wannacry | 7846adeae0737e0ae55d0045adeb644c27745c2d0f1af92c56a9e4351e881451

Analysis

max time kernel
146s
max time network
133s
platform
windows10_x64
resource
win10v200430
submitted
14-07-2020 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.vbs
Size

589B
MD5

94d9611bf2c6e0caa430b1b0b808da1e
SHA1

723de46bdda58dd345b0c0bfd8bdbc33ea1931ec
SHA256

8cf91cb3c0524feabe3b9502aa36ec58003e9e0db849901948cd335caf0e4f66
SHA512

6baddf54c364c1c39bccd4f3e78f2b97f62297382c46642f6fc921fb2bc950e3ee44c6f94b5447c13faa028d9bc706ee9784582188e7a07fd3805de836b63e8e

Score

10^/10

ransomware discovery spyware persistence worm wannacry

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe

Executes dropped EXE 17 IoCs

Processes:

important.exetaskdl.exe@[email protected]@[email protected]taskhsvc.exetaskse.exe@[email protected]taskdl.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exe

pid	process
640	important.exe
2088	taskdl.exe
1148	@[email protected]
1732	@[email protected]
2132	taskhsvc.exe
3668	taskse.exe
3556	@[email protected]
1448	taskdl.exe
3608	taskdl.exe
3940	taskse.exe
1820	@[email protected]
2088	taskdl.exe
3812	taskse.exe
3516	@[email protected]
1668	taskse.exe
3088	@[email protected]
816	taskdl.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4020 vssadmin.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

916 icacls.exe

pid	process
4020	vssadmin.exe

pid	process
916	icacls.exe

Drops startup file 2 IoCs

Processes:

important.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDC2BF.tmp	important.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDC2C6.tmp	important.exe

Suspicious use of WriteProcessMemory 81 IoCs

Processes:

WScript.exeimportant.execmd.execmd.exe@[email protected]cmd.exe@[email protected]cmd.exe

description	pid	process	target process
PID 3544 wrote to memory of 640	3544	WScript.exe	important.exe
PID 3544 wrote to memory of 640	3544	WScript.exe	important.exe
PID 3544 wrote to memory of 640	3544	WScript.exe	important.exe
PID 640 wrote to memory of 864	640	important.exe	attrib.exe
PID 640 wrote to memory of 864	640	important.exe	attrib.exe
PID 640 wrote to memory of 864	640	important.exe	attrib.exe
PID 640 wrote to memory of 916	640	important.exe	icacls.exe
PID 640 wrote to memory of 916	640	important.exe	icacls.exe
PID 640 wrote to memory of 916	640	important.exe	icacls.exe
PID 640 wrote to memory of 2088	640	important.exe	taskdl.exe
PID 640 wrote to memory of 2088	640	important.exe	taskdl.exe
PID 640 wrote to memory of 2088	640	important.exe	taskdl.exe
PID 640 wrote to memory of 2448	640	important.exe	cmd.exe
PID 640 wrote to memory of 2448	640	important.exe	cmd.exe
PID 640 wrote to memory of 2448	640	important.exe	cmd.exe
PID 2448 wrote to memory of 2596	2448	cmd.exe	cscript.exe
PID 2448 wrote to memory of 2596	2448	cmd.exe	cscript.exe
PID 2448 wrote to memory of 2596	2448	cmd.exe	cscript.exe
PID 640 wrote to memory of 1148	640	important.exe	@[email protected]
PID 640 wrote to memory of 1148	640	important.exe	@[email protected]
PID 640 wrote to memory of 1148	640	important.exe	@[email protected]
PID 640 wrote to memory of 1204	640	important.exe	cmd.exe
PID 640 wrote to memory of 1204	640	important.exe	cmd.exe
PID 640 wrote to memory of 1204	640	important.exe	cmd.exe
PID 1204 wrote to memory of 1732	1204	cmd.exe	@[email protected]
PID 1204 wrote to memory of 1732	1204	cmd.exe	@[email protected]
PID 1204 wrote to memory of 1732	1204	cmd.exe	@[email protected]
PID 1148 wrote to memory of 2132	1148	@[email protected]	taskhsvc.exe
PID 1148 wrote to memory of 2132	1148	@[email protected]	taskhsvc.exe
PID 1148 wrote to memory of 2132	1148	@[email protected]	taskhsvc.exe
PID 640 wrote to memory of 3668	640	important.exe	taskse.exe
PID 640 wrote to memory of 3668	640	important.exe	taskse.exe
PID 640 wrote to memory of 3668	640	important.exe	taskse.exe
PID 640 wrote to memory of 3556	640	important.exe	@[email protected]
PID 640 wrote to memory of 3556	640	important.exe	@[email protected]
PID 640 wrote to memory of 3556	640	important.exe	@[email protected]
PID 640 wrote to memory of 1448	640	important.exe	taskdl.exe
PID 640 wrote to memory of 1448	640	important.exe	taskdl.exe
PID 640 wrote to memory of 1448	640	important.exe	taskdl.exe
PID 640 wrote to memory of 3060	640	important.exe	cmd.exe
PID 640 wrote to memory of 3060	640	important.exe	cmd.exe
PID 640 wrote to memory of 3060	640	important.exe	cmd.exe
PID 3060 wrote to memory of 1740	3060	cmd.exe	reg.exe
PID 3060 wrote to memory of 1740	3060	cmd.exe	reg.exe
PID 3060 wrote to memory of 1740	3060	cmd.exe	reg.exe
PID 1732 wrote to memory of 1036	1732	@[email protected]	cmd.exe
PID 1732 wrote to memory of 1036	1732	@[email protected]	cmd.exe
PID 1732 wrote to memory of 1036	1732	@[email protected]	cmd.exe
PID 1036 wrote to memory of 4020	1036	cmd.exe	vssadmin.exe
PID 1036 wrote to memory of 4020	1036	cmd.exe	vssadmin.exe
PID 1036 wrote to memory of 4020	1036	cmd.exe	vssadmin.exe
PID 1036 wrote to memory of 3888	1036	cmd.exe	WMIC.exe
PID 1036 wrote to memory of 3888	1036	cmd.exe	WMIC.exe
PID 1036 wrote to memory of 3888	1036	cmd.exe	WMIC.exe
PID 640 wrote to memory of 3608	640	important.exe	taskdl.exe
PID 640 wrote to memory of 3608	640	important.exe	taskdl.exe
PID 640 wrote to memory of 3608	640	important.exe	taskdl.exe
PID 640 wrote to memory of 3940	640	important.exe	taskse.exe
PID 640 wrote to memory of 3940	640	important.exe	taskse.exe
PID 640 wrote to memory of 3940	640	important.exe	taskse.exe
PID 640 wrote to memory of 1820	640	important.exe	@[email protected]
PID 640 wrote to memory of 1820	640	important.exe	@[email protected]
PID 640 wrote to memory of 1820	640	important.exe	@[email protected]
PID 640 wrote to memory of 2088	640	important.exe	taskdl.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]

pid	process
1148	@[email protected]
1732	@[email protected]
1148	@[email protected]
1732	@[email protected]
3556	@[email protected]
3556	@[email protected]
1820	@[email protected]
3516	@[email protected]
3088	@[email protected]

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

864 attrib.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1740 reg.exe

pid	process
864	attrib.exe

pid	process
1740	reg.exe

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\biiywaghgcpcp303 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Loads dropped DLL 8 IoCs

Processes:

taskhsvc.exe

pid process

2132 taskhsvc.exe
2132 taskhsvc.exe
2132 taskhsvc.exe
2132 taskhsvc.exe
2132 taskhsvc.exe
2132 taskhsvc.exe
2132 taskhsvc.exe
2132 taskhsvc.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

taskhsvc.exe

pid process

2132 taskhsvc.exe
2132 taskhsvc.exe
2132 taskhsvc.exe
2132 taskhsvc.exe
2132 taskhsvc.exe
2132 taskhsvc.exe

pid	process
2132	taskhsvc.exe
2132	taskhsvc.exe
2132	taskhsvc.exe
2132	taskhsvc.exe
2132	taskhsvc.exe
2132	taskhsvc.exe
2132	taskhsvc.exe
2132	taskhsvc.exe

pid	process
2132	taskhsvc.exe
2132	taskhsvc.exe
2132	taskhsvc.exe
2132	taskhsvc.exe
2132	taskhsvc.exe
2132	taskhsvc.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

taskse.exevssvc.exeWMIC.exetaskse.exetaskse.exetaskse.exe

description	pid	process
Token: SeTcbPrivilege	3668	taskse.exe
Token: SeTcbPrivilege	3668	taskse.exe
Token: SeBackupPrivilege	2768	vssvc.exe
Token: SeRestorePrivilege	2768	vssvc.exe
Token: SeAuditPrivilege	2768	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3888	WMIC.exe
Token: SeSecurityPrivilege	3888	WMIC.exe
Token: SeTakeOwnershipPrivilege	3888	WMIC.exe
Token: SeLoadDriverPrivilege	3888	WMIC.exe
Token: SeSystemProfilePrivilege	3888	WMIC.exe
Token: SeSystemtimePrivilege	3888	WMIC.exe
Token: SeProfSingleProcessPrivilege	3888	WMIC.exe
Token: SeIncBasePriorityPrivilege	3888	WMIC.exe
Token: SeCreatePagefilePrivilege	3888	WMIC.exe
Token: SeBackupPrivilege	3888	WMIC.exe
Token: SeRestorePrivilege	3888	WMIC.exe
Token: SeShutdownPrivilege	3888	WMIC.exe
Token: SeDebugPrivilege	3888	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3888	WMIC.exe
Token: SeRemoteShutdownPrivilege	3888	WMIC.exe
Token: SeUndockPrivilege	3888	WMIC.exe
Token: SeManageVolumePrivilege	3888	WMIC.exe
Token: 33	3888	WMIC.exe
Token: 34	3888	WMIC.exe
Token: 35	3888	WMIC.exe
Token: 36	3888	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3888	WMIC.exe
Token: SeSecurityPrivilege	3888	WMIC.exe
Token: SeTakeOwnershipPrivilege	3888	WMIC.exe
Token: SeLoadDriverPrivilege	3888	WMIC.exe
Token: SeSystemProfilePrivilege	3888	WMIC.exe
Token: SeSystemtimePrivilege	3888	WMIC.exe
Token: SeProfSingleProcessPrivilege	3888	WMIC.exe
Token: SeIncBasePriorityPrivilege	3888	WMIC.exe
Token: SeCreatePagefilePrivilege	3888	WMIC.exe
Token: SeBackupPrivilege	3888	WMIC.exe
Token: SeRestorePrivilege	3888	WMIC.exe
Token: SeShutdownPrivilege	3888	WMIC.exe
Token: SeDebugPrivilege	3888	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3888	WMIC.exe
Token: SeRemoteShutdownPrivilege	3888	WMIC.exe
Token: SeUndockPrivilege	3888	WMIC.exe
Token: SeManageVolumePrivilege	3888	WMIC.exe
Token: 33	3888	WMIC.exe
Token: 34	3888	WMIC.exe
Token: 35	3888	WMIC.exe
Token: 36	3888	WMIC.exe
Token: SeTcbPrivilege	3940	taskse.exe
Token: SeTcbPrivilege	3940	taskse.exe
Token: SeTcbPrivilege	3812	taskse.exe
Token: SeTcbPrivilege	3812	taskse.exe
Token: SeTcbPrivilege	1668	taskse.exe
Token: SeTcbPrivilege	1668	taskse.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

@[email protected]important.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	important.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Blacklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

2 3544 WScript.exe
Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

3544 WScript.exe

flow	pid	process
2	3544	WScript.exe

pid	process
3544	WScript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\test.vbs"
1⤵
- Suspicious use of WriteProcessMemory
- Blacklisted process makes network request
- Deletes itself
PID:3544
- C:\Users\Admin\AppData\Local\Temp\important.exe
  "C:\Users\Admin\AppData\Local\Temp\important.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - Sets desktop wallpaper using registry
  PID:640
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - Views/modifies file attributes
    PID:864
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:916
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:2088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 230491594719096.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\SysWOW64\cscript.exe
      cscript.exe //nologo m.vbs
      4⤵
      PID:2596
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected] co
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetWindowsHookEx
    PID:1148
  - - C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Users\Admin\AppData\Local\Temp\@[email protected]
      @[email protected] vs
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      Suspicious use of SetWindowsHookEx
      PID:1732
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1036
      - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:4020
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3888
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3668
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Sets desktop wallpaper using registry
    PID:3556
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "biiywaghgcpcp303" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "biiywaghgcpcp303" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
      4⤵
      Modifies registry key
      Adds Run entry to start application
      PID:1740
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3608
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3940
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1820
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:2088
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3812
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3516
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1668
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3088
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:816

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:2768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\10.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\12.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\13.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\14.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\15.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\16.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\17.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\18.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\19.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\20.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\21.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\22.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\23.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\230491594719096.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\24.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\25.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\26.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\27.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\28.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\29.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\30.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\31.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\32.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\33.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\34.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\35.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\8.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\9.WNCRYT

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\LIBEAY32.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\SSLEAY32.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\important.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\important.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_bulgarian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (simplified).wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (traditional).wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_croatian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_czech.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_danish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_dutch.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_english.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_filipino.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_french.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_german.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_greek.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_indonesian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_italian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_japanese.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_korean.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_latvian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_norwegian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_polish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_portuguese.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_romanian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_russian.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_slovak.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_spanish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_swedish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_turkish.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_vietnamese.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\r.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.wnry

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wnry

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libeay32.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libeay32.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\ssleay32.dll

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll

Download Submit
memory/640-46-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/640-4-0x0000000000000000-mapping.dmp

Download
memory/816-650-0x0000000000000000-mapping.dmp

Download
memory/864-7-0x0000000000000000-mapping.dmp

Download
memory/916-8-0x0000000000000000-mapping.dmp

Download
memory/1036-595-0x0000000000000000-mapping.dmp

Download
memory/1148-55-0x0000000000000000-mapping.dmp

Download
memory/1204-56-0x0000000000000000-mapping.dmp

Download
memory/1448-578-0x0000000000000000-mapping.dmp

Download
memory/1668-646-0x0000000000000000-mapping.dmp

Download
memory/1732-59-0x0000000000000000-mapping.dmp

Download
memory/1732-58-0x0000000000000000-mapping.dmp

Download
memory/1740-594-0x0000000000000000-mapping.dmp

Download
memory/1820-601-0x0000000000000000-mapping.dmp

Download
memory/2088-604-0x0000000000000000-mapping.dmp

Download
memory/2088-47-0x0000000000000000-mapping.dmp

Download
memory/2132-407-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/2132-527-0x0000000003770000-0x0000000003771000-memory.dmp

Filesize
4KB

Download
memory/2132-410-0x0000000003F70000-0x0000000003F71000-memory.dmp

Filesize
4KB

Download
memory/2132-579-0x0000000003770000-0x0000000003771000-memory.dmp

Filesize
4KB

Download
memory/2132-411-0x0000000003770000-0x0000000003771000-memory.dmp

Filesize
4KB

Download
memory/2132-62-0x0000000000000000-mapping.dmp

Download
memory/2132-243-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/2132-79-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/2132-244-0x0000000003960000-0x0000000003961000-memory.dmp

Filesize
4KB

Download
memory/2132-80-0x0000000003960000-0x0000000003961000-memory.dmp

Filesize
4KB

Download
memory/2132-245-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/2132-316-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/2132-81-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/2132-409-0x0000000003770000-0x0000000003771000-memory.dmp

Filesize
4KB

Download
memory/2448-49-0x0000000000000000-mapping.dmp

Download
memory/2596-51-0x0000000000000000-mapping.dmp

Download
memory/3060-580-0x0000000000000000-mapping.dmp

Download
memory/3088-648-0x0000000000000000-mapping.dmp

Download
memory/3516-626-0x0000000000000000-mapping.dmp

Download
memory/3556-575-0x0000000000000000-mapping.dmp

Download
memory/3608-598-0x0000000000000000-mapping.dmp

Download
memory/3668-574-0x0000000000000000-mapping.dmp

Download
memory/3812-612-0x0000000000000000-mapping.dmp

Download
memory/3888-597-0x0000000000000000-mapping.dmp

Download
memory/3940-600-0x0000000000000000-mapping.dmp

Download
memory/4020-596-0x0000000000000000-mapping.dmp

Download