wannacry | 283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240220-es
resource tags

arch:x64arch:x86image:win7-20240220-eslocale:es-esos:windows7-x64systemwindows
submitted
23/02/2024, 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

3.4MB
MD5

84c82835a5d21bbcf75a61706d8ab549
SHA1

5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512

90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
SSDEEP

98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB

Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD15D2.tmp	[email protected]

Executes dropped EXE 16 IoCs

pid	Process
2400	taskdl.exe
2316	@[email protected]
1176	@[email protected]
2040	taskhsvc.exe
1540	taskdl.exe
280	taskse.exe
552	@[email protected]
648	taskdl.exe
2416	taskse.exe
2912	@[email protected]
3016	taskdl.exe
1040	taskse.exe
320	@[email protected]
2964	taskdl.exe
1432	taskse.exe
2880	@[email protected]

Loads dropped DLL 39 IoCs

pid	Process
2808	[email protected]
2808	[email protected]
2896	cscript.exe
2808	[email protected]
2808	[email protected]
2892	cmd.exe
2892	cmd.exe
2316	@[email protected]
2316	@[email protected]
2040	taskhsvc.exe
2040	taskhsvc.exe
2040	taskhsvc.exe
2040	taskhsvc.exe
2040	taskhsvc.exe
2040	taskhsvc.exe
2808	[email protected]
2808	[email protected]
2808	[email protected]
2808	[email protected]
2808	[email protected]
2808	[email protected]
2808	[email protected]
2808	[email protected]
2808	[email protected]
2808	[email protected]
2808	[email protected]
2808	[email protected]
2808	[email protected]
2808	[email protected]
2808	[email protected]
2808	[email protected]
2808	[email protected]
2808	[email protected]
2808	[email protected]
2808	[email protected]
2808	[email protected]
2808	[email protected]
2808	[email protected]
2808	[email protected]

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2664	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vyblqiwr263 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	reg.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
612	vssadmin.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2868	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2040	taskhsvc.exe
2040	taskhsvc.exe
2040	taskhsvc.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeBackupPrivilege	336	vssvc.exe
Token: SeRestorePrivilege	336	vssvc.exe
Token: SeAuditPrivilege	336	vssvc.exe
Token: SeIncreaseQuotaPrivilege	568	WMIC.exe
Token: SeSecurityPrivilege	568	WMIC.exe
Token: SeTakeOwnershipPrivilege	568	WMIC.exe
Token: SeLoadDriverPrivilege	568	WMIC.exe
Token: SeSystemProfilePrivilege	568	WMIC.exe
Token: SeSystemtimePrivilege	568	WMIC.exe
Token: SeProfSingleProcessPrivilege	568	WMIC.exe
Token: SeIncBasePriorityPrivilege	568	WMIC.exe
Token: SeCreatePagefilePrivilege	568	WMIC.exe
Token: SeBackupPrivilege	568	WMIC.exe
Token: SeRestorePrivilege	568	WMIC.exe
Token: SeShutdownPrivilege	568	WMIC.exe
Token: SeDebugPrivilege	568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	568	WMIC.exe
Token: SeRemoteShutdownPrivilege	568	WMIC.exe
Token: SeUndockPrivilege	568	WMIC.exe
Token: SeManageVolumePrivilege	568	WMIC.exe
Token: 33	568	WMIC.exe
Token: 34	568	WMIC.exe
Token: 35	568	WMIC.exe
Token: SeIncreaseQuotaPrivilege	568	WMIC.exe
Token: SeSecurityPrivilege	568	WMIC.exe
Token: SeTakeOwnershipPrivilege	568	WMIC.exe
Token: SeLoadDriverPrivilege	568	WMIC.exe
Token: SeSystemProfilePrivilege	568	WMIC.exe
Token: SeSystemtimePrivilege	568	WMIC.exe
Token: SeProfSingleProcessPrivilege	568	WMIC.exe
Token: SeIncBasePriorityPrivilege	568	WMIC.exe
Token: SeCreatePagefilePrivilege	568	WMIC.exe
Token: SeBackupPrivilege	568	WMIC.exe
Token: SeRestorePrivilege	568	WMIC.exe
Token: SeShutdownPrivilege	568	WMIC.exe
Token: SeDebugPrivilege	568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	568	WMIC.exe
Token: SeRemoteShutdownPrivilege	568	WMIC.exe
Token: SeUndockPrivilege	568	WMIC.exe
Token: SeManageVolumePrivilege	568	WMIC.exe
Token: 33	568	WMIC.exe
Token: 34	568	WMIC.exe
Token: 35	568	WMIC.exe
Token: SeTcbPrivilege	280	taskse.exe
Token: SeTcbPrivilege	280	taskse.exe
Token: SeTcbPrivilege	2416	taskse.exe
Token: SeTcbPrivilege	2416	taskse.exe
Token: SeTcbPrivilege	1040	taskse.exe
Token: SeTcbPrivilege	1040	taskse.exe
Token: SeTcbPrivilege	1432	taskse.exe
Token: SeTcbPrivilege	1432	taskse.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2316	@[email protected]
1176	@[email protected]
1176	@[email protected]
2316	@[email protected]
552	@[email protected]
552	@[email protected]
2912	@[email protected]
320	@[email protected]
2880	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2568	2808	[email protected]	28
PID 2808 wrote to memory of 2568	2808	[email protected]	28
PID 2808 wrote to memory of 2568	2808	[email protected]	28
PID 2808 wrote to memory of 2568	2808	[email protected]	28
PID 2808 wrote to memory of 2664	2808	[email protected]	29
PID 2808 wrote to memory of 2664	2808	[email protected]	29
PID 2808 wrote to memory of 2664	2808	[email protected]	29
PID 2808 wrote to memory of 2664	2808	[email protected]	29
PID 2808 wrote to memory of 2400	2808	[email protected]	32
PID 2808 wrote to memory of 2400	2808	[email protected]	32
PID 2808 wrote to memory of 2400	2808	[email protected]	32
PID 2808 wrote to memory of 2400	2808	[email protected]	32
PID 2808 wrote to memory of 904	2808	[email protected]	33
PID 2808 wrote to memory of 904	2808	[email protected]	33
PID 2808 wrote to memory of 904	2808	[email protected]	33
PID 2808 wrote to memory of 904	2808	[email protected]	33
PID 904 wrote to memory of 2896	904	cmd.exe	35
PID 904 wrote to memory of 2896	904	cmd.exe	35
PID 904 wrote to memory of 2896	904	cmd.exe	35
PID 904 wrote to memory of 2896	904	cmd.exe	35
PID 2808 wrote to memory of 1964	2808	[email protected]	36
PID 2808 wrote to memory of 1964	2808	[email protected]	36
PID 2808 wrote to memory of 1964	2808	[email protected]	36
PID 2808 wrote to memory of 1964	2808	[email protected]	36
PID 2808 wrote to memory of 2316	2808	[email protected]	39
PID 2808 wrote to memory of 2316	2808	[email protected]	39
PID 2808 wrote to memory of 2316	2808	[email protected]	39
PID 2808 wrote to memory of 2316	2808	[email protected]	39
PID 2808 wrote to memory of 2892	2808	[email protected]	40
PID 2808 wrote to memory of 2892	2808	[email protected]	40
PID 2808 wrote to memory of 2892	2808	[email protected]	40
PID 2808 wrote to memory of 2892	2808	[email protected]	40
PID 2892 wrote to memory of 1176	2892	cmd.exe	42
PID 2892 wrote to memory of 1176	2892	cmd.exe	42
PID 2892 wrote to memory of 1176	2892	cmd.exe	42
PID 2892 wrote to memory of 1176	2892	cmd.exe	42
PID 2316 wrote to memory of 2040	2316	@[email protected]	43
PID 2316 wrote to memory of 2040	2316	@[email protected]	43
PID 2316 wrote to memory of 2040	2316	@[email protected]	43
PID 2316 wrote to memory of 2040	2316	@[email protected]	43
PID 1176 wrote to memory of 2236	1176	@[email protected]	45
PID 1176 wrote to memory of 2236	1176	@[email protected]	45
PID 1176 wrote to memory of 2236	1176	@[email protected]	45
PID 1176 wrote to memory of 2236	1176	@[email protected]	45
PID 2236 wrote to memory of 612	2236	cmd.exe	47
PID 2236 wrote to memory of 612	2236	cmd.exe	47
PID 2236 wrote to memory of 612	2236	cmd.exe	47
PID 2236 wrote to memory of 612	2236	cmd.exe	47
PID 2236 wrote to memory of 568	2236	cmd.exe	49
PID 2236 wrote to memory of 568	2236	cmd.exe	49
PID 2236 wrote to memory of 568	2236	cmd.exe	49
PID 2236 wrote to memory of 568	2236	cmd.exe	49
PID 2808 wrote to memory of 1540	2808	[email protected]	51
PID 2808 wrote to memory of 1540	2808	[email protected]	51
PID 2808 wrote to memory of 1540	2808	[email protected]	51
PID 2808 wrote to memory of 1540	2808	[email protected]	51
PID 2808 wrote to memory of 280	2808	[email protected]	52
PID 2808 wrote to memory of 280	2808	[email protected]	52
PID 2808 wrote to memory of 280	2808	[email protected]	52
PID 2808 wrote to memory of 280	2808	[email protected]	52
PID 2808 wrote to memory of 552	2808	[email protected]	53
PID 2808 wrote to memory of 552	2808	[email protected]	53
PID 2808 wrote to memory of 552	2808	[email protected]	53
PID 2808 wrote to memory of 552	2808	[email protected]	53

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2568	attrib.exe
1964	attrib.exe

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Drops startup file
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:2568
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2664
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 251621708703322.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - Loads dropped DLL
    PID:2896
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - Views/modifies file attributes
  PID:1964
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:612
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:280
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious use of SetWindowsHookEx
  PID:552
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "vyblqiwr263" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
  2⤵
  PID:2876
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "vyblqiwr263" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2868
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:648
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2912
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:320
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
5fa6c00035963de6445f533ee379a0d6

SHA1
99b1323f4dc2adabf7e4dfce6236da4a40817c20

SHA256
4c35ccc5692dba77a6bc2a78c3fa13141b7e3a6d70582e2d5d98e125b7179a27

SHA512
d06849b61c443c2e54d5605199f46bec5c89e58b7dabac31627ee78a14a02bf85800906f68d73faedeab4f9d1286e5a1d38d91ea6124d129c74814c1fcb43a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.WNCRYT

Filesize
1.2MB

MD5
6c7133fa3637a3e26ed4115c805d486b

SHA1
3c2b91f38794426d78a6977740aa182a0fcf7a28

SHA256
77d28cd1f9660cb3dfeca643f628a890e884b5faff099343a3af268eb34f3f89

SHA512
b0b41207c5c26d4da4e1e9e35d46ceb5f844a6b62cba6738c5ee594642f5671e2ac89a6cfb1e225b90eec2f9d66ee5dd5a470c534cf7a22e733d341d6008a73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10.WNCRYT

Filesize
11KB

MD5
489bb7088d35f4b6d63f1b1037096bb6

SHA1
1d94797a01f7e47c2e99cd3983d0545d27ee61bc

SHA256
5706992b4a1a24d9dbe5038a49b7c26da37abdf9259a3918c28ddb578289afe9

SHA512
295effaf1908dd17b62b651e7a2ce0b3c8575efef335e58dafd1bb08a02989f0db4492ce295411ba5b88275163c1712cd97b6df40b83ab27b10227d0f24d8eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.WNCRYT

Filesize
11KB

MD5
1b64714edadf4725af12354ef72e00c0

SHA1
8f69392181d8b36d118638889a509a459999d467

SHA256
3db9797c3fe6324b727dd6bd8971be0142765460d45004dfc10d916b77dac822

SHA512
d8300cce843251e6e5d00296ffdbba68c45a2013d98117c025d9c9ca82dd2ea6783fd6438e2bd1ee1c456f435c68832118bfc65e47814b574db4b2d906826b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\12.WNCRYT

Filesize
11KB

MD5
004160f2021a72c06e55ac01accd456f

SHA1
e68d848fbea6e4723ea9f3c1e2d2244e68e18554

SHA256
160d24916f7ea559e298e3fcdaacfe2ff01493829a5d5ce7ca4ccfc964043a19

SHA512
93780a3afece4da2216e4b8fb8660154816d06141396f6658d7439ddaf5409acf32cfd55e92d85f25877c714750b233f46c4a0862b7d27c614deaba006268851

Download Submit
C:\Users\Admin\AppData\Local\Temp\13.WNCRYT

Filesize
11KB

MD5
e08439098a95feab3be8d87b930d6a92

SHA1
26be9001e1ea17088fd76231367976abd3542f3c

SHA256
52b2eba9d700b7ce6aa92f8260da400be60e72e9e15d11e86f2709b579819581

SHA512
6458e9e60edcde15b57932fd9493bd9fa3260cbce3d85f71c2dca27f9ad8bbc162d7c83ed7bdee5c27c5b07d474949533e592d7dcca189ffbb80c1032c2e20f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\14.WNCRYT

Filesize
1.6MB

MD5
43751320013db0d21d6e819c2a74ca9f

SHA1
b1878a32e809c6816a59f7ccb348efd4d5551129

SHA256
c2ed4dd67614893281f92cd74e0acd0befd8b9057f7b64cb7245dd44acfa597f

SHA512
a3597f6cd6003e314c5dfa6f371cc0fb619391c7700c7a7cd3aad9a7a28b7695fe734dc8e1a29ffd682c5155d55000519887dbcee4ae0ac138fd4065da662501

Download Submit
C:\Users\Admin\AppData\Local\Temp\251621708703322.bat

Filesize
340B

MD5
3867f2ec82a7d77c9ffefb1aac8b7903

SHA1
06fccf19b9c498b5afa2b35da00e3ab28d56f785

SHA256
4e25c23aa5babc853889d3e1e79bb01ca7650837b250314a8d50f2e2c4b6730f

SHA512
b413994e5b9f0ecb956055c7befff14845b56bb658fd8280d3213fdfa175ff76bc56e082174f2475fdf2d1f9eff618ebfd80ee2b67c091eaf1fd9c94697da5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
179KB

MD5
860b4ccff543f78894cba4101e5ab59f

SHA1
0d731adb9847ed2e0b13bab58a686ab1f4bd0de3

SHA256
35dd2b2a2454c07272bfd3a51aa2523b45a287ed0557995d788f5a2039e3316f

SHA512
351573def39cfa1859545bfa715fe55df0087b522e9357dafeb3d3475f697cb316070da95fccd0e56c5afcc55f0351b2990698232751ffaa1944c23ec8ab995b

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
916B

MD5
6e613d6850fe9df599f570e98bbde2a5

SHA1
4c28a72baccea71536473d3be4f50277c616513c

SHA256
31da8aeaeeee1738f8a37dea1314c9f01a31865a2e3e3d60b160320b489945c3

SHA512
228f111af7cb17a0337296cd19882d8fb5f44dd66bb77b01ecc2b74eff985d392e79b7adb4be50eafe3b7bbc38e5c8347a1804e5108ffedb1a942d9c85f84319

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\LIBEAY32.dll

Filesize
669KB

MD5
70800b64415a0447ba08ec89cbc3f245

SHA1
c91468b0a86274facc86ce97a4988492e981e079

SHA256
baf3b7d459927630202ec0e2d469940c022a4a7a3b3daefe765b3bef9e3050b7

SHA512
d96abd40ae3f07b0ac96d043d7d37c5da89958e33706a79e938e519129c53843fa8e20cd9d85966a9257e8ce6a6c6851939f3b0c46c020faad49ecc709ba17fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\SSLEAY32.dll

Filesize
301KB

MD5
800820cf23a82175d98cf64cfb5da3fd

SHA1
b40bf54bce4e236cef1b1b2543f5cde2a863a8ea

SHA256
5a5a1a9c53630dd87b891fa3c840c3d8bcb940dd7b4f3f45388ab441310cbb91

SHA512
635860e8cc372f003a640a4430e3d2a4f682f781e33205af4c1cf69494ef1a0d784bfcc99c07960519d5d053ea972d683e7ebe3d0ad48c3c96d7905d8eecfb6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

Filesize
600KB

MD5
439aba9052321b7d9dc85193ffca2764

SHA1
ac6e0ccea6356f89afb7177f1f3419e3de8cbbfa

SHA256
fa23c537ce2c497901065404cc47543ec862f5114d121a2b22cab45002aee689

SHA512
87207c5803bccbab1bff58d0360d9aa972bddb886d844e76041dfca218964b15e6ee638bc53aab1e903b8fd3d0a691f544ff2ab9f5b0d2e8720eda618bda9a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

Filesize
510KB

MD5
73d4823075762ee2837950726baa2af9

SHA1
ebce3532ed94ad1df43696632ab8cf8da8b9e221

SHA256
9aeccf88253d4557a90793e22414868053caaab325842c0d7acb0365e88cd53b

SHA512
8f4a65bd35ed69f331769aaf7505f76dd3c64f3fa05cf01d83431ec93a7b1331f3c818ac7008e65b6f1278d7e365ed5940c8c6b8502e77595e112f1faca558b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll

Filesize
90KB

MD5
78581e243e2b41b17452da8d0b5b2a48

SHA1
eaefb59c31cf07e60a98af48c5348759586a61bb

SHA256
f28caebe9bc6aa5a72635acb4f0e24500494e306d8e8b2279e7930981281683f

SHA512
332098113ce3f75cb20dc6e09f0d7ba03f13f5e26512d9f3bee3042c51fbb01a5e4426c5e9a5308f7f805b084efc94c28fc9426ce73ab8dfee16ab39b3efe02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Filesize
1.3MB

MD5
c9de4df6b783309bebc52dfd0122f0b2

SHA1
2065799742730466682e6e26ad3947fc84372493

SHA256
96e73ef016bfc1160c0d3b6e37a2192b702c6d5d93ad6eefab7439933c5df056

SHA512
d8daea89df0353b78350c4c85968815353bb8412fcedaf54df5966bf684006e0f8a380eb516042b36beff112846bbac9c1605e91444301ec4bfd9b7b364bd212

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Filesize
699KB

MD5
6a9fd0f528c55c530a75bac3d2e7a38b

SHA1
c79a82654f8725487cdde74d04412b0a39b50395

SHA256
0285a3bebc3d98eae138f71aa4f623e33474bfc79238741cc0302b96a0526d48

SHA512
3afd99d1f1b7642f811598ed6426708517e7f470c140380b4ee32a585d013fff6d3dcb8fa95d65533caa38540a8683b88b262ed1d7e587cbe31785146e3427ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll

Filesize
105KB

MD5
fb072e9f69afdb57179f59b512f828a4

SHA1
fe71b70173e46ee4e3796db9139f77dc32d2f846

SHA256
66d653397cbb2dbb397eb8421218e2c126b359a3b0decc0f31e297df099e1383

SHA512
9d157fece0dc18afe30097d9c4178ae147cc9d465a6f1d35778e1bff1efca4734dd096e95d35faea32da8d8b4560382338ba9c6c40f29047f1cc0954b27c64f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Filesize
780B

MD5
93f33b83f1f263e2419006d6026e7bc1

SHA1
1a4b36c56430a56af2e0ecabd754bf00067ce488

SHA256
ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4

SHA512
45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Filesize
780B

MD5
de1cbbab5ee3127aa4e080a5cb683f80

SHA1
28754455659cf171d641c967cde3691f9ce3e698

SHA256
484fcf7d2970450962f5e47e50fe9171711379bab7a88a3de64428b3b9d81722

SHA512
eda0aadbfadb0eef96c69801be33a31111423875c86cacee38a81b1438e5ff610f28513cd938e295c572d783ae60ad6b1cebbffe02d70a1636b0119c8f5573c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.vbs

Filesize
219B

MD5
82a1fc4089755cb0b5a498ffdd52f20f

SHA1
0a8c0da8ef0354f37241e2901cf82ec9ce6474aa

SHA256
7fbdc49f4b4ba21949eca0b16c534b4882da97e94e5ca131cec1629e60439dfa

SHA512
1573a0c7333accef2695efefe1b57cba8f8d66a0061c24420ee0a183343a9a319995267d306ee85084c95580f9855bcdf9dee559b28a200b27fc3cc353315e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_Spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
4.2MB

MD5
c8eb55dfc475dfedc2f8e421d005676c

SHA1
3189cf10640569059e49ce37365b42116f1bd569

SHA256
2932c9b50369c0ca2cfada270572b7a69df81217cec30337c790369b3817122d

SHA512
e09aab7baea2a7f6efb43ad71c9cedafff284b938f789e626382a1ab646117a1e1451a1723bbcff33b662d079313e9457b0778334ab9fc36233542f799ea631c

Download Submit
C:\Users\Admin\Documents\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
192KB

MD5
107bf18bfe9ac24d85f52f7aa5c8b8c0

SHA1
f6d13ab464c334a3580f7f2b1b38883725258fef

SHA256
6653c7e7dd0937497c22e00a6ea3953db4bb608a0c92ca5d3cfb048427a800ef

SHA512
2aad33e6b999076bd7922ee0c9f942b64d1611d06a0921a0215ffece329c8b191d4468a82afaebda794e633bd5ef6bf04a6e09b10a95160eea50e5c45c33f477

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libeay32.dll

Filesize
198KB

MD5
3b28c3dd86881427235c04679ae82abf

SHA1
faf1b7111e9dc2844ab40e679f153352e939bbc6

SHA256
cb270cfae290752a1e249935a08b5c7803664a276c470e78c36e31c59bc02593

SHA512
3839854661c479b1cc776c9fda321dc2ebb39da16325c20e1f648b67fb6abae0ff3f3c3e41e7c2948b5692b4ad11caccce2c4998575fd94897ac2c124034f137

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

Filesize
702KB

MD5
90f50a285efa5dd9c7fddce786bdef25

SHA1
54213da21542e11d656bb65db724105afe8be688

SHA256
77a250e81fdaf9a075b1244a9434c30bf449012c9b647b265fa81a7b0db2513f

SHA512
746422be51031cfa44dd9a6f3569306c34bbe8abf9d2bd1df139d9c938d0cba095c0e05222fd08c8b6deaebef5d3f87569b08fb3261a2d123d983517fb9f43ae

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\ssleay32.dll

Filesize
402KB

MD5
20d66872bd35cfc514fe10e9ce66f1ad

SHA1
5a45f439a4d957700841c7cf7029c75892c82c92

SHA256
8a90dcc83b6f19b5f9c93798f2972b8b90f7f4e8e9f6492de539f779a43cc8a7

SHA512
2d4280b2d8b3cc212a306b0984483e22a72b234f86e97f570cdaf15a61b5f93e5cc8459df861c00dcb6dd9b4f607540935a09fbd30f329b70d76e5e843e450b8

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Filesize
1.2MB

MD5
46fbc42176d09ceb61fe8c0c47ecd48b

SHA1
980acf3030b68ad70ba727868d5a81060635b10b

SHA256
b1992a92f4592afa2e983248e2f283c73971f087e67f4ceb80b9ca39a29ddb92

SHA512
4828a2137ae5a465bee808c85866ead7601d4c76cb8016f68ff4a35c3520ade2309275582237a802d85e6a82f603c92a22e837489676d554686254ca947d3446

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Filesize
1.2MB

MD5
c6cfa90a9ff517ac5379946766d05260

SHA1
8102fa3ac3bc9300de5cfde97c7e99f7e4260d8f

SHA256
6422ca02f7af55dae26a06deff694731432eefdce9ed3525c962c669ec4a1f9d

SHA512
252681bcb981d5f35be59725d70a67b098a85c9de21e9c85818f182fe3572a5709f6784ceb0e471489f83e22a288a24287c575dd3d16a686be6b68afa4d06643

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
memory/2040-890-0x0000000074A20000-0x0000000074A42000-memory.dmp

Filesize
136KB

Download
memory/2040-899-0x0000000074D00000-0x0000000074D77000-memory.dmp

Filesize
476KB

Download
memory/2040-900-0x0000000074AE0000-0x0000000074CFC000-memory.dmp

Filesize
2.1MB

Download
memory/2040-901-0x0000000074A50000-0x0000000074AD2000-memory.dmp

Filesize
520KB

Download
memory/2040-904-0x00000000001E0000-0x00000000004DE000-memory.dmp

Filesize
3.0MB

Download
memory/2040-911-0x00000000001E0000-0x00000000004DE000-memory.dmp

Filesize
3.0MB

Download
memory/2040-898-0x0000000074D80000-0x0000000074D9C000-memory.dmp

Filesize
112KB

Download
memory/2040-897-0x0000000074DA0000-0x0000000074E22000-memory.dmp

Filesize
520KB

Download
memory/2040-896-0x00000000001E0000-0x00000000004DE000-memory.dmp

Filesize
3.0MB

Download
memory/2040-946-0x00000000001E0000-0x00000000004DE000-memory.dmp

Filesize
3.0MB

Download
memory/2040-950-0x0000000074AE0000-0x0000000074CFC000-memory.dmp

Filesize
2.1MB

Download
memory/2040-954-0x00000000001E0000-0x00000000004DE000-memory.dmp

Filesize
3.0MB

Download
memory/2040-958-0x0000000074AE0000-0x0000000074CFC000-memory.dmp

Filesize
2.1MB

Download
memory/2040-893-0x00000000001E0000-0x00000000004DE000-memory.dmp

Filesize
3.0MB

Download
memory/2040-977-0x00000000001E0000-0x00000000004DE000-memory.dmp

Filesize
3.0MB

Download
memory/2040-892-0x0000000074A20000-0x0000000074A42000-memory.dmp

Filesize
136KB

Download
memory/2040-891-0x00000000001E0000-0x00000000004DE000-memory.dmp

Filesize
3.0MB

Download
memory/2040-1026-0x00000000001E0000-0x00000000004DE000-memory.dmp

Filesize
3.0MB

Download
memory/2040-1034-0x00000000001E0000-0x00000000004DE000-memory.dmp

Filesize
3.0MB

Download
memory/2040-1042-0x00000000001E0000-0x00000000004DE000-memory.dmp

Filesize
3.0MB

Download
memory/2040-888-0x0000000074AE0000-0x0000000074CFC000-memory.dmp

Filesize
2.1MB

Download
memory/2040-889-0x0000000074A50000-0x0000000074AD2000-memory.dmp

Filesize
520KB

Download
memory/2040-886-0x0000000074DA0000-0x0000000074E22000-memory.dmp

Filesize
520KB

Download
memory/2040-887-0x0000000074AE0000-0x0000000074CFC000-memory.dmp

Filesize
2.1MB

Download
memory/2040-885-0x0000000074DA0000-0x0000000074E22000-memory.dmp

Filesize
520KB

Download
memory/2808-39-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download