1b2403abb70c6365a53393a65386df46

SHA1
5f0c313b856eb889e51ab91cbe66cc28393b66ef

SHA256
bbe9cdae29a64ba263bc4a0683e93cd23b5d36f7aa2850b369b29dabe8430417

SHA512
da02a8fe7284ab5cfd64ae5d0a96e02bfef235c7505a69ce21264de7baa8b34045310cbfc3990153a5757fbab02c7da99914e60c43924b18555a426d95689e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

Filesize
301KB

MD5
722100779737905584c6fbb70c238272

SHA1
439f2313fe05ab9618afab5be3a8ae6b95c6807a

SHA256
f0df7901ac85dc2673554df29f1c3db7fc908fef4d97451b9181424dabe32214

SHA512
bf743231fd8668a9201c90fd7bbaff2fd8629efd9b296b4145c773a547caba6d61ddf533d14fb7f799ff6b89455ec53a78f4ecb58fb7c731a90856ea9ce9dde2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

Filesize
336KB

MD5
7316f54a54fcbdaf8a448a3b3908c662

SHA1
daec4e11fb23373f810e2450785e5f57acb43913

SHA256
5350220438d0e08e6367112883d701c0cc4c9dc3ca490b0b18a981d31c8202a5

SHA512
c374449d69095deed21ec058137f4c644eacb9ff1b06ec88425b2830e9b5f637cb16e04e9d2ef0dccba27d41b287152a121490db0c65ed3527cf9b1b65a5d72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Filesize
275KB

MD5
3024e11c7ed1ffc80cf16ad1dfe23466

SHA1
7b82e2d31e30d162cb75f46f25988baf167aaf69

SHA256
e8f4bff3d7c7d81a804fa976d8106f1ddba45391d268e5edbaafe4b0cac8982c

SHA512
047d08a59ac22f3faf34775a1d63fa0c619a1e9ea5812c1f6495492ec8c69850636ae3db81245d8a17e577c57984a4021869d3e54c5e6986fb20aba6d0ff3815

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Filesize
296KB

MD5
16914243603a451b54a829f45b57bb9b

SHA1
8907d4264c0d1cb6c3946b9cdcdccf7ff43b2293

SHA256
544cf89b0e1b3910f3a4c66055c8a5876849141c8d1937eb4648a26956beed78

SHA512
de412bbe2527dde09160e1f448d0f8e8fb000ea37fb94793da427870dd36f3a953b4e75bc8011277250b2a34246f710c6255416781a5da213f6838d3a1a6b4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wnry

Filesize
162KB

MD5
a8472abca8ae92c998878adcb660bb2b

SHA1
b9785539c677f83296253174afc24bf5a81f4c0a

SHA256
be4f6f1b5f7c36868de7be0e577d2cf7254c74e71b07d496a48a750c6d8e1ade

SHA512
c45c5b5f3d7e7d3ea010a438182e04fb62982379bc3f3397a4705dd36563782997a663f317263383323f318145e48073f7ca15a2db4d172d54f2b24c6589c97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.vbs

Filesize
219B

MD5
82a1fc4089755cb0b5a498ffdd52f20f

SHA1
0a8c0da8ef0354f37241e2901cf82ec9ce6474aa

SHA256
7fbdc49f4b4ba21949eca0b16c534b4882da97e94e5ca131cec1629e60439dfa

SHA512
1573a0c7333accef2695efefe1b57cba8f8d66a0061c24420ee0a183343a9a319995267d306ee85084c95580f9855bcdf9dee559b28a200b27fc3cc353315e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_croatian.wnry

Filesize
15KB

MD5
9c060b140fadc5b8ac477f69f82b17ab

SHA1
2248d1be7ac6784da486bd50b694dc971681d3de

SHA256
434beddfb01c6fdc8dba1ef644b1cbe18b4afc4c541c432d919aadca7d70615d

SHA512
ee8f3b31030dd0078940c3409ff2c888efdc8d85df3a4c8804432671857e6fb33158e6e08eee682e7b5edf24a4e7b7caa5d5408c2a2370c06038685288f7d834

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_czech.wnry

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_danish.wnry

Filesize
14KB

MD5
56b893be8ad15de07bf5d20a2dd8f5f6

SHA1
482568a408f12258512673202be41ec0a78a0783

SHA256
2aacf2a8c52cbbc3aedb7363fa03085af77a0fc875064562a36c6a6eebcf9dd7

SHA512
6eeaf8ea7414a33ada78291ee1982cc322e77bae37a2058c13ef4748b1e023a2a27aacfebe5d9749973b7829db541ff6bf4728fc09918f138c33dc716193d13a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_dutch.wnry

Filesize
1KB

MD5
d8a702d2bbc88098cd372927548a54dd

SHA1
7f255f6ce0a05560d9c76e64160d3ff176170988

SHA256
7774f5a2935f8beb38b1c77d1ed6d719b590c803565cbac8e2064800d90287ff

SHA512
99b3960892cee7ae86ae47d2b5bbd67be55995736b2a8ea89b4ee07e1b30c37286462155d92c0268cf34e7a9b82b21c9b98531b3b439f55a2544ca99c25c11ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_english.wnry

Filesize
10KB

MD5
e39bdc9821b4d76ca673e9a55e00ef6d

SHA1
5dec09365f83ddb6469ca6387a9e589e785d7194

SHA256
3b6f99041a12955d88492d9a2d6bb9b970fc93aaf1d8b8c73e006fa957d16046

SHA512
e5f2f66db34b12847b5b7321fe3bad37ef09cf6f27d3e8f65985cf1ac0323d988eb7818f5ca2854f16540c030e72d39b98fd1a75ba1fa9ebf2c6f4b443611005

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_russian.wnry

Filesize
39KB

MD5
137606bf595a20636c79a6dec5218bb7

SHA1
8430ea6e7da3076435750c9f148c5a13e0bbf262

SHA256
5f87800ce885267d54a3e1fe7804344279503979090af588a1c996b5dfc8be53

SHA512
33f86425b254170b5cfba958ca6f7bf0dc369135fa0b9066d4afb588184fd6afad1734c0793a0f3ef41973c4c01eeba65dbc65e6bef77925a9d93b29b92b29ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_slovak.wnry

Filesize
28KB

MD5
6296453ca55c4f35d25cfb1f5931b976

SHA1
33810732a550c47c9075916cfee265b80c8aa1fc

SHA256
2c2721db24b32b759076e5dbe9595343d16561f6ad00e54cc4f3f9ee7753dfc8

SHA512
eda59f3c70e55fc4d9bd98308b225a1fd32616b3cd5397ff8195e50d4ff7f359708be633b5bc3f514c961ab6f9eb265e5009f85071e2736b9d5fe1d9586bacef

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\AppData\Local\Temp\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.wnry

Filesize
15KB

MD5
2112b84a9cfc2c4bcb672dda880e23a0

SHA1
a74190818db100707cb87e9df555db8bb4a552fd

SHA256
0e57285e591e7796e8ded74e7b8ff657d90b4df33214da95e68016d2134a0082

SHA512
26d4332ed0abcab6ba904b45951ed66c4bc2fc80a267c5f23d341dc9f3c1238ce4caa32cc9f6322ed36a3d24cb8963441614567b5efbd0be5ccf0ba93b21c67e

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Filesize
1KB

MD5
e7ee99407bc93477d3463a716db11372

SHA1
29cf47d5bdacbb13a09fffbdce599d730ffee028

SHA256
b7a3501376d56da4bd97d644b373b542930b71d1845091bb290c66e347c987a3

SHA512
d307ef40b5755c191224ce12c62c32fdf4adb4a04bae7095c99f5046ca6be5838845ad97c99952edf6347199ed023e861675542946434b83c62c13ea87322890

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Filesize
5KB

MD5
775e4f8c5e54ab767a2c0d22494c9705

SHA1
ba46c6774ebff719d45a9a072e7e0e38a55ac8a7

SHA256
26003917ad20e9599be5213356f5b2f03e39923cb6b54a029ce39caa8eec2f3e

SHA512
55bf36c6ec974299257d2ed4a05ff41ec42d1c55590e1e7007998ed8f75640aed5fc36f2dc0be9e3a2b6453f11cf0ddbc4a73b1682a246f8c016353081c014d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wnry

Filesize
5KB

MD5
9ead08d68d1de5bcf9cd58a9648ba8f6

SHA1
810fd465749ee46ae9a724de4a45425b1c82333d

SHA256
5691d191088236f9dfc27da0da36217696b13ca37fb5a8f8962b3f576b549b08

SHA512
efcd7220b0bd8d7945ce5a2e80d701d4c782d3b3050f075c831f90912bedeaca2c182ad453026dd02be86b19f54796241b96621a41e3401d4758e425022f0358

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
96KB

MD5
b569a76d7985f6c6510fe5393bf2f206

SHA1
e9faa8227ccff8a36f0414eea910aceaf64b17a2

SHA256
fe3407931305d8a4953a06467afeb4efe4453ca095dabdc2912f1e2493d78421

SHA512
01c850c744808b3a08a089cc3da4ca0fef25f950ea4e39e88ebafcd10620399c84c1bc2059ed137c73619cb66841ea20ea96ff1d1a1c0c4b63c8ed34e6ace35a

Download Submit
C:\Users\Admin\Documents\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
183KB

MD5
d5a39377ccade0067db1ff9df9a73d4f

SHA1
97c73b1d709ccdde2d2c6684315ba5e3907a031c

SHA256
0ee5e992afa904eb1b9efbd9927ab4058976f526bdbf477d7da158fec0b20146

SHA512
2d0352e461e8b2f7a8a48eaa31c9c57535b33995cdf040376d6ecc53842283c13c5ed0589d05e82a42ec1f9bde8b1341d82414a811000e0a1c59e1e2c1290224

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
227KB

MD5
7bdc6a5d2a0fb7fff3c030582d690e7b

SHA1
e68402142effd0a042f3f9853b73cdc3baaef4e9

SHA256
d8e7277b44b6613e638dab6379bb64d8514c0ba637479af546257524f2ab368e

SHA512
b11a33cd7cce4232dca1c8a10f02b34923b3bcec13cae47d1794beda08c8cfe2c7d80a3c3dd240788ae2de19e6c669aaee3db4b577504a82d7010ac7c93ccb65

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libeay32.dll

Filesize
208KB

MD5
26dce300696f6704336cb033002fdfea

SHA1
a86950354a10edb3be8aedde943302d789052be7

SHA256
d0b3bd71373b5ac6056f1f70d92f2e81e4e66ae1e190c154144a96cfcc1ba693

SHA512
6bd20b7558a9131af7463fc560e01e6ae3a627d7453346b971f1388a202b110ecd6232fb2f74034c086070761f01abb0ca80ac88b005ea27f0749a2c15596483

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

Filesize
286KB

MD5
350937fe924226ed999527b42f777939

SHA1
94d6a42df618535293d652654b596de6a67b2baa

SHA256
0cb696297a270febdc7f970932cb33b5e65a469a87f52914149d89a8952163a5

SHA512
ba60eb15b267ea3b40246a96f6074407786b5cfbe10422b4fb5eadf6cc6f6eade2eb6d4ae500220fc921775b2afeb8b060b46b3335f2a200fd0205e026be5adb

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll

Filesize
90KB

MD5
78581e243e2b41b17452da8d0b5b2a48

SHA1
eaefb59c31cf07e60a98af48c5348759586a61bb

SHA256
f28caebe9bc6aa5a72635acb4f0e24500494e306d8e8b2279e7930981281683f

SHA512
332098113ce3f75cb20dc6e09f0d7ba03f13f5e26512d9f3bee3042c51fbb01a5e4426c5e9a5308f7f805b084efc94c28fc9426ce73ab8dfee16ab39b3efe02a

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\ssleay32.dll

Filesize
639KB

MD5
d7f61e60b7ca359b6991b872449c03f9

SHA1
a99defada36e09fdc49d8f4ed7f02735ed71cb6e

SHA256
6e3a7ab2002ee5bcd03e8bcd3e4830662608afb2fba185fa9b05d0ca049361a1

SHA512
a8186ccd1a46e1526e49ac2fd2d821cf3ada18dc92046b96364f149f1fd2bbaacd08ba49d64c6c38c5712b349a427afa4c5ba1ab31633a7cda445784d482608d

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Filesize
357KB

MD5
443a6455a421e158a44185305a8865d7

SHA1
4750140772f3b7ebb33e077ab46141fd4c963911

SHA256
aa03d8c51aae279633e8edb9f556ea3f728f5ac33fada68b93d4ae1d25c6945c

SHA512
a51c54a60b5d7240269c195e92374d9dc1b5f26bf52e2028d315e8eae4ca35e5438f36f538de7c9891f68f9c0928a1734ad084396b0bd88161c8e908c126aabd

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Filesize
422KB

MD5
e0bdf1dddcde4817a6ae3c9780c1ca30

SHA1
e66e705a84540396dfa15cc2fb135a8633206c56

SHA256
5141090611b6d5a7fc0a54eba24c88423625412b7f2c58a7d7b8a51799394b54

SHA512
63f2781c41dd2601b2c4ec3d745cd39d32a7d8445f87aa465eafcddcac0b98546ce6ff489c70225dc1bc5e8c2b12b665f38b4296fa15b5418572a293729d5bfd

Download Submit
memory/704-1009-0x0000000074820000-0x00000000748A2000-memory.dmp

Filesize
520KB

Download
memory/704-1004-0x0000000001370000-0x000000000166E000-memory.dmp

Filesize
3.0MB

Download
memory/704-1001-0x0000000001370000-0x000000000166E000-memory.dmp

Filesize
3.0MB

Download
memory/704-998-0x00000000747F0000-0x0000000074812000-memory.dmp

Filesize
136KB

Download
memory/704-1000-0x0000000001370000-0x000000000166E000-memory.dmp

Filesize
3.0MB

Download
memory/704-997-0x00000000748B0000-0x0000000074ACC000-memory.dmp

Filesize
2.1MB

Download
memory/704-994-0x00000000748B0000-0x0000000074ACC000-memory.dmp

Filesize
2.1MB

Download
memory/704-993-0x0000000074B50000-0x0000000074BD2000-memory.dmp

Filesize
520KB

Download
memory/704-995-0x0000000074B50000-0x0000000074BD2000-memory.dmp

Filesize
520KB

Download
memory/704-1010-0x00000000747F0000-0x0000000074812000-memory.dmp

Filesize
136KB

Download
memory/704-996-0x0000000074820000-0x00000000748A2000-memory.dmp

Filesize
520KB

Download
memory/704-1008-0x00000000748B0000-0x0000000074ACC000-memory.dmp

Filesize
2.1MB

Download
memory/704-1007-0x0000000074AD0000-0x0000000074B47000-memory.dmp

Filesize
476KB

Download
memory/704-1006-0x00000000752C0000-0x00000000752DC000-memory.dmp

Filesize
112KB

Download
memory/704-1005-0x0000000074B50000-0x0000000074BD2000-memory.dmp

Filesize
520KB

Download
memory/704-999-0x0000000074820000-0x00000000748A2000-memory.dmp

Filesize
520KB

Download
memory/704-1011-0x0000000001370000-0x000000000166E000-memory.dmp

Filesize
3.0MB

Download
memory/704-1022-0x0000000001370000-0x000000000166E000-memory.dmp

Filesize
3.0MB

Download
memory/704-1026-0x00000000748B0000-0x0000000074ACC000-memory.dmp

Filesize
2.1MB

Download
memory/704-1029-0x0000000001370000-0x000000000166E000-memory.dmp

Filesize
3.0MB

Download
memory/704-1033-0x00000000748B0000-0x0000000074ACC000-memory.dmp

Filesize
2.1MB

Download
memory/704-1037-0x0000000001370000-0x000000000166E000-memory.dmp

Filesize
3.0MB

Download
memory/704-1041-0x00000000748B0000-0x0000000074ACC000-memory.dmp

Filesize
2.1MB

Download
memory/704-1071-0x0000000001370000-0x000000000166E000-memory.dmp

Filesize
3.0MB

Download
memory/704-1075-0x00000000748B0000-0x0000000074ACC000-memory.dmp

Filesize
2.1MB

Download
memory/704-1086-0x0000000001370000-0x000000000166E000-memory.dmp

Filesize
3.0MB

Download
memory/704-1090-0x00000000748B0000-0x0000000074ACC000-memory.dmp

Filesize
2.1MB

Download
memory/704-1097-0x0000000001370000-0x000000000166E000-memory.dmp

Filesize
3.0MB

Download
memory/2060-41-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download