wannacry | 283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a

Resubmissions

06-02-2024 15:24

240206-ss2flabggp 10

Analysis

max time kernel
158s
max time network
133s
platform
windows7_x64
resource
win7-20231215-es
resource tags

arch:x64arch:x86image:win7-20231215-eslocale:es-esos:windows7-x64systemwindows
submitted
06-02-2024 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

3.4MB
MD5

84c82835a5d21bbcf75a61706d8ab549
SHA1

5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512

90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
SSDEEP

98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB

Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops startup file 1 IoCs

Processes:

[email protected]

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD237A.tmp	[email protected]

Executes dropped EXE 19 IoCs

Processes:

taskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exe

pid	process
2544	taskdl.exe
924	@[email protected]
664	@[email protected]
1512	taskhsvc.exe
2592	taskdl.exe
2620	taskse.exe
3028	@[email protected]
1720	taskdl.exe
2968	taskse.exe
2928	@[email protected]
1256	taskdl.exe
948	taskse.exe
2180	@[email protected]
1468	taskdl.exe
676	taskse.exe
664	@[email protected]
2916	taskse.exe
2848	@[email protected]
1528	taskdl.exe

Loads dropped DLL 45 IoCs

Processes:

[email protected]cscript.execmd.exe@[email protected]taskhsvc.exe

pid	process
2008	[email protected]
2008	[email protected]
2724	cscript.exe
2008	[email protected]
2008	[email protected]
2012	cmd.exe
2012	cmd.exe
924	@[email protected]
924	@[email protected]
1512	taskhsvc.exe
1512	taskhsvc.exe
1512	taskhsvc.exe
1512	taskhsvc.exe
1512	taskhsvc.exe
1512	taskhsvc.exe
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]
2008	[email protected]

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2864 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2864	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\epkpryutff721 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	reg.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

[email protected]@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1956 vssadmin.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2780 reg.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

taskhsvc.exe

pid process

1512 taskhsvc.exe
1512 taskhsvc.exe
1512 taskhsvc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

@[email protected]

pid process

3028 @[email protected]

pid	process
1956	vssadmin.exe

pid	process
2780	reg.exe

pid	process
1512	taskhsvc.exe
1512	taskhsvc.exe
1512	taskhsvc.exe

pid	process
3028	@[email protected]

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

vssvc.exeWMIC.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exe

description	pid	process
Token: SeBackupPrivilege	1892	vssvc.exe
Token: SeRestorePrivilege	1892	vssvc.exe
Token: SeAuditPrivilege	1892	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3000	WMIC.exe
Token: SeSecurityPrivilege	3000	WMIC.exe
Token: SeTakeOwnershipPrivilege	3000	WMIC.exe
Token: SeLoadDriverPrivilege	3000	WMIC.exe
Token: SeSystemProfilePrivilege	3000	WMIC.exe
Token: SeSystemtimePrivilege	3000	WMIC.exe
Token: SeProfSingleProcessPrivilege	3000	WMIC.exe
Token: SeIncBasePriorityPrivilege	3000	WMIC.exe
Token: SeCreatePagefilePrivilege	3000	WMIC.exe
Token: SeBackupPrivilege	3000	WMIC.exe
Token: SeRestorePrivilege	3000	WMIC.exe
Token: SeShutdownPrivilege	3000	WMIC.exe
Token: SeDebugPrivilege	3000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3000	WMIC.exe
Token: SeRemoteShutdownPrivilege	3000	WMIC.exe
Token: SeUndockPrivilege	3000	WMIC.exe
Token: SeManageVolumePrivilege	3000	WMIC.exe
Token: 33	3000	WMIC.exe
Token: 34	3000	WMIC.exe
Token: 35	3000	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3000	WMIC.exe
Token: SeSecurityPrivilege	3000	WMIC.exe
Token: SeTakeOwnershipPrivilege	3000	WMIC.exe
Token: SeLoadDriverPrivilege	3000	WMIC.exe
Token: SeSystemProfilePrivilege	3000	WMIC.exe
Token: SeSystemtimePrivilege	3000	WMIC.exe
Token: SeProfSingleProcessPrivilege	3000	WMIC.exe
Token: SeIncBasePriorityPrivilege	3000	WMIC.exe
Token: SeCreatePagefilePrivilege	3000	WMIC.exe
Token: SeBackupPrivilege	3000	WMIC.exe
Token: SeRestorePrivilege	3000	WMIC.exe
Token: SeShutdownPrivilege	3000	WMIC.exe
Token: SeDebugPrivilege	3000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3000	WMIC.exe
Token: SeRemoteShutdownPrivilege	3000	WMIC.exe
Token: SeUndockPrivilege	3000	WMIC.exe
Token: SeManageVolumePrivilege	3000	WMIC.exe
Token: 33	3000	WMIC.exe
Token: 34	3000	WMIC.exe
Token: 35	3000	WMIC.exe
Token: SeTcbPrivilege	2620	taskse.exe
Token: SeTcbPrivilege	2620	taskse.exe
Token: SeTcbPrivilege	2968	taskse.exe
Token: SeTcbPrivilege	2968	taskse.exe
Token: SeTcbPrivilege	948	taskse.exe
Token: SeTcbPrivilege	948	taskse.exe
Token: SeTcbPrivilege	676	taskse.exe
Token: SeTcbPrivilege	676	taskse.exe
Token: SeTcbPrivilege	2916	taskse.exe
Token: SeTcbPrivilege	2916	taskse.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]

pid	process
924	@[email protected]
664	@[email protected]
664	@[email protected]
924	@[email protected]
3028	@[email protected]
3028	@[email protected]
2928	@[email protected]
2180	@[email protected]
664	@[email protected]
2848	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

[email protected]cmd.execmd.exe@[email protected]@[email protected]cmd.exe

description	pid	process	target process
PID 2008 wrote to memory of 2664	2008	[email protected]	attrib.exe
PID 2008 wrote to memory of 2664	2008	[email protected]	attrib.exe
PID 2008 wrote to memory of 2664	2008	[email protected]	attrib.exe
PID 2008 wrote to memory of 2664	2008	[email protected]	attrib.exe
PID 2008 wrote to memory of 2864	2008	[email protected]	icacls.exe
PID 2008 wrote to memory of 2864	2008	[email protected]	icacls.exe
PID 2008 wrote to memory of 2864	2008	[email protected]	icacls.exe
PID 2008 wrote to memory of 2864	2008	[email protected]	icacls.exe
PID 2008 wrote to memory of 2544	2008	[email protected]	taskdl.exe
PID 2008 wrote to memory of 2544	2008	[email protected]	taskdl.exe
PID 2008 wrote to memory of 2544	2008	[email protected]	taskdl.exe
PID 2008 wrote to memory of 2544	2008	[email protected]	taskdl.exe
PID 2008 wrote to memory of 1588	2008	[email protected]	cmd.exe
PID 2008 wrote to memory of 1588	2008	[email protected]	cmd.exe
PID 2008 wrote to memory of 1588	2008	[email protected]	cmd.exe
PID 2008 wrote to memory of 1588	2008	[email protected]	cmd.exe
PID 1588 wrote to memory of 2724	1588	cmd.exe	cscript.exe
PID 1588 wrote to memory of 2724	1588	cmd.exe	cscript.exe
PID 1588 wrote to memory of 2724	1588	cmd.exe	cscript.exe
PID 1588 wrote to memory of 2724	1588	cmd.exe	cscript.exe
PID 2008 wrote to memory of 1496	2008	[email protected]	attrib.exe
PID 2008 wrote to memory of 1496	2008	[email protected]	attrib.exe
PID 2008 wrote to memory of 1496	2008	[email protected]	attrib.exe
PID 2008 wrote to memory of 1496	2008	[email protected]	attrib.exe
PID 2008 wrote to memory of 924	2008	[email protected]	@[email protected]
PID 2008 wrote to memory of 924	2008	[email protected]	@[email protected]
PID 2008 wrote to memory of 924	2008	[email protected]	@[email protected]
PID 2008 wrote to memory of 924	2008	[email protected]	@[email protected]
PID 2008 wrote to memory of 2012	2008	[email protected]	cmd.exe
PID 2008 wrote to memory of 2012	2008	[email protected]	cmd.exe
PID 2008 wrote to memory of 2012	2008	[email protected]	cmd.exe
PID 2008 wrote to memory of 2012	2008	[email protected]	cmd.exe
PID 2012 wrote to memory of 664	2012	cmd.exe	@[email protected]
PID 2012 wrote to memory of 664	2012	cmd.exe	@[email protected]
PID 2012 wrote to memory of 664	2012	cmd.exe	@[email protected]
PID 2012 wrote to memory of 664	2012	cmd.exe	@[email protected]
PID 924 wrote to memory of 1512	924	@[email protected]	taskhsvc.exe
PID 924 wrote to memory of 1512	924	@[email protected]	taskhsvc.exe
PID 924 wrote to memory of 1512	924	@[email protected]	taskhsvc.exe
PID 924 wrote to memory of 1512	924	@[email protected]	taskhsvc.exe
PID 664 wrote to memory of 2900	664	@[email protected]	cmd.exe
PID 664 wrote to memory of 2900	664	@[email protected]	cmd.exe
PID 664 wrote to memory of 2900	664	@[email protected]	cmd.exe
PID 664 wrote to memory of 2900	664	@[email protected]	cmd.exe
PID 2900 wrote to memory of 1956	2900	cmd.exe	vssadmin.exe
PID 2900 wrote to memory of 1956	2900	cmd.exe	vssadmin.exe
PID 2900 wrote to memory of 1956	2900	cmd.exe	vssadmin.exe
PID 2900 wrote to memory of 1956	2900	cmd.exe	vssadmin.exe
PID 2900 wrote to memory of 3000	2900	cmd.exe	WMIC.exe
PID 2900 wrote to memory of 3000	2900	cmd.exe	WMIC.exe
PID 2900 wrote to memory of 3000	2900	cmd.exe	WMIC.exe
PID 2900 wrote to memory of 3000	2900	cmd.exe	WMIC.exe
PID 2008 wrote to memory of 2592	2008	[email protected]	taskdl.exe
PID 2008 wrote to memory of 2592	2008	[email protected]	taskdl.exe
PID 2008 wrote to memory of 2592	2008	[email protected]	taskdl.exe
PID 2008 wrote to memory of 2592	2008	[email protected]	taskdl.exe
PID 2008 wrote to memory of 2620	2008	[email protected]	taskse.exe
PID 2008 wrote to memory of 2620	2008	[email protected]	taskse.exe
PID 2008 wrote to memory of 2620	2008	[email protected]	taskse.exe
PID 2008 wrote to memory of 2620	2008	[email protected]	taskse.exe
PID 2008 wrote to memory of 3028	2008	[email protected]	@[email protected]
PID 2008 wrote to memory of 3028	2008	[email protected]	@[email protected]
PID 2008 wrote to memory of 3028	2008	[email protected]	@[email protected]
PID 2008 wrote to memory of 3028	2008	[email protected]	@[email protected]

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2664 attrib.exe
1496 attrib.exe

pid	process
2664	attrib.exe
1496	attrib.exe

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Drops startup file
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:2664

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2864

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2544

C:\Windows\SysWOW64\cmd.exe
cmd /c 39081707233361.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
- Loads dropped DLL
PID:2724

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:924

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1512

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2592

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "epkpryutff721" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
2⤵
PID:2508

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "epkpryutff721" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2780

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3028

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1720

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2928

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1256

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2180

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1468

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:664

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2848

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1528

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] vs
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
36b773472cf21b2b53e8ed9816c21a90

SHA1
5f12f32f7efc7c472723eb660f1e58216720c873

SHA256
0cef4e25c1aa038ebfbc15266295d319f405b79f6173e3b1cab688d6406cb744

SHA512
6be5cd21ab9755be88828918808c87c0dda504d42af721d93cd45d64516602fc07f24ba4db2099928443b9f3c61f5c5f1e2d900c16748ab890bad7373d89bbbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.WNCRYT

Filesize
237KB

MD5
120565c37d8b42aa02c543402dd67b60

SHA1
5682dc8c253c605a16cc486fc476d969abb90c7d

SHA256
f5c119f23c988118efff9eaa6eb324eb0b42b5c782dacfdbf534e68a44cd5e50

SHA512
2dbe2fb1035a4b809e388e453ad527f05a3cd11bb49ce8d8981e25c9df4af1b7e1d151a719e3786aadb79984545b8ea44e58edc13999fabc2b084be87a81de7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10.WNCRYT

Filesize
322KB

MD5
16351c55df5c0aab32159bcf42d9377a

SHA1
9783b16cdc2d4edad3a06d0421db103286b0f931

SHA256
6bae4ffad818720a76794d347822bbc6ef1ef770e1d77098d2096f9eefd6b61f

SHA512
91b2f6461de3c408c7272fbb7bc7c1ec3d71d800706062b4cd12fa7b75d85847ec9e978e919db2f6e30ecdafbd59736db95ed088a39d28977395e9895935efad

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.WNCRYT

Filesize
11KB

MD5
d72f57d775c1dea0d851e11302ab56d9

SHA1
6f5ffd350a278fc35c313d08fb2f9948a2de7c06

SHA256
592f7dd41e0fe76479337a13691a00702b35308ce03177f5c8308f314b02bcc1

SHA512
caf62b4ccd97186ecf1b03e09bc6aa8655ea262f1df902646a268e97b479b4b77ac4648db67583b49747cdbae80c7e21791269821dbab9b5f4aba223f6198083

Download Submit
C:\Users\Admin\AppData\Local\Temp\12.WNCRYT

Filesize
260KB

MD5
abed27779a647bb38ca7712e3c56ba4c

SHA1
5e400274179355939c5963b3069e6e0e8c6b7aa5

SHA256
2ff78d9e1ef9d710d1cb8c4e10cb5e7e47032b076a8e6b4f5682b98de6e53d42

SHA512
08e8ef4acf413dfd834946555a4c0aadd628d7d60aae92394a0f4c8b4295cc74eb2a76420966283eb4ad070633a84f7494f73002d20da1471a2281db91e7cb65

Download Submit
C:\Users\Admin\AppData\Local\Temp\13.WNCRYT

Filesize
405KB

MD5
d037c43014c0bd606023a68fc3cd9a6c

SHA1
fb5aa8cc71f6454301afe3999ba541c9d476783f

SHA256
1b6918e36a5170290f948fb8a8269a73103555270ee66688628b886afb0ba311

SHA512
2155758b69631d2c18bc9f075780731b69a1307e397f446f077ea396a8f17cef61852305f533c27771f5f4930614af60593bbf81803a4965c1802a2e97ac9e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\14.WNCRYT

Filesize
11KB

MD5
b3ea882c4b9e2e3bffe15bf2246ec5f0

SHA1
69ec3ecfc55d067fdc0d6b0511620bd109cdf0e3

SHA256
c30524c0871efa1f087a7df44aabe05d8c094b10c3cc56a4fe4486b4014eb836

SHA512
9c3b81198e17ebd04a5d87bc23e4fa5ff49f527aa6ad86e68f248afc49d60a94464366f1b0b9392d28935648ca4f28950f66c90a9335ac4502eec6d7bdd0952e

Download Submit
C:\Users\Admin\AppData\Local\Temp\39081707233361.bat

Filesize
340B

MD5
3867f2ec82a7d77c9ffefb1aac8b7903

SHA1
06fccf19b9c498b5afa2b35da00e3ab28d56f785

SHA256
4e25c23aa5babc853889d3e1e79bb01ca7650837b250314a8d50f2e2c4b6730f

SHA512
b413994e5b9f0ecb956055c7befff14845b56bb658fd8280d3213fdfa175ff76bc56e082174f2475fdf2d1f9eff618ebfd80ee2b67c091eaf1fd9c94697da5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
916B

MD5
403e7170a927cc43dd100c7e1d6edab2

SHA1
22782367ded38d8104cc4ad361f21605dac60dda

SHA256
d247138bfba8fb34b8b58a08f408b3d46f5c209eaa55ca3f87595754463eee5c

SHA512
4dedc2d0701f14c5b68a79174340d3b1c101a87f864b581482884a099cffe1752d8c6ea6773c3b61228e3264b0db01ad88941e2bb087f70b97a45416e780200c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\LIBEAY32.dll

Filesize
403KB

MD5
3a78b122a84cd190e0c6894b08de2f9a

SHA1
19b851e15538f047c7ba8358069a3f2117b6a5ec

SHA256
f87cfe876ec3a9af75cf8fb313fab36cd9f2a636b0c94a2960e4b7dcaf878a86

SHA512
d1cadf3bb3b89e9fc4a7344ef051d212ced3d90b12503703ed7c12cf67f0c85d979051e960a26c00899afd20f96ddd984f366867183dbb87779d3a4bc1a1f18f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\SSLEAY32.dll

Filesize
319KB

MD5
9c1c94ed6a2dfe2f40c6aabce9d0e1bd

SHA1
db1eb29b6bc72b391e6cc17dcadb21e5752b1ea5

SHA256
e69daf76b41295d837aa2d89be644ee94a1164e53a85b92774e1f0049f02c2e4

SHA512
fa99c6137abc37844a1a5d1ecd9340534793f0f8eebf861916ecd02c3d24af10fac51d225407393aaca33705e2a57905058fad499abee3b1116079ad0cfea2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

Filesize
12KB

MD5
4e2ee2a4f44aeefddb9abe3132729494

SHA1
338ca05a622a16ac1424e1e12d4f06974f5a1d96

SHA256
d0d824fa4dd751e37ac9f25b837c65f24a82902600ea52fd071eb568c592ca41

SHA512
c13f8f31de64cbf9516c554ea715577caf4290603c2c980ce1bb4785483e7701d3d291f3465b9dc6dabec9ae96ad0919638b98f241c82f295b99a17aa9b1520d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

Filesize
296KB

MD5
48ff0c2519707d217c8718b3cdd08227

SHA1
e208c2b4b4c7e5223c0a90e6d45b0194203e574c

SHA256
c2306358f6dacbb9014d9648d828638a200be988b2b54d212ad469183be3cacb

SHA512
8a006e85ccc38b99d0baa0726dea78dfcbb570f78f5288e413ff966346411fd6418a31f8d940803e6cb9048b6a39d1cce7d42548d3470b11144b7acf34f3f084

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll

Filesize
7KB

MD5
9031a7b6795d569a240c958e1f961de1

SHA1
768849af72189c75df15a1b25ff6af90d3147bbd

SHA256
8cb9dbb5f51480dbb23323c51a7b5521f343107c15984ccc55306f9058e0a1a9

SHA512
286c31a588919e8239b162fdb03f220e7b47763064435946cf8ac55771bb677a89622ad8ff5e0e2fce9c65d7de8caa98ad2668c652f25bf5f24d2ca8ad7d5314

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Filesize
5KB

MD5
32a0e22ca5590078846aa21fd9cca673

SHA1
c754feab3f66dad405f1468579910fd70555dce7

SHA256
21e0a2d452bc0731c14aa1bb65c024f6ad529e9d1753322536fabcd82d34f37f

SHA512
805fc8f3ce89816cd36b2553fa7902ea2a63c452c40248839afc5315e2526d3f5f36305434c998c1ed40bdf3527460149353d4f3118f10d0c59300610d2571a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Filesize
11KB

MD5
7e0e2f69e442972430ba2827975d4f33

SHA1
393736184b9dc3b1a2c817bb844d9c8967508308

SHA256
51d1b802093eb7a85866ae680fce80f66db822aa8d9219d710a26913dccf8d94

SHA512
e9856a0652bd9db049e7a0294448f931b46aaaf471f68b0f90f03bd05b38c3122040ece92933b66d9669756dad457f00195ca56649c1a168bf63bee751a2a89b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wnry

Filesize
526KB

MD5
3948b5e163d6d3e2ac72fabeba4a231d

SHA1
c8f6dcd60564db90f49dd415c2c122708cd6f8bd

SHA256
6974547b739d590a79e771d27bf661e00fb2b498453d3ea02892982369c31207

SHA512
65f1435dd32a0bc624dcf4f620d1ceb7cf772f69de48dff880f50f5379c0dc9de04cc998ec7638f269f25c2fe8a450ada2d38e6270ceda272528a3a8580e597f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Filesize
780B

MD5
8c3f4820e8b9f9edf45b419e2f8f3737

SHA1
78f733bd80310c87d07d7b7c516b8bd16dfba305

SHA256
98bffe155be397b98dd425a6cebd32cb267dba3de4bcef83411d572ff3f7d22d

SHA512
b5cce5a3490ef200e3b0529d914cafef605d8dd9501f307eace4713ac11c18376af5748cd41e43d3efbf8f93f1b51a7b98388676e9cb5ba9284913cb1b5aee1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Filesize
780B

MD5
93f33b83f1f263e2419006d6026e7bc1

SHA1
1a4b36c56430a56af2e0ecabd754bf00067ce488

SHA256
ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4

SHA512
45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.vbs

Filesize
219B

MD5
82a1fc4089755cb0b5a498ffdd52f20f

SHA1
0a8c0da8ef0354f37241e2901cf82ec9ce6474aa

SHA256
7fbdc49f4b4ba21949eca0b16c534b4882da97e94e5ca131cec1629e60439dfa

SHA512
1573a0c7333accef2695efefe1b57cba8f8d66a0061c24420ee0a183343a9a319995267d306ee85084c95580f9855bcdf9dee559b28a200b27fc3cc353315e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_Spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.wnry

Filesize
37KB

MD5
b1815eaae6830b668541dae4dc3828c3

SHA1
d9749a321536d7c2e1f0180b09f0067e9769af93

SHA256
cd26f03d71b4c343d5a70365f90a8f98e17fda52aef98263500def0fbac2077b

SHA512
e356df7ab2339ea3ae9b50fa52244a9dcd0396ea29cf517e836b022bb333f29acc94095dea8e3562365d78ed9ddb9dafa60d71a5741923b6a53af1b1921038ff

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
1.4MB

MD5
3e8a4e632172f0565956172ff6af3a93

SHA1
bde315a0e8b36d3b284ba3fda7655aa9c294333f

SHA256
b3956e94797c565665bfe90a2ed26e3675c33d0289d756283894e52891d9a128

SHA512
83ab737139f7512e1369775b74b9b0269b249b5ae4106bf7588b4f0593ec0a43afd34a9bc9d66256cb3055ff023406708098fcf16e66618df851edceace77271

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Documents\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libeay32.dll

Filesize
390KB

MD5
542637b35a64ed65838395e9ba4989c1

SHA1
5ea04cc282fabbb4d5d30f214e563a0a52c63417

SHA256
c0c59833b7b397f76946e37a8bf556b71de4289f0f64a8dacd8de229e41de298

SHA512
78dd139022aa4a759c173f4f9fbc9d321a3d4c106bcc1dfddf33fc4e1d514169dbd589176dabaee2b782352b47787631e8a13954fa32bd09a3a825d76b797875

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

Filesize
13KB

MD5
8cb44733a6218295e40f46da9ec5fad1

SHA1
158ce5a4195901e6650a29ab7191918b349f6fc1

SHA256
a67e6d8c170b8c7cda9f2cfa7db80cbff3cdd33a5620610b878994c329ac9b54

SHA512
8c6c8ac78653f9e754eadad0f4cc8b7beabd8695f4934b5ee913f8bef7c4d402bed7f709a5bc551f0c25f29e042424daace43c91a1856e8b31090c5b20b17257

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

Filesize
320KB

MD5
976bfd98841a2ac31fc187ad22332b8b

SHA1
a55b0a3e9a36f8502abbac4a8f918c48a9a1759e

SHA256
b1882d6d1788a79eeb99cbf7bd4fd0711219408ac18797e75abaa92efac574bc

SHA512
fc35710b4910377e1d92fe71bc36be7ceb97b321315f1d3ea18fa312d926e08f79b654ef9a57bacb04fa4a550ebac63c6ac6b9f9429da89ec37319b3c6da6cfd

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll

Filesize
11KB

MD5
d994c1e5940a89d8e89e7d5122b5a745

SHA1
ee3a2c587712911c658df997ff5b47ca6af59871

SHA256
b6205008a4a2b27539e380fe85adfe320dc19a81664f827675342d05cc619e97

SHA512
99e3a9a08698468bfe091c580464f2b99ae40c8febca457d769f8a9b5ab593fd551d905139ec3dc20bce703fe574d9396f3d657362d12f7eaf32294bb73c8d15

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\ssleay32.dll

Filesize
265KB

MD5
91298883222b953d488a3b74a860adc3

SHA1
9b3df08cee515a0450b3d86529f026d9cd73e6a7

SHA256
58de9a374487a02cc9cf2cdf2203cf520f0ba83fa7e1abe4aedbede9560e2013

SHA512
beaed5e82f44c2035e6a1d7ad556b96427fdd2352d91ab34a8b236a1c4b0498332979920a2b14b2d250cec9051a433e94b09ea8dfa6a153ea7004ee6e8d9ce66

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Filesize
333KB

MD5
78c174ded2d53a27df66a78bdaa39e2d

SHA1
58fcb81166967e96696e0cb60f2dc12d81d034fe

SHA256
f9177d72e24baef0837c104a86e3a7baa441601029dab1d6ccb395b9ca288075

SHA512
8ddd66582f8da87dfd10452e7f876e6dd100ce04ac3408e2c1b6ac79a808f24d4256ffe3930084aad86828babdd3147b85648b54e9c17763cf59b49c4e17b07b

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll

Filesize
105KB

MD5
fb072e9f69afdb57179f59b512f828a4

SHA1
fe71b70173e46ee4e3796db9139f77dc32d2f846

SHA256
66d653397cbb2dbb397eb8421218e2c126b359a3b0decc0f31e297df099e1383

SHA512
9d157fece0dc18afe30097d9c4178ae147cc9d465a6f1d35778e1bff1efca4734dd096e95d35faea32da8d8b4560382338ba9c6c40f29047f1cc0954b27c64f8

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
memory/1512-1004-0x0000000000020000-0x000000000031E000-memory.dmp

Filesize
3.0MB

Download
memory/1512-1040-0x0000000000020000-0x000000000031E000-memory.dmp

Filesize
3.0MB

Download
memory/1512-992-0x0000000074580000-0x00000000745F7000-memory.dmp

Filesize
476KB

Download
memory/1512-991-0x0000000074600000-0x000000007461C000-memory.dmp

Filesize
112KB

Download
memory/1512-989-0x0000000000020000-0x000000000031E000-memory.dmp

Filesize
3.0MB

Download
memory/1512-996-0x0000000000020000-0x000000000031E000-memory.dmp

Filesize
3.0MB

Download
memory/1512-1000-0x0000000074360000-0x000000007457C000-memory.dmp

Filesize
2.1MB

Download
memory/1512-976-0x00000000742A0000-0x00000000742C2000-memory.dmp

Filesize
136KB

Download
memory/1512-994-0x00000000742D0000-0x0000000074352000-memory.dmp

Filesize
520KB

Download
memory/1512-975-0x0000000074360000-0x000000007457C000-memory.dmp

Filesize
2.1MB

Download
memory/1512-973-0x0000000074620000-0x00000000746A2000-memory.dmp

Filesize
520KB

Download
memory/1512-990-0x0000000074620000-0x00000000746A2000-memory.dmp

Filesize
520KB

Download
memory/1512-1029-0x0000000000020000-0x000000000031E000-memory.dmp

Filesize
3.0MB

Download
memory/1512-993-0x0000000074360000-0x000000007457C000-memory.dmp

Filesize
2.1MB

Download
memory/1512-1044-0x0000000074360000-0x000000007457C000-memory.dmp

Filesize
2.1MB

Download
memory/1512-1049-0x0000000000020000-0x000000000031E000-memory.dmp

Filesize
3.0MB

Download
memory/1512-971-0x0000000074620000-0x00000000746A2000-memory.dmp

Filesize
520KB

Download
memory/1512-1124-0x0000000000020000-0x000000000031E000-memory.dmp

Filesize
3.0MB

Download
memory/1512-1132-0x0000000000020000-0x000000000031E000-memory.dmp

Filesize
3.0MB

Download
memory/1512-1136-0x0000000074360000-0x000000007457C000-memory.dmp

Filesize
2.1MB

Download
memory/1512-1140-0x0000000000020000-0x000000000031E000-memory.dmp

Filesize
3.0MB

Download
memory/1512-978-0x00000000742A0000-0x00000000742C2000-memory.dmp

Filesize
136KB

Download
memory/1512-979-0x0000000000020000-0x000000000031E000-memory.dmp

Filesize
3.0MB

Download
memory/1512-977-0x00000000742D0000-0x0000000074352000-memory.dmp

Filesize
520KB

Download
memory/1512-972-0x0000000074360000-0x000000007457C000-memory.dmp

Filesize
2.1MB

Download
memory/1512-974-0x00000000742D0000-0x0000000074352000-memory.dmp

Filesize
520KB

Download
memory/2008-39-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download