deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-18 08:17:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into live

Browse Source
This commit is contained in:
LizRoss 2017-05-15 19:23:59 -07:00
commit 297d3032bf
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
View File

@ -71,7 +71,7 @@ When run, WannaCrypt creates the following registry keys:
It changes the wallpaper to a ransom message by modifying the following registry key: It changes the wallpaper to a ransom message by modifying the following registry key:
- *HKCU\Control Panel\Desktop\Wallpaper: '\<malware working directory>\@WanaDecryptor@.bmp'* - *HKCU\Control Panel\Desktop\Wallpaper: '\<malware working directory>\\@WanaDecryptor@.bmp'*
It creates the following files in the malware's working directory: It creates the following files in the malware's working directory:
@ -134,8 +134,8 @@ It creates the following files in the malware's working directory:
WannaCrypt may also create the following files: WannaCrypt may also create the following files:
- *%SystemRoot%\tasksche.exe* - *%SystemRoot%\tasksche.exe*
- *%SystemDrive%\intel\<random directory name>\tasksche.exe* - *%SystemDrive%\intel\\\<random directory name>\tasksche.exe*
- *%ProgramData%\<random directory name>\tasksche.exe* - *%ProgramData%\\\<random directory name>\tasksche.exe*
It may create a randomly named service that has the following associated ImagePath: `cmd.exe /c '<malware working directory>\tasksche.exe'`. It may create a randomly named service that has the following associated ImagePath: `cmd.exe /c '<malware working directory>\tasksche.exe'`.